1. user_reg.asp

'注册

case "user_reg_do"

 

        user_name = trim(request.form("user_name"))

        user_pass = trim(request.form("user_pass"))

        user_pass_again = trim(request.form("user_pass_again"))

        user_mail = trim(request.form("user_mail"))

        user_pass_question = trim(request.form("user_pass_question"))

        user_pass_answer = trim(request.form("user_pass_answer"))

        user_sex = trim(request.form("user_sex"))

        user_www = trim(request.form("user_www"))

        user_sign = trim(request.form("user_sign"))

        user_face = trim(request.form("user_face"))

        user_qq = trim(request.form("user_qq"))

        user_msn = trim(request.form("user_msn"))

        %>

简单过滤空格

if instr(user_name,"        ") > 0 or instr(user_name,"#") > 0 or instr(user_name,"`") > 0 or instr(user_name,"|") > 0 or instr(user_name," ") > 0 or instr(user_name,"　") > 0 or Instr(user_name,"%") > 0 or Instr(user_name,"&") > 0 or Instr(user_name,"ヴ") > 0 or Instr(user_name,"ヂ") > 0 or Instr(user_name,"ゼ") > 0 or Instr(user_name,"ヅ") > 0 or Instr(user_name," ") > 0 or Instr(user_name,"+") > 0 or Instr(user_name,"=") > 0  or Instr(user_name,"'") > 0 then

        session("message") = "<li>用户名中不能含有特殊符号</li>"

        session("message") = session("message") & "<li><a href=""javascript:history.back();"">返回</a></li>"

没有检测；分号   可以注册duos.asp;1的账户

有个特性是注册会员上传的头像是根据自己名字来保存图片 

注册duos.asp;1的账户==》上传脚本.jpg==》自动保存为duos.asp;1.jpg (这点可以利用IIS6.0的解析漏洞)

 

 

2.

XSS很多。  这个对论坛影响较大

 

来源：http://www.t00ls.net/thread-19635-1-1.html