麻蛋突然找不到源码的dll文件了!
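/// <summary>
/// Scans a set of request parameter values for a fixed list of SQL / script keywords
/// and reports a hit according to <paramref name="pSwitch"/>.
/// </summary>
/// <param name="aryQry">Values to inspect (query-string or form values). Null is treated as empty.</param>
/// <param name="pIP">Client address; used only in the report and log text.</param>
/// <param name="pURL">Request URL; used only in the report and log text. Null is treated as "".</param>
/// <param name="pUserID">User id for the report and log text; null is treated as "".</param>
/// <param name="pSwitch">
/// Reporting mode: "1" returns an alert naming the keyword; "2" returns a generic alert,
/// sends a report with <c>Safe.PushData</c> and writes a log line; "9" only writes the
/// log line; any other value returns "log".
/// </param>
/// <returns>
/// "" when no value matched; otherwise "log" or a script snippet the caller writes to the response.
/// </returns>
public static string FindSQLCmd(string[] aryQry, string pIP, string pURL, string pUserID, string pSwitch)
{
    if (aryQry is null)
    {
        return "";
    }
    if (pUserID is null)
    {
        pUserID = "";
    }
    if (pURL is null)
    {
        pURL = "";
    }
    const string version = "1.05";

    string matchedValue = "";
    string matchedKeyword = "";
    foreach (string raw in aryQry)
    {
        if (raw is null)
        {
            continue;
        }
        // Invariant lower-casing plus ordinal search: the original culture-sensitive
        // ToLower()/IndexOf can miss a keyword under some server cultures (e.g. tr-TR and "I").
        string value = raw.ToLowerInvariant();
        // NOTE(review): values of 11 characters or fewer are never examined. The threshold
        // is kept from the original; confirm it is intended, since it is not a property of
        // the keyword list.
        if (value.Length <= 11)
        {
            continue;
        }
        foreach (string keyword in Keywords)
        {
            if (value.IndexOf(keyword, StringComparison.Ordinal) >= 0)
            {
                matchedKeyword = keyword;
                matchedValue = value;
                break;
            }
        }
        if (matchedValue != "")
        {
            break;
        }
    }

    if (matchedValue == "")
    {
        return "";
    }

    string result = "log";
    if (pSwitch == "1")
    {
        result = "<script>alert('系统警告!参数中不能使用敏感字符串(" + matchedKeyword + ")。');</script>";
    }
    else if (pSwitch == "2")
    {
        result = "<script>alert('系统警告!参数中不能使用敏感字符。');</script>";
        // The report goes over plain HTTP to a vendor host and carries the user id, the
        // keyword and (for URLs without a query string) the lower-cased matched value.
        string report = "http://i.kingosoft.net/s10/?v=" + version
            + "&ip=" + pIP
            + "&uid=" + pUserID
            + "&kwd=" + matchedKeyword
            + "&url=" + pURL.Replace("http:/", "/");
        if (pURL.IndexOf("?", StringComparison.Ordinal) == -1)
        {
            report = report + "&post=" + matchedValue;
        }
        Safe.PushData(report);
        Log.WriteFile(BuildLogLine(version, pIP, matchedValue, pUserID, pURL));
    }
    else if (pSwitch == "9")
    {
        Log.WriteFile(BuildLogLine(version, pIP, matchedValue, pUserID, pURL));
    }
    return result;
}

/// <summary>
/// Keyword blacklist, matched as lower-case substrings. Entries are kept exactly as in the
/// original list; none contains whitespace, so the original per-iteration Trim() was a no-op.
/// "creat" is presumably a truncated "create" (it still matches "create" as a prefix).
/// </summary>
private static readonly string[] Keywords =
{
    "select",
    "sysobjects",
    "exec",
    "creat",
    "drop",
    "insert",
    "update",
    "delete",
    "truncate",
    "xp_cmdshell",
    "declare",
    "char(",
    "/**/",
    "<script",
    "<iframe",
    "user",
    "host_name",
    "system_user",
    "@@version",
    "quotename",
    "db_name"
};

/// <summary>Builds the log entry written for a hit; identical text for modes "2" and "9".</summary>
private static string BuildLogLine(string version, string ip, string matchedValue, string userId, string url)
{
    return "【SQL注入警告V" + version + "】来自IP" + ip + " 参数" + matchedValue + " " + userId + " " + PathPart(url);
}

/// <summary>
/// Returns the part of <paramref name="url"/> from the first "/" at or after index 10
/// (presumably meant to skip the scheme and host of an absolute URL), or the whole string
/// when there is none. The original <c>url.Substring(url.IndexOf("/", 10))</c> threw for
/// URLs shorter than 10 characters or with no "/" from position 10 on, turning a logged
/// hit into an unhandled exception.
/// </summary>
private static string PathPart(string url)
{
    int slash = url.Length >= 10 ? url.IndexOf('/', 10) : -1;
    return slash >= 0 ? url.Substring(slash) : url;
}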
以上为 SQL 防注入代码，看着确实无懈可击，但我们看看调用点。
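/// <summary>
/// Runs the keyword filter over the request's query-string and form values and ends the
/// response when a hit is reported. Only those two collections are inspected here; cookie,
/// header and server-variable values reach the page unchecked, so this filter is not a
/// substitute for parameterized queries in the pages' data access.
/// </summary>
/// <param name="kg">Reporting mode, handed to <c>Outer.FindSQLCmd</c> as pSwitch.</param>
private void StartProcessRequest(string kg)
{
    string url = base.Request.Url.ToString();
    if (Global.IsExcept(url))
    {
        return;
    }
    string userZH = new FilesAccessControl().getUserZH();
    // As in the original, a query-string hit ends the response before the form is looked at.
    InspectValues(base.Request.QueryString, url, userZH, kg);
    InspectValues(base.Request.Form, url, userZH, kg);
}

/// <summary>
/// Copies the collection's values, passes them to the filter and writes / ends the
/// response on a hit. Shared by the query-string and form checks.
/// </summary>
/// <param name="values">Request collection to inspect.</param>
/// <param name="url">Request URL, forwarded for the filter's report text.</param>
/// <param name="userZH">User id, forwarded for the filter's report text.</param>
/// <param name="kg">Reporting mode, forwarded as pSwitch.</param>
private void InspectValues(System.Collections.Specialized.NameValueCollection values, string url, string userZH, string kg)
{
    if (values.ToString() == string.Empty)
    {
        return;
    }
    string[] array = new string[values.Count];
    values.CopyTo(array, 0);
    string verdict = Outer.FindSQLCmd(array, base.Request.ServerVariables["REMOTE_HOST"], url, userZH, kg);
    if (verdict == "")
    {
        return;
    }
    if (verdict != "log")
    {
        base.Response.Write(verdict);
    }
    // In classic ASP.NET Response.End() aborts the request; nothing after it runs.
    base.Response.End();
}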
当请求为 GET 以及 POST 时会调用这处 SQL 注入拦截，但 Cookie 不受影响，所以我们需要找通过 Request 获取、Cookie 获取或 Server 变量获取而导致的注入；当然大佬能绕过拦截也行。
/KSSW/tea_ksap_jkap_xsinfo.aspx
cookie xn参数注入