Source: myhack58 | Author: Anonymous (佚名) | ID: MYHACK58:62201338990
Published: May 27, 2013 - 12:00 a.m.

China Mobile microblog SQL injection and 139 mailbox defects: another user's 139 mailbox can be entered - vulnerability warning - Black Bar Security Net (myhack58)


SQL injection in the China Mobile microblog system (cross-database queries were not attempted)
139 mailbox password-retrieval defect

The injection point is the app_key parameter.

For example:

http://talk.shequ.10086.cn/apps/vshare/share.php?title=在线客服_中国移动通信&url=http%3A%2F%2Fwww.10086.cn%2Fonlineservice%2Fcom_ask%2FSaS_H_F_Mobile%2F201209%2Ft20120908_38479.htm&app_key=809d94dc9e84f39e3646ee5c72f473f4

Errors are not echoed; a UNION query executes, but its result is not echoed either:

http://talk.shequ.10086.cn/apps/vshare/share.php?title=在线客服_中国移动通信&url=http%3A%2F%2Fwww.10086.cn%2Fonlineservice%2Fcom_ask%2FSaS_H_F_Mobile%2F201209%2Ft20120908_38479.htm&&app_key=809d94dc9e84f39e3646ee5c72f473f4'%20and%201=1%20union%20select%20999998,999997,999996,999995%23

With no echo at all, the only option was a blind injection with a tool, enumerating tables, then columns, then contents. There are 8 tables; among them (009) sms_admin obviously stores the administrator accounts. The retrieved data:

(screenshot: dumped contents of the sms_admin table)

Following the domain naming pattern (*.shequ.10086.cn), the backend address is most likely http://administrator.talk.shequ.10086.cn/, but it cannot be reached, possibly because of a network restriction. The reason for this guess: http://admin.talk.shequ.10086.cn/, which does not exist, gets the operator's "domain does not exist" page, whereas the administrator host simply cannot be accessed.

Back to the findings: think about how to get the most out of this data.

I tried the usernames and passwords at the ordinary-user login of the microblog and found that you must log in with a phone number; for the remaining few accounts that take a username, a few passwords were tested locally and none matched.

From the information gathered, the administrators' mailboxes are on these systems: staff.139.com, aspirehld.com and aspirecn.com (the latter two are the same system).

Here a second flaw was found. 139 mailbox allows two login modes, username and phone number. In "Forgot Password", resetting by username sends a verification code to the phone, and on the code-entry page the phone number is displayed in full. In other words, a 139 mailbox username yields that mailbox's phone number, so from the administrators' 139 mailbox usernames I obtained their mobile phone numbers.

The two administrators who use 139 mailboxes did not reuse their microblog admin password for the mailbox, so the mailbox could not be logged into directly.

Although the backend still could not be reached, logging in to the microblog with one of the phone numbers and the admin password succeeded, and the microblog uses unified access (single sign-on), so...

...the address book can be accessed:

(screenshot: address book)

Of course the mailbox can also be entered directly.

Inside, I found that she is also an aspirecn.com person, presumably the interface contact for the mobile microblog project.

Going through the mail would certainly yield more, such as sensitive processes and account information, but there is no need to rummage through someone's mail in order to find more system defects for the sake of testing. After all, the intent was just to test, not to run a penetration to obtain more sensitive information. Strictly speaking, as long as the injection is removed, none of the later steps, including the mailbox at the top, would be reachable, so claiming further vulnerabilities on the strength of gaining more system privileges would be nonsense: once this injection is gone, at least this line of attack goes nowhere. But China Mobile's way of thinking is unique... of the 8 administrators, at least 6 are confirmed not to be China Mobile staff, on a system that is already in production. Impressive!

Although she is not China Mobile staff, as the interface contact her mailbox holds several emails exchanged with the Guangdong Mobile microblog project, including development of a new interface... As the interface person who discusses technical issues with the customer, what if someone used her mailbox to email Guangdong saying the system had a small problem and a few code files needed replacing, and sent a PHP backdoor over...

Remediation:

SQL injection: filter the parameter value (validate app_key and bind it as a query parameter instead of concatenating it into the SQL)

139 mailbox password retrieval: mask the phone number with * on the verification-code page
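The two fixes above, shown side by side with the flawed pattern, as an added example that is not code from the page or from the China Mobile system. The schema is an assumption (a single table keyed by app_key, held in an in-memory sqlite database); the real share.php backend is MySQL, so the page's UNION payload with a `#` comment is replaced here by a constructed boolean tautology payload. The phone number is constructed as well.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the database behind share.php.
# Assumption: app registrations are keyed by app_key; the real schema is not on the page.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE apps (app_key TEXT PRIMARY KEY, app_name TEXT)")
conn.execute("INSERT INTO apps VALUES ('809d94dc9e84f39e3646ee5c72f473f4', 'vshare')")
conn.commit()

# The app_key in the page's URL is a 32-character lowercase hex string.
APP_KEY_RE = re.compile(r"^[0-9a-f]{32}$")


def lookup_app_vulnerable(app_key):
    """The flawed pattern: the request parameter is spliced straight into SQL.

    Anything after a quote in app_key becomes part of the statement, which is
    what made the app_key parameter of share.php injectable."""
    sql = "SELECT app_name FROM apps WHERE app_key = '%s'" % app_key
    return [row[0] for row in conn.execute(sql)]


def lookup_app_fixed(app_key):
    """Hardened lookup: reject anything that is not a 32-char hex string, then
    bind the value as a parameter so the database never parses it as SQL."""
    if not isinstance(app_key, str) or not APP_KEY_RE.match(app_key):
        return []
    cur = conn.execute("SELECT app_name FROM apps WHERE app_key = ?", (app_key,))
    return [row[0] for row in cur]


def mask_phone(number):
    """Display form of a mobile number for the verification-code page: keep the
    first three and last four digits, replace the middle four with '*'.
    Raises instead of echoing an unexpected value back to the user."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) != 11:
        raise ValueError("expected an 11-digit mobile number")
    return digits[:3] + "*" * 4 + digits[-4:]


if __name__ == "__main__":
    good = "809d94dc9e84f39e3646ee5c72f473f4"
    # Constructed tautology payload: closes the quote and ORs in a true condition,
    # so the vulnerable query matches every row.
    bad = "x' OR 'a'='a"
    print(lookup_app_vulnerable(good), lookup_app_vulnerable(bad))
    print(lookup_app_fixed(good), lookup_app_fixed(bad))
    print(mask_phone("13800138000"))  # constructed number
```

The shape check alone would stop this particular payload, but the parameter binding is the real fix: it holds even if the key format changes later, and it is what keeps a future "did not attempt cross-database" from becoming "read the other databases".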