OBLOG js.asp vulnerability

2007-04-26T00:00:00
ID SSV:1691
Type seebug
Reporter Root
Modified 2007-04-26T00:00:00

Description

Vulnerable file: js.asp. Look at the code (the relevant part of the Sub; the comparison operators were lost in extraction and are restored here):

    If teamid<>"" And teamid<>"0" Then
        teamid=Replace(teamid,"|",",")
        Sql=Sql & " And teamid In (" & teamid & ") "
    End If
    Sql=Sql & " Order by postid Desc"
    Set rs=oblog.Execute(Sql)
    sRet=""
    Do While Not rs.Eof
        sAddon=""
        sRet=sRet & "" & oblog.Filt_html(Left(rs(2),l)) & ""
        If u=1 Then sAddon=rs(4)
        If t=1 Then
            If sAddon<>"" Then sAddon=sAddon & ","
            sAddon=sAddon & rs(3)
        End If
        If sAddon<>"" Then sAddon="(" & sAddon & ")"
        sRet=sRet & sAddon & ""
        rs.Movenext
    Loop
    Set rs = Nothing
    sRet=sRet & ""
    Response.write oblog.htm2js (sRet,True)
    End Sub

It is immediately obvious that tid is handed to teamid without any filtering; teamid only has "|" replaced and then goes straight into the SQL statement.

Affected: OBLOG 4.0, OBLOG 4.5. Temporary workaround: search for teamid=Request("tid") and replace it with:

    teamid=Replace(Replace(Request("tid"),"'",""),")","")

This simply filters out some dangerous characters. Note the following line:

    teamid=Replace(teamid,"|",",")

Multiple tid values are joined with "|", and here they are converted back to a ","-separated list so they can be used directly in the SQL statement below:

    If teamid<>"" And teamid<>"0" Then
        teamid=Replace(teamid,"|",",")
        Sql=Sql & " And teamid In (" & teamid & ") "
    End If
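As an added example (not code from the advisory or from OBLOG), the same check written in Python for clarity: rather than stripping a blacklist of characters as the workaround above does, the tid parameter is parsed as the "|"-separated list of numeric ids that js.asp actually expects, so only integers ever reach the In (...) list. Function names and the 50-id limit are assumptions.

```python
import re

# Constructed example, not OBLOG code. js.asp copies Request("tid") into
# teamid, turns "|" into "," and concatenates the result into
# "... And teamid In (<list>)". A whitelist parse of that value removes the
# injection point: anything that is not a "|"-separated list of integers
# is rejected outright.

_NUMERIC = re.compile(r"[0-9]+")

def parse_tid(tid: str, max_ids: int = 50) -> list[int]:
    """Return the team ids encoded in tid, or raise ValueError.

    Keeps the original semantics: "" and "0" mean "no team filter" and
    yield an empty list. Empty tokens (e.g. "1||2", "|1") are rejected.
    """
    if tid is None:
        return []
    tid = tid.strip()
    if tid in ("", "0"):
        return []
    ids = []
    for token in tid.split("|"):
        if not _NUMERIC.fullmatch(token):
            raise ValueError(f"tid contains a non-numeric token: {token!r}")
        ids.append(int(token))
    if len(ids) > max_ids:
        raise ValueError("too many team ids in tid")
    return ids

def is_valid_tid(tid: str) -> bool:
    """True if tid would be accepted by parse_tid."""
    try:
        parse_tid(tid)
        return True
    except ValueError:
        return False

def team_filter_sql(tid: str) -> str:
    """Build the ' And teamid In (...)' fragment from a validated tid.

    Only integers produced by parse_tid are formatted into the string,
    so the concatenation used in js.asp can no longer carry injected SQL.
    """
    ids = parse_tid(tid)
    if not ids:
        return ""
    return " And teamid In (" + ",".join(str(i) for i in ids) + ") "
```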

Vendor: http://www.oblog.com.cn

http://www.wolfexp.net/forum/viewthread.php?tid=4246&extra=page%3D1