Xiaoqiang
There is an injection vulnerability in dig_vote.wst, but this page contains
Function. wst has the anti-injection code, but the anti-injection Code does not seem to be case-insensitive and can be skipped directly in upper case.
Download the official version 3.0 and 3.1, and check whether there is a vote in the injection mode.
Is to use cookies to verify the related file session. wst let's look at the code
First, determine whether the username value in the cookie is null. If it is switched to login. wst, if it is not empty, verify that UserAccountStatus is
1. Check whether UserRoleID is 3. If yes, the system considers that you are an administrator. In this case, the cookie spoofing vulnerability will generate the default Administrator of the program.
We also need to find the Administrator's username because the program queries the database and determines the username value to construct a cookie:
UserAccountStatus = 1; username = admin; UserRoleID = 3;
OK And then directly access/admin_login/index. wst to enter the background
Use webshell in db007.wst in the background,
When we access this page, it is a database online management. We can create a database table field and insert the field content. What do we think?