
siteserver最新版3.6.4 sql inject 第十蛋 - 网站安全

来源:自学PHP网    时间:2015-04-16 23:15 作者: 阅读:

[导读] 第11个注入存在 siteserver cms console_logSite aspx用 NET Reflector 反编译SiteServer CMS dll这个文件查看代码如下:public void Page_Load(object sender, EventArgs E){ int num; E...

第11个注入存在/siteserver/cms/console_logSite.aspx
 
用.NET Reflector 反编译SiteServer.CMS.dll这个文件
 
查看代码如下:
 
// Page load handler for the log list page, as decompiled with .NET Reflector.
// It configures the paging control (spContents) and chooses the SQL text that the
// control will run. The listing is cut short by the article: it ends at the jump
// to Label_068A, and neither that label nor the method's closing brace is shown.
//
// Security-relevant point: when the "UserName" query-string key is present, five
// query-string values are handed to LogDAO.GetSelectCommend exactly as received.
// Nothing in this method validates, escapes or type-checks them.
public void Page_Load(object sender, EventArgs E)

{

    int num;

    Exception exception;

    bool isPostBack;

    int publishmentSystemID;

    this.spContents.ControlToPaginate = this.rptContents;

    // The sum of two uint values is never negative, so this condition always holds.
    // 'num' is never assigned in the visible code; this looks like an obfuscator or
    // decompiler artifact rather than real logic.
    if ((((uint) num) + ((uint) num)) >= 0)

    {

        // 0x19 == 25 rows per page.
        this.spContents.ItemsPerPage = 0x19;

        this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;

        // Despite the decompiler-chosen name, this flag only records whether the
        // request carries a "UserName" query-string key (i.e. a filtered search).
        isPostBack = base.Request.QueryString["UserName"] != null;

        if (!isPostBack)

        {

            // Unfiltered listing: parameterless overload (its body is not shown on this page).
            this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend();

        }

        else

        {

            // Untrusted input reaches the SQL builder here: LogType, UserName, Keyword,
            // DateFrom and DateTo come straight from the URL. The returned string becomes
            // SelectCommand, so any quoting mistake in GetSelectCommend is an injection.
            // NOTE(review): a fix belongs at this boundary and in the DAO - bind the values
            // as SQL parameters, and parse the dates / restrict LogType to known values.
            this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend(base.PublishmentSystemID, base.Request.QueryString["LogType"], base.Request.QueryString["UserName"], base.Request.QueryString["Keyword"], base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]);

        }

        this.spContents.SortField = "ID";

        this.spContents.SortMode = SortMode.DESC;

        // Jump target is outside the excerpt shown in the article.
        goto Label_068A;

    }

 

 
 
 
 
上面这几个 QueryString 参数在 Page_Load 中未经任何处理,直接传入下面的 GetSelectCommend:
 
 
 
// Builds the SELECT statement for the siteserver_Log listing and returns it as a
// plain string: a fixed column list followed by whatever text 'builder' holds.
// This is an obfuscated decompile and the article elides part of the body, so the
// initialisation of 'builder' and several jump targets (Label_0475, Label_046C,
// Label_013D, Label_029C) are not visible here.
//
// Parameters: publishmentSystemID is an int; logType, userName, keyword, dateFrom
// and dateTo are strings that the caller shown on this page takes from the query string.
//
// Security-relevant point: the visible fragment formats userName directly into a
// single-quoted SQL literal. The method has no way to return bound parameters, so
// any filter value placed in the text this way is an SQL injection sink.
public string GetSelectCommend(int publishmentSystemID, string logType, string userName, string keyword, string dateFrom, string dateTo)

{

    // This item is obfuscated and can not be translated.

    StringBuilder builder;

    bool flag;

    bool flag2;

    // A non-zero site id always goes to the filter-building path (Label_0475, not shown).
    if (publishmentSystemID != 0)

    {

        goto Label_0475;

    }

    // Obfuscated form of: "if logType is set and is not 'All', build filters".
    // The loop body runs at most once - see the notes on the two inner conditions.
    while (!string.IsNullOrEmpty(logType))

    {

        if (!StringUtils.EqualsIgnoreCase(logType, "All"))

        {

            goto Label_0475;

        }

        // Constant-false condition (3 is never 0): dead branch left by the obfuscator.
        if (3 == 0)

        {

            goto Label_0016;

        }

        // A uint is never negative, so this always breaks out of the loop.
        if (((uint) publishmentSystemID) >= 0)

        {

            break;

        }

    }

    // Any user-name or keyword filter also selects the filter-building path.
    if (!string.IsNullOrEmpty(userName) || !string.IsNullOrEmpty(keyword))

    {

        goto Label_0475;

    }

    goto Label_046C;

Label_0010:

    if (!flag2)

    {

        goto Label_013D;

    }

Label_0016:

    // The final command text is produced by string concatenation; presumably 'builder'
    // carries the WHERE clause assembled in the elided part - confirm against the full decompile.
    return ("SELECT ID, PublishmentSystemID, ChannelID, ContentID, UserName, IPAddress, AddDate, Action, Summary FROM siteserver_Log " + builder.ToString());



// (The article omits the rest of the decompiled body at this point.)
......

Label_02C8:

    flag = true;

    // Injection sink: userName is placed between single quotes with no escaping and no
    // parameter binding, so a quote character in the value ends the literal early.
    // NOTE(review): the fix is a parameterized command (e.g. a @UserName parameter
    // supplied separately from the command text), not quote-stripping on the input.
    builder.AppendFormat("(UserName = '{0}')", userName);

Label_02DD:

    flag2 = string.IsNullOrEmpty(keyword);

    goto Label_029C;





}

 

 
 
 
 
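几个 Request.QueryString["xxx"] 参数都是可注入点:从上面贴出的片段可以看到,userName 被 AppendFormat 直接拼进 SQL 语句的单引号之间,既没有转义也没有使用参数化查询。修复时应改用参数化查询,并对 LogType、DateFrom、DateTo 这类取值范围固定的参数做类型或白名单校验。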
