LebiShop商城系统最新版六处SQL注入三

### 简要描述： LebiShop商城系统官方下载最新版六处SQL注入，demo演示 ### 详细说明： LebiShop商城系统官方下载最新版六处SQL注入，demo演示 第一处SQL注入 ``` // Shop.Ajax.Ajax_userin public void Comment_Del() { if (this.CurrentUser.id > 0) { string id = RequestTool.RequestString("ids"); if (id == "") { base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}"); return; } B_Lebi_Comment.Delete(string.Concat(new object[] { "TableName = 'Product' and User_id=", this.CurrentUser.id, " and Parentid in (", id, ")" })); B_Lebi_Comment.Delete(string.Concat(new object[] { "Parentid = 0 and TableName = 'Product' and User_id=", this.CurrentUser.id, " and id in (", id, ")" })); base.Response.Write("{\"msg\":\"OK\"}"); } } ``` 参数id通过RequestTool.RequestString("ids")获取，这里的RequestString只是过滤了单引号 但是在进入in条件后，并没有单引号保护，导致sql注入 下面的sql注入原理同理，都是通过RequestString获取参数，但是在进入sql语句时并没有单引号保护，所以无需截断单引号，导致注入漏洞 第二处SQL注入 ``` // Shop.Ajax.Ajax_userin public void LikeToBasket() { string ids = RequestTool.RequestString("id"); string mes = ""; if (ids != "") { List<Lebi_User_Product> models = B_Lebi_User_Product.GetList(string.Concat(new object[] { "(Type_id_UserProductType=141 or Type_id_UserProductType=144) and User_id=", this.CurrentUser.id, " and id in (", ids, ")" }), ""); ``` 第三处SQL注入 ``` // Shop.Ajax.Ajax_userin public void Message_Delete() { if (this.CurrentUser.id > 0) { string id = RequestTool.RequestString("ids"); if (id == "") { base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}"); return; } B_Lebi_Message.Delete(string.Concat(new object[] { "(User_id_To=", this.CurrentUser.id, " or User_id_From=", this.CurrentUser.id, ") and id in (", id, ")" })); base.Response.Write("{\"msg\":\"OK\"}"); } } ``` 第四处SQL注入 ``` // Shop.Ajax.Ajax_userin public void UserLike_Del() { string ids = RequestTool.RequestString("id"); if (ids == "") { base.Response.Write("{\"msg\":\"OK\"}"); return; } List<Lebi_User_Product> models = B_Lebi_User_Product.GetList(string.Concat(new object[] { "User_id=", this.CurrentUser.id, " and id in (", ids, ")" }), ""); foreach (Lebi_User_Product model in models) { B_Lebi_User_Product.Delete(model.id); } base.Response.Write("{\"msg\":\"OK\"}"); } ``` 第五处SQL注入 ``` // Shop.Ajax.Ajax_userin public void UserOftenBuy_Del() { string ids = RequestTool.RequestString("id"); if (ids == "") { base.Response.Write("{\"msg\":\"OK\"}"); return; } List<Lebi_User_Product> models = B_Lebi_User_Product.GetList(string.Concat(new object[] { "User_id=", this.CurrentUser.id, " and id in (", ids, ")" }), ""); foreach (Lebi_User_Product model in models) { B_Lebi_User_Product.Delete(model.id); } base.Response.Write("{\"msg\":\"OK\"}"); } ``` 第六处SQL注入 ``` // Shop.Ajax.Ajax_userin public void UserOftenBuy_Update() { string id = RequestTool.RequestString("Uid"); List<Lebi_User_Product> models = B_Lebi_User_Product.GetList(string.Concat(new object[] { "User_id=", this.CurrentUser.id, " and id in (", id, ")" }), ""); foreach (Lebi_User_Product model in models) { model.count = RequestTool.RequestInt("Count" + model.id, 0); model.WarnDays = RequestTool.RequestInt("WarnDays" + model.id, 0); model.Time_addemail = DateTime.Now.Date.AddDays((double)model.WarnDays); B_Lebi_User_Product.Update(model); } base.Response.Write("{\"msg\":\"OK\"}"); } ``` ### 漏洞证明： 以第六处SQL注入为例 官方demo演示： [<img src="https://images.seebug.org/upload/201501/2011463299ffd117fab57928b73b17cae1d9f93b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/2011463299ffd117fab57928b73b17cae1d9f93b.png) 在线案例演示： [<img src="https://images.seebug.org/upload/201501/201146489868761f7d6ae4eee01f9eb4471f71b9.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/201146489868761f7d6ae4eee01f9eb4471f71b9.png) 使用SQLmap可直接跑出全部数据