ACTCMS website management system cookie injection
founder:小帅
Please credit the source when reposting: 小帅's blog http://blog.0kee.com/xiaoshuai
<%
id=request("id")
postuser=request("postuser")
sql="select friend from clubuser where clubuser_name='"&request.cookies("name")&"'"
set rs=server.createobject("adodb.recordset")
rs.open sql,conn,1,1
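The name variable is not properly validated: it is read directly from the client-side cookie and concatenated into the database query, which results in cookie injection.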
if request.Form("addblog")="Y" then
userip=request.servervariables("remote_addr")
sql ="select * from ftblog_type where blogtype='默认分类' and userid="& request.cookies("clubuser_id")&" and blogphoto=0 order by id desc"
set rs=server.createobject("adodb.recordset")
rs.open sql,conn,1,3
The check.asp page does not filter clubuser_id.
admin_blog_editor.asp
if request.form("act")="y" then
id=request.form("id")
blogtitle=htmlencode2(request.form("blogtitle"))
blogqs=request.form("blogqs")
blogtypeid=request.form("blogtypeid")
xinqin=request.form("DiaryHeart")
writedate=request.form("writedate")
remenu=request.form("remenu")
blogtag=request.form("blogtag")
bbstag=request.form("bbstag")
userip=request.servervariables("remote_addr")
userid=request.cookies("clubuser_id")
plqs=request.form("plqs")
bloghtmfile=request.form("bloghtmfile")
if len(remenu)<=0 then
response.write "<SCRIPT language=JavaScript>alert('内容不能为空!');history.go(-1);</script>"
response.end
end if
remenu=htmlencode2(remenu)
remenu=ftHTMLCode(remenu)
remenu=ubbcode(remenu)
str="update ftblog set blogtitle='"&blogtitle&"',blogcontent='"&remenu&"'," & _
"blogtypeid="&blogtypeid&",blogqs="&blogqs&"," & _
"writedate='"&writedate&"',xinqin='"&xinqin&"',userip='"&userip&"',blogtag='"&blogtag&"'," & _
"plqs="&plqs&",bloghtmfile='"&bloghtmfile&"' where id="&id
conn.execute(str)
response.redirect request("reurl")
end if
sql="select * from ftblog where id="&request("id")
set rsblog=server.createobject("adodb.recordset")
rsblog.open sql,conn,3,1
The id variable is not filtered either and is concatenated directly into the database query, which results in SQL injection.
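For comparison, the three SELECT lookups above rewritten with bound parameters. This is an added example, not part of the original post and not ACTCMS code. It assumes conn is the open ADODB.Connection used by the snippets above; the helper names ToLongOrFail and NewCommand and the 50-character name length are hypothetical.

```vbscript
<%
' Added example (not ACTCMS code): parameterized versions of the lookups above.
' Assumes conn is the already-open ADODB.Connection from the original pages.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Hypothetical helper: accept only a plain decimal integer, otherwise stop.
Function ToLongOrFail(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(raw & "") Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    ToLongOrFail = CLng(raw)
End Function

' Hypothetical helper: build a text command bound to conn.
Function NewCommand(sqlText)
    Dim c
    Set c = Server.CreateObject("ADODB.Command")
    Set c.ActiveConnection = conn
    c.CommandType = adCmdText
    c.CommandText = sqlText
    Set NewCommand = c
End Function

Dim cmd, rs, rsblog
' Cookie "name": bound as a string, so quotes inside it stay data.
' The length 50 is an assumed column width.
Set cmd = NewCommand("select friend from clubuser where clubuser_name=?")
cmd.Parameters.Append cmd.CreateParameter("name", adVarWChar, adParamInput, 50, Left(Request.Cookies("name"), 50))
Set rs = cmd.Execute   ' returns a forward-only, read-only recordset

' Cookie "clubuser_id": validated as an integer, then bound.
Set cmd = NewCommand("select * from ftblog_type where blogtype='默认分类' and userid=? and blogphoto=0 order by id desc")
cmd.Parameters.Append cmd.CreateParameter("userid", adInteger, adParamInput, , ToLongOrFail(Request.Cookies("clubuser_id")))
Set rs = cmd.Execute

' Request "id" in admin_blog_editor.asp: same treatment.
Set cmd = NewCommand("select * from ftblog where id=?")
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , ToLongOrFail(Request("id")))
Set rsblog = cmd.Execute
%>
```

Binding removes the injection, but both cookies are still client-supplied values, so the user identity itself should come from server-side session state. The UPDATE statement in admin_blog_editor.asp needs the same parameter binding for every concatenated field.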
Permalink: http://www.daopo.org/2008/04/07/actcms-site-cookie-management-system-into-the/ | 天晴轩