Vulnerability 1
Vulnerability type: stored XSS
Code file: LstBook.Asp
Code in detail:
[php]
<%
' Guestbook submission handler. Every field is only passed through Trim()
' before it is written to [LstBook]; nothing is validated or encoded.
If action="addbook" Then
    If Trim(Request("xm"))="" Then
        Call alert("姓名不能为空","-1")
    End If
    If Trim(Request("sj"))="" Then
        Call alert("手机不能为空","-1")
    End If
    If Trim(Request("dz"))="" Then
        Call alert("地址不能为空","-1")
    End If
    ' Insert the submitted values unchanged; "time" and "state" are set server-side
    Set oRs=server.createobject("adodb.recordset")
    sSql="Select * from [LstBook]"
    oRs.open sSql,oconn,1,3
    oRs.addnew
    oRs("xm")=Trim(Request("xm"))
    oRs("sj")=Trim(Request("sj"))
    oRs("dz")=Trim(Request("dz"))
    oRs("qq")=Trim(Request("qq"))
    oRs("email")=Trim(Request("email"))
    oRs("ly")=Trim(Request("ly"))
    oRs("time")=now()
    oRs("state")=0
    oRs.update
    oRs.close
    Call Alert("您的留言提交成功,我们将尽快给您解答。","/lstbook.asp")
    Set oRs = Nothing
End If
%>
[/php]
Exploitation notes: all of the code above only uses Trim to strip whitespace, so..... heh, this XSS can be used to capture cookies and get into the backend!
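An added hardening example for the guestbook, written in classic ASP/VBScript; it is not the project's own code. The real defence against a stored XSS is encoding at output time, so the block stores the trimmed text as before but renders it through Server.HTMLEncode, and it also caps field lengths and reads Request.Form rather than the collection-less Request(). It assumes, as the snippet above does, that oConn is an open ADODB.Connection and Alert() is the site's existing helper; the column list and the "state = 1" filter in the rendering query are assumptions about the schema.

```vbscript
<%
' Added hardening example for LstBook.asp; not the project's own code.
' Assumes oConn (open ADODB.Connection) and Alert() exist as in the original.
Dim xm, sj, dz, qq, email, ly, oRs

' Read one form field, trim it and cap its length. Request.Form (instead of
' Request()) keeps query-string and cookie values out of the guestbook.
Function CleanField(name, maxLen)
    Dim v
    v = Trim(Request.Form(name) & "")
    If Len(v) > maxLen Then v = Left(v, maxLen)
    CleanField = v
End Function

If Request.Form("action") = "addbook" Then
    xm    = CleanField("xm", 50)
    sj    = CleanField("sj", 20)
    dz    = CleanField("dz", 200)
    qq    = CleanField("qq", 20)
    email = CleanField("email", 100)
    ly    = CleanField("ly", 2000)

    ' End the response after each failed check regardless of what Alert()
    ' does internally, so a failed check can never fall through to the insert.
    If xm = "" Then
        Call Alert("姓名不能为空", "-1")
        Response.End
    End If
    If sj = "" Then
        Call Alert("手机不能为空", "-1")
        Response.End
    End If
    If dz = "" Then
        Call Alert("地址不能为空", "-1")
        Response.End
    End If

    ' Storing the raw text is fine: the recordset binds the values, and the
    ' protection against stored XSS is applied when the text is rendered.
    Set oRs = Server.CreateObject("ADODB.Recordset")
    oRs.Open "SELECT * FROM [LstBook]", oConn, 1, 3
    oRs.AddNew
    oRs("xm") = xm
    oRs("sj") = sj
    oRs("dz") = dz
    oRs("qq") = qq
    oRs("email") = email
    oRs("ly") = ly
    oRs("time") = Now()
    oRs("state") = 0
    oRs.Update
    oRs.Close
    Set oRs = Nothing
    Call Alert("您的留言提交成功,我们将尽快给您解答。", "/lstbook.asp")
    Response.End
End If

' Rendering approved entries: every database value goes through
' Server.HTMLEncode, so a stored <script> tag is displayed as text, never run.
' (The "state = 1" filter is an assumption about how approval is flagged.)
Set oRs = oConn.Execute("SELECT xm, ly, [time] FROM [LstBook] WHERE state = 1 ORDER BY [time] DESC")
Do While Not oRs.EOF
    ' Appending "" turns a NULL column into "" so HTMLEncode does not error
    Response.Write "<p><b>" & Server.HTMLEncode(oRs("xm") & "") & "</b> (" _
        & Server.HTMLEncode(oRs("time") & "") & ")<br>" _
        & Server.HTMLEncode(oRs("ly") & "") & "</p>"
    oRs.MoveNext
Loop
oRs.Close
Set oRs = Nothing
%>
```

The length caps are arbitrary values chosen for the example; what matters for the XSS is that no value read back from [LstBook] reaches the HTML without Server.HTMLEncode, including in the admin backend that reviews entries.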
Vulnerability 2
Vulnerability type: SQL injection
Code file: LstInfo.asp
Code in detail:
[php]
<%
' Id is set in conn.asp from Request and arrives here unvalidated
If Id="" Then
    Call alert("参数错误,返回首页.","/")
End If
' This page: Id is concatenated straight into both SQL statements
Set v= oConn.Execute("SELECT top 1 * FROM [LstJob] where Id ="&Id)
If v.bof And v.eof Then
    Call BackUrl("/")
End If
oConn.Execute("UPDATE [LstJob] SET Jobhits = Jobhits +1 where Id ="&Id)
%>
[/php]
Code explanation: the Id variable is in the "" file, and in conn.asp Id is obtained with Request~!!! So it is obvious~!
PS: three basic test statements are listed below. Work out the others yourself!
/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select * from lstadmin)
/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select usradmin from lstadmin)
/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select usrpass from lstadmin)
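An added hardening example in classic ASP/VBScript, not the project's own code, showing how LstInfo.asp could validate Id and bind it as an ADODB.Command parameter so that request input is never concatenated into SQL. It assumes oConn, Alert() and BackUrl() exist as in the snippet above and that Id arrives on the query string; the Const values are the standard ADODB enum constants, declared inline so the page does not depend on adovbs.inc. The digit-by-digit check is used instead of IsNumeric because IsNumeric also accepts forms such as "1e3" and "&H10", and VBScript does not short-circuit Or, so CLng() must not run on an empty string.

```vbscript
<%
' Added hardening example for LstInfo.asp; not the project's own code.
' Assumes oConn (open ADODB.Connection), Alert() and BackUrl() as in the original.
Const adInteger    = 3   ' ADODB DataTypeEnum
Const adParamInput = 1   ' ADODB ParameterDirectionEnum
Const adCmdText    = 1   ' ADODB CommandTypeEnum

Dim Id, cmd, v

' True only for a string of 1 to 9 decimal digits whose value is > 0.
' The length cap keeps CLng() within range; no Or/And short-circuiting is relied on.
Function IsPositiveInteger(s)
    Dim i
    IsPositiveInteger = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsPositiveInteger = (CLng(s) > 0)
End Function

' Read Id from the query string explicitly rather than from Request()
Id = Trim(Request.QueryString("Id") & "")

If Not IsPositiveInteger(Id) Then
    Call Alert("参数错误,返回首页.", "/")
    Response.End   ' never reach the queries with a rejected value
End If

' Bind Id as a typed parameter: the driver sends it as a value, so
' the text of the SQL statement cannot be altered by the request.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = oConn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT TOP 1 * FROM [LstJob] WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("Id", adInteger, adParamInput, , CLng(Id))
Set v = cmd.Execute

If v.BOF And v.EOF Then
    v.Close
    Call BackUrl("/")
    Response.End
End If

' The hit-counter update reuses the same bound parameter (one "?" placeholder)
cmd.CommandText = "UPDATE [LstJob] SET Jobhits = Jobhits + 1 WHERE Id = ?"
cmd.Execute

' ... render fields from v here, HTML-encoding each one with Server.HTMLEncode ...
v.Close
Set v = Nothing
Set cmd = Nothing
%>
```

Because the value is bound, a query-string value such as the "1 and exists(...)" forms listed above is rejected by IsPositiveInteger before any SQL runs, and even a value that passed validation could only ever be compared as an integer. If Id is also needed in conn.asp, apply the same validation there, since that is where the post says it is first read.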