Author: Trojan [ESST] Elastic Compute Security Team [edevil-Soul Security Team] http://bbs.x-xox-x.com/thread-793-1-1.html
Some time ago, when I obtained the code of the game payment platform, I reviewed it. I didn't find any injection vulnerability, so I simply assumed it was safe. The code is as follows <! -- # Include file = "inc/conn. asp" -->
<%
' Displays one news item selected by the newsid query-string value.
' Relies on inc/conn.asp (included above) for ConnectionDatabase, GrateRs and the global Conn.
' Error handling is manual: runtime errors are suppressed and Err is inspected explicitly.
On error resume next
' Only newsid is used below; s, pathstr and I are declared but never referenced in this page.
Dim s, newsid, pathstr, I
' CInt forces newsid to a 16-bit integer. A non-numeric or out-of-range value raises an
' error that the Err check right below catches, so only a plain integer reaches the SQL text.
Newsid = cint (request. QueryString ("newsid "))
If err> 0 then
Response. write "<script language = JavaScript> {window. alert (invalid parameter call !); Window. location = index. asp ;}</script>"
Response. end
End if
' Negative ids are rejected before any database work is done.
If NewsID <0 then
Response. write "<script language = JavaScript> {window. alert (Sorry, this c is not found !); Window. location = index. asp ;}</script>"
Response. end
End if
Call ConnectionDatabase
' newsid is concatenated into the SQL text, but because it is a CInt result it cannot carry
' injected SQL for this query. Lock type 3 (adLockOptimistic) is what allows the Rs.update
' performed at the bottom of the page.
Set Rs = GrateRs ("select * from H_news where newsid =" & newsid, 3)
If Rs. eof then
Response. write "<script language = JavaScript> {window. alert (Sorry, this news is not found !); Window. location = index. asp ;}</script>"
Response. end
End if
' The redirect target is taken straight from the stored link column. If that column can be
' written by anyone other than trusted administrators this is an open redirect -- confirm
' where H_news.link is populated.
If Rs ("islink") = 1 then
Response. redirect Rs ("link ")
Response. end
End if
%>
<HTML>
<!-- Page body. Title, topic, posting time, source and content are read from the recordset
     opened above and written with ASP output tags, i.e. without HTML encoding. That is
     acceptable only if H_news rows are written by trusted users; verify how news is entered. -->
<HEAD>
<TITLE> <% = SiteName %>-Alliance dynamics-<% = Rs ("topic") %> </TITLE>
<META http-equiv = Content-Type content = "text/html; charset = gb2312">
<LINK href = "inc/css.css" type = text/css rel = stylesheet>
</HEAD>
<BODY>
<Br>
<Table width = "507" height = "500" border = "0" align = "center" cellpadding = "0" cellspacing = "0">
<Tr align = "left">
<Td height = "30" colspan = "4">
<Font size = "3" color = "# FF6600"> <center> <B> <% = Rs ("topic ") %> </B> </center> </font> </td>
</Tr>
<Tr align = "center" valign = "top">
<Td height = "22" colspan = "4" bgcolor = "# FFFFFF"> posting time: <% = Rs ("time") %> & nbsp;
<% If Rs ("from") <> "" then response. write ("Source:" & Rs ("from") %> </td>
</Tr>
<Tr bgcolor = "# D1C8C1">
<Td height = "1" colspan = "4"> </td>
</Tr>
<Tr bgcolor = "# FFFFFF">
<Td height = "24" colspan = "3" valign = "top"> & nbsp; </td>
</Tr>
<Tr bgcolor = "# FFFFFF">
<Td width = "1%" valign = "top"> & nbsp; </td>
<Td width = "98%" style = "font-size: 13px; line-height: 22px;" valign = "top"> Information Source: minus-Zero game payment platform <a href = "www.0xpay.com
Http://www.0xpay.com "> www.0xpay.com </a> <br> customer service QQ: 918224 <br> <%
' The stored HTML content is rewritten with two string replacements (apparently adjusting
' image tags; the replace arguments look mangled in this listing) and then written as-is.
' Nothing here encodes or filters the markup -- see the trust note at the top of the body.
Content = replace (Rs ("content"), " screen. width-500) this. style. width = screen. width-500; if (this. height> 350) this. style. width = (this. width * 350)/this. height; "" src = """)
Content = replace (content, "border = 0>", "" border = 0> </div> ")
Response. write content
%> <Br> <script language = javascript>
// Copies the page title and URL to the clipboard via window.clipboardData (an IE-only API).
// The concatenation on the next lines looks mangled in this listing.
Function copyToClipBoard (){
Var clipBoardContent = document. title ++ document. location;
ClipBoardContent + =;
Window. clipboardData. setData ("Text", clipBoardContent );
Alert ("Congratulations! Copied successfully ");
}
// Builds the "click to copy" input/button pair and writes it into the page.
// document.location is placed into the value attribute without escaping; whether that is
// exploitable depends on how the browser encodes the URL -- worth confirming.
Document. write ("<input size =" 50 "border-style: dotted; border-width: 1px; background-color: #000000 value =" "+ document. location + ""> <input type = "button" style = border-style: solid; border-width: 1px value = "click to copy" title = "click to copy the URL of this article to the Clipboard" onclick = "copyToClipBoard ()"> & nbsp; share with your QQ/MSN friends! ");
</Script> </td>
<Td width = "1%" valign = "top"> & nbsp; </td>
</Tr>
</Table>
<%
' Increment the view counter on the open recordset and persist it; this requires the
' optimistic lock type (3) that was passed to GrateRs at the top of the page.
Rs ("click") = Rs ("click") + 1
Rs. update
' Tears down the connection; DBConnEnd is presumably supplied by inc/conn.asp (not visible here).
Call DBConnEnd
%>
</BODY> </HTML>
The conn code is as follows <% @ LANGUAGE = VBScript CodePage = 936%>
<% Server. ScriptTimeOut = 72000%>
<! -- # Include file = "config. asp" -->
<%
' Shared database globals for the site. config.asp (included above) presumably supplies the
' sqlip / sqluid / sqlpwd / sqlname values that ConnectionDatabase below builds its
' connection string from.
Response. Buffer = True
Randomize timer
Dim db, verStr
Dim SqlNowString, Conn
Dim Rs, Rs1, Rs2
Dim mssql
' The surrounding slash lines appear to be a mangled VBScript comment banner listing the
' supported games; in the original they were most likely prefixed with the comment marker.
Currently, the game is supported ///////////////////////////////////// //////////////////
AllGames = "Legend of the hot blood | legend of the world | journey | audition golden pig recharge | tianlong Babu | audition MB recharge | magic domain"
//////////////////////////////////////// ///////////////////////////
Sub ConnectionDatabase
' Opens the global Conn to SQL Server using sqlip, sqluid, sqlpwd and sqlname, which are not
' declared in this file and are presumably globals from config.asp.
' On any failure it writes a fixed, generic message and ends the response, so the
' connection string and the ODBC error text are never echoed to the client.
Dim ConnStr
Connstr = "driver = {SQL Server}; server =" & sqlip & "; uid =" & sqluid & "; pwd =" & sqlpwd &"; database = "& sqlname &""
On Error Resume Next
Set conn = Server. CreateObject ("ADODB. Connection ")
Conn. open ConnStr
If Err Then
Err. Clear
Set Conn = Nothing
Response. Write "The Sever Is Busy, Please try again ..."
Response. End
End If
End Sub
Function GrateRs (SqlStr, wr)
' Opens a recordset over the global Conn and returns it.
'   SqlStr - complete SQL text, executed verbatim. Nothing is parameterised here, so every
'            caller must make sure any user-supplied value is already typed or escaped
'            before it is concatenated in (the news page above relies on CInt for that).
'   wr     - ADO LockType; 3 (adLockOptimistic) makes the recordset updatable.
' CursorType is fixed at 1 (adOpenKeyset).
' On error the connection is released and a generic message is sent. The function value
' has already been assigned at that point, so the recordset itself is not cleaned up;
' Response.End stops the page regardless.
' The local Rs shadows the global Rs declared at the top of this file.
Dim Rs
Set Rs = Server. CreateObject ("ADODB. Recordset ")
On Error Resume Next
Rs. Open SqlStr, Conn, 1, wr
Set GrateRs = Rs
If Err Then
Err. Clear
Set Conn = Nothing
Response. Write "The Sever Is Busy, Please try again ..."
Response. End
End If
End Function
Function ReplStr (s)
& Nbs