1.漏洞代码。 在Bin\UserCenter.Pages.dll文件中,UserCenter.BackgroundPages.Modal.UserView类的Page_Load方法中,可以见到如下代码: ``` public void Page_Load(object sender, EventArgs e) { string text = base.Request.QueryString["UserName"]; //获取UserName bool flag2; bool flag = (flag2 ? 1u : 0u) > 4294967295u; ArrayList arrayList; if (!flag) { if (3 != 0) { this.xb9335f5bbebb5da2 = UserDataProvider.get_UserDAO().GetUserInfo(text); //传入GetUserInfo函数 if (2 != 0) { } ArrayList relatedIdentities = UserManager.GetRelatedIdentities(this.xb9335f5bbebb5da2.get_TypeID()); ArrayList tableStyleInfoArrayList = TableStyleManager.GetTableStyleInfoArrayList(11, ............................................................................................ } ``` 接着看看UserCenter.Provider.dll\UserCenter.Provider.Data.SqlServer/UserDAO.cs下的GetUserInfo函数 : ``` public UserInfo GetUserInfo(string userName) { UserInfo userInfo = null; UserInfo result; if (15 != 0) { while (!string.IsNullOrEmpty(userName)) { string text =...
1.漏洞代码。 在Bin\UserCenter.Pages.dll文件中,UserCenter.BackgroundPages.Modal.UserView类的Page_Load方法中,可以见到如下代码(反编译结果,其中 `bool flag2; bool flag = (flag2 ? 1u : 0u) > 4294967295u;`、`if (3 != 0)`、`if (2 != 0)` 这类恒真/恒假分支是混淆器留下的无效代码,不影响数据流,可以忽略): ``` public void Page_Load(object sender, EventArgs e) { string text = base.Request.QueryString["UserName"]; //获取UserName bool flag2; bool flag = (flag2 ? 1u : 0u) > 4294967295u; ArrayList arrayList; if (!flag) { if (3 != 0) { this.xb9335f5bbebb5da2 = UserDataProvider.get_UserDAO().GetUserInfo(text); //传入GetUserInfo函数 if (2 != 0) { } ArrayList relatedIdentities = UserManager.GetRelatedIdentities(this.xb9335f5bbebb5da2.get_TypeID()); ArrayList tableStyleInfoArrayList = TableStyleManager.GetTableStyleInfoArrayList(11, ............................................................................................ } ``` 可以看到,查询字符串参数 UserName 被原样读入 text 后,没有任何校验或转义就直接传给了 GetUserInfo。 接着看看UserCenter.Provider.dll\UserCenter.Provider.Data.SqlServer/UserDAO.cs下的GetUserInfo函数 : ``` public UserInfo GetUserInfo(string userName) { UserInfo userInfo = null; UserInfo result; if (15 != 0) { while (!string.IsNullOrEmpty(userName)) { string text = string.Format("WHERE UserName = '{0}'", userName); //直接拼接sql语句,没有任何过滤 if (4 != 0) { string selectSqlString = BaiRongDataProvider.get_TableStructureDAO().GetSelectSqlString("bairong_Users", "*", text); IDataReader dataReader = base.ExecuteReader(selectSqlString); bool flag; try { flag = !dataReader.Read(); if (flag) { goto IL_C4; } ....................................................................................... ``` 这里用 string.Format 把 userName 直接嵌进单引号之间拼出 WHERE 子句,既没有转义也没有使用 SqlParameter;GetSelectSqlString 再把这段 WHERE 子句拼成完整的 SELECT 语句,最后由 ExecuteReader 直接执行。唯一的检查是 string.IsNullOrEmpty,它只排除空值,对注入毫无作用。 2.漏洞构造 GetUserInfo没有过滤参数,Page_Load也没有过滤参数,用户可控的 UserName 从 QueryString 一路未经处理地进入 SQL 语句,导致了sql注入。构造“siteserver/userRole/modal_UserView.aspx?UserName=a' or[areaid]>db_name()--”即可测试是否存在注入:其中 `a'` 闭合原有的字符串字面量,`or [areaid]>db_name()` 追加一个必定被求值的比较,`--` 注释掉后面的语句。areaid 一般是整数列,把它与 db_name() 返回的字符串比较会触发隐式类型转换失败;如果页面把 SQL Server 的异常信息回显出来,错误文本中就会带出当前数据库名,这是典型的报错注入(error-based)探测方式;若错误信息未回显,则需要改用布尔盲注或时间盲注来确认。注意:modal_UserView.aspx 是否要求登录、需要何种权限,从这段代码看不出来,实际危害等级取决于该页面的访问控制。 3.修复建议 根本修复是改用参数化查询,例如把 WHERE 子句写成 `WHERE UserName = @UserName`,并通过 SqlParameter 传入 userName,而不是用 string.Format 拼接;仅靠替换单引号等黑名单过滤不足以可靠防御。同时应关闭生产环境中的详细错误回显,避免数据库异常信息直接暴露给用户。