shop7z SQL injection vulnerability

Published: 2025-04-13
Revised: 2025-04-13

### Brief description:

shop7z SQL injection vulnerability

### Details:

getpassword3.asp

```
if session("verifycode")<>request.Form("code") then
    response.write " <div align=center><a href=javascript:window.history.back()>请输入正确的验证码,点击这里返回重试</a></div>"
    response.end
end if
username=trim(request.Form("username"))
password_Answer=trim(request.Form("password_Answer"))
mail=trim(request.Form("mail"))
if InStr(password_Answer,"'")>0 or InStr(password_Answer,"--")>0 or InStr(password_Answer,"(")>0 or InStr(password_Answer,";")>0 then
    response.write "密码提示答案不合法。"
    response.end
END IF
if InStr(mail,"'")>0 or InStr(mail,"(")>0 or InStr(mail,";")>0 then
    response.write "mail不合法。"
    response.end
END IF
' Injection point: username is only trimmed, then concatenated into the query
sql="select password from x_huiyuan where username='"&username&"' and password_Answer='"&password_Answer&"' and email='"&mail&"' "
set rs=server.createobject("adodb.recordset")
rs.open sql,conn,1,1
```

Test

192.168.236.131/getpassword3.asp

POST body

username=1111'&password_Answer=111&mail=ddd@qq.com

### Proof of vulnerability:

[<img...
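The lookup in getpassword3.asp rewritten with bound parameters, as an added example that is not shop7z's own code or an official patch. It assumes `conn` is the page's already-open ADODB connection; the `FormField` helper and the `MAX_FIELD_LEN` width are hypothetical and should be matched to the real `x_huiyuan` schema.

```vbscript
' Added example: parameterized form of the password-recovery lookup.
' Assumption: conn is the open ADODB.Connection used by the original page.
Const adVarChar = 200       ' ADO DataTypeEnum
Const adParamInput = 1      ' ADO ParameterDirectionEnum
Const adCmdText = 1         ' ADO CommandTypeEnum
Const MAX_FIELD_LEN = 100   ' assumed column width (hypothetical)

' Hypothetical helper: read a form field, trim it and cap its length.
Function FormField(name)
    FormField = Left(Trim(Request.Form(name) & ""), MAX_FIELD_LEN)
End Function

Dim username, passwordAnswer, mail, cmd, rs
username = FormField("username")
passwordAnswer = FormField("password_Answer")
mail = FormField("mail")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The ? placeholders are bound by position. Values travel as data, so a
' quote in username no longer changes the structure of the statement and
' the character blacklist on the other two fields is not what protects it.
cmd.CommandText = "select password from x_huiyuan " & _
                  "where username=? and password_Answer=? and email=?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, MAX_FIELD_LEN, username)
cmd.Parameters.Append cmd.CreateParameter("answer", adVarChar, adParamInput, MAX_FIELD_LEN, passwordAnswer)
cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, MAX_FIELD_LEN, mail)

Set rs = cmd.Execute

If rs.EOF Then
    ' Same message for every failure, so the response does not reveal
    ' which of the three fields was wrong.
    Response.Write "No matching account."
    rs.Close
    Response.End
End If

' ... continue with the page's existing recovery flow using rs ...
rs.Close
Set rs = Nothing
Set cmd = Nothing
```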
