????1. ??????????????????web???????IE???server???DB?????y???????????в??????????????script??????????????;app server????????????????????db server??????????Щ????????????????????ο????script????????Щcase???????????????????????????????????????????????script??????????????form?????????????????????????


????2. ???????????? ???web server????sql??????????????sql????????????????????????????????sql?????????????delete all??drop database??????????????????????????????!??????л???????inte.net??????????????????????У??ж???????????????????web????????????????????

????3. ??????????????????????ɡ?

????WEB???????????BUG???


????1??SQL INJECTION

 

????2??????????????????????


????3??COOKIES?????

????4?????????????

 

??????SQL INJECTION????????

 

????????

 

???????????????????????news.asp???ò?????????????????????

 

????http://www.xxx.com/news.asp?id=1????????????

????????????

rs.open "select * from news where id=" & cstr(request("id")), conn, 1, 1

???????????в????????????URL??????????????????????

????select * from news where id=1

 

????????SQL????????????????????????news???id?1???????????

??????????SQL SERVER??select???????????????е???????????URL???

http://www.xxx.com/news.asp?id=1 and 1=(select count(*) from admin where left(name,1)='a')


????SQL???????


select * from news where id=1 and 1=(select count(*) from admin where left(name,1)='a')

 

?????????admin?????????????????name??????????????a????news????id?1???????news????id?1?????????????????????????1&P????P??棬??????棬????????????????檔?????????????????????id?????2????????????????????????????ú??????????????????


?????????

 

????????治????SQL INJECTION????????????????????URL??????http://www.xxx.com/news.asp?id=1 and 1=1????http://www.xxx.com/news.asp?id=1 and 1=2

 

???????????η???????????????η???????????????????????news.asp???????SQL INJECTION????????ò???????????????????????????
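The news.asp query above builds its SQL by concatenating request("id") into the statement, which is exactly what the id=1 and 1=1 / id=1 and 1=2 probe detects. As an added example, not code from the original article, here is the same lookup written so the id never becomes part of the SQL text: the value is validated as a plain integer and then bound as a typed parameter. It assumes an open ADODB.Connection named conn, as in the page's snippet, and uses the ADO constant values from adovbs.inc.

```vbscript
<%
' Hardened replacement for the concatenated news.asp query (added example).
' Assumes: conn is an already-open ADODB.Connection, as in the original snippet.
' ADO constants (values as defined in adovbs.inc):
Const adInteger = 3
Const adParamInput = 1

Dim rawId, re, cmd, rs
rawId = Request.QueryString("id")

' 1. Allow-list the input: only 1 to 9 decimal digits are accepted.
'    A probe such as "1 and 1=1" fails this test and never reaches the database.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If

' 2. Keep the SQL text constant and bind the value as an integer parameter,
'    so the database driver never interprets the input as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select id, title from news where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
Set rs = cmd.Execute

' 3. Encode output so stored content cannot be rendered as script in the page.
If Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("title"))
Else
    Response.Status = "404 Not Found"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With this version, id=1 and 1=1 and id=1 and 1=2 both return the same 400 response, so the differential test described above no longer distinguishes them.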

?????? ?????????????????????????

 

????????

?????????????????????upload.asp?????????????書???????????п???????????????????????????????????????????????????????????????????????????????????????????????

 

?????????

 

?????????asp??php??jsp??cgi???????????????????

 

????????


??????????http://www.xxx.com/download/filespath.asp?path=../abc.zip

 

??????????????????

 

????http://www.xxx.com/download/filespath.asp?path=../conn.asp

????????????????Щasp??????????λ?ü????????????????

 

???????????к?????????????

?????? COOKIES?????


????????

 

????COOKIES??WEB?????????????COOKIES?????б????????????÷???????????????????????????????????????????á??????????????????COOKIES???????SESSION????????????????????SESSIONЧ????????????????????????????????????????????COOKIES????????????????????WEB?????????????????????LEADBBS????к????COOKIES??????????λ??????COOKIES????????ID????????????????????????

 

?????????

??????????MYBROWER???????????????????COOKIES???????????????????λ?á?


?????? ??????????????

 

????????

????Action???????????????????????WEB??????????????????????????????A??B??C??D?????VALUE??100??80??60??40??

 

??????????????Щ?????HTML?????????????????????????VALUE????????ACTION????ACTION??????????

?????????


?????????????????????汣????????????ü??±??????????????VALUE??????????????????

??????????????????????棬???????????л??????檔???????????????index.html????????????????檔??????????б????Щ?????????????????????????????

 

????????????????????????????????????????????????????????????????????????????δ????????????κ???????? <SCRIPT>alert("????!");

?????????????????????????????????????????????????????2000??XP??2003???й?????????????MS?????????????