### 简要描述:

LebiShop商城系统最新版十一处SQL注入六

### 详细说明:

LebiShop商城系统最新版十一处SQL注入。这里也是需要有商家账号权限：首先注册普通用户账户，然后申请注册商家账户（申请商家用户是默认开放注册的）。

以下代码均位于 Shop.Supplier.Ajax.ajax_config 文件。

第一处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void Bank_Del()
{
    if (!base.Power("supplier_bank_list", "收款账号"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("Fid");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_Supplier_Bank.Delete(string.Concat(new object[]
    {
        "id in (",
        id,//注入产生
        ") and Supplier_id = ",
        this.CurrentSupplier.id
    }));
    Log.Add("删除收款账号", "Bank", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第二处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void BillType_Del()
{
    if (!base.Power("supplier_billtype_list", "发票管理"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("Fid");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_Supplier_BillType.Delete(string.Concat(new object[]
    {
        "id in (",
        id,//注入产生
        ") and Supplier_id = ",
        this.CurrentSupplier.id
    }));
    Log.Add("删除发票类型", "BillType", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第三处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void indeximage_Del()
{
    if (!EX_Admin.Power("indeximage_del", "删除店铺幻灯"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("ids");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_Page.Delete(string.Concat(new object[]
    {
        "id in (",
        id,//注入产生
        ") and Supplier_id=",
        this.CurrentSupplier.id
    }));
    Log.Add("删除店铺幻灯", "Page", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第四处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void Message_Del()
{
    if (!base.Power("supplier_message", "站内信"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("ids");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_Message.Delete(string.Concat(new object[]
    {
        "Supplier_id=",
        this.CurrentSupplier.id,
        " and id in (",
        id,//注入产生
        ")"
    }));
    Log.Add("删除站内信", "Message", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第五处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Del()
{
    if (!base.Power("supplier_servicepanel_list", "客服面板"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("ids");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_ServicePanel.Delete(string.Concat(new object[]
    {
        "Supplier_id = ",
        this.CurrentSupplier.id,
        " and id in (",
        id,//注入产生
        ")"
    }));
    Log.Add("删除客服成员", "ServicePanel", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第六处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Group_Del()
{
    if (!base.Power("supplier_servicepanel_list", "客服面板"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("ids");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_ServicePanel_Group.Delete(string.Concat(new object[]
    {
        "Supplier_id = ",
        this.CurrentSupplier.id,
        " and id in (",
        id,//注入产生
        ")"
    }));
    Log.Add("删除客服部门", "ServicePanel_Group", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第七处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Group_Update()
{
    if (!base.Power("supplier_servicepanel_list", "客服面板"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("Uid");
    List<Lebi_ServicePanel_Group> models = B_Lebi_ServicePanel_Group.GetList(string.Concat(new object[]
    {
        "Supplier_id = ",
        this.CurrentSupplier.id,
        " and id in (",
        id,//注入产生
        ")"
    }), "");
    foreach (Lebi_ServicePanel_Group model in models)
    {
        model.Sort = RequestTool.RequestInt("Sort" + model.id, 0);
        model.Name = RequestTool.RequestString("Name" + model.id);
        B_Lebi_ServicePanel_Group.Update(model);
    }
    Log.Add("编辑客服部门", "ServicePanel_Group", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第八处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Update()
{
    if (!base.Power("supplier_servicepanel_list", "客服面板"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("Uid");
    List<Lebi_ServicePanel> models = B_Lebi_ServicePanel.GetList(string.Concat(new object[]
    {
        "Supplier_id = ",
        this.CurrentSupplier.id,
        " and id in (",
        id,//注入产生
        ")"
    }), "");
    foreach (Lebi_ServicePanel model in models)
    {
        model.Sort = RequestTool.RequestInt("Sort" + model.id, 0);
        model.Name = RequestTool.RequestString("Name" + model.id);
        model.Account = RequestTool.RequestString("Account" + model.id);
        B_Lebi_ServicePanel.Update(model);
    }
    Log.Add("编辑客服成员", "ServicePanel", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第九处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void Transport_Price_Del()
{
    if (!base.Power("supplier_transport_list", "配送方式"))
    {
        base.AjaxNoPower();
        return;
    }
    string id = RequestTool.RequestString("Fid");
    if (id == "")
    {
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
        return;
    }
    B_Lebi_Transport_Price.Delete(string.Concat(new object[]
    {
        "id in (",
        id,//注入产生
        ") and Supplier_id = ",
        this.CurrentSupplier.id
    }));
    Log.Add("删除配送区域", "Transport_Price", id.ToString(), this.CurrentSupplier, id.ToString());
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

第十处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void Transport_Price_Edit()
{
    ......
    else
    {
        string aids = RequestTool.RequestString("Area_ids");
        if (aids == "")
        {
            aids = "0";
        }
        List<Lebi_Area> areas = B_Lebi_Area.GetList("id in (" + aids + ")", "");
```

参数aids在GetList方法中的in条件语句中产生注入。

第十一处SQL注入

```csharp
// Shop.Supplier.Ajax.ajax_config
public void Transport_Price_Update()
{
    if (!base.Power("supplier_transport_list", "配送方式"))
    {
        base.AjaxNoPower();
        return;
    }
    int tid = RequestTool.RequestInt("tid", 0);
    string id = RequestTool.RequestString("Uid");
    Lebi_Transport tmodel = B_Lebi_Transport.GetModel(tid);
    List<Lebi_Transport_Price> models = B_Lebi_Transport_Price.GetList(string.Concat(new object[]
    {
        "id in (",
        id,//注入产生
        ") and Transport_id=",
        tid,
        " and Supplier_id = ",
        this.CurrentSupplier.id
    }), "");
    foreach (Lebi_Transport_Price model in models)
    {
        model.Price = RequestTool.GetFormDecimal("Price" + model.id, 0m);
        model.Weight_Start = RequestTool.GetFormDecimal("Weight_Start" + model.id, 0m);
        model.Weight_Step = RequestTool.GetFormDecimal("Weight_Step" + model.id, 0m);
        model.Price_Step = RequestTool.GetFormDecimal("Price_Step" + model.id, 0m);
        B_Lebi_Transport_Price.Update(model);
    }
    Log.Add("编辑配送区域", "Transport_Price", id.ToString(), this.CurrentSupplier, tmodel.Name);
    base.Response.Write("{\"msg\":\"OK\"}");
}
```

上述SQL注入的参数值都是通过RequestTool.RequestString方法获取的，该方法只对单引号进行了转义；随后参数值被直接拼接进数据库执行的in条件SQL语句中。由于in条件中的值没有单引号包裹，单引号转义起不到任何作用，恶意SQL语句得以进入条件语句，最终导致SQL注入产生。根本原因在于这些id列表本应是纯数字，却以字符串形式未经校验地拼入SQL；修复应在拼接前校验每个id为整数（或改用参数化查询），而不是依赖单引号转义。

### 漏洞证明:

以第一处sql注入为例，官方demo演示，报出当前数据库信息：

```
http://plus.demo.lebi.cn/supplier/ajax/ajax_config.aspx?__Action=Bank_Del&url=/
Fid=db_name()
```

[<img src="https://images.seebug.org/upload/201501/20172557b117b19d91e429abcaac2a5e47536666.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/20172557b117b19d91e429abcaac2a5e47536666.png)

使用SQLmap即可跑出数据