C9 static article publishing system 0day (2.3.8 message books are not strictly filtered)

Why?

C9 static article publishing system version 2.3.8 does not strictly filter messages, resulting in inserting a sentence

Code:

Names = funstrs (request. Form ("names "))
Code = funstrs (request. Form ("mg "))
Title = funstrs (request. Form ("title "))
Checkcode = funstrs (request. Form ("checkcode "))

You can see that the message content is filtered by the funstrs function, and then you can see how the funstrs function is written,

Function funstr (str)
Str = trim (str)
Str = replace (str, "<", "& lt;", 1,-1, 1)
Str = replace (str, ">", "& gt;", 1,-1, 1)
Str = replace (str ,"","'")
 
Funstr = str
End Function

After simple filtering of <,>, and other content, we can use Unicode encryption to encrypt a sentence, and the entire number of bytes can be inserted into the database, the database address is/db/% 23% 20db. asa,

This is an official test. The database inserts a sentence,

When you see familiar words, the password is a, and you win the official website,

Simple Elevation of Privilege To win servers:

The vulnerability has been officially fixed, so you don't need to follow the instructions. As for how to exploit the vulnerability in this system, find it and I will not post it.

Reprinted please indicate the source