|
以下是某网站处理输入后返回的错误提示信息,其中红色加粗的为可输入的部分(转为纯文本后加粗格式已丢失,应为语句中四处出现的 <script>…</script> 字符串)。
我试了一些我知道的方法不能奏效,还请各位发表高见!我将参照各位提供的方法进行实验,成功了我就把好消息告诉大家!
数据库貌似是Oracle的(语句中用到了 decode 和 start with … connect by prior 这类 Oracle 特有的语法)
错误提示为不能执行以下SQL语句(页面把完整语句连同拼接进去的输入原样回显;语句末尾似乎被截断,外层括号没有闭合;decode 中的两个中文字面量是编码错乱,原文应为“活动”和“关闭”):
select count(*) as cnt from ( select d.org_name as master_org,o.org_id,o.org_name as org_name,o.linkman as linkman,o.email as email,o.tel as tel, decode(o.org_status_id,'1','娲诲姩','鍏抽棴') as org_status,'<div class=orgstauts org_id='||o.org_id||' status_id='||o.org_status_id||' org_name='||o.org_name||'></div>' as operate from asp_config.site s,mem_organization o,(select org_id,org_name from mem_organization start with org_id = '11073' connect by prior org_id=parent_org_id) d where d.org_id=s.org_id and o.siteno=s.siteno and o.org_name like '%''<script>alert('xss hole #n');</script>%' and o.org_id= any (select client_org_id from mem_org_client_rela where org_id='''<script>alert('xss hole #n');</script>') and o.org_status_id = '''<script>alert('xss hole #n');</script>' and o.org_id = any (select org_id from mem_org_app_rela where version= '''<script>alert('xss hole #n');</script>') |
|