|
user目录下的Article.asp code: Dim ArticleTitle,AuthorName,CopyFrom,Editor,KeyWord,IsHot,IsTop,IsElite,yn,Content,ReadLevel,ReadPoint,VIPReadPoint,PaginationType,MaxCharPerPage,ClassID,IncludePic,IndexPicUrl,Hits
Dim TitleFontColor,CSSID,TemplateID
Dim ChannelID,ChannelName,ChannelItemName,InfoRs,AuthorWords,EditorWords,CopyFromWords,KeyWords,UploadFiles
Dim AdminItemConfig,ChannelItemUnit,SpecialID Dim Public_aRs if Request("ChannelID") <> "" then //没有过滤直接得到数据
ChannelID = LzRequest("ChannelID",1)
else
ChannelID = 0
end if if Request("ClassID") <> "" then////没有过滤直接得到数据
ClassID = LzRequest("ClassID",1)
else
ClassID = 0
end if if ChannelID = "" Or ChannelID = 0 then
ErrMsg = "<li> 请选择“频道ID丢失”!"
LZ8.ShowErr()
Else
Set InfoRs = lz8.Execute("Select ChannelName,ChannelItemName,AuthorWords,EditorWords,CopyFromWords,KeyWords,ChannelDir,AdminItemConfig,ChannelItemUnit From [LZ8_Channel] Where ChannelID="& ChannelID )////没有过滤直接进到数据库
ChannelName = InfoRs(0)
ChannelItemName = InfoRs(1)
AuthorWords = InfoRs(2)
EditorWords = InfoRs(3)
CopyFromWords = InfoRs(4)
KeyWords = InfoRs(5)
ChannelDir = InfoRs(6)
AdminItemConfig = Split(InfoRs(7),"|||")
ChannelItemUnit = InfoRs(8)
InfoRs.Close:Set InfoRs=Nothing
end if %> 还有一个跨站漏洞! 代码就不说了 很乱的在Article.asp 中!直接发布文章 在文章内容加入 跨站代码就可以了
|
