The following is the quoted snippet:

<%@ LANGUAGE = VBScript.Encode %>
<!--#include file="Inc/SysProduct.asp" -->
<%
ShowSmallClassType=ShowSmallClassType_Article
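dim ID
' request("ID") searches QueryString, Form and Cookies in turn
ID=trim(request("ID"))
if ID="" then
    response.Redirect("cg_Product.asp")
end if

' ID is concatenated into the SQL statement without validation
sql="select * from cg_Product where ID=" & ID & ""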
Set rs= Server.CreateObject("ADODB.Recordset")
rs.open sql,conn,1,3
if rs.bof and rs.eof then
    response.write"<SCRIPT language=JavaScript>alert('找不到此成功案例!');"
    response.write"javascript:history.go(-1)</SCRIPT>"
else   
    rs("Hits")=rs("Hits")+1
    rs.update
%>

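    Only GET and POST input is filtered, and request("ID") also reads cookies, so cookie injection exists; an injection relay page is all that is needed.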

    amanda/cg_ProductShow.asp

    http://localhost/jmCook.asp?jmdcw=169%20and%201=1
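
Added example, not code from the original page or from the CMS: a hardened form of the lookup in cg_ProductShow.asp that reads ID only from Request.QueryString, restricts it to digits and binds it as an ADO parameter. It assumes conn is the open ADODB.Connection created by Inc/SysProduct.asp and that cg_Product.ID is an integer column.

```vbscript
<%@ LANGUAGE = VBScript %>
<!--#include file="Inc/SysProduct.asp" -->
<%
' Added example: hardened ID handling for cg_ProductShow.asp.
' Assumption: conn is the open ADODB.Connection from the include file,
' and cg_Product.ID is an integer column.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1
Const adExecuteNoRecords = 128

Dim rawID, productID, re, cmd, rs

' Read the query string only. request("ID") also falls back to
' Request.Form and Request.Cookies, which a GET/POST-only filter never sees.
rawID = Trim(Request.QueryString("ID"))

' Allow 1-9 decimal digits; IsNumeric alone would also accept "1e5".
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawID) Then
    Response.Redirect "cg_Product.asp"
End If
productID = CLng(rawID)

' Bind the value as a typed parameter instead of concatenating it.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, , productID)

' Same hit counter as the original, done in one parameterized UPDATE.
cmd.CommandText = "UPDATE cg_Product SET Hits = Hits + 1 WHERE ID = ?"
cmd.Execute , , adExecuteNoRecords

' Fetch the row with the same bound parameter.
cmd.CommandText = "SELECT * FROM cg_Product WHERE ID = ?"
Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "Product not found."
Else
    ' Render fields here, HTML-encoding each value; ID is shown as a sample.
    Response.Write Server.HTMLEncode(rs("ID") & "")
End If
rs.Close
%>
```

If the site keeps a global input filter, extend it to Request.Cookies as well, but treat the typed parameter as the actual control.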