Outfront Spooky Login SQL Access Validation Vulnerability


Vulnerability ID: 1106712
Vulnerability type: Input validation
Published: 2002-05-02
Updated: 2005-10-20
CVE ID: CVE-2002-1720
CNNVD-ID: CNNVD-200212-488
Platform: ASP
CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21434
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-488
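|Vulnerability details
SpookyLogin is a commercial web access control and account management software package, distributed and maintained by Outfront and designed for Microsoft IIS web servers. SpookyLogin does not properly and sufficiently check the data submitted in the password field, which allows a remote attacker to manipulate the SQL query and bypass authentication to access the system. Because the SQL query logic that SpookyLogin uses to check the password field is incorrect, an attacker can craft special data and submit it in the password field of the SpookyLogin login page, bypassing the authentication mechanism without knowing the password. The attacker may be able to access the system with administrator privileges.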
|Vulnerability EXP
source: http://www.securityfocus.com/bid/4661/info

Spooky Login is a commercial web access control and account management software package. It is distributed and maintained by Outfront, and is designed for Microsoft IIS Webservers.

Under some circumstances, it may be possible for a remote user to gain unauthorized access to pages protected by Spooky Login. The problem is a SQL query manipulation vulnerability in the authentication component.

It is possible for remote attackers to corrupt the logic of queries such that a successful login will occur regardless of the supplied password. 

User: admin (this selects the first index from the table)
Password: ' OR ''='
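
Why the quoted password value passes the check, and what fixes it, shown as an added example that is not part of the original advisory and is not Spooky Login's code. The `users` table, the query shape and the sample credentials are assumptions constructed for illustration, run against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data. The table layout and query shape are assumptions,
# not Spooky Login's real schema or code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    db.execute("INSERT INTO users VALUES ('alice', 'another-constructed')")
    return db

def login_concatenated(db, user, password):
    """Flawed pattern: form input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return sql, db.execute(sql).fetchone()

def login_parameterized(db, user, password):
    """Fix: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"  # password value quoted in the advisory
    sql, row = login_concatenated(db, "admin", payload)
    # AND binds tighter than OR, so the WHERE clause reads
    # (username = 'admin' AND password = '') OR ('' = ''), true for every row.
    print("query text        :", sql)
    print("concatenated login:", row)
    print("parameterized     :", login_parameterized(db, "admin", payload))
    print("correct password  :",
          login_parameterized(db, "admin", "S3cret-constructed"))
```

With the parameterized form, the same input is compared as a literal string and the login is refused, while the correct password still succeeds.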
|References

Source: XF
Name: spooky-login-sql-injection(8991)
Link: http://xforce.iss.net/xforce/xfdb/8991
Source: BID
Name: 4661
Link: http://www.securityfocus.com/bid/4661
Source: www.securiteam.com
Link: http://www.securiteam.com/windowsntfocus/5VP030K75G.html
Source: NSFOCUS
Name: 2723
Link: http://www.nsfocus.net/vulndb/2723
