IT博客汇 | 铁航一处SQL注入加未授权泄露超过27万机票订单

铁航一处SQL注入加未授权泄露超过27万机票订单

神刀发表于 2015-08-17 07:51:50

注入点:http://b2b.89898989.com/reports/printreceipt.aspx?orderno=406032011601 sa权限写shell失败可执行sql命令写shell也失败未授权:http://b2b.89898989.com/reports/printreceipt.aspx?orderno=406032011601 orderno参数可控生成个数字字典跑一下就OK