1.漏洞代码。
在 Bin\UserCenter.Pages.dll 文件中，反编译 UserCenter.BackgroundPages.Modal.UserView 类的 Page_Load 方法，可以看到如下代码：
```
public void Page_Load(object sender, EventArgs e)
		{
			string text = base.Request.QueryString["UserName"]; //获取UserName
			bool flag2;
			bool flag = (flag2 ? 1u : 0u) > 4294967295u;
			ArrayList arrayList;
			if (!flag)
			{
				if (3 != 0)
				{
					this.xb9335f5bbebb5da2 = UserDataProvider.get_UserDAO().GetUserInfo(text); //传入GetUserInfo函数   
					if (2 != 0)
					{
					}
					ArrayList relatedIdentities = UserManager.GetRelatedIdentities(this.xb9335f5bbebb5da2.get_TypeID());
					ArrayList tableStyleInfoArrayList = TableStyleManager.GetTableStyleInfoArrayList(11, 
............................................................................................
		}
```
接着看 UserCenter.Provider.dll\UserCenter.Provider.Data.SqlServer/UserDAO.cs 中的 GetUserInfo 函数：
```
public UserInfo GetUserInfo(string userName)
{
	UserInfo userInfo = null;
		UserInfo result;
		if (15 != 0)
		{
			while (!string.IsNullOrEmpty(userName))
			{
				string text = string.Format("WHERE UserName = '{0}'", userName); //直接拼接sql语句,没有任何过滤
				if (4 != 0)
				{
					string selectSqlString = BaiRongDataProvider.get_TableStructureDAO().GetSelectSqlString("bairong_Users", "*", text);
					IDataReader dataReader = base.ExecuteReader(selectSqlString);
					bool flag;
					try
					{
						flag = !dataReader.Read();
						if (flag)
						{
							goto IL_C4;
						}
.......................................................................................
```
2.漏洞构造
GetUserInfo 将 userName 直接用 string.Format 拼接进 WHERE 子句而没有使用参数化查询，Page_Load 也没有对 QueryString 中的 UserName 做任何校验，导致了 SQL 注入；构造“siteserver/userRole/modal_UserView.aspx?UserName=a' or[areaid]>db_name()--”即可测试是否存在注入。修复时应将拼接改为带 SqlParameter 的参数化查询，而不是依赖对输入做黑名单过滤。