Author:Tr4c3[at]126[dot]com
http://www.nspcn.org
http://www.tr4c3.com
Version:
BBSGood.Speed Version 4.0
Vulnerable file:
UserInfo.asp
Vulnerability description:
The variable Blogurl is passed into an SQL statement without any filtering, which results in an SQL injection vulnerability.
Code example:
Lines 1729-1853.
Case 14
    If Request.QueryString("save") = 1 Then
        If Trim(Request.Form("blogurl")) <> "" Then
            Set rsdj = Server.CreateObject("ADODB.Recordset")
            ' Vulnerable: the user-supplied blogurl value is concatenated straight into the SQL text
            rsdj2 = "select id from LxTel_User where blogurl='" & Trim(Request.Form("blogurl")) & "'"
            rsdj.open rsdj2, conn, 1, 1
            If Not (rsdj.bof And rsdj.eof) Then
                rsdj.close
                Set rsdj = Nothing
                Response.Write "<script>alert('该二级域名地址,已经被人使用');history.back(-1);</script>"
                Response.End
            Else
                rsdj.close
                Set rsdj = Nothing
            End If
        End If
...
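For comparison, a hardened version of the same blogurl check, added here as an illustration and not taken from the BBSGood.Speed source: the value is bound as an ADODB.Command parameter instead of being concatenated into the SQL string, and the subdomain label is allow-list validated first. It assumes an open ADODB.Connection named conn as in the original file; the helper names IsValidSubdomain and BlogUrlTaken are ours.

```vbscript
<%
' Added example: hardened version of the blogurl check. Not BBSGood.Speed code.
' Assumes an open ADODB.Connection object named conn, as in the original file.

' Allow-list check for the subdomain label before it goes anywhere near SQL.
Function IsValidSubdomain(label)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$"
    re.IgnoreCase = True
    IsValidSubdomain = re.Test(label)
End Function

' Same query as the original, but the value is bound as a parameter instead of
' being concatenated into the SQL text, so quotes in the input cannot alter the query.
Function BlogUrlTaken(conn, blogUrl)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT id FROM LxTel_User WHERE blogurl = ?"
    cmd.CommandType = 1   ' adCmdText
    ' 200 = adVarChar, 1 = adParamInput, 255 = maximum length
    cmd.Parameters.Append cmd.CreateParameter("blogurl", 200, 1, 255, blogUrl)
    Set rs = cmd.Execute
    BlogUrlTaken = Not (rs.BOF And rs.EOF)
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

If Request.QueryString("save") = "1" Then
    Dim blogUrl
    blogUrl = Trim(Request.Form("blogurl"))
    If blogUrl <> "" Then
        If Not IsValidSubdomain(blogUrl) Then
            Response.Write "<script>alert('Invalid subdomain');history.back(-1);</script>"
            Response.End
        End If
        If BlogUrlTaken(conn, blogUrl) Then
            Response.Write "<script>alert('该二级域名地址,已经被人使用');history.back(-1);</script>"
            Response.End
        End If
    End If
End If
%>
```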
Exploitation method:
http://www.tr4c3.com/post/267.html