Author: hsmw [hsmw]
The vulnerability is like this: appending special characters to the URL produces an error message, and an `and 1=1` / `and 1=2` style vulnerability exists, so an SQL Injection attack can be carried out. Code:

```asp
<!--#include file="conn.asp"-->
<!--#include file="const.asp"-->
<!--#include file="md5.asp"-->
<%
if Request("method") = 1 then
    ' articleid and face are not passed through Qcdn.checkStr
    articleid = Request.form("articleid")
    face = Request.form("face")
    content = Qcdn.checkStr(Trim(Request.form("content")))
    username = Qcdn.checkStr(Trim(Request.form("username")))
    password = Qcdn.checkStr(Trim(Request.form("password")))
    if Request.Cookies("qcdn")("user_name") = "" then
        password = md5(password,16)
    end if
    ip = Request.ServerVariables("REMOTE_ADDR")
    ' login check built by string concatenation
    Sql = "select Unid from article_User where username = '"& username &"' and password = '"& password &"'"
    set rs = conn.execute(sql)
    if rs.eof and rs.bof then
        response.write "<script>alert(""1. You have not registered yet!\n\n2. Wrong user name or password!"");location.href=""UserReg.asp"";</script>"
        rs.close : set rs = nothing
        response.end
    else
        ' articleid and face are concatenated unquoted
        sql = "Insert into article_remark(articleid,username,content,faceid,intime,ip)values("& articleid &",'"& username &"','"& content &"',"& face &",Now(),'"& ip &"')"
        conn.execute(sql)
        Response.write "<script>alert(""Comment posted successfully"");location.href=""remarkList.asp?unid="& articleid &""";</script>"
        response.end
    end if
elseif Request("method") = 2 then
    ' unid goes straight into the IN (...) list
    unid = Request("unid")
    conn.execute("update article_info set Audit = 0 where Unid in ("& unid &")")
    Response.Write("<script>alert(""Audit successful"");window.opener.location.reload();window.close();</script>")
    Response.End()
elseif Request("method") = 3 then
    unid = Request("unid")
    Response.Write("<script>window.opener.location.href=""admin_newsedit.asp?unid="&Unid &""";window.close();</script>")
    Response.End()
end if

if Request("Unid") = "" then
    Errmsg = "<li>An abnormal error was found.<li>The article number passed is empty."
    call Qcdn.Err_List(errmsg,3)
    Response.End()
else
    unid = Request("Unid")
end if
ad = Request("ad")
' Unid is only checked for being non-empty before it is concatenated
Sql = "Select title,content,Nclassid,classid,Nkey,hits,writer,writefrom,Intime,Popedom from article_info where Unid = " & Unid
Set Rs = conn.execute(Sql)
if Rs.eof and Rs.bof then
    Errmsg = "<li>An abnormal error was found.<li>Error number: error 108.<li>Please contact us to resolve the problem."
    call Qcdn.Err_List(errmsg,3)
    Response.End()
else
    Popedom = Rs(9)
    if AddPopedom then
        if Popedom = 1 then
            if Request.Cookies("qcdn")("user_name") = "" then
                Response.write ("<script>alert(""If you are a member, please log in before viewing."");window.close();</script>")
                Response.end
            end if
        end if
    end if
    Conn.execute("Update article_info set hits=hits+1 where Unid = " & Unid)
    title = Rs(0)
    content = Rs(1)
    Nclassid = Rs(2)
    classid = Rs(3)
    Nkey = Rs(4)
    hits = Rs(5)
    writer = Rs(6)
    writefrom = Rs(7)
    Intime = Rs(8)
end if
Rs.close
%>
```
Original poster  Posted: 04-02-16 03:34
Reply: hsmw [hsmw]
Why hasn't anyone come to help!
B1  Posted: 04-02-16 18:05
Reply: 286 [unique]
You already know what the problems are, and you still don't know how to fix them? You describe the first problem too vaguely; just add a check. For the second problem, change

```asp
Sql = "select Unid from article_User where username = '"& username &"' and password = '"& password &"'"
set rs = conn.execute(sql)
```

to

```asp
' Password must be in the select list for rs("Password") to be readable
Sql = "select Unid,Password from article_User where username = '"& username &"'"
set rs = conn.execute(sql)
if rs("Password")=password then
    ....
else
    ....
end if
```
B2  Posted: 04-02-17 09:42
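Both the posted script and the fix suggested in the reply above build their SQL by string concatenation: the login query still receives `username` that way, and the integer fields `articleid`, `face` and `unid` are never filtered at all (`Qcdn.checkStr` is only applied to the string fields), so `unid` in `method=2` and the `Unid` of the article page go into the SQL untouched. The following is an added example, not code from the thread, of how the same three queries can be written in classic ASP with ADODB.Command parameters and strict integer validation. It assumes that `conn` is the open ADODB.Connection from conn.asp and that `Qcdn.Err_List` exists as in the original; both are taken from the posted code, not shown here.

```asp
<%
' Added example: hardened replacements for the concatenated queries in the
' posted script. conn (from conn.asp) and Qcdn.Err_List are assumed to exist.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' True only for a non-empty string of ASCII digits (at most 9, so CLng fits).
' IsNumeric() alone is too loose: it also accepts "1e3", "&H1F", signs and spaces.
Function IsDigits(s)
    Dim i
    IsDigits = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsDigits = True
End Function

' Returns the record id as a Long, or -1 when the request value is not one.
' Null & "" yields "" so a missing request item is rejected as well.
Function ToUnid(value)
    ToUnid = -1
    If IsDigits(Trim(value & "")) Then ToUnid = CLng(Trim(value))
End Function

' For method=2: turns "3,17,42" into a list that is safe inside "where Unid in (...)".
' Returns "" if any element is not a plain integer, so the caller can refuse it.
Function SafeUnidList(csv)
    Dim parts, i, out
    parts = Split(csv & "", ",")
    out = ""
    For i = 0 To UBound(parts)
        If Not IsDigits(Trim(parts(i))) Then
            SafeUnidList = ""
            Exit Function
        End If
        If out <> "" Then out = out & ","
        out = out & CLng(Trim(parts(i)))
    Next
    SafeUnidList = out
End Function

' Login lookup with bound parameters: quotes in username or password travel
' as data, so they can no longer change the shape of the query.
' password is the value the original already hashes with md5(password,16).
Function FindUser(username, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select Unid from article_User where username = ? and password = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 32, password)
    Set rs = cmd.Execute
    If rs.EOF Then
        FindUser = 0          ' no such user / wrong password
    Else
        FindUser = rs(0)      ' Unid of the matching user
    End If
    rs.Close
    Set rs = Nothing
End Function

' Article lookup: Unid is bound as an integer parameter instead of being appended.
Function LoadArticle(unid)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select title,content,Nclassid,classid,Nkey,hits,writer,writefrom,Intime,Popedom from article_info where Unid = ?"
    cmd.Parameters.Append cmd.CreateParameter("unid", adInteger, adParamInput, , unid)
    Set LoadArticle = cmd.Execute
End Function

' Usage in place of the original checks:
Dim ids, articleUnid, Rs
If Request("method") = 2 Then
    ids = SafeUnidList(Request("unid"))
    If ids = "" Then
        Call Qcdn.Err_List("<li>Invalid article id list.", 3)
        Response.End
    End If
    ' every element of ids is a validated integer, so the IN list is safe to build
    conn.Execute "update article_info set Audit = 0 where Unid in (" & ids & ")"
End If

articleUnid = ToUnid(Request("Unid"))
If articleUnid < 1 Then
    Call Qcdn.Err_List("<li>An abnormal error was found.<li>The article number is missing or not a number.", 3)
    Response.End
End If
Set Rs = LoadArticle(articleUnid)
%>
```

With `Unid` reduced to a validated Long, the later `Update article_info set hits=hits+1 where Unid = ` concatenation in the original also becomes harmless, and the `method=1` branch can replace its concatenated login query with `If FindUser(username, password) = 0 Then` followed by the existing "not registered" alert.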
20CN Network Security Group. Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
粤ICP备05087286号