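2014-11-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-02-09: The vendor has actively ignored the vulnerability; details disclosed to the public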
SQL injection
Download: http://down.chinaz.com/soft/34989.htm
Vulnerable parameter: id
Vulnerable files:
1. common.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="xyconn.asp"-->
<!--#include file="Inc/xycms.asp" -->
<!--#include file="Inc/config.asp" -->
<%
id=request.QueryString("id")
if id="" or not isnumeric(id) then
    response.write "<script>alert('警告!非法参数!');window.location.href='index.html';</script>"
    Response.End()
end if
set rs=server.createobject("adodb.recordset")
exec="select * from common where id="&id ' passed directly into the query
rs.open exec,conn,1,1
%>
2. down_detail.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from [down] where id="& id
rs.open exec,conn,1,1
if rs.eof then
    response.Write "<div style=""padding:10px"">没有相关信息!</a>"
    response.End()
end if
%>
3. news.asp
<%
id=request.QueryString("id")
if not isnumeric(id) then
    Response.Write "<script>alert('警告!参数错误!');history.go(-1);</script>"
    Response.End()
end if
set rs=server.createobject("adodb.recordset")
if id="" then
    exec="select * from news order by id desc"
else
    exec="select * from news where ssfl="&id&" order by id desc"
end if
rs.open exec,conn,1,1
%>
4. job_detail.asp
<%
id=request.QueryString("id")
set rs=server.createobject("adodb.recordset")
exec="select * from zpxx where id="& id
rs.open exec,conn,1,1
if rs.eof then
    response.Write "<div style=""padding:10px"">没有相关信息!</a>"
    response.End()
end if
%>
5. news_detail.asp
6. team_detail.asp
7. adv_dir.asp
1. Case from ://**.**.**//www.wooyun.org/bugs/wooyun-2010-066498:
2. http://**.**.**
3. http://**.**.**/common.aspid=1%20and%201=1 (same)
4. http://**.**.**/common.aspid=1%20and%201=2 (error)
5. http://**.**.**/down_detail.aspid=1&
6. http://**.**.**/news.aspid=1&
Filter the id parameter.
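One way to apply this fix to the down_detail.asp lookup, as an added example that is not code from the vendor or from the original report: the id is checked against a digits-only allow-list and then bound as a typed ADODB.Command parameter instead of being concatenated into the SQL string. It assumes `conn` is the open ADODB.Connection the original pages already use; the not-found text is constructed wording.

```asp
<%
' Added example (not vendor code): hardened lookup for down_detail.asp.
' Assumption: conn is an open ADODB.Connection, as in the original pages.
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

Dim rawId, id, re, cmd, rs
rawId = Trim(Request.QueryString("id"))

' Allow-list: 1 to 9 decimal digits only. IsNumeric is not used as the
' filter because it also accepts forms such as "1e3" and "&H10".
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
id = CLng(rawId)   ' at most 999999999, so it always fits in a Long

' Bind the value as a typed parameter; the SQL text itself is constant.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from [down] where id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)

' Same cursor and lock type (1,1) as the original rs.open call.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , 1, 1

If rs.EOF Then
    Response.Write "<div style=""padding:10px"">No matching record.</div>"
    Response.End
End If
%>
```

The same pattern applies to the other listed files by changing the table and column in `CommandText`.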
Unable to contact the vendor, or the vendor actively refused