记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

siteserver最新版3.6.4 sql inject 第十蛋

2014-02-25 18:20
第11个注入存在/siteserver/cms/console_logSite.aspx
 
用.NET Reflector 反编译SiteServer.CMS.dll这个文件
 
查看代码如下:
 

public void Page_Load(object sender, EventArgs E)

{

int num;

Exception exception;

bool isPostBack;

int publishmentSystemID;

this.spContents.ControlToPaginate = this.rptContents;

if ((((uint) num) + ((uint) num)) >= 0)

{

this.spContents.ItemsPerPage = 0x19;

this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;

isPostBack = base.Request.QueryString["UserName"] != null;

if (!isPostBack)

{

this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend();

}

else

{

this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend(base.PublishmentSystemID, base.Request.QueryString["LogType"], base.Request.QueryString["UserName"], base.Request.QueryString["Keyword"], base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]);

}

this.spContents.SortField = "ID";

this.spContents.SortMode = SortMode.DESC;

goto Label_068A;

}

 

 
 
 
 
上面几个参数进入下面
 
 
 

public string GetSelectCommend(int publishmentSystemID, string logType, string userName, string keyword, string dateFrom, string dateTo)

{

// This item is obfuscated and can not be translated.

StringBuilder builder;

bool flag;

bool flag2;

if (publishmentSystemID != 0)

{

goto Label_0475;

}

while (!string.IsNullOrEmpty(logType))

{

if (!StringUtils.EqualsIgnoreCase(logType, "All"))

{

goto Label_0475;

}

if (3 == 0)

{

goto Label_0016;

}

if (((uint) publishmentSystemID) >= 0)

{

break;

}

}

if (!string.IsNullOrEmpty(userName) || !string.IsNullOrEmpty(keyword))

{

goto Label_0475;

}

goto Label_046C;

Label_0010:

if (!flag2)

{

goto Label_013D;

}

Label_0016:

return ("SELECT ID, PublishmentSystemID, ChannelID, ContentID, UserName, IPAddress, AddDate, Action, Summary FROM siteserver_Log " + builder.ToString());



......

Label_02C8:

flag = true;

builder.AppendFormat("(UserName = '{0}')", userName);

Label_02DD:

flag2 = string.IsNullOrEmpty(keyword);

goto Label_029C;





}

 

 
 
 
 
几个Request.QueryString['xxx']都是可注入点

知识来源: www.2cto.com/Article/201402/281275.html

阅读:165941 | 评论:0 | 标签:无

想收藏或者和大家分享这篇好文章→复制链接地址

“siteserver最新版3.6.4 sql inject 第十蛋”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

黑帝公告 📢

永久免费持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

↓赞助商 🙇🧎

标签云 ☁