逐浪cms SQL注入

14-05-31 來源：[db:作者]

收藏我要投稿

逐浪最新版x1.5sql注入

地址

http://demo.zoomla.cn/Customer.aspx

源碼如下

protected void Page_Load(object sender, EventArgs e)

{

    if (base.Request.QueryString["type"] != null)

    {

        if (base.Request.QueryString["type"] == "Seat")

        {

            this.GetSeat();

        }

        if (base.Request.QueryString["type"] == "add")

        {

            this.SetInfo(base.Request.Form.ToString());

        }

        bool flag1 = base.Request.QueryString["type"] == "answer";

        if ((base.Request.QueryString["type"] == "getservice") && (base.Request.QueryString["uid"] != null))

        {

            this.GetServerInfo(base.Request.QueryString["uid"].ToString(), base.Request.Cookies["Provisional"]["Uid"]); //跟進

        }

        if (base.Request.QueryString["type"] == "OnlineUsers")

        {

            this.GetOnlineUsers();

        }

        bool flag2 = base.Request.QueryString["type"] == "CallMe";

        if (base.Request.QueryString["type"] == "msg")

        {

            this.GetMsg(); //跟進

        }

        this.DelUser();

    }

}




private void GetMsg()

{

    StringBuilder builder = new StringBuilder();

    DataTable table = this.bcsbll.Select_Where(" CS_Type=0 and CS_OID=" + base.Request.Cookies["Provisional"]["Uid"], " DISTINCT CS_SendID,CS_SendName ", ""); //沒處理存在注入

    for (int i = 0; i < table.Rows.Count; i++)

    {

        builder.Append(string.Concat(new object[] { table.Rows[i]["CS_SendID"], ",", table.Rows[i]["CS_SendName"], ";" }));

    }

    string s = builder.ToString();

    if (s.EndsWith(";"))

    {

        s = s.Substring(0, s.Length - 1);

    }

    base.Response.Write(s);

}

另一處

private void GetServerInfo(string uid, string sessid)

{

    DataTable customerByUid = this.bcsbll.GetCustomerByUid(DataConverter.CLng(uid), sessid); //跟進

    StringBuilder builder = new StringBuilder();

    if (!string.IsNullOrEmpty(uid) && !string.IsNullOrEmpty(sessid))

    {

        for (int i = 0; i < customerByUid.Rows.Count; i++)

        {

            if (((customerByUid.Rows[i]["CS_OID"] != null) && (sessid == customerByUid.Rows[i]["CS_OID"].ToString())) && (customerByUid.Rows[i]["CS_SendID"].ToString() == sessid))

            {

                builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"], "  你對", customerByUid.Rows[i]["CS_CtoName"], "說：<br />&nbsp;&nbsp;", customerByUid.Rows[i]["CS_Context"], "<br />" }));

            }

            else

            {

                builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"].ToString(), "  ", customerByUid.Rows[i]["CS_SendName"], "對你說：<br />&nbsp;&nbsp;", customerByUid.Rows[i]["CS_Context"], "<br />" }));

            }

        }

    }

    base.Response.Write(builder.ToString());

}




public DataTable GetCustomerByUid(int id, string sessid)

{

    string strSQL = "";

    if (id > 0)

    {

        string str2 = strSQL;

        strSQL = str2 + " (CS_SendID=" + id.ToString() + " or CS_Ctouid=" + id.ToString() + ")";

    }

    if (!string.IsNullOrEmpty(sessid))

    {

        strSQL = strSQL + " and CS_OID='" + sessid + "'"; //沒處理存在注入

    }

    DataTable dt = this.SelectWhere(strSQL, " CS_ID,CS_Context,CS_SendName,CS_SendID,CS_CtoName,CS_AddTime,CS_OID ", " CS_AddTime asc");

    this.updateType(dt, id, sessid);

    return dt;

}

訪問

http://demo.zoomla.cn/

添加cookie值

然后訪問

http://demo.zoomla.cn/Customer.aspx?type=msg

或者訪問

http://demo.zoomla.cn/Customer.aspx?type=getservice&uid=1

cookie構造如下

修復方案：

對cookie進行處理

點擊復制鏈接與好友分享!回本站首頁

相關TAG標簽

上一篇：臺積電：絕大多數7nm客戶都會轉向6nm_IT新聞_博客園

下一篇：最后一頁

熱門專題推薦 vmware win7激活工具 win10激活工具 excel word office激活小馬激活工具重裝系統數據恢復 u盤啟動工具

圖文推薦