另类的注射攻击----cookie注射(图)

====================code==========================
<% if request.cookies("userid")="" or request.cookies("password")="" then //首先要保证我们的cookie中userid和password的值不为空
response.write"<script>alert('没有登陆无法修改！');</Script>"
response.write"<script Language=Javascript>location.href = 'index.asp';</script>"
end if
if request.cookies("oktt")="yes" then
response.write"<script>alert('网吧用户无权进入！');</Script>"
response.write"<script Language=Javascript>location.href = 'index.asp';</script>"
end if
dim rs
dim sql
set rs=server.createobject("adodb.recordset")
sql="select * from users where userid='"&request.cookies("userid")&"' and password='"&request.cookies("password")&"'" //sql语句中可以看到userid和password的查询是来自客户端的cookie,并且没有验证
rs.open sql,conn,1,3
id=rs("id")
userid=rs("userid")
password=rs("password")
name=rs("name")
email=rs("email")
sex=rs("sex")
Province=rs("Province")
dat=rs("date")
%>
====================code==========================
通过上面的简要分析我们可以知道,userid和password并没有过滤,userid和password全来自客户端的cookie,所以我们只要在客户端中的cookie构造注射语句就可以进行注射.
怎么利用这里暂不介绍,下面会提到.
朋友告诉我,有一个站www.chinaxxx.net其member.asp存在cookie注射漏洞,其权限为sa.
二、渗透之旅
下面为其member.asp的代码:
====================code==========================
<%
 Response.CacheControl = "no-cache"
 Email = Request.Cookies("Email")
 Userid = Request.Cookies("Userid")

 if Len(Email)=0 then Response.Redirect "login.htm"
%>

<%

if Len(Email)>3 then
 set objConn = Server.CreateObject("ADODB.Connection")
 objConn.Open strQ

 strQ = "select * from tb_users where usertype>0 and email='" &Email & "' and Userid=" &Userid
 set objRs = Server.CreateObject("ADODB.Recordset")

 objRs.Open strQ,objConn,1,3
 if not objRs.EOF then
  ExpDays = DateDiff("d",now(),objRs("expdate"))
  ExpDate = FormatDateTime(objRs("expdate"),2)
  Username = objRs("Username")

  if ExpDays <=0 then
   objRs("usertype") = 3
   ExpDays = 0
  else
   objRs("usertype") = 9
  end if

  objRs.Update
%>
====================code==========================