SQL injection in the XYCMS psychological counseling center site-building system

2014-06-30T00:00:00
ID SSV:95632
Type seebug
Reporter Root
Modified 2014-06-30T00:00:00

Description

Brief description:

。。。

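Details:

Download: http://down.chinaz.com/soft/34989.htm
The vulnerability is in: pxxm_detail.asp

    ' id is read from the query string with no validation
    id=request.QueryString("id")
    set rs=server.createobject("adodb.recordset")
    ' the raw value is concatenated directly into the SQL text
    exec="select * from [pxxm] where id="& id
    rs.open exec,conn,1,1
    if rs.eof then
        response.Write "<div style=""padding:10px"">没有相关信息!</a>"
        response.End()
    end if

No filtering code is applied to the id parameter before it is concatenated into the query, which results in the SQL injection.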
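A hardened form of the same lookup, as an added example that is not part of the original advisory or the XYCMS code base. It assumes `conn` is the open ADODB connection that pxxm_detail.asp already uses and that the `id` column of `[pxxm]` is an integer; the 400 response and the digit-length limit are choices made for this example.

```asp
<%
' Added example (not XYCMS code): pxxm_detail.asp lookup with input
' validation and a parameterized query.
' Assumptions: "conn" is the page's open ADODB connection and
' [pxxm].id is an integer column.
Const adInteger = 3       ' ADO DataTypeEnum
Const adParamInput = 1    ' ADO ParameterDirectionEnum
Const adCmdText = 1       ' ADO CommandTypeEnum

Dim rawId, id, re, cmd, rs
rawId = Trim(Request.QueryString("id"))

' Accept only 1-9 decimal digits. Repeated id parameters arrive as a
' comma-joined string and are rejected by the same test.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
id = CLng(rawId)          ' 9 digits always fits in a VBScript Long

' The value is bound as a typed parameter and never becomes SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from [pxxm] where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)

' Open the recordset from the command, keeping the original cursor
' and lock types (1,1). No connection argument is passed because the
' command already carries it.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , 1, 1

If rs.EOF Then
    Response.Write "<div style=""padding:10px"">没有相关信息!</div>"
    Response.End
End If
%>
```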

Proof of vulnerability:

[Screenshot: 1.jpg, https://images.seebug.org/upload/201406/280942344bf1d38e8ba5c3502a19a97394780393.jpg]

Keyword: inurl:pxxm_detail.asp?id=

Multiple instances:
http://www.tzjyedu.cn/pxxm_detail.asp?id=70
http://www.zzczxx.com/pxxm_detail.asp?id=60
http://www.tsinghuasimu.com/pxxm_detail.asp?id=53
http://www.allyfarm.com/pxxm_detail.asp?id=75
http://www.jskcedu.com/pxxm_detail.asp?id=88