Author: Legend of the Wind (http://www.anying.org). Reprints must credit the URL; otherwise do not reprint.
I found the source code of a program online and went through it looking for problems, searching the files one by one. Let's look at them in turn.

------------------------ Inject -----------------

First file: common.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from Common where id="&id
rs.open exec,conn,1,1
%>
A straightforward injection: the id parameter is concatenated directly into the query. Injection address: http://127.0.0.1/common.asp?id=xx [SQL]

Second file: down_detail.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from [download] where id="&id
rs.open exec,conn,1,1
if rs.eof then
response.write "<div style=""padding:10px"">no record!</div>"
response.End()
end if
%>
Injection address: http://127.0.0.1/down_detail.asp?id=xx [SQL]

Third file: Downloads.asp
<%
id=request.QueryString("id")
exec="select * from download where id="&id
set rs=server.createobject("adodb.recordset")
rs.open exec,conn,1,1
SQL="update download set js=js+1 where id="&id&" and js is not null"  'download counter
conn.execute(SQL)
response.redirect ""&rs("url")&""
rs.close
set rs=nothing
%>
A single quote placed directly in the parameter throws a database error, and the page then redirects. Injection address: http://127.0.0.1/Downloads.asp?id=xx [SQL]

Fourth file: job_yp.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from zpxx where id="&id
rs.open exec,conn,1,1
%>
http://127.0.0.1/job_yp.asp?id=xx [SQL]

Fifth file: news.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
if id="" then
exec="select * from news order by id desc"
else
exec="select * from news where ssfl="&id&" order by id desc"
end if
rs.open exec,conn,1,1
%>
http://www.bkjia.com/news.asp?id=xx [SQL]

Sixth file: news_detail.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from news where id="&id
rs.open exec,conn,1,1
if rs.eof then
response.write "<div style=""padding:10px"">no news!</div>"
response.end()
end if
set dh=server.createobject("adodb.recordset")
SQL="select * from news_fl where id="&rs("ssfl")&""
dh.open SQL,conn,1,1
%>
http://127.0.0.1/news_detail.asp?id=xx [SQL]

Seventh file: pro_detail.asp
<%
id=request.QueryString("id")
set rsa=server.createobject("adodb.recordset")
exec="select * from [Products] where id="&id
rsa.open exec,conn,1,1
if rsa.eof then
response.write "no such information record!"
response.End()
end if
%>
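All seven files above share one pattern: the id query-string value is concatenated straight into the SQL text and nothing checks it. The following hardened rewrite of common.asp is an added example, not the audited program's own code; it assumes the same open ADODB connection named conn that the original files use and the Common table from the page. The fix is twofold: whitelist the input as a decimal integer, and bind it as a typed parameter so the database never interprets it as SQL.

```asp
<%
' Added example: hardened common.asp. Not the audited program's own code.
' Assumes an open ADODB.Connection named conn, as the original files do.
Dim id, re, cmd, rs

' 1. Validate the input against a strict whitelist before it reaches the
'    database: a record id must be 1-9 decimal digits and nothing else.
'    (IsNumeric is too loose here: it also accepts things like "1e3".)
id = Trim(Request.QueryString("id"))
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If

' 2. Bind the value as a typed parameter instead of concatenating it into
'    the SQL string. The query text is fixed; only the integer travels with it.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                                   ' adCmdText
cmd.CommandText = "SELECT * FROM Common WHERE id = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(id))
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "<div style=""padding:10px"">no record!</div>"
Else
    ' Render the row here. Every field echoed back to the browser is
    ' HTML-encoded so stored markup is shown as text rather than executed.
    Response.Write "<div>" & Server.HTMLEncode(rs("id") & "") & "</div>"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The same two steps apply unchanged to down_detail.asp, Downloads.asp, job_yp.asp, news.asp, news_detail.asp and pro_detail.asp; for Downloads.asp the UPDATE that bumps the js counter gets its own bound parameter in the same way.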
----------------------- XSS ---------------

pass.asp
<%
ip=request.servervariables("remote_addr")
ypzw=request.form("ypzw")
name=request.form("name")
sex=request.form("sex")
nn=request.form("nn")
mz=request.form("mz")
hj=request.form("hj")
hyzk=request.form("hyzk")
sg=request.form("sg")
tz=request.form("tz")
sfz=request.form("sfz")
xueli=request.form("xueli")
szd=request.form("szd")
byyx=request.form("byyx")
tel=request.form("tel")
sj=request.form("sj")
jybj=request.form("jybj")
gzjn=request.form("gzjn")
zc=request.form("zc")
set rs=server.createobject("adodb.recordset")
SQL="select * from Resume"
rs.open SQL,conn,1,3
rs.addnew
rs("ypzw")=ypzw
rs("name")=name
rs("sex")=sex
rs("nn")=nn
rs("mz")=mz
rs("ip")=ip
rs("hj")=hj
rs("hyzk")=hyzk
rs("sg")=sg
rs("tz")=tz
rs("sfz")=sfz
rs("xueli")=xueli
rs("szd")=szd
rs("byyx")=byyx
rs("tel")=tel
rs("sj")=sj
rs("jybj")=jybj
rs("gzjn")=gzjn
rs("zc")=zc
rs.update
rs.close
set rs=nothing
conn.close
set conn=nothing
Response.write "<script>alert('Congratulations! Your resume has been submitted!');window.location.href='/job.asp';</script>"
%>
There is no filtering at all; every form field is stored as submitted. How to exploit the XSS is left for you to test; here I only read the code.

-------------- Editor ---------------------------------------

http://127.0.0.1/system/xyeWebEditor/admin/default.asp
Default account: XY2010, password: XY2010

------------- Backend --------------------

The backend login checks the SESSION and filters single quotes, so there is no way to use the "universal password" bypass. I then went through all the files and found one without SESSION verification. It is not very harmful, but it is still a vulnerability: /system/left.asp lacks the <!--#include file="seeion.asp"--> line, so it can be viewed directly:

http://127.0.0.1//system/left.asp

----------------------------------------------------------------

That's all for now; anyone interested can keep digging.

PS: to whoever wrote this program... please study security.
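Two defensive pieces for the issues noted above, as an added example that is not the audited program's code. The first is a session guard in the style of the include that /system/left.asp forgot; the file and session-key names (auth_check.asp, admin_logged_in, /system/login.asp) are assumptions. The second renders the Resume rows that pass.asp stores without any filtering, and shows where the protection actually belongs: at output, where Server.HTMLEncode turns a stored <script> tag into harmless text. It assumes the open connection conn and the Resume column names from the page.

```asp
<%
' --- auth_check.asp (hypothetical name) -----------------------------------
' Added example, not the audited program's code. Include this at the top of
' EVERY backend page. Any page that omits the include, as /system/left.asp
' omits its session include, is reachable without logging in, so the check
' must be in one shared file rather than re-typed per page.
If Session("admin_logged_in") <> True Then
    Response.Redirect "/system/login.asp"   ' assumed login page path
    Response.End
End If
%>

<%
' --- resume_list.asp (hypothetical name) ----------------------------------
' Added example, not the audited program's code. pass.asp stores whatever
' the form posted, so a resume field may contain markup. Encoding each value
' at output time keeps the browser from executing it regardless of what was
' stored. Assumes the open ADODB.Connection conn used throughout the program.
Dim rs, fieldName
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "SELECT name, ypzw, tel, gzjn FROM Resume", conn, 1, 1   ' adOpenKeyset, adLockReadOnly

Response.Write "<table>"
Do Until rs.EOF
    Response.Write "<tr>"
    For Each fieldName In Array("name", "ypzw", "tel", "gzjn")
        ' "& """"" turns a Null field into an empty string before encoding;
        ' HTMLEncode escapes < > & and quotes, so "<script>" renders as text.
        Response.Write "<td>" & Server.HTMLEncode(rs(fieldName) & "") & "</td>"
    Next
    Response.Write "</tr>"
    rs.MoveNext
Loop
Response.Write "</table>"

rs.Close
Set rs = Nothing
%>
```

Encoding on output rather than stripping on input is the reliable choice here: the Resume table is already full of unfiltered data, and the listing page is what the administrator's browser actually renders.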