第11个注入存在/siteserver/cms/console_logSite. asp x
用.NET Reflector 反编译SiteServer.CMS.dll这个文件
查看代码如下:
public void Page_Load(object sender, EventArgs E) { int num; Exception exception; bool isPostBack; int publishmentSystemID; this.spContents.ControlToPaginate = this.rptContents; if ((((uint) num) + ((uint) num)) >= 0) { this.spContents.ItemsPerPage = 0x19; this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString; isPostBack = base.Request.QueryString["UserName"] != null; if (!isPostBack) { this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend(); } else { this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend(base.PublishmentSystemID, base.Request.QueryString["LogType"], base.Request.QueryString["UserName"], base.Request.QueryString["Keyword"], base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]); } this.spContents.SortField = "ID"; this.spContents.SortMode = SortMode.DESC; goto Label_068A; }
上面几个参数进入下面
public string GetSelectCommend(int publishmentSystemID, string logType, string userName, string keyword, string dateFrom, string dateTo) { // This item is obfuscated and can not be translated. StringBuilder builder; bool flag; bool flag2; if (publishmentSystemID != 0) { goto Label_0475; } while (!string.IsNullOrEmpty(logType)) { if (!StringUtils.EqualsIgnoreCase(logType, "All")) { goto Label_0475; } if (3 == 0) { goto Label_0016; } if (((uint) publishmentSystemID) >= 0) { break; } } if (!string.IsNullOrEmpty(userName) || !string.IsNullOrEmpty(keyword)) { goto Label_0475; } goto Label_046C; Label_0010: if (!flag2) { goto Label_013D; } Label_0016: return ("SELECT ID, PublishmentSystemID, ChannelID, ContentID, UserName, IPAddress, AddDate, Action, Summary FROM siteserver_Log " + builder.ToString()); ...... Label_02C8: flag = true; builder.AppendFormat("(UserName = '{0}')", userName); Label_02DD: flag2 = string.IsNullOrEmpty(keyword); goto Label_029C; }
几个Request.QueryString['xxx']都是可注入点
查看更多关于siteserver最新版3.6.4 sql inject 第十蛋 - 网站安全的详细内容...