LgKj.LocalDevilRank.asp:
The unused code at the beginning is omitted.
Sc=request.Form("ServerCode")
Job=request.Form("Job")
If Sc="" Then
'Default server: no request input reaches the query in this branch
Sql="SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID FROM Character INNER JOIN memb_info ON AccountID = memb_info.memb___id WHERE (memb_info.servercode = 0 ) AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"
rs1.open sql,conn,1,1
Else
if Job="" then
'ServerCode is concatenated into the WHERE clause unquoted and unvalidated
Sql="SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID FROM Character INNER JOIN memb_info ON AccountID = memb_info.memb___id WHERE (memb_info.servercode = "&Sc&" ) AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"
rs1.open sql,conn,1,1
else
'Both ServerCode and Job are spliced straight into the query text
Sql="SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID FROM Character INNER JOIN memb_info ON AccountID = memb_info.memb___id WHERE (memb_info.servercode = "&Sc&" ) AND (Class = "&Job&") AND (IsNull(CtlCode,0)<>1) ORDER BY PkCount DESC"
rs1.open sql,conn,1,1
end if
End If
This is the only injectable spot in the front end.
The only thing I can't see is the shared function library, which is not decrypted.
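A hardened version of the same ranking query, added here as an example and not taken from the LgKj code: it assumes the same conn object and the same tables and columns, and binds ServerCode and Job as typed ADODB parameters instead of concatenating them into the SQL string.

```vbscript
<%
' Added example (not the original LgKj code): same ranking query with the
' request values bound as typed parameters rather than string concatenation.
' Assumes the page's existing ADODB connection object conn and the same schema.
Dim Sc, Job, ScVal, Sql, Cmd, rs1
Sc  = Trim(Request.Form("ServerCode"))
Job = Trim(Request.Form("Job"))

' Both values are compared with integer columns in the original queries,
' so anything non-numeric is rejected before a query is built.
If Sc <> "" And Not IsNumeric(Sc) Then Response.End
If Job <> "" And Not IsNumeric(Job) Then Response.End

Sql = "SELECT Name,cLevel,Class,Money,PkLevel,PkCount,ResetLife,AccountID " & _
      "FROM Character INNER JOIN memb_info ON AccountID = memb_info.memb___id " & _
      "WHERE (memb_info.servercode = ?) AND (IsNull(CtlCode,0)<>1)"
If Job <> "" Then Sql = Sql & " AND (Class = ?)"
Sql = Sql & " ORDER BY PkCount DESC"

Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = conn
Cmd.CommandText = Sql
Cmd.CommandType = 1   ' adCmdText

' An empty ServerCode means server 0, as in the original first branch.
If Sc = "" Then ScVal = 0 Else ScVal = CLng(Sc)

' CreateParameter(Name, Type, Direction, Size, Value): adInteger = 3,
' adParamInput = 1. The driver types the value, so no part of the request
' string is ever spliced into the SQL text.
Cmd.Parameters.Append Cmd.CreateParameter("sc", 3, 1, , ScVal)
If Job <> "" Then Cmd.Parameters.Append Cmd.CreateParameter("job", 3, 1, , CLng(Job))

Set rs1 = Cmd.Execute
%>
```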
Next is the back-end login check, which appears in every back-end file.
The code before it is unused and omitted.
<%
'Check whether the administrator is logged in
AdminName = ReplaceBadChar(Trim(Request.Cookies(webkey)("AdminName")))
AdminPassword = ReplaceBadChar(Trim(Request.Cookies(webkey)("AdminPassword")))
RndPassword = ReplaceBadChar(Trim(Request.Cookies(webkey)("RndPassword")))
If AdminName = "" Or AdminPassword = "" Or RndPassword = "" Then
Response.Redirect "default.asp"
End If
%>
What a great verification method.
webkey defaults to BaiWanMuWebServer; in the newer version it seems to be BaiWanMU.Com.
The back end has no file-writing method at all!
There is one more vulnerability: the member login can be changed by editing the cookies, with no password check, but it isn't of much use.