SQL Injection on a website in Digital China to obtain a large amount of database information
SQL Injection on a website in Digital China to obtain a large amount of database information
Vulnerability url: http://servexpress.digitalchina.com/sms/login.asp
1: post injection exists,
POST /sms/login.asp HTTP/1.1Host: servexpress.digitalchina.comConnection: keep-aliveContent-Length: 27Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://servexpress.digitalchina.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://servexpress.digitalchina.com/sms/login.aspAccept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,und;q=0.4Cookie: Hm_lvt_95801fed4c3f7373790df805816308b4=1417056865; Hm_lpvt_95801fed4c3f7373790df805816308b4=1417056865; ASPSESSIONIDQCCQCBQR=MLDINHADLPFNKAAELKIJEBJAloginid=111111&password=123
2: attackers can obtain information about a large number of databases.
3. Obtain a large amount of user information
4: Don't tell me the data is not important!
Solution: Filter