SiteDynamic v1.6.0.1 SQL Injection 0day

Source: Internet
Author: User

SiteDynamic enterprise website management system v1.6.0.1 I will not talk about it much, there are not many websites used, and I helped my friends dig holes. On the Forum, xiya posted the fckeditor Upload Vulnerability. Read the Code:
001 // page/default. asp 5-122

002

003

004 <%

005 pageID = strCLng (Trim (Request ("pageID ")))

006 ID = strCLng (Trim (Request ("ID ")))

007

008 If isNumeric (pageID) = False Then

009 FoundErr = True

010 Message = Message & amp; "<li> parameter error! </Li>"

011 End If

012

013 if FoundErr <> True then

014

015 if ID = 0 then

016

017 If pageID <> 0 Then

018 set rs = server. CreateObject ("adodb. recordset ")

019 SQL = "Select * from db_channel where pageID =" & amp; pageID

020 rs. open SQL, conn, 1, 1

021 pageName = rs ("pageName ")

022 description = rs ("description ")

023 keywords = rs ("keywords ")

024 pic = rs ("pic ")

025 link = rs ("link ")

026 PageMode = rs ("PageMode ")

027 PageAmount = rs ("PageAmount ")

028 PageLine = rs ("PageLine ")

029 intro = rs ("intro ")

030

031 If Not rs. Eof Then

032 if rs ("pageID")> 0 then

033 if rs ("ChiID")> 0 then

034 strChiID = ""

035 set strrs1_conn.exe cute ("select pageID from db_channel where ParentID =" & amp; rs ("pageID") & amp; "or ParentPath like & apos;" & amp; rs ("ParentPath") & amp; "," & amp; rs ("pageID") & amp; ", % & apos ;")

036

037 do while not strRs. eof

038 if strChiID = "" then

039 strChiID = strRs (0)

040 else

041 strChiID = strChiID & amp; "," & amp; strRs (0)

042 end if

043 strRs. movenext

044 loop

045 else

046 strChiID = pageID

047 end if

048 end if

049 end If

050 rs. close

051 set rs = nothing

052

053 SQL = "select * from db_page Where pageID in (" & amp; strChiID & amp ;")"

054 Else

055 SQL = "select * from db_page where 1 = 1"

056 End If

057 else

058 SQL = "select * from db_page where ID =" & amp; ID & amp ;""

059 End if

060

061 if not (Trim (Request ("keyword") = "" or isempty (Trim (Request ("keyword") then

062 SQL = SQL & amp; "and (title like & apos; %" & amp; Trim (Request ("keyword") & amp; "% & apos; or content like & apos; % "& amp; Trim (Request (" keyword ") & amp;" % & apos;) "// bugs

063 end if

064

065 SQL = SQL & amp; "order by dateandtime desc"

066 & apos; response. write SQL

067 & apos; response. end

068 set rs = server. CreateObject ("adodb. recordset ")

069 rs. open SQL, conn, 1, 1

070

071 if ID <> 0 then

072 if Trim (rs ("PageMode") = 4 then

073 response. redirect Trim (rs ("URL "))

074 end if

075 & apos; file type

076 if Trim (rs ("PageMode") = 3 then

077 filesURL = Trim (rs ("files "))

078 If filesURL = "" Then

079 response. write "No data! "

080 End If

081 Call Getdownload (filesURL)

082 end if

083

084 srtTitle = Trim (rs ("Title "))

085 srtPageID = Trim (rs ("pageID "))

086 description = rs ("description ")

087 keywords = rs ("keywords ")

088 end if

089

090 sub getTitle ()

091 if pageID = 0 and ID = 0 then

092 response. write "full-text search"

093 elseif pageID <> 0 then

094 response. write "" & amp; pageName & amp ;""

095 elseif ID <> 0 then

096 response. write "" & amp; srtTitle & amp ;""

097 end if

098 end sub

099

100 sub getadoTitle ()

101 if pageID = 0 and ID = 0 then

102 response. write "full-text search"

103 elseif pageID <> 0 then

104 response. write "" & amp; pageName & amp ;""

105 elseif ID <> 0 then

106 doPageID = rs ("PageID ")

107 set doRs = server. CreateObject ("adodb. recordset ")

108 Set doRs = conn. Execute ("Select * From db_channel Where pageID =" & amp; doPageID)

109 response. write "" & amp; Trim (doRs ("pageName") & amp ;""

110 end if

111 end sub

112

113 sub getLocation ()

114 if pageID = 0 and ID = 0 then

115 response. write "-& amp; gt; full-text search"

116 elseif ID <> 0 then

117 call Nav (srtPageID)

118 else

119 call Nav (pageID)

120 end if

121 end sub

 

Use Code
Javascript: alert (document. cookie = "keyword =" + esc

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.