The Koudai Gouwu (口袋购物) Weidian site has SQL injection, cross-site scripting and related issues.
Injection point: http://wd.koudai.com/vshop/1/H5/H5ShopInfo.php?userid=52&callback=jsonpcallback_1400737639575_8703400159720331&ver=51402 (the userid parameter is injectable).
Tables enumerated through the injection (tool output, reflowed from a single line):
account_statistics, account_type, active, address, address_book, admin_contact, android_info, black_list, bmb_task, buyer_action, buyer_identity, buyer_info, buyer_note, buyer_ua, cate_info, cate_item, complaint, csc_task, csc_task_process, custom, custom_detail, custom_group, custom_order,
express_info, express_note, express_state_info, friend_dynamic, gps, ios_info, item_bg_category, item_info, item_sku, item_souce, login_info, market_apply, market_record, market_seller_item, market_user, offer_price,
order_chargeback, order_desc_info, order_discount, order_fr, order_fr_info, order_info, order_pay, order_refund, order_status_history, order_warrant, pay_batch_no, pay_commission_batch_no, pay_commission_note, pay_detail, pay_history, pay_note, pay_seller_id, pay_task, pay_withdrawals_num, phone_valid,
role_action, role_info, seal_off, sell_summary, shop_friend, sms_log, summary_info, tb_move_status, unpay_detail, unpay_list, unpay_order, update_bank_num, user_action, user_bank, user_device, user_discount, user_feedback, user_info, user_key, user_token, user_truename_note, user_union, user_union_msg, user_wallet, user_wallet_workflow, web_feedback, web_notice, white_list, wholesale_info
The callback parameter is also not filtered properly, so the JSONP wrapper reflects attacker-controlled markup: http://wd.koudai.com/wd/cate/getList?callback=jsonpcallback_1400737646118_061060125241056085%22%27%3E%3C%2Fiframe%3E%3CIFRAME+SRC%3D%22www.baidu.com%22%3E&ver=51402&param=123
Remediation: filter the inputs properly (validate userid and the callback name before use, and bind userid as a query parameter instead of concatenating it into SQL).
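The following is an added example of what "proper filtering" looks like for an endpoint shaped like the two above; it is not code from the site or from the report. It assumes a request handler that receives the query string as a dict, uses an in-memory SQLite table named user_info with constructed rows as a stand-in for the real database, and restricts JSONP callback names to a plain JavaScript identifier (optionally dotted) while binding userid as a query parameter.

```python
import json
import re
import sqlite3

# A callback may only be a JavaScript identifier, optionally dotted (e.g. "ns.cb"),
# with a length cap. Quotes and angle brackets, as in the report's payload, can
# never match, so the reflected wrapper stays valid script and never becomes HTML.
CALLBACK_RE = re.compile(
    r"[A-Za-z_$][A-Za-z0-9_$]{0,63}(\.[A-Za-z_$][A-Za-z0-9_$]{0,63}){0,3}"
)


def valid_callback(name):
    """True only for a callback name that is safe to echo into a script body."""
    return bool(name) and CALLBACK_RE.fullmatch(name) is not None


def parse_userid(raw):
    """Accept a positive decimal integer; anything else is rejected before SQL."""
    if raw is None or not re.fullmatch(r"[1-9][0-9]{0,17}", raw):
        return None
    return int(raw)


def setup_demo_db():
    """Constructed stand-in for the shop database (hypothetical columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_info (userid INTEGER PRIMARY KEY, shop_name TEXT)")
    conn.executemany(
        "INSERT INTO user_info VALUES (?, ?)",
        [(52, "demo shop"), (53, "other shop")],
    )
    return conn


def shop_info(conn, params):
    """Handle a request like H5ShopInfo.php; returns (status, content_type, body)."""
    userid = parse_userid(params.get("userid"))
    if userid is None:
        return 400, "text/plain", "bad userid"
    callback = params.get("callback", "")
    if not valid_callback(callback):
        return 400, "text/plain", "bad callback"
    # Parameterized query: the value is bound by the driver, never spliced into SQL.
    row = conn.execute(
        "SELECT userid, shop_name FROM user_info WHERE userid = ?", (userid,)
    ).fetchone()
    payload = {"userid": row[0], "shop_name": row[1]} if row else {}
    # json.dumps escapes quotes, control characters and non-ASCII text; the
    # leading comment and the script content type keep browsers from treating
    # the response as an HTML document.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, "application/javascript; charset=utf-8", body


if __name__ == "__main__":
    db = setup_demo_db()
    print(shop_info(db, {"userid": "52", "callback": "jsonpcallback_1400737639575_8703400159720331"}))
    print(shop_info(db, {"userid": "52 OR 1=1", "callback": "cb"}))
    print(shop_info(db, {"userid": "52", "callback": "cb\"'></iframe><IFRAME SRC=\"www.baidu.com\">"}))
```

The two checks are independent: the userid validation stops the injection even if the query were later changed to string concatenation, and the callback allow-list stops the reflected markup regardless of how the JSON body is encoded. Rejecting with a 400 rather than "cleaning" the value avoids the usual blacklist-escape mistakes.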
Notice: this article comes from the Internet and does not represent the position of 好得很程序员自学网; when reposting, credit the source: http://haodehen.cn/did15542