Beijing University Student Information bar whole site program V1.0 cookie Injection
Cast blog
In the gonggao.asp file, lines 9-31:
<%
Dim id, rs, SQL
' note: Request("id") is not tied to one collection; it searches QueryString, Form, then Cookies
id = Trim(Request("id"))
If id = "" Then
    Call list()
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")
' note: id is concatenated into the statement without validation
SQL = "select * from [gonggao] where id=" & CStr(id)
' (the excerpt does not show the rs.Open call that runs SQL)
If rs.EOF And rs.BOF Then
    Response.Write "no news"
    Response.End
End If
' Escapes angle brackets and converts line breaks for display
Function HTMLEncode(fString)
    fString = Replace(fString, ">", "&gt;")
    fString = Replace(fString, "<", "&lt;")
    fString = Replace(fString, Chr(13), "")
    fString = Replace(fString, Chr(10) & Chr(10), "</P><P>")
    fString = Replace(fString, Chr(10), "<BR>")
    HTMLEncode = fString
End Function
%>
Now let's look at its anti-injection file:
'-------- SQL anti-injection definition section ------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh
Fy_In = "or|join|union|like|modify|cast|drop|exec|insert|select|delete|update|count|alter|rename|chr|mid|truncate|char|declare|"
Fy_Inf = Split(Fy_In, "|")
'-------- POST part ------------------
' Checks every Request.Form value against the keyword list
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('!');history.back();</Script>"
                Response.End
            End If
        Next
    Next
End If
'-------- GET part -------------------
' Checks every Request.QueryString value against the keyword list
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('!');history.back();</Script>"
                Response.End
            End If
        Next
    Next
End If
'----------------------------------
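The filter checks only Request.Form and Request.QueryString; cookies are not covered at all. Because gonggao.asp reads id with Request("id"), which also falls back to the Cookies collection, we can use cookies for injection.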
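
One way to close this hole in gonggao.asp, as an added example (not the program's own code): read id from a single named collection, accept only digits, and bind the value as a parameter. The conn connection object and the IsDigits helper are assumptions, not names from the page.

```vbscript
<%
' Added example: hardened lookup for gonggao.asp.
' Assumption: conn is an already-open ADODB.Connection (name not from the page).
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Dim rawId, newsId, cmd, rs

' Read from one named collection. Request("id") would fall through
' QueryString -> Form -> Cookies, and the filter never checks Cookies.
rawId = Trim(Request.QueryString("id"))

If rawId = "" Then
    Call list()
    Response.End
End If

' Allow only a short run of digits; reject anything else before SQL is built.
If Not IsDigits(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
newsId = CLng(rawId)

' Bind the value as a typed parameter instead of concatenating it into the text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from [gonggao] where id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , newsId)
Set rs = cmd.Execute

If rs.EOF And rs.BOF Then
    Response.Write "no news"
    Response.End
End If

' Hypothetical helper: True only for 1 to 9 ASCII digits (always fits in a Long).
Function IsDigits(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsDigits = re.Test(s)
End Function
%>
```

With the value typed and bound, the keyword blacklist is no longer what stands between the request and the query, so a source the filter does not inspect cannot change the statement.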