
siteserver / cms


Specifying the content table carries an SQL injection risk

Backlog
Opened this issue  
2021-11-09 17:15

https://github.com/siteserver/cms/blob/master/src/SSCMS.Web/Controllers/Admin/Settings/Sites/SitesAddController.Submit.cs

https://github.com/siteserver/cms/blob/master/src/SSCMS.Web/Controllers/Admin/Settings/Sites/SitesController.Update.cs

The above do no filtering at all.

https://github.com/siteserver/cms/blob/master/src/Datory/Database.cs

public async Task<bool> IsTableExistsAsync(string tableName)
{
    bool exists;
    var databaseName = DatabaseName;

    try
    {
        if (DatabaseType == DatabaseType.SQLite)
        {
            var sql = $"SELECT count(*) FROM sqlite_master WHERE type='table' AND name='{tableName}'";

            using var connection = GetConnection();
            exists = await connection.ExecuteScalarAsync<int>(sql) == 1;
        }
        else if (DatabaseType == DatabaseType.PostgreSql || DatabaseType == DatabaseType.SqlServer)
        {
            var sql = $"SELECT COUNT(*) FROM information_schema.tables WHERE table_catalog = '{databaseName}' AND table_name = '{tableName}'";

            using var connection = GetConnection();
            exists = await connection.ExecuteScalarAsync<int>(sql) == 1;
        }
        else
        {
            var sql = $"SELECT COUNT(*) FROM information_schema.tables WHERE (table_schema = '{databaseName}') AND table_name  = '{tableName}'";

            using var connection = GetConnection();
            exists = await connection.ExecuteScalarAsync<int>(sql) == 1;
        }
    }
    catch
    {
        try
        {
            var sql = $"select 1 from {tableName} where 1 = 0";

            using var connection = GetConnection();
            exists = await connection.ExecuteScalarAsync<int>(sql) == 1;
        }
        catch
        {
            exists = false;
        }
    }

    return exists;
}
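
An added example, not code from the SSCMS project or from the issue author: one way to remove the string interpolation in the SQLite branch above is to bind the table name as a Dapper parameter and to check it against an identifier allow-list first, which also covers queries that must place the name directly in SQL text. It assumes the Dapper and Microsoft.Data.Sqlite packages; `SafeTableCheck`, `IsValidTableName`, the allow-list pattern and the `demo_content` table are hypothetical.

```csharp
// Added example, not SSCMS/Datory code. Assumes the Dapper and
// Microsoft.Data.Sqlite NuGet packages; all names below are hypothetical.
using System;
using System.Data;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Dapper;
using Microsoft.Data.Sqlite;

public static class SafeTableCheck
{
    // Assumed allow-list: a letter or underscore, then letters, digits or
    // underscores, 64 characters at most. Quotes, spaces and punctuation fail.
    private static readonly Regex ValidName =
        new Regex(@"\A[A-Za-z_][A-Za-z0-9_]{0,63}\z", RegexOptions.CultureInvariant);

    public static bool IsValidTableName(string tableName) =>
        tableName != null && ValidName.IsMatch(tableName);

    // SQLite branch of the existence check with the name bound as a parameter
    // instead of being interpolated into the SQL string.
    public static async Task<bool> IsTableExistsAsync(IDbConnection connection, string tableName)
    {
        // Reject anything that is not a plain identifier before it reaches SQL.
        if (!IsValidTableName(tableName)) return false;

        const string sql =
            "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = @tableName";
        return await connection.ExecuteScalarAsync<int>(sql, new { tableName }) == 1;
    }

    public static async Task Main()
    {
        // Constructed sample data: an in-memory database with one table.
        using var connection = new SqliteConnection("Data Source=:memory:");
        await connection.OpenAsync();
        await connection.ExecuteAsync("CREATE TABLE demo_content (Id INTEGER PRIMARY KEY)");

        foreach (var name in new[] { "demo_content", "no_such_table", "bad'name", "a b" })
        {
            var exists = await IsTableExistsAsync(connection, name);
            Console.WriteLine($"{name}: valid={IsValidTableName(name)} exists={exists}");
        }
    }
}
```

The same parameter binding applies to the `information_schema.tables` branches; the allow-list is what protects a statement such as the `select 1 from {tableName}` fallback, where an identifier cannot be bound as a parameter.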

Comments (1)

codepassport created the task

Fixed; just update to the next version.
