While browsing the Sogou input method website, I found SQL injection vulnerabilities.
1. http://shouji.sogou.com/dict_show.php?sort=date&cate=0&keyword= The keyword parameter is not filtered; malicious input produces a database error message, so error-based injection is possible. The sort parameter produces the same error, but it gets some processing here, apparently a replace on the keywords "union|select". This parameter lands in the ORDER BY position of the SQL statement, so blind injection may be possible; I did not inject successfully, but malicious input to it should still be handled more strictly.
2. http://shouji.sogou.com/wap/index.php?c=down&a=content_all&id=26 The id parameter is not filtered; it can likewise be injected via error messages.
3. http://shouji.sogou.com/wap/?c=skin&a=platform&platform_type=s60v2 (parameter platform_type) and http://shouji.sogou.com/wap/index.php?c=skin&a=info_gx&skin_id=153651&pos=3 (parameter skin_id): same situation as 2.
4. http://shouji.sogou.com/wap/index.php?c=dict The search box has a POST injection: submitting a test ' produces an error.
The situation at the several injection points is as follows:
banner: '5.0.95-log'
current user: 'email@example.com'
Database: dt_ime_shouji_dictdata [32 tables]
Fix recommendation: strictly filter the input parameters. Make error handling friendlier so that database and path information is not leaked.
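To make the recommendation concrete, here is an added example; it is not code from Sogou's site. It is a Python/sqlite3 stand-in for the dict_show.php query with an invented schema (the dict and users tables and their rows are constructed for the example). search_vulnerable concatenates keyword and cate into the statement and applies a hypothetical lowercase "union|select" strip to sort, the kind of filter the report guesses at. PROBE_TRUE and PROBE_FALSE show why a keyword strip in the ORDER BY position is not a defense: SQL keywords are case-insensitive while the strip is not, and a CASE expression wrapping a scalar subquery changes the sort order with the truth of a condition, which is the boolean-based blind pattern. search_hardened and handle_request are the hardened form: placeholders for keyword and cate, a whitelist for the ORDER BY column since that position cannot be bound, LIKE metacharacters escaped, and driver errors replaced by a generic message so no SQL, version or path details reach the client.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the dictionary data plus an unrelated
    sensitive table; schema and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE dict (id INTEGER PRIMARY KEY, name TEXT, cate INTEGER, date TEXT);
        INSERT INTO dict VALUES (1, 'zebra', 0, '2012-03-01'),
                                (2, 'apple', 0, '2012-01-01'),
                                (3, 'tech',  1, '2012-02-01');
        CREATE TABLE users (login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('admin', 'deadbeef');
    """)
    return conn


# Hypothetical keyword-strip filter of the kind the report guesses is applied
# to the sort parameter: removes the literal lowercase words union/select.
KEYWORD_STRIP = re.compile(r"union|select")


def search_vulnerable(conn, keyword, sort, cate=0):
    """String-concatenated query: keyword and cate unfiltered, sort blacklisted."""
    sort = KEYWORD_STRIP.sub("", sort)
    sql = (f"SELECT id, name FROM dict WHERE cate={cate} "
           f"AND name LIKE '%{keyword}%' ORDER BY {sort}")
    return conn.execute(sql).fetchall()


# ORDER BY payloads that survive the strip (uppercase SELECT is not matched).
# The scalar subquery makes the sort column depend on whether the condition
# holds, so the row order answers a yes/no question about the users table.
PROBE_TRUE = "(CASE WHEN (SELECT length(pw_hash) FROM users)=8 THEN id ELSE name END)"
PROBE_FALSE = "(CASE WHEN (SELECT length(pw_hash) FROM users)=9 THEN id ELSE name END)"


# --- hardened version -------------------------------------------------------

# ORDER BY cannot take a bound parameter, so map the user value onto a whitelist.
ALLOWED_SORT = {"date": "date", "name": "name", "id": "id"}


def _like_escape(s):
    """Escape LIKE metacharacters so the user string is matched literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn, keyword, sort, cate):
    col = ALLOWED_SORT.get(sort)
    if col is None:
        raise ValueError("invalid sort")
    try:
        cate = int(cate)
    except (TypeError, ValueError):
        raise ValueError("invalid cate")
    sql = (f"SELECT id, name FROM dict WHERE cate=? "
           f"AND name LIKE ? ESCAPE '\\' ORDER BY {col}")
    return conn.execute(sql, (cate, f"%{_like_escape(keyword)}%")).fetchall()


def handle_request(conn, keyword, sort, cate):
    """Request wrapper: validation failures get a short message; driver errors
    are logged server-side and replaced by a generic one so no SQL text,
    schema, version or file-path details reach the client."""
    try:
        return {"ok": True, "rows": search_hardened(conn, keyword, sort, cate)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    except sqlite3.Error as exc:
        print("internal: %r" % exc)  # stand-in for a server-side log line
        return {"ok": False, "error": "search temporarily unavailable"}


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT login, pw_hash FROM users --"
    print(search_vulnerable(db, payload, "date"))      # leaks the users row
    print(search_vulnerable(db, "", PROBE_TRUE))        # ordered by id
    print(search_vulnerable(db, "", PROBE_FALSE))       # ordered by name
    print(search_vulnerable(db, "", "id", "0 OR 1=1"))  # cate is injectable too
    print(handle_request(db, payload, "date", "0"))     # no rows, nothing leaked
    print(handle_request(db, "", PROBE_TRUE, "0"))      # rejected: invalid sort
```

The whitelist on sort is the important part for the ORDER BY position: once the column name is chosen from a fixed mapping, there is no user-controlled text left in the statement, and no keyword blacklist is needed at all.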