来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 某OA系统越权、多处SQL注入及任意用户登陆包括管理员大量案例中招,官网demo中招,多处漏洞广州市颖峰信息科技有限公司http: www yfidea com product asp官方demo地址:http: demo yfidea com 官方成...
某OA系统越权、多处SQL注入及任意用户登陆包括管理员大量案例中招,官网demo中招,多处漏洞 官方demo地址: 0x001 越权访问+SQL注入 <p> <% strId=request("id") tname=request("tname") Set rs=Server.CreateObject("Adodb.Recordset") sql="select * from varset where ID='"&strID& "'" rs.open sql,conn,1,1 %> </p>
<p> <% strId=request("id") tname=request("tname") Set rs=Server.CreateObject("Adodb.Recordset") sql="select * from varset where ID='"&strID& "'" rs.open sql,conn,1,1 %>
<p> <% strId=request("id") tname=request("tname") Set rs=Server.CreateObject("Adodb.Recordset") sql="select * from varset where ID='"&strID& "'" rs.open sql,conn,1,1 %>
<p> <% var=request("var") vargroup=request("vargroup") set Rsvar= Conn.Execute("select * from varset where name='"&var&"'") %> </p> <p> </p> <p> </p> <form id="form3" name="form3" method="post" action="savemodifysys.asp?var=<%=var%>&vargroup=<%=vargroup%>" onSubmit="return form_check();"> <p> </p> <table width="442" border="0" align="center" cellspacing="0" bordercolorlight="#11b1ff" bordercolordark="#f0f8ff"> <tr align="middle"> <td width="64" class="STYLE1"> </td> <td width="61" height="41" class="STYLE1"><div align="right">参数</div></td> <td width="315" align="center" valign="middle" class="STYLE1"><div align="left"> <select name="vname" id="vname"> <option><%=Rsvar( "vname" )%></option> <% Set RSsel = Conn.Execute("select * from varset where name='"&vargroup& "' order by vid" ) While NOT RSsel.EOF %> <option value="<%=RSsel( "vname" )%>"><%=RSsel( "vname" )%></option> <% RSsel.MoveNext Wend %> </select> <input name="Submit" type="submit" class="topanniu" value="保存修改" /> </div> </label></td> <td width="8"> </td> </tr> </table> <p> </p> <p> </p> <p align="center">说明:<%=Rsvar( "shuoming" )%></p> <% RSsel.Close Rsvar.close%> </form>
<p> <% strId=request("id") varname=request("varname") Set rs=Server.CreateObject("Adodb.Recordset") sql="select * from varset where ID='"&strID& "'" rs.open sql,conn,1,1 %> </p>
<!--#include file="../SQLconn.asp"--> <% dim strID strId=request("id") dim fjsql dim fjrs dim strfilename fjsql="select * from wendangfile where fid='"&strId& "'" Set fjrs= Server.CreateObject("ADODB.Recordset") fjrs.open fjsql,conn,1,1 Response.ContentType = fjrs("fileContentType") 'Response.AddHeader "Content-Disposition","attachment; filename="&fjrs("filename") Response.AddHeader "Content-Disposition","inline; filename="&fjrs("filename") Response.BinaryWrite fjrs("filevalue").getChunk(21212121) fjrs.close set fjrs=nothing set conn=nothing %>
<% id=request("id") Set Rslist=Server.CreateObject("Adodb.Recordset") sqllist="select * from Employee where id='"&ID& "'" Rslist.open sqllist,conn,1,1 %>
<% strip=Request.ServerVariables("REMOTE_ADDR") Set MyOAASPObj = Server.CreateObject("YFSchoolOApro.YFSchoolDll") str=MyOAASPObj.OA_Login(strip) set MyOAASPObj=nothing dim str1 str1=split(str,"|",-1,1) response.cookies("Tname")=str1(0) response.cookies("imgdir")=str1(1) response.cookies("nowxueqi")=str1(2) response.cookies("filelength")=10 '这个1是表示上传文件的长度不能超过1M,控制整个系统的文件大小 if str1(3)="888" then response.redirect("OA/user/password.asp") else response.redirect("OA/Index.asp") end if %>
<% '登陆控制,防止未登录查看 if request.cookies("tname")="" then response.redirect("../Index.asp") end if %>
也可以添加cookie: 修复方案:最主要的控制权限,过滤
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com