Digital Campus2.0数字校园平台 classpubliccourse.aspx FullName参数SQL注入漏洞

2016-05-24T00:00:00
ID SSV:91654
Type seebug
Reporter fly520
Modified 2016-05-24T00:00:00

Description

文件:/code/teach/coursecenter/classpubliccourse.aspx

代码: code 区域 private void CheckCourse()

{

// Handler quoted by the advisory as the vulnerable code path. It reads two request
// values, hands them to PublicCourseManager.CheckCourse, and writes a success or
// failure literal to the response depending on the returned number.
// Nothing in this method validates or constrains either value before it is passed on.
// NOTE(review): the SQL statement itself is built inside PublicCourseManager.CheckCourse,
// which is not shown here. The durable fix belongs there: bind paramID and FullName
// as query parameters instead of placing them into the SQL text.

PublicCourseManager publicCourseManager = new PublicCourseManager();

// GetRequest is a base-class helper that is not shown; the advisory states that its
// filtering is not strict enough to make the returned string safe for use in SQL.
string request = base.GetRequest("paramID");

string request2 = base.GetRequest("FullName");   // Filtering is not strict enough; the result below is declared as int, but this is a string-type SQL injection point.

// The first argument is passed as null; its meaning is not visible from this listing.
// NOTE(review): num is presumably a count of matching rows - confirm against the manager.
int num = publicCourseManager.CheckCourse(null, request, request2);

// Any positive result is reported as success, everything else as failure.
if (num > 0)

{

    base.Response.Write("{success:true}");

}

else

{

    base.Response.Write("{success:false}");

}

}