SQL injection vulnerability in the Hua three-letter spare parts management system, with fix - vulnerability warning - the black bar safety net

ID MYHACK58:62201131587
Type myhack58
Reporter Anonymous
Modified 2011-08-15T00:00:00


Detailed description: The user name availability check on the registration page does not filter its input.

Vulnerability proof: checking the user name admin returns "account: admin is already registered, please register with a different user name!". Submitting admin'%20and%20'a'='b returns "no one has registered the account admin' and 'a'='b, you can use this account to register.", while submitting admin'%20or%20'a'='b returns "account: admin' or 'a'='b has already been applied for, please register with a different user name!". The injected and/or condition decides the outcome of the check, so the input reaches the SQL query unescaped.

It can be determined that the database is Oracle; further tests with modified payloads were not performed.

Solution: it is recommended that the vendor add its own SQL injection checks to the input handling.
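The flaw the advisory describes, as an added example that is not part of the original report: a user-name availability check that concatenates input into the SQL text, beside the parameterized form that fixes it, both run against the three probes quoted above. SQLite stands in for the Oracle database and the table layout is assumed.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the registration database. The advisory's target ran
# Oracle; SQLite is used here only so that the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
conn.execute("INSERT INTO users VALUES ('admin')")

# The three user-name probes quoted in the advisory, URL-encoded as submitted.
PROBES = ["admin", "admin'%20and%20'a'='b", "admin'%20or%20'a'='b"]


def is_registered_vulnerable(username: str) -> bool:
    """Availability check as the advisory describes it: the user name is pasted
    into the SQL text unfiltered, so a quote in the input rewrites the WHERE
    clause and the injected and/or condition decides the result."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def is_registered_fixed(username: str) -> bool:
    """Hardened check: the user name is bound as a query parameter, so it is
    only ever compared as a value, whatever characters it contains."""
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def run_probes(check) -> dict:
    """Decode each probe as the web tier would and return {decoded_name: result}.
    With the vulnerable check the two injected names give opposite answers (a
    boolean oracle); with the fixed check both are simply unregistered names."""
    return {unquote(p): check(unquote(p)) for p in PROBES}


if __name__ == "__main__":
    for label, check in (("vulnerable", is_registered_vulnerable),
                         ("fixed", is_registered_fixed)):
        print(label)
        for username, taken in run_probes(check).items():
            print(f"  {username!r:28} registered={taken}")
```

With the vulnerable check the or-probe reports admin as taken and the and-probe reports it as free, reproducing the advisory's two responses; the parameterized check treats both probes as ordinary unregistered names.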