来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 逐浪最新版x1 5sql注入地址http: demo zoomla cn Customer aspx源码如下protected void Page_Load(object sender, EventArgs e){ if (base Request QueryString[type] != null) {...
|
逐浪最新版x1.5sql注入
地址
http://demo.zoomla.cn/Customer.aspx
源码如下
protected void Page_Load(object sender, EventArgs e)
{
if (base.Request.QueryString["type"] != null)
{
if (base.Request.QueryString["type"] == "Seat")
{
this.GetSeat();
}
if (base.Request.QueryString["type"] == "add")
{
this.SetInfo(base.Request.Form.ToString());
}
bool flag1 = base.Request.QueryString["type"] == "answer";
if ((base.Request.QueryString["type"] == "getservice") && (base.Request.QueryString["uid"] != null))
{
this.GetServerInfo(base.Request.QueryString["uid"].ToString(), base.Request.Cookies["Provisional"]["Uid"]); //跟进
}
if (base.Request.QueryString["type"] == "OnlineUsers")
{
this.GetOnlineUsers();
}
bool flag2 = base.Request.QueryString["type"] == "CallMe";
if (base.Request.QueryString["type"] == "msg")
{
this.GetMsg(); //跟进
}
this.DelUser();
}
}
private void GetMsg()
{
StringBuilder builder = new StringBuilder();
DataTable table = this.bcsbll.Select_Where(" CS_Type=0 and CS_OID=" + base.Request.Cookies["Provisional"]["Uid"], " DISTINCT CS_SendID,CS_SendName ", ""); //没处理存在注入
for (int i = 0; i < table.Rows.Count; i++)
{
builder.Append(string.Concat(new object[] { table.Rows[i]["CS_SendID"], ",", table.Rows[i]["CS_SendName"], ";" }));
}
string s = builder.ToString();
if (s.EndsWith(";"))
{
s = s.Substring(0, s.Length - 1);
}
base.Response.Write(s);
}
另一处
private void GetServerInfo(string uid, string sessid)
{
DataTable customerByUid = this.bcsbll.GetCustomerByUid(DataConverter.CLng(uid), sessid); //跟进
StringBuilder builder = new StringBuilder();
if (!string.IsNullOrEmpty(uid) && !string.IsNullOrEmpty(sessid))
{
for (int i = 0; i < customerByUid.Rows.Count; i++)
{
if (((customerByUid.Rows[i]["CS_OID"] != null) && (sessid == customerByUid.Rows[i]["CS_OID"].ToString())) && (customerByUid.Rows[i]["CS_SendID"].ToString() == sessid))
{
builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"], " 你对", customerByUid.Rows[i]["CS_CtoName"], "说:<br /> ", customerByUid.Rows[i]["CS_Context"], "<br />" }));
}
else
{
builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"].ToString(), " ", customerByUid.Rows[i]["CS_SendName"], "对你说:<br /> ", customerByUid.Rows[i]["CS_Context"], "<br />" }));
}
}
}
base.Response.Write(builder.ToString());
}
public DataTable GetCustomerByUid(int id, string sessid)
{
string strSQL = "";
if (id > 0)
{
string str2 = strSQL;
strSQL = str2 + " (CS_SendID=" + id.ToString() + " or CS_Ctouid=" + id.ToString() + ")";
}
if (!string.IsNullOrEmpty(sessid))
{
strSQL = strSQL + " and CS_OID='" + sessid + "'"; //没处理存在注入
}
DataTable dt = this.SelectWhere(strSQL, " CS_ID,CS_Context,CS_SendName,CS_SendID,CS_CtoName,CS_AddTime,CS_OID ", " CS_AddTime asc");
this.updateType(dt, id, sessid);
return dt;
}
访问
http://demo.zoomla.cn/
添加cookie值
 然后访问
http://demo.zoomla.cn/Customer.aspx?type=msg
 或者访问
http://demo.zoomla.cn/Customer.aspx?type=getservice&uid=1
cookie构造如下
 修复方案:
对cookie进行处理
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
