ASP.NET代码审计 SQL注入篇(简单记录)

sql注入，全局搜索

Request

QueryString

ToString()

select

select *

 aspx是设计页面，而aspx.cs是类页面，也就是说设计页面用到的类信息在这个页面里面，其实就是把设计和实现分离开来。

源码

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using ZKSoftLib;
using ZKHotel.Class;namespace ZKHotel.Teacher.Case
{/// <summary>/// CaseList 的摘要说明。/// </summary>public partial class CaseList : System.Web.UI.Page{clsSql cls = new clsSql();string strid;protected void Page_Load(object sender, System.EventArgs e){// 在此处放置用户代码以初始化页面strid = Request.QueryString["strid"].ToString();if(!IsPostBack){this.SetDGBind();}}#region Web 窗体设计器生成的代码override protected void OnInit(EventArgs e){//// CODEGEN: 该调用是 ASP.NET Web 窗体设计器所必需的。//InitializeComponent();base.OnInit(e);}/// <summary>/// 设计器支持所需的方法 - 不要使用代码编辑器修改/// 此方法的内容。/// </summary>private void InitializeComponent(){    this.DataGrid1.ItemCommand += new System.Web.UI.WebControls.DataGridCommandEventHandler(this.DataGrid1_ItemCommand);this.DataGrid1.ItemDataBound += new System.Web.UI.WebControls.DataGridItemEventHandler(this.DataGrid1_ItemDataBound);this.ZKPager1.PageChanged += new ZheKe.ToolSuit.PageChangedEventHandler(this.ZKPager1_PageChanged);}#endregionpublic void SetDGBind(){string strSql = @"select * from HT_CASE_LIST a left join HT_CASE_CATALOG b on a.CL_CC_ID= b.CC_ID";if(strid!="0"){strSql = @"select * from HT_CASE_LIST a left join HT_CASE_CATALOG b on a.CL_CC_ID= b.CC_ID where a.CL_CC_ID="+strid;}this.ZKPager1.DataSource = this.cls.GetDataSet(strSql).Tables[0].DefaultView;this.DataGrid1.DataSource = this.ZKPager1.GetDataView();this.DataGrid1.DataBind();this.DataGrid1.DataKeyField = "CL_ID";}private void ZKPager1_PageChanged(object source, ZheKe.ToolSuit.PageChangedEventArgs e){this.ZKPager1.CurrentPageIndex = e.NewPageIndex;this.SetDGBind();}private void DataGrid1_ItemCommand(object source, System.Web.UI.WebControls.DataGridCommandEventArgs e){string CmdName = e.CommandName;string strIDD = e.Item.Cells[0].Text;if(CmdName == "Edit"){string url = "ShowCase.aspx?fid="+strid+"&strID="+ strIDD;Response.Write("<script language='javascript' defer>window.location.href='" + url + "'</script>");}}private void DataGrid1_ItemDataBound(object sender, System.Web.UI.WebControls.DataGridItemEventArgs e){if(e.Item.ItemType == ListItemType.Item && e.Item.ItemType == ListItemType.AlternatingItem){LinkButton LButton = e.Item.Cells[3].FindControl("lbtn_show") as LinkButton;LButton.Attributes.Add("onclick","");}}}
}

代码分析

这里传入参数strid

 这里把传入的strid直接拼接到sql语句中去执行导致sql注入

访问复现

单引号报错 

sqlmap验证