XYCMS biotechnology company Vulnerability Analysis

Source: Internet
Author: User

Author: Legend of the wind http://www.anying.org reprint must indicate the URL, otherwise do not reprint

I found some source code on the Internet and analyzed it for problems. I searched through the files; let's look at them one by one.

------------------------ Injection ------------------------

The first file: common.asp

<%
' id comes straight from the query string and is concatenated into the SQL text
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from Common where id="&id
rs.open exec,conn,1,1
%>

 

A simple vulnerability. Injection address: http://127.0.0.1/common.asp?id=xx [SQL]

Second file: down_detail.asp

<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from [download] where id="&id
rs.open exec,conn,1,1
if rs.eof then
response.write "<div style=""padding:10px"">no record!</A>"
response.End()
end if
%>

 

Injection address: http://127.0.0.1/down_detail.asp?id=xx [SQL]

Third file: Downloads.asp

<%
id=request.QueryString("id")
exec="select * from download where id="&id
set rs=server.createobject("adodb.recordset")
rs.open exec,conn,1,1
' the same unvalidated id is reused in a second statement
sql="update download set js=js+1 where id="&id&" and js is not null" 'download count
conn.execute(sql)
response.redirect ""&rs("url")&""
rs.close
set rs=nothing
%>

 

With a single quote added directly the page redirects, and an error can be reported. Injection address: http://127.0.0.1/Downloads.asp?id=xx [SQL]

Fourth file: job_yp.asp

<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from zpxx where id="&id
rs.open exec,conn,1,1
%>

 

http://127.0.0.1/job_yp.asp?id=xx [SQL]

Fifth file: news.asp

<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
if id="" then
exec="select * from news order by id desc"
else
exec="select * from news where ssfl="&id&" order by id desc"
end if
rs.open exec,conn,1,1
%>

 

http://www.bkjia.com/news.asp?id=xx [SQL]

The sixth file: news_detail.asp

<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from news where id="&id
rs.open exec,conn,1,1
if rs.eof then
response.write "<div style=""padding:10px"">no news!</A>"
response.end()
end if
set dh=server.createobject("adodb.recordset")
sql="select * from news_fl where id="&rs("ssfl")&""
dh.open sql,conn,1,1
%>
http://127.0.0.1/news_detail.asp?id=xx [SQL]

File: pro_detail.asp

<%
id=request.QueryString("id")
set rsa=server.createobject("adodb.recordset")
exec="select * from [Products] where id="&id
rsa.open exec,conn,1,1
if rsa.eof then
response.write "no such information record!"
response.End()
end if
%>
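
The id concatenation shared by the files above, rewritten with validation and a bound parameter. This is an added example, not XYCMS code: it assumes the open `conn` connection the page's snippets use and reuses the `Common` table from common.asp; the `IsPositiveInt` helper, the constants block and the 404 handling are illustrative choices.

```asp
<%
' Added example (not XYCMS source): common.asp with the id bound as a parameter.
' Assumes conn is the open ADODB.Connection used by the original snippets.
Const adInteger = 3        ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum

' Hypothetical helper: allow-list check, digits only and short enough for CLng.
Function IsPositiveInt(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPositiveInt = re.Test(s)
End Function

Dim rawId, id, cmd, rs
rawId = Trim(Request.QueryString("id"))

' Reject anything that is not a plain number before it gets near the database.
If Not IsPositiveInt(rawId) Then
    Response.Status = "404 Not Found"
    Response.End
End If
id = CLng(rawId)

' The SQL text is now a constant; the value travels separately as a typed parameter.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from Common where id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)

' Open the recordset from the command, same cursor and lock type (1, 1) as the original.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , 1, 1
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
%>
```

The same pattern applies to the other id parameters listed above; in Downloads.asp the update statement needs its own parameterized command as well.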

 

----------------------- XSS -----------------------

pass.asp

<%
ip=request.servervariables("remote_addr")
ypzw=request.form("ypzw")
name=request.form("name")
sex=request.form("sex")
nn=request.form("nn")
mz=request.form("mz")
hj=request.form("hj")
hyzk=request.form("hyzk")
sg=request.form("sg")
tz=request.form("tz")
sfz=request.form("sfz")
xueli=request.form("xueli")
szd=request.form("szd")
byyx=request.form("byyx")
tel=request.form("tel")
sj=request.form("sj")
jybj=request.form("jybj")
gzjn=request.form("gzjn")
zc=request.form("zc")
set rs=server.createobject("adodb.recordset")
sql="select * from Resume"
rs.open sql,conn,1,3
rs.addnew
rs("ypzw")=ypzw
rs("name")=name
rs("sex")=sex
rs("nn")=nn
rs("mz")=mz
rs("ip")=ip
rs("hj")=hj
rs("hyzk")=hyzk
rs("sg")=sg
rs("tz")=tz
rs("sfz")=sfz
rs("xueli")=xueli
rs("szd")=szd
rs("byyx")=byyx
rs("tel")=tel
rs("sj")=sj
rs("jybj")=jybj
rs("gzjn")=gzjn
rs("zc")=zc
rs.update
rs.close
set rs=nothing
conn.close
set rs=nothing
Response.write "<script>alert('Congratulations! Your resume has been submitted!');window.location.href='/job.asp';</script>"
%>
There is no filtering at all. How to use the XSS, test by yourself; here I only read the code.

-------------- Editor --------------

http://127.0.0.1/system/xyeWebEditor/admin/default.asp
Default account: XY2010 password: XY2010

------------- Background -------------

The back end checks SESSION verification and filters single quotes, so there is no way to use the universal password. Then I read all the files and found one without SESSION verification. It is not very harmful, but it is also a vulnerability: /system/left.asp does not have <!--#include file="seeion.asp"-->, so it can be viewed directly.

http://127.0.0.1//system/left.asp

----------------------------------------------------------------

That is all for now; anyone interested can dig further.

PS: to the folks who wrote this program... please study security.
