用.NET Reflector 反编译SiteServer.CMS.dll这个文件
查看代码如下:
public void Page_Load(object sender, EventArgs E)
{
int num;
Exception exception;
bool isPostBack;
int publishmentSystemID;
this.spContents.ControlToPaginate = this.rptContents;
if ((((uint) num) + ((uint) num)) >= 0)
{
this.spContents.ItemsPerPage = 0x19;
this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
isPostBack = base.Request.QueryString["UserName"] != null;
if (!isPostBack)
{
this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend();
}
else
{
this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend(base.PublishmentSystemID, base.Request.QueryString["LogType"], base.Request.QueryString["UserName"], base.Request.QueryString["Keyword"], base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]);
}
this.spContents.SortField = "ID";
this.spContents.SortMode = SortMode.DESC;
goto Label_068A;
}
上面几个参数进入下面
public string GetSelectCommend(int publishmentSystemID, string logType, string userName, string keyword, string dateFrom, string dateTo)
{
// This item is obfuscated and can not be translated.
StringBuilder builder;
bool flag;
bool flag2;
if (publishmentSystemID != 0)
{
goto Label_0475;
}
while (!string.IsNullOrEmpty(logType))
{
if (!StringUtils.EqualsIgnoreCase(logType, "All"))
{
goto Label_0475;
}
if (3 == 0)
{
goto Label_0016;
}
if (((uint) publishmentSystemID) >= 0)
{
break;
}
}
if (!string.IsNullOrEmpty(userName) || !string.IsNullOrEmpty(keyword))
{
goto Label_0475;
}
goto Label_046C;
Label_0010:
if (!flag2)
{
goto Label_013D;
}
Label_0016:
return ("SELECT ID, PublishmentSystemID, ChannelID, ContentID, UserName, IPAddress, AddDate, Action, Summary FROM siteserver_Log " + builder.ToString());
......
Label_02C8:
flag = true;
builder.AppendFormat("(UserName = '{0}')", userName);
Label_02DD:
flag2 = string.IsNullOrEmpty(keyword);
goto Label_029C;
}
几个Request.QueryString['xxx']都是可注入点