Xianyou Travel Website Management System v1.0 SQL Injection Vulnerability

Author: hack1990 Date: 12-03-11 Views: 570

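"Xianyou Travel Agency Website System" is an integrated online management system custom-developed for travel agencies, combining tour routes, hotels, scenic spots, air tickets, extended services, car rental and other functional modules in one package. It is in a leading position among comparable products at home and abroad in stability, code optimization, runtime efficiency, load capacity, security level, functional controllability and strictness of permissions.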

Official website: http://www.lxscms.com

Default database: ./admin/#a&_as12=b.as.mdb

Vulnerable file: line_list.asp

<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%><!--#include file="conn.asp"--><!--#include file="sub_top_foot.asp"--><%
sid = trim(request("sid"))
bid = trim(request("bid"))
key = trim(request("s"))
tid = trim(request("tid"))
mdd = trim(request("mdd"))
sminame = "旅游线路 >> "
sminameurl = "<a href='line_list.asp'>旅游线路</a> >> "
meattitle = sminame
response.write htmlheader(""& meattitle &"","","","","")
response.write "<div class=""container"">"
response.write topheader
response.write "<div class=""container1"">"
response.write header("4",""& sid &"","","","")
response.write "<div id=""main""><div id=""main_l"">"
response.write new_zhixuns
response.write newline("4","","","","")
response.write ads("2","img","images/ad/ad01.gif","205","55")
response.write left_linelei("4","","","","")
response.write "</div>"
response.write "<div id=""main_r""><div class=""borders""><h2 class=""snav8"">"&sminameurl&"</h2><div class=""newslists"">"
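' sid, tid, mdd and key come straight from the request (see the top of the file)
' and are concatenated into the WHERE fragments below without validation.
if sid<>"" then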
swhere = " and smallid="& sid &""
else
swhere = ""
end if  
if tid<>"" then
tdwhere = " and tian="& tid &""
else
tdwhere = ""
end if  
if mdd<>"" then
mddwhere = " and mudidi='"& mdd &"'"
else
mddwhere = ""
end if  
if key<>"" then
kwhere = " and (title like '%"& key &"%' or shuomin like '%"& key &"%' or jindian like '%"& key &"%' or xinchen like '%"& key &"%' or beizhu like '%"& key &"%')"
else
kwhere = ""
end if
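' The final statement is built purely by string concatenation, so request input becomes part of the SQL text.
idsql="select * from lxscms_l where shenhe=1"& mddwhere & tdwhere & swhere & kwhere &" order by id desc"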
set rs=server.CreateObject("adodb.recordset")
rs.open idsql,conn,1,1  
if rs.eof and rs.eof then
response.write "<p class=""datanull"">没有找到任何相关信息</p>"
else
Dim page,recordsperpage
recordsperpage=10
call intpage("")
response.write("<div class=""pro_data"">" & vbcrlf)
response.write("<table cellpadding=""0"" cellspacing=""0"" class=""ttable2"">")
Do While rs.Eof=False and recordsperpage>0
response.write("<tr class=""tb_tr1"" onMouseOver=""this.className='tb_tr2'"" onMouseOut=""this.className='tb_tr1'"">" & vbcrlf)
response.write("<td class=""tb2_td1""><a href=""line.asp?id="&rs("id")&""" title="""&rs("title")&"""><img src="""&imgsrcok(rs("img"),"images/wuimg.jpg")&"""></a></td>" & vbcrlf)
response.write("<td class=""tb2_td2""><span><a href=""line.asp?id="&rs("id")&""" title="""&rs("title")&""">"&rs("title")&"</a></span></td>" & vbcrlf)
response.write("<td class=""tb2_td3"">网订价:<span class='yd1'>¥"&rs("wsjiage")&"</span><br />" & vbcrlf)
response.write("门市价:<span class='yd2'>¥"&rs("baojaiss")&"</span></td>" & vbcrlf)
response.write("<td class=""tb2_td4"">出发地:"&rs("chuafadi")&"<br />目的地:"&rs("mudidi")&"</td>" & vbcrlf)
response.write("<td class=""tb2_td5""><a href=""line.asp?id="&rs("id")&""" title="""&rs("title")&""" target=""_blank"">查阅全文...</a></td>" & vbcrlf)
response.write("</tr>")
recordsperpage=recordsperpage-1
rs.MoveNext
Loop
response.write("</table></div>")
response.write gotogape("line_list.asp?s="&key&"&sid="&sid&"&bid="&bid&"&","","","")
end if
closer(rs)
response.write "</div></div></div><div class='clear1'></div>"
response.write footer("1","","","","")
response.write "</div></div></div>"
response.write footer_bei("1","","")
closer(conn)
bodyhtml
%>

Insufficient filtering of the request parameters directly causes the vulnerability. Default table name: lxscms_u; column names: qwbmuname, qwbmupwds
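
A hardened form of the query construction in line_list.asp, added here as an example (it is not code from the vendor or from the original post): the numeric parameters are validated and every value is bound through an ADODB.Command instead of being concatenated into the SQL text. The helpers ToIdOrNull and AddParam, the 50-character length limit and the column types are assumptions; conn is the connection opened by conn.asp.

```vbscript
<%
' Added example: parameterized replacement for the idsql concatenation.
' Assumes conn is the open ADODB.Connection from conn.asp.
Const adInteger = 3, adVarWChar = 202, adParamInput = 1

' Hypothetical helper: accept only 1-9 decimal digits, otherwise return Null.
Function ToIdOrNull(v)
    Dim re : Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(v) Then ToIdOrNull = CLng(v) Else ToIdOrNull = Null
End Function

' Hypothetical helper: bind one input value; order must match the ? placeholders.
Sub AddParam(cmd, dataType, size, value)
    cmd.Parameters.Append cmd.CreateParameter("", dataType, adParamInput, size, value)
End Sub

Dim cmd, sql, i, likeKey
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
sql = "select * from lxscms_l where shenhe=1"

mdd = Left(Trim(Request("mdd")), 50)
If mdd <> "" Then
    sql = sql & " and mudidi=?"
    AddParam cmd, adVarWChar, 50, mdd
End If
tid = ToIdOrNull(Trim(Request("tid")))
If Not IsNull(tid) Then
    sql = sql & " and tian=?"
    AddParam cmd, adInteger, 4, tid
End If
sid = ToIdOrNull(Trim(Request("sid")))
If Not IsNull(sid) Then
    sql = sql & " and smallid=?"
    AddParam cmd, adInteger, 4, sid
End If
key = Left(Trim(Request("s")), 50)
If key <> "" Then
    sql = sql & " and (title like ? or shuomin like ? or jindian like ? or xinchen like ? or beizhu like ?)"
    likeKey = "%" & key & "%"
    For i = 1 To 5
        AddParam cmd, adVarWChar, 52, likeKey
    Next
End If
cmd.CommandText = sql & " order by id desc"
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , 1, 1   ' same cursor and lock type as the original rs.open call
%>
```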

 

Default admin panel: /admin

by: hack情
