Source: 自学PHP网 Date: 2015-04-16 23:15
The third injection is in usercenter/platform/user.aspx.
Decompile UserCenter.Pages.dll with .NET Reflector.
The code is as follows:

    if (!string.IsNullOrEmpty(base.Request.QueryString["Lock"]))
    {
        // UserNameCollection is taken straight from the query string
        str = base.Request.QueryString["UserNameCollection"];
        userNameArrayList = TranslateUtils.StringCollectionToArrayList(str);
        UserDataProvider.UserDAO.Lock(userNameArrayList, true);
        LogUtils.AddLog("用户:" + UserDataProvider.UserDAO.CurrentUserName, "锁定用户", string.Format("用户:{0}", str));
    }

Lock only has to be non-empty; UserNameCollection is then passed into the UserDataProvider.UserDAO.Lock function:

    public void Lock(ArrayList userNameArrayList, bool isLockOut)
    {
        // The user name list is formatted directly into the SQL text
        string commandText = string.Format("UPDATE bairong_Users SET IsLockedOut = '{0}' WHERE [UserName] IN ({1})", isLockOut.ToString(), TranslateUtils.ObjectCollectionToSqlInStringWithQuote(userNameArrayList));
        base.ExecuteNonQuery(commandText);
        UserManager.Clear();
    }

The fourth injection is in /siteserver/bbs/background_keywordsFilting.aspx.
Decompile SiteServer.BBS.dll with .NET Reflector.
The code is as follows:

    this.spContents.ItemsPerPage = 20;
    this.spContents.ConnectionString = DataProvider.ConnectionString;
    this.spContents.SelectCommand = DataProvider.KeywordsFilterDAO.GetSelectCommend(ConvertHelper.GetInteger(base.Request.QueryString["grade"]), ConvertHelper.GetInteger(base.Request.QueryString["categoryid"]), ConvertHelper.GetString(base.Request.QueryString["keyword"]));
    this.spContents.SortField = "Taxis";
    if ((((uint) num) | 15) == 0)
    {
        goto Label_00A0;
    }
    this.spContents.SortMode = SortMode.ASC;
    this.btnDelAll.Attributes.Add("onclick", "return checkstate('myform','删除');");
    isPostBack = base.Request.QueryString["Delete"] == null;
    goto Label_00D8;

    public string GetSelectCommend(int grade, int categoryid, string keyword)
    {
        string str;
        StringBuilder builder = new StringBuilder();
        builder.Append("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID !=0 ");
        bool flag = grade == 0;
        goto Label_00D6;
    Label_0095:
        flag = string.IsNullOrEmpty(keyword);
        if (!flag)
        {
            // keyword is concatenated into the LIKE clause as-is
            builder.Append(" AND Name like '%" + keyword + "%'");
            if ((((uint) categoryid) | uint.MaxValue) != 0)
            {
            }
        }
        builder.Append(" ORDER BY Taxis DESC");
        if ((((uint) categoryid) + ((uint) categoryid)) <= uint.MaxValue)
        {
            if (((uint) grade) <= uint.MaxValue)
            {
                return builder.ToString();
            }
            goto Label_00D6;
        }
    Label_00AA:
        builder.Append(" AND CategoryID=" + categoryid);
        if (((uint) categoryid) <= uint.MaxValue)
        {
            goto Label_0095;
        }
        return str;
    Label_00D6:
        if (!flag)
        {
            builder.Append(" AND Grade=" + grade);
        }
        flag = categoryid == 0;
        if (flag)
        {
            goto Label_0095;
        }
        goto Label_00AA;
    }

Remediation:
The fifth injection is in /siteserver/userRole/background_administrator.aspx.
Decompile UserCenter.Pages.dll with .NET Reflector.
The code is as follows:

    this.spContents.SelectCommand = UserDataProvider.AdministratorDAO.GetSelectCommand(base.Request.QueryString["Keyword"], base.Request.QueryString["RoleName"], TranslateUtils.ToInt(base.Request.QueryString["LastActivityDate"]), PermissionsManager.Current.IsConsoleAdministrator, AdminManager.Current.UserName, num, TranslateUtils.ToInt(base.Request.QueryString["AreaID"]));
    this.spContents.SortField = base.Request.QueryString["Order"];
    isPostBack = !StringUtils.EqualsIgnoreCase(this.spContents.SortField, "UserName");
    if (0xff == 0)
    {
        goto Label_0624;
    }
    goto Label_07B8;

Note RoleName and Keyword:

    str = string.Empty;
    bool flag = string.IsNullOrEmpty(roleName);
    if (!flag)
    {
        flag = builder.Length <= 0;
    }
    else
    {
        string str3;
        if (builder.Length <= 0)
        {
            goto Label_000D;
        }
        str = string.Format("WHERE {0}", builder.ToString());
        if (0 == 0)
        {
            goto Label_000D;
        }
        return str3;
    }
    if (!flag)
    {
        str = string.Format("AND {0}", builder.ToString());
        if ((((uint) areaID) + ((uint) areaID)) > uint.MaxValue)
        {
            goto Label_000D;
        }
    }
    str = string.Format("WHERE (UserName IN (SELECT UserName FROM bairong_AdministratorsInRoles WHERE RoleName = '{0}')) {1}", roleName, str);
    goto Label_000D;

    builder.AppendFormat("(UserName LIKE '%{0}%' OR EMAIL LIKE '%{0}%' OR DisplayName LIKE '%{0}%')", searchWord);
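
For comparison with the Lock and GetSelectCommend functions shown above, here is a parameterized form of the same two statements. This is an added example, not SiteServer's own code or fix; the class and method names, the use of System.Data.SqlClient and the NVARCHAR(255) column sizes are assumptions.

```csharp
// Added example, not SiteServer code. Assumes System.Data.SqlClient and NVARCHAR(255) columns.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class SafeQueries
{
    // Counterpart of UserDAO.Lock: one bound parameter per user name.
    public static SqlCommand BuildLockCommand(IList<string> userNames, bool isLockOut)
    {
        if (userNames == null || userNames.Count == 0)
            throw new ArgumentException("no user names supplied");
        var cmd = new SqlCommand();
        var placeholders = new List<string>();
        for (int i = 0; i < userNames.Count; i++)
        {
            placeholders.Add("@u" + i);
            cmd.Parameters.Add("@u" + i, SqlDbType.NVarChar, 255).Value = userNames[i];
        }
        // Same "True"/"False" text the original formats into the statement, now sent as data.
        cmd.Parameters.Add("@locked", SqlDbType.NVarChar, 5).Value = isLockOut.ToString();
        cmd.CommandText = "UPDATE bairong_Users SET IsLockedOut = @locked WHERE [UserName] IN ("
            + string.Join(", ", placeholders.ToArray()) + ")";
        return cmd;
    }

    // Counterpart of GetSelectCommend: values are bound and LIKE wildcards in keyword are escaped.
    public static SqlCommand BuildKeywordFilterCommand(int grade, int categoryId, string keyword)
    {
        var cmd = new SqlCommand();
        string sql = "SELECT * FROM bbs_KeywordsFilter WHERE CategoryID != 0";
        if (grade != 0) { sql += " AND Grade = @grade"; cmd.Parameters.Add("@grade", SqlDbType.Int).Value = grade; }
        if (categoryId != 0) { sql += " AND CategoryID = @cat"; cmd.Parameters.Add("@cat", SqlDbType.Int).Value = categoryId; }
        if (!string.IsNullOrEmpty(keyword))
        {
            string escaped = keyword.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
            sql += " AND Name LIKE @kw";
            cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 255).Value = "%" + escaped + "%";
        }
        cmd.CommandText = sql + " ORDER BY Taxis DESC";
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs: "o'brien" and "50%'" each carry a quote that never reaches the SQL text.
        var cmds = new[] { BuildLockCommand(new[] { "alice", "o'brien" }, true), BuildKeywordFilterCommand(0, 3, "50%'") };
        foreach (SqlCommand cmd in cmds)
            Console.WriteLine("{0}  [{1} parameters]", cmd.CommandText, cmd.Parameters.Count);
    }
}
```

The commands still need a connection assigned before execution, and SQL Server accepts at most 2100 parameters per command, so very long user name lists have to be processed in batches.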