
Vulnerability summary

Defect ID: wooyun-2014-067690

Title: Blind XSS vulnerability in 讯时网站管理系统 (Xunshi Website Management System)

Vendor: 讯时网站管理系统

Author: ckwave

Submitted: 2014-07-16 16:23

Fix time: 2014-08-30 16:24

Disclosed: 2014-08-30 16:24

Type: XSS (cross-site scripting)

Severity: Low

Self-assessed rank: 10

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-07-16: Vendor contacted and awaiting the vendor's acknowledgement; details not disclosed publicly
2014-08-30: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

讯时网站管理系统 is an ASP website management system with a clean interface and a very good user experience, free and open source; its news module in particular is popular with webmasters. When using it, the CMS's homepage requires you to design a template yourself, which is then configured in the back end and pulled in via JS calls. The back-end functionality is therefore fairly complete; see the screenshots.

Detailed description:

Look at the ly-write.asp file in the site root:

<!--#include file = admin_conn.asp -->
<!--#include file = titleb.asp -->
<head>
<STYLE type="text/css">
<!--
a:link {text-decoration: none; font-family: AdobeSm; color: #000000 }
a:visited {text-decoration: none; color: #000000 }
A:hover {COLOR: green; FONT-FAMILY: "宋体,MingLiU"; TEXT-DECORATION: underline}
body {font-size: 9pt; font-family: 宋体,MingLiU, Arial;color: #000000}
TD {FONT-SIZE: 9pt; FONT-FAMILY: "宋体,MingLiU, Arial";color: #000000;table-layout:fixed;word-break:break-all}
p {FONT-SIZE: 9pt; FONT-FAMILY: "宋体,MingLiU, Arial";color: #000000}
input {FONT-SIZE: 9pt; FONT-FAMILY: "宋体,MingLiU, Arial";color: #000000}
body {margin-top: 0; margin-bottom: 0;margin-left:0;margin-right:0; color: #000000}
select {FONT-SIZE: 9PT;}
option {FONT-SIZE: 9pt;}
textarea {FONT-SIZE: 9pt;}
-->
</STYLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta http-equiv="Content-Language" content="zh-cn">
<title>欢迎访问留言薄</title>
</head>
<body bgcolor="#B2C5D3">
<div align="center">
<table border="0" cellpadding="0" cellspacing="0" width="760" id="table1">
<tr>
<td><img border="0" src="images/lyTOPS.gif" width="760" height="89"></td>
</tr>
</table>
</div>
<div align="center">
<table border="0" cellpadding="5" cellspacing="0" width="760" id="table2" bgcolor="#FFFFFF">
<tr>
<td>
<p align="center">
<a href="ly-write.asp">
<img border="0" src="images/lywrite.gif" width="89" height="37"></a>&nbsp;
<a href="ly.asp">
<img border="0" src="images/lyread.gif" width="89" height="37"></a></td>
</tr>
</table>
</div>
<%
username=trim(chkhtm(Request("username")))
email=trim(chkhtm(Request("email")))
sex=trim(chkhtm(Request("sex")))
lb=trim(chkhtm(request("lb")))
title=trim(chkhtm(Request("title")))
content=trim(chkhtm(Request("content")))
bm=trim(chkhtm(request("bm")))
lyyzmm=trim(chkhtm(request("lyyzmm")))
lyyzm=trim(chkhtm(request("lyyzm")))
if lyyzmm<>"" and lyyzm<>"" then
if int(lyyzmm)<>int(lyyzm) then
Response.Write "<script>alert('验证码输入不正确');</script>"
Response.Write "<META http-equiv='refresh' content='0;url=ly-write.asp'>"
Response.end
end if
end if
if username="" or email="" or sex="" or title="" or content="" or lb="" then
%>
<div align="center">
<table border="1" cellpadding="10" width="760" id="table3" style="border-collapse: collapse" bordercolor="#C0C0C0" bgcolor="#FFFFFF">

<!--webbot BOT="GeneratedScript" PREVIEW=" " startspan --><script Language="JavaScript" Type="text/javascript"><!--
function FrontPage_Form1_Validator(theForm)
{
if (theForm.username.value == "")
{
alert("请在 你的姓名 域中输入值。");
theForm.username.focus();
return (false);
}
if (theForm.username.value.length < 2)
{
alert("在 你的姓名 域中,请至少输入 2 个字符。");
theForm.username.focus();
return (false);
}
if (theForm.username.value.length > 10)
{
alert("在 你的姓名 域中,请最多输入 10 个字符。");
theForm.username.focus();
return (false);
}
if (theForm.Email.value == "")
{
alert("请在 电子邮件 域中输入值。");
theForm.Email.focus();
return (false);
}
if (theForm.Email.value.length < 5)
{
alert("在 电子邮件 域中,请至少输入 5 个字符。");
theForm.Email.focus();
return (false);
}
if (theForm.Email.value.length > 50)
{
alert("在 电子邮件 域中,请最多输入 50 个字符。");
theForm.Email.focus();
return (false);
}
if (theForm.sex.selectedIndex < 0)
{
alert("请选择“性别”选项中的一项。");
theForm.sex.focus();
return (false);
}
if (theForm.sex.selectedIndex == 0)
{
alert("第一个“性别”选项无效。 请选择其他选项中的一项。");
theForm.sex.focus();
return (false);
}
if (theForm.lb.selectedIndex < 0)
{
alert("请选择“留言类型”选项中的一项。");
theForm.lb.focus();
return (false);
}
if (theForm.lb.selectedIndex == 0)
{
alert("第一个“留言类型”选项无效。 请选择其他选项中的一项。");
theForm.lb.focus();
return (false);
}
if (theForm.lyyzm.value == "")
{
alert("请在 验证码 域中输入值。");
theForm.lyyzm.focus();
return (false);
}
if (theForm.lyyzm.value.length < 5)
{
alert("在 验证码 域中,请至少输入 5 个字符。");
theForm.lyyzm.focus();
return (false);
}
if (theForm.lyyzm.value.length > 5)
{
alert("在 验证码 域中,请最多输入 5 个字符。");
theForm.lyyzm.focus();
return (false);
}
var checkOK = "0123456789-";
var checkStr = theForm.lyyzm.value;
var allValid = true;
var validGroups = true;
var decPoints = 0;
var allNum = "";
for (i = 0; i < checkStr.length; i++)
{
ch = checkStr.charAt(i);
for (j = 0; j < checkOK.length; j++)
if (ch == checkOK.charAt(j))
break;
if (j == checkOK.length)
{
allValid = false;
break;
}
allNum += ch;
}
if (!allValid)
{
alert("在 验证码 域中,只能输入 数字 字符。");
theForm.lyyzm.focus();
return (false);
}
if (theForm.title.value == "")
{
alert("请在 留言标题 域中输入值。");
theForm.title.focus();
return (false);
}
if (theForm.title.value.length < 2)
{
alert("在 留言标题 域中,请至少输入 2 个字符。");
theForm.title.focus();
return (false);
}
if (theForm.title.value.length > 50)
{
alert("在 留言标题 域中,请最多输入 50 个字符。");
theForm.title.focus();
return (false);
}
if (theForm.content.value == "")
{
alert("请在 留言内容 域中输入值。");
theForm.content.focus();
return (false);
}
if (theForm.content.value.length < 1)
{
alert("在 留言内容 域中,请至少输入 1 个字符。");
theForm.content.focus();
return (false);
}
return (true);
}
//--></script><!--webbot BOT="GeneratedScript" endspan --><form method="POST" action="ly-write.asp" name="FrontPage_Form1" onsubmit="return FrontPage_Form1_Validator(this)" language="JavaScript">
<tr>
<td width="722" align="center">

<div align="center">
<table border="1" cellpadding="5" width="708" id="table5" style="border-collapse: collapse" bordercolor="#C0C0C0">
<tr>
<td width="128" align="center">你的姓名</td>
<td width="557">
&nbsp;<!--webbot bot="Validation" s-display-name="你的姓名" b-value-required="TRUE" i-minimum-length="2" i-maximum-length="10" --><input type="text" name="username" size="52" maxlength="10"></td>
</tr>
<tr>
<td width="128" align="center">电子邮件</td>
<td width="557">
&nbsp;<!--webbot bot="Validation" s-display-name="电子邮件" b-value-required="TRUE" i-minimum-length="5" i-maximum-length="50" --><input type="text" name="Email" size="52" maxlength="50"></td>
</tr>
<tr>
<td width="128" align="center">性  别</td>
<td width="557">&nbsp;<!--webbot bot="Validation" s-display-name="性别" b-value-required="TRUE" b-disallow-first-item="TRUE" --><select size="1" name="sex">
<option>请选择...</option>
<option>男</option>
<option>女</option>
</select></td>
</tr>
<tr>
<td width="128" align="center">留言类型</td>
<td width="557">
&nbsp;<!--webbot bot="Validation" s-display-name="留言类型" b-value-required="TRUE" b-disallow-first-item="TRUE" --><select size="1" name="lb">
<option>请选择...</option>
<%
set rs = Server.CreateObject("ADODB.RecordSet")
rs.Open "select * from [lylb] order by id asc",conn,1,1
while not rs.eof
%>
<option value='<%=rs("id")%>'><%=rs("lb")%></option>
<%
rs.movenext
wend
rs.close:set rs=nothing
%>
</select></td>
</tr>
<tr>
<td width="128" align="center">验证码
<%
Randomize
an=""
an= int((99999-22222+1) * RND +22222)
%>
<textarea style='display:none' cols=1 name='lyyzmm'><%=an%></textarea>
</td>
<td width="557">
&nbsp;<!--webbot bot="Validation" s-display-name="验证码" s-data-type="Integer" s-number-separators="x" b-value-required="TRUE" i-minimum-length="5" i-maximum-length="5" --><input type="text" name="lyyzm" size="15" maxlength="5">
<%
Response.Write an
%>
</td>
</tr>
<tr>
<td width="128" align="center">留言标题</td>
<td width="557">
&nbsp;<!--webbot bot="Validation" s-display-name="留言标题" b-value-required="TRUE" i-minimum-length="2" i-maximum-length="50" --><input type="text" name="title" size="52" maxlength="50"></td>
</tr>
<tr>
<td width="128" align="center">留言内容</td>
<td width="557">
&nbsp;<!--webbot bot="Validation" s-display-name="留言内容" b-value-required="TRUE" i-minimum-length="1" --><textarea rows="9" name="content" cols="82"></textarea></td>
</tr>
<tr>
<td width="128" align="center">是否保密</td>
<td width="557">&nbsp;<input type="radio" value="1" name="bm">保密 <input type="radio" value="0" checked name="bm">不保密  <font color="#999999">(仅工作人员可以查看)</font></td>
</tr>
</table>
</div>

<p align="center">
<input type=hidden name=sh value=<%=config("lysh")%>>
<input type="submit" value="提交" name="B1">   <input type="reset" value="重置" name="B2"></p>

</td>
</tr></form>
</table>
</div>
<%
else
sh=chkhtm(trim(request("sh")))
userip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If userip = "" Then userip = Request.ServerVariables("REMOTE_ADDR")
Randomize
an= int((10-1+1) * RND +1)
if sex="男" then
tx="images/lylan-"&an&".gif"
else
tx="images/lynv-"&an&".gif"
end if
addtime=date()
content=replace(content,chr(13),"<BR>")
conn.Execute "insert into [ly] ([adduser],[email],[sex],[tx],[title],[content],[ip],[addtime],[bm],[lb],[sh]) values('"&username&"','"&email&"','"&sex&"','"&tx&"','"&title&"','"&content&"','"&userip&"','"&addtime&"','"&bm&"','"&lb&"',"&sh&")"
conn.close:set conn=nothing
if sh=1 then
er=1
end if
Response.Redirect "ly.asp?er="&sh
end if
%>
<div align="center">
<table border="1" cellpadding="5" width="760" id="table4" bgcolor="#FFFFFF" style="border-collapse: collapse" bordercolor="#C0C0C0">
<tr>
<td>
</td>
</tr>
</table>
</div>
<div align="center">
<table border="0" cellpadding="0" cellspacing="0" width="760" height="37" id="table5">
<tr>
<td background="images/lydown.gif"> </td>
</tr>
</table>
</div>
<%
'rs.close:set rs=nothing
conn.close:set conn=nothing
%>


Variable: Request.ServerVariables("HTTP_X_FORWARDED_FOR") is stored without any filtering.
Next, the admin/admin_ly.asp file:

<%
if Request.Cookies("admindj")="3" then
Response.Write "<BR><BR><BR><BR><center>权限不足,你没有此功能的管理权限"
Response.end
end if
%>
<!--#include file = admin_chk.asp -->
<!--#include file = admin_conn.asp -->
<!--#include file = titleb.asp -->
<%
if Request.Cookies("admindj")="2" and config("shylysh")="0" then
Response.Write "<BR><BR><BR><BR><center>权限不足,你没有此功能的管理权限."
Response.end
end if
%>
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta content="zh-cn" http-equiv="Content-Language">
<STYLE type="text/css">
<!--
a:link {text-decoration: none; font-family: AdobeSm; color: #000000 }
a:visited {text-decoration: none; color: #000000 }
A:hover {COLOR: green; FONT-FAMILY: "宋体,MingLiU"; TEXT-DECORATION: underline}
body {font-size: 9pt; font-family: 宋体,MingLiU, Arial;color: #000000}
TD {FONT-SIZE: 9pt; FONT-FAMILY: "宋体,MingLiU, Arial";color: #000000;table-layout:fixed;word-break:break-all}
p {FONT-SIZE: 9pt; FONT-FAMILY: "宋体,MingLiU, Arial";color: #000000}
input {FONT-SIZE: 9pt; FONT-FAMILY: "宋体,MingLiU, Arial";color: #000000}
body {margin-top: 0; margin-bottom: 0;margin-left:0;margin-right:0; color: #000000}
select {FONT-SIZE: 9PT;}
option {FONT-SIZE: 9pt;}
textarea {FONT-SIZE: 9pt;}
-->
</STYLE>
</head>
<BR>
<%
viewid=trim(request("viewid"))
delid=trim(request("delid"))
hyid=trim(request("hyid"))
shid=trim(Request("shid"))
sh=trim(Request("sh"))
content=trim(request("content"))
addtime=date()
if shid<>"" and sh<>"" then
conn.Execute "update [ly] set [sh]="&sh&" where id="&clng(shid)
end if
if hyid<>"" and content<>"" then
userip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If userip = "" Then userip = Request.ServerVariables("REMOTE_ADDR")
Set rs2 = Server.CreateObject("ADODB.RecordSet")
rs2.Open "select * from [lyhf] where lyid="&hyid&" order by id desc",conn,1,3
if rs2.recordcount=0 then
conn.Execute "insert into [lyhf] ([lyid],[content],[addtime],[tx],[ip]) values('"&hyid&"','"&content&"','"&addtime&"','../images/ly-00.gif','"&userip&"')"
else
rs2("content")=content
rs2("addtime")=now()
rs2.update
end if
end if
if delid<>"" then
conn.Execute "delete from [ly] where ID="&CInt(delid)
conn.Execute "delete from [lyhf] where lyID="&CInt(delid)
end if

if viewid<>"" then
Set rs = Server.CreateObject("ADODB.RecordSet")
rs.Open "select * from [ly] where id="&viewid&" order by id desc",conn,1,1
if rs.recordcount<>0 then

lb=rs("lb")
if (not isNumeric(lb)) then
lb=0
end if
set rs2 = Server.CreateObject("ADODB.RecordSet")
rs2.Open "select * from [lylb] where id="&lb&" order by id desc",conn,1,1
while not rs2.eof
lb=rs2("lb")
rs2.movenext
wend
rs2.close:set rs2=nothing
%>
<table align=center border="1" cellpadding="5" width="700" id="table2" style="border-collapse: collapse" bordercolor="#C0C0C0" bgcolor="#FFFFFF">
<tr>
<td width="700" align="center" background="../images/bg1.gif" colspan="2">
 <font color="#FFFFFF"><%=rs("title")%></font><font color="#FFFF00">(<%=lb%>)</font></td>
</tr>
<tr>
<td width="201" align="center" style="line-height: 150%" valign="top"><img border=1 src=../<%=rs("tx")%>>
<div align="center">
<table border="0" cellpadding="2" cellspacing="0" width="201" id="table3">
<tr>
<td width="74" align="right">姓名:</td>
<td width="127"><%=rs("adduser")%></td>
</tr>
<tr>
<td width="74" align="right">来自:</td>
<td width="127"><%=rs("ip")%></td>
</tr>
<tr>
<td width="74" align="right">邮箱:</td>
<td width="127"><a href="mailto:<%=rs("email")%>"><img border="0" src="../images/lymail.gif" width="16" height="16"></a></td>
</tr>
<tr>
<td width="74" align="right">时间:</td>
<td width="127"><%=rs("addtime")%></td>
</tr>
</table>
</div>
</td>
<td width="476" valign="top"><%=rs("content")%></td>
</tr>
<!--webbot BOT="GeneratedScript" PREVIEW=" " startspan --><script Language="JavaScript" Type="text/javascript"><!--
function FrontPage_Form1_Validator(theForm)
{
if (theForm.content.value == "")
{
alert("请在 回复 域中输入值。");
theForm.content.focus();
return (false);
}
if (theForm.content.value.length < 1)
{
alert("在 回复 域中,请至少输入 1 个字符。");
theForm.content.focus();
return (false);
}
return (true);
}
//--></script><!--webbot BOT="GeneratedScript" endspan --><form method="POST" action="admin_ly.asp?hyid=<%=viewid%>" name="FrontPage_Form1" onsubmit="return FrontPage_Form1_Validator(this)" language="JavaScript"><tr>
<td width="677" align="center" style="line-height: 150%" valign="top" colspan="2">
<%
Set rs2 = Server.CreateObject("ADODB.RecordSet")
rs2.Open "select * from [lyhf] where lyid="&viewid&" order by id desc",conn,1,1
if rs2.recordcount<>0 then
content=rs2("content")
end if
%>
<p>
&nbsp;<!--webbot bot="Validation" s-display-name="回复" b-value-required="TRUE" i-minimum-length="1" --><textarea rows="9" name="content" cols="96"><%=content%></textarea><br>
<input type="submit" value="提交" name="B1">&nbsp;&nbsp;&nbsp;&nbsp; <input type="reset" value="重置" name="B2"></p>

</td>
</tr></form>
</table>
<%
end if
end if
%>
<BR>
<div align="center">
<table border="1" cellpadding="2" width="700" id="table5" style="border-collapse: collapse" bordercolor="#C0C0C0" background="../images/bj3.jpg" height="25">
<tr>
<td width="139" align="center"><a href="admin_ly_lb.asp">留言类别管理</a></td>
<td width="139" align="center"><a target="_blank" href="../ly.asp">ly.asp页面链接</a></td>
<td width="140" align="center"> </td>
<td width="140" align="center"> </td>
<td width="140" align="center"> </td>
</tr>
</table>
</div>
<BR></p>
<div align="center">
<table border="1" cellpadding="4" width="700" id="table1" style="border-collapse: collapse" bordercolor="#C0C0C0">
<tr>
<td width="729" align="center" height="25" colspan="3">
<iframe name="IP3" id="ip3" width="100%" height="29" src="#" marginwidth="1" marginheight="1" scrolling="no" border="0" frameborder="0">
</iframe></td>
</tr>
<tr>
<td background="../images/bj5.jpg" align="center" width="362">
<font color="#FFFFFF">标&nbsp;&nbsp; 题</font></td>
<td background="../images/bj5.jpg" align="center" width="199">
<font color="#FFFFFF">发布者和时间</font></td>
<td background="../images/bj5.jpg" align="center" width="111">
<font color="#FFFFFF">操&nbsp; 作</font></td>
</tr>
<%
Set rs = Server.CreateObject("ADODB.RecordSet")
rs.Open "select * from [ly] order by id desc",conn,1,1
if rs.recordcount<>0 then
page=int(request("page"))
rs.PageSize=10
pagecount=rs.pagesize
if page<=0 then page=1
if request("page")="" then page=1
rs.AbsolutePage=page
for i=1 to pagecount
sh=rs("sh")
%>
<tr>
<td width="362">
<%
if rs("bm")="1" then Response.Write "[保密]"

Response.Write titleb(rs("title"),30)

lb=rs("lb")
if (not isNumeric(lb)) then
lb=0
end if
set rs2 = Server.CreateObject("ADODB.RecordSet")
rs2.Open "select * from [lylb] where id="&lb&" order by id desc",conn,1,1
if rs2.recordcount<>0 then
Response.Write "<font color=red>("&rs2("lb")&")</font>"
end if
rs2.close:set rs2=nothing
%>
<br>
<a href="admin_ly.asp?viewid=<%=rs("id")%>"><font color="#C0C0C0"><%=titleb(glhtml(rs("content")),50)%></font></a></td>
<td width="199"><%=rs("adduser")%>&nbsp;<a href='http://so.xuas.com/index.asp?lx=6&x=16&y=12&Word=<%=rs("ip")%>' target='_blank'><%=rs("IP")%>(来源)</a></acronym><br><%=rs("addtime")%></td>
<td width="111" align=center>
<%
Set rs2 = Server.CreateObject("ADODB.RecordSet")
rs2.Open "select * from [lyhf] where lyid="&rs("id")&" order by id desc",conn,1,1
if rs2.recordcount<>0 then
Response.Write "已经回复&nbsp;"
else
Response.Write "没有回复&nbsp;"
end if
rs2.close:set rs2=nothing

if sh=1 then Response.Write "<a href=admin_ly.asp?shid="&rs("id")&"&sh=0>已经审核</a>"
if sh=0 then Response.Write "<a href=admin_ly.asp?shid="&rs("id")&"&sh=1>没有审核</a>"
%>
<BR>
<a href="?viewid=<%=rs("id")%>">查看回复</a>
<a onclick='{if(confirm("您确定删除吗?此操作将不能恢复!")){return true;}return false;}' href="admin_ly.asp?delid=<%=rs("id")%>">删除</a></td>
</tr>
<%
rs.movenext
if rs.eof then exit for
next
else
Response.Write "<tr><td colspan=3>暂无信息</td></tr>"
end if
%>
</table>
</div>
<BR>
<center>
<%if rs.recordcount<>0 then
if page>1 then
response.write "<a href="&request.servervariables("URL")&"?page=1&lm="&trim(request("lm"))&"&lb="&trim(request("lb"))&"&word="&trim(request("word"))&">首页</a> "
response.write "<a href="&request.servervariables("URL")&"?page="&page-1&"&lm="&trim(request("lm"))&"&lb="&trim(request("lb"))&"&word="&trim(request("word"))&">上一页</a> "
end if
if page<rs.pagecount then
response.write "<a href="&request.servervariables("URL")&"?page="&page+1&"&lm="&trim(request("lm"))&"&lb="&trim(request("lb"))&"&word="&trim(request("word"))&">下一页</a> "
response.write "<a href="&request.servervariables("URL")&"?page="&rs.pagecount&"&lm="&trim(request("lm"))&"&lb="&trim(request("lb"))&"&word="&trim(request("word"))&">尾页</a> "
end if
response.write "共"&rs.recordcount&"条 每页显示"&pagecount&"条 共"&rs.pagecount&"页 "
%>
<script language="JavaScript">
<!--
function FP_jumpMenu(el,frm,sel) {//v1.0
var href=el.options[el.selectedIndex].value; if(sel) el.selectedIndex=0;
if('_new'==frm) open(href); else eval(frm+".location='"+href+"'");
}
// -->
</script>
<select size="1" onchange="FP_jumpMenu(this,'window',false)" id="id1" name="D1" style="font-size: 9pt; border-style: solid; border-width: 1px">
<%for i=1 to rs.pagecount%>
<option value="<%=request.servervariables("URL")%>?page=<%=i%>&lm=<%=trim(request("lm"))%>&lb=<%=trim(request("lb"))%>&word=<%=trim(request("word"))%>" <%if page=i then response.write "selected"%> style="font-size: 9pt">第<%=i%>页</option>
<%next%>
</select>
<%end if%>
<%if Request.Cookies("admindj")="1" then%>
<br><br> <div align="center">
<table border="1" cellpadding="3" width="700" id="table4" style="border-collapse: collapse" bordercolor="#C0C0C0">
<tr>
<td background="../images/bj6.jpg">留言调用:<br>
&lt;script TYPE=&quot;text/javascript&quot; language=&quot;javascript&quot; src=&quot;<%=finddir(request.servervariables("URL"))%>js-ly.asp?list=10&amp;font=9&amp;color=000000&amp;n=30&amp;lb=0&amp;line=20&quot;&gt;&lt;/script&gt;</td>
</tr>
<tr>
<td>list    显示留言的条数,默认是10条。<br>
font    标题的字号,默认是9pt。<br>
color    标题的颜色,默认是黑色,切记不要加#。<br>
n      标题显示的字符数,默认是30个字符!<br>
line     留言标题之间的行距大小,默认是20。<br>
lb     留言类别的ID号,如果=0,显示所有类别。</td>
</tr>
</table>
</div>
<%
end if
rs.close:set rs=nothing
conn.close
set conn=nothing
%>


if viewid<>"" then


When the viewid variable obtained from the request is non-empty, the SQL statement is executed and the stored ip field is output without any filtering. See the following code:

<table align=center border="1" cellpadding="5" width="700" id="table2" style="border-collapse: collapse" bordercolor="#C0C0C0" bgcolor="#FFFFFF">
<tr>
<td width="700" align="center" background="../images/bg1.gif" colspan="2">
 <font color="#FFFFFF"><%=rs("title")%></font><font color="#FFFF00">(<%=lb%>)</font></td>
</tr>
<tr>
<td width="201" align="center" style="line-height: 150%" valign="top"><img border=1 src=../<%=rs("tx")%>>
<div align="center">
<table border="0" cellpadding="2" cellspacing="0" width="201" id="table3">
<tr>
<td width="74" align="right">姓名:</td>
<td width="127"><%=rs("adduser")%></td>
</tr>
<tr>
<td width="74" align="right">来自:</td>
<td width="127"><%=rs("ip")%></td>
</tr>
<tr>
<td width="74" align="right">邮箱:</td>
<td width="127"><a href="mailto:<%=rs("email")%>"><img border="0" src="../images/lymail.gif" width="16" height="16"></a></td>
</tr>
<tr>
<td width="74" align="right">时间:</td>
<td width="127"><%=rs("addtime")%></td>
</tr>
</table>


Proof of vulnerability:

(Screenshots: 2222.png, 3333.png, 33.png)


This program is used by many edu sites, and in many other places the logic and variables are likewise unfiltered.
The vendor should pay attention to this.
The version tested was the latest, 5.0.
WooYun admins, how about an invite code! Thanks!

Fix recommendation:

Filter!
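As an added illustration of what that filtering looks like (not code from 讯时网站管理系统 or from the author), the Python below models the page's IP handling: the unsafe path that stores X-Forwarded-For verbatim in ly-write.asp and renders rs("ip") unencoded in admin_ly.asp, beside a hardened version that validates the address before storing it and HTML-encodes it on output. The trust_proxy flag, the sample headers and the sample rows are constructed for the example.

```python
import html
import ipaddress

# Constructed sample request (not a real capture): the client sets the
# X-Forwarded-For header to markup instead of an address.
SAMPLE_HEADERS = {
    "HTTP_X_FORWARDED_FOR": "<script>alert(1)</script>",
    "REMOTE_ADDR": "203.0.113.7",
}

# Constructed sample of stored [ly] rows; row 3 carries a forged header value.
SAMPLE_ROWS = [
    {"id": 1, "ip": "198.51.100.23"},
    {"id": 2, "ip": "2001:db8::1"},
    {"id": 3, "ip": "<script>alert(1)</script>"},
]


def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip_unsafe(server_vars):
    """What ly-write.asp does: trust X-Forwarded-For verbatim and fall back
    to REMOTE_ADDR only when the header is absent."""
    ip = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if ip == "":
        ip = server_vars.get("REMOTE_ADDR", "")
    return ip


def client_ip_safe(server_vars, trust_proxy=False):
    """Hardened: X-Forwarded-For is client-controlled, so honour it only
    when a trusted proxy in front of the app sets it (trust_proxy is an
    assumed deployment flag), take the first hop, and require it to parse
    as an IP address; otherwise use the socket peer, which cannot be forged."""
    remote = server_vars.get("REMOTE_ADDR", "")
    first_hop = server_vars.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
    if trust_proxy and is_ip(first_hop):
        return first_hop
    return remote if is_ip(remote) else "0.0.0.0"


def render_ip_cell_unsafe(stored_ip):
    """admin_ly.asp: <td width="127"><%=rs("ip")%></td>, no encoding."""
    return '<td width="127">%s</td>' % stored_ip


def render_ip_cell_safe(stored_ip):
    """Same cell with output encoding (Server.HTMLEncode in classic ASP)."""
    return '<td width="127">%s</td>' % html.escape(stored_ip, quote=True)


def find_bad_ip_rows(rows):
    """Defender's check over existing rows: any stored ip that is not a
    valid address came from a forged header and should be reviewed."""
    return [row["id"] for row in rows if not is_ip(row["ip"])]
```

In the ASP files themselves the equivalent is to validate userip as an address before the insert in ly-write.asp and to wrap rs("ip") in Server.HTMLEncode wherever admin_ly.asp prints it; the same output encoding applies to the other stored fields the admin page echoes.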

Copyright notice: please credit the source when reposting: ckwave@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or the vendor actively refused to respond