ajaxtopicinfo.ascx poster SQL Injection Vulnerability
Combined with the arbitrary user control calling vulnerability in ajax.aspx
In the admin/UserControls/ajaxtopicinfo.ascx file
Go to the GetCondition function (WebsiteManage.cs), line 62:

    if (posterlist != "")
    {
        string[] poster = posterlist.Split(',');
        condition += " AND [poster] in (";
        string tempposerlist = "";
        foreach (string p in poster)
        {
            // Each name is wrapped in quotes and concatenated as-is (no filtering)
            tempposerlist += "'" + p + "',";
        }
        if (tempposerlist != "")
            tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1); // drop trailing comma
        condition += tempposerlist + ")";
    }
The posterlist variable is not filtered and is concatenated directly into the SQL statement, resulting in SQL injection.
Test method:
http://localhost:25594/admin/ajax.aspx?AjaxTemplate=ajaxtopicinfo.ascx&poster=1')
The error reports that the quotation mark after the string ') AND [tid] >= 1 AND [tid] <= 1 is not closed.
The error message is hidden, but the SQL statement is executed.
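A parameterized form of the poster filter, shown here as an added example that is not the project's own code: each name becomes a SqlParameter, so a value such as the one in the test request above is compared as data and never parsed as SQL. The names PosterFilter, BuildPosterCondition and the @posterN placeholders are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class PosterFilter
{
    // Hypothetical replacement for the poster branch of GetCondition.
    // Returns the SQL fragment and appends one SqlParameter per poster name.
    public static string BuildPosterCondition(string posterlist, List<SqlParameter> parameters)
    {
        if (string.IsNullOrEmpty(posterlist))
            return "";

        List<string> placeholders = new List<string>();
        foreach (string p in posterlist.Split(','))
        {
            string name = p.Trim();
            if (name.Length == 0)
                continue; // skip empty entries such as "a,,b"

            // Only the generated placeholder name reaches the SQL text.
            string placeholder = "@poster" + placeholders.Count;
            placeholders.Add(placeholder);

            SqlParameter param = new SqlParameter(placeholder, SqlDbType.NVarChar);
            param.Value = name; // user input travels as a typed value
            parameters.Add(param);
        }

        if (placeholders.Count == 0)
            return "";
        return " AND [poster] IN (" + string.Join(", ", placeholders.ToArray()) + ")";
    }

    static void Main()
    {
        // Constructed input: the poster value from the test request above.
        List<SqlParameter> parameters = new List<SqlParameter>();
        string condition = BuildPosterCondition("1')", parameters);

        Console.WriteLine(condition); // AND [poster] IN (@poster0)
        foreach (SqlParameter p in parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
    }
}
```

The caller has to add the collected parameters to the SqlCommand that runs the final query (for example with cmd.Parameters.AddRange(parameters.ToArray())), so any code path that consumes the condition string alone needs the same change.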