sql注入,全局搜索
Request
QueryString
ToString()
select
select *
aspx是设计页面,而aspx.cs是类页面,也就是说设计页面用到的类信息在这个页面里面,其实就是把设计和实现分离开来。
源码
cs
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using ZKSoftLib;
using ZKHotel.Class;
namespace ZKHotel.Teacher.Case
{
/// <summary>
/// CaseList 的摘要说明。
/// </summary>
public partial class CaseList : System.Web.UI.Page
{
clsSql cls = new clsSql();
string strid;
protected void Page_Load(object sender, System.EventArgs e)
{
// 在此处放置用户代码以初始化页面
strid = Request.QueryString["strid"].ToString();
if(!IsPostBack)
{
this.SetDGBind();
}
}
#region Web 窗体设计器生成的代码
override protected void OnInit(EventArgs e)
{
//
// CODEGEN: 该调用是 ASP.NET Web 窗体设计器所必需的。
//
InitializeComponent();
base.OnInit(e);
}
/// <summary>
/// 设计器支持所需的方法 - 不要使用代码编辑器修改
/// 此方法的内容。
/// </summary>
private void InitializeComponent()
{
this.DataGrid1.ItemCommand += new System.Web.UI.WebControls.DataGridCommandEventHandler(this.DataGrid1_ItemCommand);
this.DataGrid1.ItemDataBound += new System.Web.UI.WebControls.DataGridItemEventHandler(this.DataGrid1_ItemDataBound);
this.ZKPager1.PageChanged += new ZheKe.ToolSuit.PageChangedEventHandler(this.ZKPager1_PageChanged);
}
#endregion
public void SetDGBind()
{
string strSql = @"select * from HT_CASE_LIST a left join HT_CASE_CATALOG b on a.CL_CC_ID= b.CC_ID";
if(strid!="0")
{
strSql = @"select * from HT_CASE_LIST a left join HT_CASE_CATALOG b on a.CL_CC_ID= b.CC_ID where a.CL_CC_ID="+strid;
}
this.ZKPager1.DataSource = this.cls.GetDataSet(strSql).Tables[0].DefaultView;
this.DataGrid1.DataSource = this.ZKPager1.GetDataView();
this.DataGrid1.DataBind();
this.DataGrid1.DataKeyField = "CL_ID";
}
private void ZKPager1_PageChanged(object source, ZheKe.ToolSuit.PageChangedEventArgs e)
{
this.ZKPager1.CurrentPageIndex = e.NewPageIndex;
this.SetDGBind();
}
private void DataGrid1_ItemCommand(object source, System.Web.UI.WebControls.DataGridCommandEventArgs e)
{
string CmdName = e.CommandName;
string strIDD = e.Item.Cells[0].Text;
if(CmdName == "Edit")
{
string url = "ShowCase.aspx?fid="+strid+"&strID="+ strIDD;
Response.Write("<script language='javascript' defer>window.location.href='" + url + "'</script>");
}
}
private void DataGrid1_ItemDataBound(object sender, System.Web.UI.WebControls.DataGridItemEventArgs e)
{
if(e.Item.ItemType == ListItemType.Item && e.Item.ItemType == ListItemType.AlternatingItem)
{
LinkButton LButton = e.Item.Cells[3].FindControl("lbtn_show") as LinkButton;
LButton.Attributes.Add("onclick","");
}
}
}
}代码分析
这里传入参数strid
这里把传入的strid直接拼接到sql语句中去执行导致sql注入
访问复现
单引号报错 
sqlmap验证
