Lenovo website backend security defects and SQL injection (with repair suggestions)
Backend security defects: SQL injection found, server files readable, and backend login achieved
The backend login page is http://css.lenovo.com/lxymanage/login.php, and it displays a verification code (captcha).
A direct brute-force attempt against the login request was unsuccessful. A scan with a crawler then turned up the address http://css.lenovo.com/lxymanage/indexindex.php.
Accessing it returns a 302 redirect, but the script does not exit after issuing the redirect, so the full HTML source of the page is still returned in the response body.
If the redirect were done in JavaScript, there is a small trick: in Fiddler's command line enter `bpu login.php` (adjusted to whichever page actually performs the redirect), so that Fiddler breaks on the request before the redirect happens, and the other backend function pages can then be used normally.
Here, however, the 302 redirect cannot be bypassed simply by intercepting the redirecting page, so the returned HTML content has to be examined to see whether it can be exploited further. After visiting a few of the function pages, the address http://css.lenovo.com/lxymanage/member_upd1.php?id=36 turned up.
Simple `and 1=1` / `and 1=2` tests showed it to be an injection point, so sqlmap was run and retrieved the administrator account rxllajig/c4ca4238a0b923820dcc509a6f75849b; that MD5 value corresponds to "1", and file contents on the server could also be read.
When I log on with this account, I am prompted that the password length cannot be less than 2. However, this check is done in JavaScript, and there are multiple ways to bypass it; the simplest is to use the browser's debugging tools to remove the corresponding JavaScript, after which I log on to the backend successfully.
Solution:
1. Verify the verification code (captcha) on the backend, not only in the browser.
2. Call exit after the backend authentication file issues its redirect, so that the logic below the redirect in the script is not executed.
3. Process the id parameter with intval.
4. Change the administrator password and increase its complexity.
5. Downgrade the privileges of the MySQL account used by the web application.
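Added example (not from the original write-up and not Lenovo's code): PHP fragments showing the hardened form of the patterns discussed above, both the redirect issued without exit (which is what lets the protected HTML through in the 302 response body) and the five fixes in the solution list. File names, table and column names, session keys, the MySQL account name and the minimum password length are all assumptions.

```php
<?php
// Added example, not the site's code. Names below are assumed.

// --- auth_check.php: included at the top of every backend page ---
session_start();
if (empty($_SESSION['admin_id'])) {
    header('Location: login.php', true, 302);
    // Fix 2: without this exit PHP keeps running and the protected HTML
    // below the redirect is still sent in the body of the 302 response.
    exit;
}

// --- login.php: POST handler ---
function handle_login(PDO $db): string
{
    // Fix 1: the captcha is checked on the server, not only drawn in the browser.
    // The captcha value is assumed to have been stored in the session when it was rendered.
    $expected = $_SESSION['captcha'] ?? '';
    unset($_SESSION['captcha']);                       // single use
    $given = (string) ($_POST['captcha'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'captcha mismatch';
    }

    // Fix 4: the length policy is enforced server side; the JS check is
    // convenience only and can be removed in the browser. 12 is an assumed minimum.
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (strlen($pass) < 12) {
        return 'password too short';
    }

    // Parameterised lookup: no string concatenation into SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM admins WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() expects a password_hash() digest, not an unsalted MD5.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return 'invalid credentials';
    }
    session_regenerate_id(true);
    $_SESSION['admin_id'] = (int) $row['id'];
    return 'ok';
}

// --- member_upd1.php ---
function load_member(PDO $db, array $get): ?array
{
    // Fix 3: intval() keeps only the leading integer, so an input such as
    // "36 and 1=1" becomes 36 and no SQL fragment ever reaches the query.
    $id = intval($get['id'] ?? 0);
    if ($id <= 0) {
        return null;
    }
    // Binding the value as an integer parameter is the second line of defence.
    $stmt = $db->prepare('SELECT id, name, email FROM members WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Fix 5: run once as a MySQL administrator (account and schema names assumed) ---
// CREATE USER 'lxyweb'@'localhost' IDENTIFIED BY '<strong password placeholder>';
// GRANT SELECT, INSERT, UPDATE, DELETE ON lxydb.* TO 'lxyweb'@'localhost';
// The account gets no FILE privilege, so even a remaining injection cannot use
// LOAD_FILE() to read files from the server, and no GRANT or SUPER privileges.
```

The order of the fixes matters for defence in depth: intval and the bound integer parameter close the injection, the exit after the redirect stops the backend pages from leaking to unauthenticated callers, and the reduced MySQL grants limit what any injection that survives can do, which is why the file-read capability described above disappears even before the injection itself is patched.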