乐视网某APP存在两处SQL注入漏洞乐视看球app
GET /sports/api/my_teams?devId=864394014414512&version=2.2&pcode=120110183 HTTP/1.1
User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.6; K-Touch W619 Build/GRK39F)
Host: sports.app.m.letv.com
Accept-Encoding: gzip
Proxy-Connection: close
Connection: close
注入点:devId
GET /dynamic.php?pcode=120110183&devId=864394014414512&act=matches_remind&version=2.2&ctl=index&mod=api20 HTTP/1.1
User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.6; K-Touch W619 Build/GRK39F)
Host: sports.app.m.letv.com
Accept-Encoding: gzip
Proxy-Connection: close
Connection: close
注入点还是devId
修复方案:
这个app很多注入啊