Vulnerable file: js.asp
Look at the code:
If teamid<>"" And teamid<>"0" Then
teamid=Replace(teamid,"|",",")
Sql=Sql & " And teamid In (" & teamid & ") "
End If
Sql=Sql & " Order by postid Desc"
Set rs=oblog.Execute(Sql)
sRet=""
Do While Not rs.Eof
sAddon=""
sRet=sRet & "" & oblog.Filt_html(Left(rs(2),l)) & ""
If u=1 Then sAddon=rs(4)
If t=1 Then
If sAddon<>"" Then sAddon=sAddon & ","
sAddon=sAddon & rs(3)
End If
If sAddon<>"" Then sAddon="(" & sAddon & ")"
sRet=sRet & sAddon & ""
rs.Movenext
Loop
Set rs = Nothing
sRet=sRet & ""
Response.write oblog.htm2js (sRet,True)
End Sub
It is plain to see that tid is handed to teamid without any filtering, and the only thing done to teamid is replacing "|" before it goes straight into the SQL statement.
OBLOG4.0
OBLOG4.5
Temporary workaround:
Search for teamid=Request("tid") and replace it with:
teamid=Replace(Replace(request("tid"),"'",""),")","")
This simply filters out a few dangerous characters, and that is enough.
Note the following line of code:
teamid=Replace(teamid,"|",",")
Multiple tid values are joined with "|", and here they are converted back to being joined with ",", so the SQL statement below can use them directly:
If teamid<>"" And teamid<>"0" Then
teamid=Replace(teamid,"|",",")
Sql=Sql & " And teamid In (" & teamid & ") "
End If
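As an added illustration (not oBlog's own code), here is a whitelist version of the same fix: instead of stripping a few characters out of tid, accept it only when every "|"-separated segment is a plain decimal id, and otherwise build no IN (...) clause at all. The function name SafeTeamIdList and its placement in js.asp are assumptions.

```vbscript
' Added example (not oBlog's own code): whitelist validation for the tid parameter.
' Each "|"-separated segment must be a short decimal integer; any other input rejects
' the whole list, so nothing attacker-controlled ever reaches the IN (...) clause.
Function SafeTeamIdList(rawTid)
    Dim s, parts, i, re, out
    s = rawTid & ""                     ' force a plain string (Request item, Null, Empty)
    SafeTeamIdList = ""
    If Len(s) = 0 Then Exit Function

    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"            ' digits only, bounded so CLng cannot overflow

    parts = Split(s, "|")
    out = ""
    For i = 0 To UBound(parts)
        If Not re.Test(parts(i)) Then Exit Function   ' reject: function returns ""
        If out <> "" Then out = out & ","
        out = out & CLng(parts(i))      ' normalised number, leading zeros dropped
    Next
    SafeTeamIdList = out
End Function

' Hypothetical use in js.asp, in place of the blacklist Replace() above:
' teamid = SafeTeamIdList(Request("tid"))
' If teamid <> "" And teamid <> "0" Then
'     Sql = Sql & " And teamid In (" & teamid & ") "
' End If
```

With this in place the existing teamid<>"0" check still works unchanged, because a lone "0" passes validation and is returned as "0".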
Official site: <a href="http://www.oblog.com.cn" target="_blank">http://www.oblog.com.cn</a>