### Brief description:

shop7z injection vulnerability

### Details:

```
' Advsearchadmin.asp
kindnum=trim(request("kindnum"))
pipai=trim(request("pipai"))
model=trim(request("model"))
productname=trim(request("productname"))
price11=trim(request("price11"))
price12=trim(request("price12"))
price21=trim(request("price21"))
price22=trim(request("price22"))
if price11="" then price11="0"
if price12="" then price12="9999999"
if price21="" then price21="0"
if price22="" then price22="9999999"
sqlcon=" where pkid>0 and updown='1' "
if kindnum<>"" then
    sqlcon = sqlcon &" and kind like '"&kindnum&"%' " ' none of these are filtered
end if
if pipai<>"" then
    sqlcon = sqlcon &" and pipai like '%"&pipai&"%' "
end if
if model<>"" then
    sqlcon = sqlcon &" and model like '%"&model&"%' "
end if
if productname<>"" then
    sqlcon = sqlcon &" and productname like '%"&productname&"%' "
end if
sql="select pkid,model,productname,smallpicpath,price1,price"&session("customkind")&",kindname,pipai,addtime from view_product "&sqlcon&" order by pkid desc"
'response.write sql
```

### Proof of vulnerability:

Test URL: `192.168.236.131/Advsearchadmin.asp?kindnum=1'`

[![QQ截图20131103142401.png](https://images.seebug.org/upload/201406/07220549ffa4dd259c3826824abc94357c6b4c6f.png)](https://images.seebug.org/upload/201406/07220549ffa4dd259c3826824abc94357c6b4c6f.png)
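One way to close the injection in the search filter shown above, as an added example that is not shop7z's own code: the same optional `LIKE` conditions are built with `?` placeholders and bound through `ADODB.Command`. It assumes an open `ADODB.Connection` named `conn`, a digits-only `customkind` suffix, and a backend (Access or SQL Server) that accepts `[%]` bracket escapes; `AddLike` and `LikeLiteral` are hypothetical helper names.

```vbscript
<%
' Added example, not shop7z code. Assumption: "conn" is an open ADODB.Connection.
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1

Dim cmd, rs, re, sqlcon, priceCol
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' Escape LIKE wildcards so user input can only match literally.
' Assumption: the backend honours bracket escapes such as [%].
Function LikeLiteral(ByVal s)
    s = Replace(s, "[", "[[]")
    s = Replace(s, "%", "[%]")
    LikeLiteral = Replace(s, "_", "[_]")
End Function

' Append one "column like ?" condition and bind the value as data, not SQL text.
' col is always a literal from this file, never request input.
Sub AddLike(col, prefix, ByVal value)
    Dim pattern
    If value = "" Then Exit Sub
    pattern = prefix & LikeLiteral(value) & "%"
    sqlcon = sqlcon & " and " & col & " like ? "
    cmd.Parameters.Append cmd.CreateParameter("", adVarWChar, adParamInput, _
        Len(pattern), pattern)
End Sub

sqlcon = " where pkid>0 and updown='1' "
AddLike "kind", "", Trim(Request("kindnum"))
AddLike "pipai", "%", Trim(Request("pipai"))
AddLike "model", "%", Trim(Request("model"))
AddLike "productname", "%", Trim(Request("productname"))

' A column name cannot be bound as a parameter, so accept digits only.
' Assumption: customkind is the numeric suffix of a price column.
priceCol = CStr(Session("customkind"))
Set re = New RegExp
re.Pattern = "^\d+$"
If Not re.Test(priceCol) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

cmd.CommandText = "select pkid,model,productname,smallpicpath,price1,price" & _
    priceCol & ",kindname,pipai,addtime from view_product " & sqlcon & _
    " order by pkid desc"
Set rs = cmd.Execute   ' a quote in kindnum is now matched as a literal character
%>
```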