来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 第三个注入存在usercenter platform user aspx用 NET Reflector 反编译UserCenter Pages dll这个文件查看代码如下:if (!string IsNullOrEmpty(base Request QueryString[Lock])) {...
第三个注入存在usercenter/platform/user.aspx
用.NET Reflector 反编译UserCenter.Pages.dll这个文件
查看代码如下: if (!string.IsNullOrEmpty(base.Request.QueryString["Lock"])) { str = base.Request.QueryString["UserNameCollection"]; userNameArrayList = TranslateUtils.StringCollectionToArrayList(str); UserDataProvider.UserDAO.Lock(userNameArrayList, true); LogUtils.AddLog("用户:" + UserDataProvider.UserDAO.CurrentUserName, "锁定用户", string.Format("用户:{0}", str)); } Lock不为空即可,UserNameCollection就带入了UserDataProvider.UserDAO.Lock函数内 public void Lock(ArrayList userNameArrayList, bool isLockOut) { string commandText = string.Format("UPDATE bairong_Users SET IsLockedOut = '{0}' WHERE [UserName] IN ({1})", isLockOut.ToString(), TranslateUtils.ObjectCollectionToSqlInStringWithQuote(userNameArrayList)); base.ExecuteNonQuery(commandText); UserManager.Clear(); }
第四个注入存在/siteserver/bbs/background_keywordsFilting.aspx 用.NET Reflector 反编译SiteServer.BBS.dll这个文件 查看代码如下: this.spContents.ItemsPerPage = 20; this.spContents.ConnectionString = DataProvider.ConnectionString; this.spContents.SelectCommand = DataProvider.KeywordsFilterDAO.GetSelectCommend(ConvertHelper.GetInteger(base.Request.QueryString["grade"]), ConvertHelper.GetInteger(base.Request.QueryString["categoryid"]), ConvertHelper.GetString(base.Request.QueryString["keyword"])); this.spContents.SortField = "Taxis"; if ((((uint) num) | 15) == 0) { goto Label_00A0; } this.spContents.SortMode = SortMode.ASC; this.btnDelAll.Attributes.Add("onclick", "return checkstate('myform','删除');"); isPostBack = base.Request.QueryString["Delete"] == null; goto Label_00D8;
public string GetSelectCommend(int grade, int categoryid, string keyword) { string str; StringBuilder builder = new StringBuilder(); builder.Append("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID !=0 "); bool flag = grade == 0; goto Label_00D6; Label_0095: flag = string.IsNullOrEmpty(keyword); if (!flag) { builder.Append(" AND Name like '%" + keyword + "%'"); if ((((uint) categoryid) | uint.MaxValue) != 0) { } } builder.Append(" ORDER BY Taxis DESC"); if ((((uint) categoryid) + ((uint) categoryid)) <= uint.MaxValue) { if (((uint) grade) <= uint.MaxValue) { return builder.ToString(); } goto Label_00D6; } Label_00AA: builder.Append(" AND CategoryID=" + categoryid); if (((uint) categoryid) <= uint.MaxValue) { goto Label_0095; } return str; Label_00D6: if (!flag) { builder.Append(" AND Grade=" + grade); } flag = categoryid == 0; if (flag) { goto Label_0095; } goto Label_00AA; }
修复方案: 第五个注入存在/siteserver/userRole/background_administrator.aspx 用.NET Reflector 反编译UserCenter.Pages.dll这个文件 查看代码如下: this.spContents.SelectCommand = UserDataProvider.AdministratorDAO.GetSelectCommand(base.Request.QueryString["Keyword"], base.Request.QueryString["RoleName"], TranslateUtils.ToInt(base.Request.QueryString["LastActivityDate"]), PermissionsManager.Current.IsConsoleAdministrator, AdminManager.Current.UserName, num, TranslateUtils.ToInt(base.Request.QueryString["AreaID"])); this.spContents.SortField = base.Request.QueryString["Order"]; isPostBack = !StringUtils.EqualsIgnoreCase(this.spContents.SortField, "UserName"); if (0xff == 0) { goto Label_0624; } goto Label_07B8; 注意RoleName和Keyword str = string.Empty; bool flag = string.IsNullOrEmpty(roleName); if (!flag) { flag = builder.Length <= 0; } else { string str3; if (builder.Length <= 0) { goto Label_000D; } str = string.Format("WHERE {0}", builder.ToString()); if (0 == 0) { goto Label_000D; } return str3; } if (!flag) { str = string.Format("AND {0}", builder.ToString()); if ((((uint) areaID) + ((uint) areaID)) > uint.MaxValue) { goto Label_000D; } } str = string.Format("WHERE (UserName IN (SELECT UserName FROM bairong_AdministratorsInRoles WHERE RoleName = '{0}')) {1}", roleName, str); goto Label_000D;
builder.AppendFormat("(UserName LIKE '%{0}%' OR EMAIL LIKE '%{0}%' OR DisplayName LIKE '%{0}%')", searchWord);
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com