VULHUB ™

### 简要描述： shop7z 注入漏洞2 ### 详细说明： ``` News.asp <TD vAlign=bottom height=32><IMG height=19 src="images/dian04.gif" width=10 align=absMiddle> <STRONG>&nbsp;<FONT color=#ff6600> <% sql3="select l_title from e_left where l_id="&request.QueryString("l_id")&"" set rs3=server.CreateObject("adodb.recordset") rs3.open sql3,conn,1,1 if rs3.bof or rs3.eof then else l_title=rs3("l_title") response.write l_title end if rs3.close set rs3=nothing %> ``` ### 漏洞证明： 测试 192.168.236.131/news.asp?l_id=1' http://www.shop7z.com/Demo/news.asp?l_id=1%27 [<img src="https://images.seebug.org/upload/201406/072207175050d166a9ed30004e156d28a017c71f.png" alt="QQ截图20131103143435.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/072207175050d166a9ed30004e156d28a017c71f.png)

### 简要描述： shop7z 注入漏洞2 ### 详细说明： ``` News.asp <TD vAlign=bottom height=32><IMG height=19 src="images/dian04.gif" width=10 align=absMiddle> <STRONG>&nbsp;<FONT color=#ff6600> <% sql3="select l_title from e_left where l_id="&request.QueryString("l_id")&"" set rs3=server.CreateObject("adodb.recordset") rs3.open sql3,conn,1,1 if rs3.bof or rs3.eof then else l_title=rs3("l_title") response.write l_title end if rs3.close set rs3=nothing %> ``` ### 漏洞证明： 测试 192.168.236.131/news.asp?l_id=1' http://www.shop7z.com/Demo/news.asp?l_id=1%27 [<img src="https://images.seebug.org/upload/201406/072207175050d166a9ed30004e156d28a017c71f.png" alt="QQ截图20131103143435.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/072207175050d166a9ed30004e156d28a017c71f.png)