An enterprise-level call system has 11 SQL injection vulnerabilities (no DBA permission required)
The same system is deployed by multiple vendors; the cases below serve as evidence.
The affected endpoints do not require login. Eleven files are vulnerable to SQL injection. (The most widely deployed instance is the call system of Shenzhen yunqi communication Co., Ltd.)
All eleven locations accept the same POST body, and in every one of them the injectable parameters are username and password. The first request in full (the target host is masked as in the original report):

POST /justadmin/index.html HTTP/1.1
Content-Length: 87
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**:81/
Cookie: PHPSESSID=ffe0i1_milab2mb60355k4ra00
Host: **.**.**.**:81
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

username=admin&password=admin

The remaining ten requests carry the same headers and the same body (Content-Length: 79 in the original captures) and differ only in the request path and, for two of the hosts, the port:

 2. POST /justadmin/include/status.html HTTP/1.1 (Host **.**.**.**:81)
 3. POST /justadmin/include/javascript/status.html HTTP/1.1 (Host **.**.**.**:81)
 4. POST /justadmin/include/javascript/ HTTP/1.1 (Host **.**.**.**:81)
 5. POST /justadmin/include/images/status.html HTTP/1.1 (Host **.**.**.**, no explicit port)
 6. POST /justadmin/include/images/alert/status.html HTTP/1.1 (Host **.**.**.**:8000)
 7. POST /justadmin/include/images/alert/ HTTP/1.1 (Host **.**.**.**:81)
 8. POST /justadmin/include/images/ HTTP/1.1 (Host **.**.**.**:81)
 9. POST /justadmin/include/css/status.html HTTP/1.1 (Host **.**.**.**:81)
10. POST /justadmin/include/css/ HTTP/1.1 (Host **.**.**.**:81)
11. POST /justadmin/include/ HTTP/1.1 (Host **.**.**.**:81)

Entries 4, 7, 8, 10 and 11 are directory paths, so the vulnerable handler is whatever index file the web server serves for that directory; in each case the parameters username and password are the injection points.
Solution:
Filter and validate the username and password parameters before they reach the database query. Better still, stop concatenating user input into SQL at all and use parameterized queries (in PHP, PDO or mysqli prepared statements), and apply the change at every place the login query is built, since all eleven endpoints take the same two parameters.
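As an added example (not code from the original report or from the vendor), the following Python script reproduces the login pattern behind the requests above against an in-memory SQLite table: a query built by string concatenation, which is the assumed root cause of the eleven injection points, beside the parameterized version that the fix calls for. The table, the credentials and the two payloads are constructed for the demonstration; the real system is PHP (note the PHPSESSID cookie), where the equivalent fix is PDO or mysqli prepared statements.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real deployment.
ADMIN_USER = "admin"
ADMIN_PASS = "S3cret!"


def make_db():
    """Create an in-memory admin table standing in for the call system's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin_user (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin_user VALUES (?, ?)", (ADMIN_USER, ADMIN_PASS))
    return db


def login_vulnerable(db, username, password):
    """Login check that splices the POST fields straight into the SQL text.

    This is the assumed pattern behind the eleven reported endpoints: whatever
    arrives in username/password becomes part of the statement.
    Returns the matched username, or None when no row matches.
    """
    sql = ("SELECT username FROM admin_user WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same check with bound parameters: the input is data, never SQL syntax."""
    sql = "SELECT username FROM admin_user WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(db):
    """Run the same three credential pairs through both handlers.

    The payloads are constructed for illustration: a tautology in the password
    field, and a comment sequence in the username that drops the password check.
    """
    attempts = {
        "valid":          (ADMIN_USER, ADMIN_PASS),
        "tautology":      (ADMIN_USER, "' OR '1'='1"),
        "comment_bypass": ("' OR 1=1 -- ", "anything"),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(db, u, p),
            "fixed": login_fixed(db, u, p),
        }
        for name, (u, p) in attempts.items()
    }


if __name__ == "__main__":
    for name, result in compare(make_db()).items():
        print(f"{name:15} vulnerable={result['vulnerable']!r:8} fixed={result['fixed']!r}")
```

Both forged credential pairs log in as admin through the concatenating handler and are rejected by the parameterized one, while the genuine credentials work in both; that is the behaviour to confirm after patching each of the eleven paths.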