A major problem caused by a small XSS

1. The 100e website has a business section: Bai Yi Cheng (100e) is recruiting agents from districts and counties all over the country, and it looks like a fairly large operation: http://100e.com/business/v3/index.html
2. Unfortunately, this page has a stored XSS entry point. I applied to register as an agent and was able to insert XSS code into the [main business], [contact address] and [agent plan] fields, as follows:
3. Submit the agent registration request; the diligent administrator opens it within a few minutes and is hooked:
4. Entering the backend, it turns out to be rather deserted:
5. The backend has SQL injection. Just open a connection and inject:
6. After running sqlmap, there are still many tables in the 100eDB database (the enumerated table list is omitted here):
8. Without authorization, I did not dare to go any further.
Solution:
It is not a big problem, but it is still worth fixing. I hope it gets some attention!
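As an added illustration of the two fixes the report calls for (example code, not 100e.com's own), the snippet below places the vulnerable pattern beside the hardened one for each defect: the admin page must HTML-encode the applicant's fields before displaying them, and the backend query must bind its value instead of splicing it into SQL text. The field names, the `Seller_Apply` schema and the in-memory SQLite database are assumptions constructed for the example.

```python
import html
import sqlite3

# Agent-application fields the report names as injectable (field names assumed).
FIELDS = ("main_business", "contact_address", "agent_plan")


def render_row_vulnerable(app: dict) -> str:
    """The pattern that lets a stored XSS reach the administrator:
    applicant-supplied text concatenated straight into the admin page."""
    return "<tr>" + "".join(f"<td>{app[f]}</td>" for f in FIELDS) + "</tr>"


def render_row(app: dict) -> str:
    """Hardened: HTML-encode every applicant-controlled value at output time,
    so a script tag is shown as text instead of running in the admin's browser."""
    cells = "".join(f"<td>{html.escape(str(app[f]), quote=True)}</td>" for f in FIELDS)
    return "<tr>" + cells + "</tr>"


def find_by_city_vulnerable(conn, city: str) -> list:
    """Query text built by string formatting: the backend injection in the report."""
    sql = f"SELECT id, main_business FROM Seller_Apply WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def find_by_city(conn, city: str) -> list:
    """Hardened: the value is passed as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, main_business FROM Seller_Apply WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the backend table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Seller_Apply (id INTEGER, city TEXT, main_business TEXT)")
    conn.executemany("INSERT INTO Seller_Apply VALUES (?, ?, ?)",
                     [(1, "Beijing", "Tutoring"), (2, "Shanghai", "Courses")])
    return conn


if __name__ == "__main__":
    # Constructed sample application carrying a script tag in one field.
    sample = {"main_business": "<script>alert(1)</script>",
              "contact_address": "Beijing", "agent_plan": "n/a"}
    print(render_row_vulnerable(sample))   # script tag reaches the admin page
    print(render_row(sample))              # shown as &lt;script&gt;... text
    db = demo_db()
    print(find_by_city_vulnerable(db, "x' OR '1'='1"))  # both rows come back
    print(find_by_city(db, "x' OR '1'='1"))             # []
```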