

siteserver latest version 3.6.4 SQL injection (sixth and seventh instances) - 网站安

The sixth injection is in /siteserver/userRole/background_user.aspx

Decompile UserCenter.Pages.dll with .NET Reflector.

The relevant code reads:

    this.spContents.SelectCommand = UserDataProvider.UserDAO.GetSelectCommand(
        base.Request.QueryString["Keyword"],                                // raw string, no conversion
        TranslateUtils.ToInt(base.Request.QueryString["CreateDate"]),
        TranslateUtils.ToInt(base.Request.QueryString["LastActivityDate"]),
        true,
        TranslateUtils.ToInt(base.Request.QueryString["TypeID"]),
        TranslateUtils.ToInt(base.Request.QueryString["DepartmentID"]),
        TranslateUtils.ToInt(base.Request.QueryString["AreaID"]));

The exploitable point is clearly Keyword: every other query-string value goes through TranslateUtils.ToInt before reaching GetSelectCommand, while Keyword is passed as the raw request string. Fix: filter Keyword before it reaches the query (or bind it as a SQL parameter instead of formatting it into the command text).

The seventh injection is in /UserCenter/cms/contents.aspx

Decompile UserCenter.Pages.dll with .NET Reflector.

The relevant code reads:

    int totalCount;
    bool flag;
    string keyword = this.Keyword.Text.Trim();
    if ((((uint) totalCount) - ((uint) flag)) <= uint.MaxValue)   // obfuscator artifact: always true
    {
        string start = this.start.Value;
        if (0 != 0) { return; }                                    // obfuscator artifact: dead branch
        string end = this.end.Value;
        if ((((uint) flag) - ((uint) flag)) <= uint.MaxValue)      // obfuscator artifact: always true
        {
            base.SetPublishmentSystemID(TranslateUtils.ToInt(this.ddlPublishmentSystemID.SelectedValue));
            this.spContents.ControlToPaginate = this.dlContents;
            this.dlContents.ItemDataBound += new RepeaterItemEventHandler(this.x140df91522580d1f);
            this.spContents.ItemsPerPage = 30;
            this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
            // keyword goes in as a raw string, straight from the form field
            this.spContents.SelectCommand = DataProvider.ContentDAO.GetSelectCommendOfTouGao(
                base.PublishmentSystemInfo.AuxiliaryTableForContent, base.PublishmentSystemID,
                start, end, keyword, base.UserName, this.touGaoType);
        }
        this.spContents.SortField = "ID";
    }

Follow keyword into GetSelectCommendOfTouGao:

    public string GetSelectCommendOfTouGao(string tableName, int publishmentSystemID, string start, string end, string keyword, string userName, ETouGaoType touGaoType)
    {
        ....
        // keyword is formatted directly into the SQL text, inside the LIKE literals
        builder.AppendFormat("AND (Title LIKE '%{0}%' OR Content LIKE '%{0}%')", keyword);

An obvious injection: keyword is spliced into the LIKE predicate with AppendFormat, so a single quote in the input closes the string literal and everything after it is parsed as SQL.

Fix: filter keyword before it reaches the query (or bind it as a SQL parameter instead of formatting it into the command text).
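The following is an added example, not code from the page or from SiteServer, covering both injection points above (the sixth and seventh both pass a raw keyword into a LIKE clause built by string formatting). It rebuilds the `AND (Title LIKE '%{0}%' OR Content LIKE '%{0}%')` construction in Python against a constructed in-memory SQLite table and runs the same payload through three variants: the vulnerable formatted query, the page's suggested "filter keyword" fix (read here as doubling single quotes), and a parameterized query with LIKE wildcards escaped. The owner restriction (`AddUserName = ...`) that precedes the LIKE clause is an assumption standing in for the elided part of the real query; the table, rows and payload are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the content table the page's query reads.
# Assumption: only the columns the quoted SQL touches (Title, Content) plus an
# owner column are modelled; the real SiteServer schema is not reproduced.
SAMPLE_ROWS = [
    (1, "Public post",    "hello world",  "alice"),
    (2, "Draft for bob",  "secret draft", "bob"),
    (3, "Another public", "nothing here", "alice"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Content (ID INTEGER, Title TEXT, Content TEXT, AddUserName TEXT)")
    con.executemany("INSERT INTO Content VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_query(keyword, user_name):
    # Same construction as the decompiled GetSelectCommendOfTouGao: the keyword is
    # formatted straight into the SQL text inside the LIKE literals. The owner
    # restriction is an assumption; it shows what the breakout lets an attacker skip.
    sql = "SELECT ID FROM Content WHERE AddUserName = '{0}' ".format(user_name)
    sql += "AND (Title LIKE '%{0}%' OR Content LIKE '%{0}%')".format(keyword)
    return sql


def run(con, sql, params=()):
    return sorted(row[0] for row in con.execute(sql, params))


def vulnerable_search(con, keyword, user_name):
    return run(con, vulnerable_query(keyword, user_name))


def filtered_search(con, keyword, user_name):
    # The page's fix, read as "filter keyword": doubling the single quote keeps
    # the whole value inside the string literal, so the quote breakout fails.
    # It only covers this string context; it does nothing for numeric contexts.
    return run(con, vulnerable_query(keyword.replace("'", "''"), user_name))


def escape_like(keyword):
    # Escape LIKE metacharacters so '%' and '_' in user input match literally.
    return keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def parameterized_search(con, keyword, user_name):
    # Preferred fix: the keyword travels as a bound parameter and never becomes
    # part of the SQL text; the '%...%' pattern is built in code, not in the query.
    pattern = "%" + escape_like(keyword) + "%"
    sql = ("SELECT ID FROM Content WHERE AddUserName = ? "
           "AND (Title LIKE ? ESCAPE '\\' OR Content LIKE ? ESCAPE '\\')")
    return run(con, sql, (user_name, pattern, pattern))


# Constructed payload: closes the LIKE literal and the parenthesis, ORs in an
# always-true condition, then comments out the remainder of the generated SQL.
PAYLOAD = "x%') OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print(vulnerable_query(PAYLOAD, "alice"))
    print("vulnerable:   ", vulnerable_search(con, PAYLOAD, "alice"))      # every row, bob's included
    print("filtered:     ", filtered_search(con, PAYLOAD, "alice"))        # nothing matches
    print("parameterized:", parameterized_search(con, PAYLOAD, "alice"))   # nothing matches
    print("legit search: ", parameterized_search(con, "public", "alice"))  # alice's matching rows only
```

With the payload, the vulnerable variant's WHERE clause collapses to `AddUserName = 'alice' AND (Title LIKE '%x%') OR 1=1`, which returns every row regardless of owner; the two fixed variants treat the payload as an ordinary search string and return nothing, while a legitimate keyword still works through the parameterized path.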

