appscan扫描结果:
SQL 盲注严重性: 高
测试类型: 应用程序
有漏洞的URL: [url]http://www.xxxx.com.cn/bhbank/admin/main[/url] (参数 = submit1)
修复任务: 过滤掉用户输入中的危险字符
1 的变体 1 [ID=17667]
以下更改已应用到原始请求:
• 已将参数“submit1”的值设置为“%27+%2B+%27%27+%2B+%27%E6%8F%90%E4%BA%A4”
请求/响应:
POST /bhbank/admin/main?transName=saveReporterInfo HTTP/1.0
Cookie: JSESSIONID=0000xDwE_zAUiZNX_TWsogX6O9D:-1
Content-Length: 198
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: [url]www.xxxx.com.cn[/url]
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://www.xxxx.com.cn/bhbank/S101/iframeFile/meitizhongxin_1.htm[/url]
corporation=1234&name=&telephone=555-555-5555&mobile=1234&email=abc123%40acmehackme.
com&address=753+Main+Street&introduction=1234&submit1=%27+%2B+%27%27+%2B+%27%
E6%8F%90%E4%BA%A4&sex=%E7%94%841%A47
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0000QIHg2zYmEqAw_LYigEMF27z:-1; path=/
Content-Length: 653
Date: Sun, 28 Nov 2010 17:43:27 GMT
Server: IBM_HTTP_Server/6.0.1 Apache/2.0.47 (Unix)
Last-Modified: Thu, 16 Aug 2007 08:23:14 GMT
Keep-Alive: timeout=10, max=2000
Xonnection: Xeep-Alive
Content-Type: text/html
Content-Language: zh-CN
<html >
<script language="javascript" type="text/javascript"
src="/bhbank/bloveoct.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
// parent.tt();
var ifr=parent.document.getElementById("iframe1");
ifr.height=200;
//-->
</SCRIPT>
<head>
<title>xxxx-错误提示页面</title>
<style type="text/css">
<!--
body {
margin-left: 0px;
margin-top: 0px;
margin-right: 0px;
margin-bottom: 0px;
}
-->
</style>
<style type="text/css">
<!--
.STYLE1 {
color: #4EA0FC;
font-weight: bold;
}
-->
</style>
</head>
<body style="background:#F7F7F7;" >
<span class="STYLE1">您的信息已提交,感谢您对xxxx的关注与支持!
</body>
</html>
POST /bhbank/admin/main?transName=saveReporterInfo HTTP/1.0
Cookie: JSESSIONID=0000xDwE_zAUiZNX_TWsogX6O9D:-1
Content-Length: 195
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: [url]www.xxxx.com.cn[/url]
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://www.xxxx.com.cn/bhbank/S101/iframeFile/meitizhongxin_1.htm[/url]
corporation=1234&name=&telephone=555-555-5555&mobile=1234&email=abc123%40acmehackme.
com&address=753+Main+Street&introduction=1234&submit1=%27+%2B+%27+%2B+%27%E6%
8F%90%E4%BA%A4&sex=%E7%94%841%A47
HTTP/1.1 404 Not Found
<HTML><HEAD><title>JSP ????</title><style type="text/css">#mybox{padding:
0.5em;border: noborder; border-width: thin; width: 100%;}</style><style
type="text/css">h2 { text-align: justify;color:#5555FF;font-size:15pt;font-family:
Verdana, Helvitica, sans-serif;font-weight:bold}</style></HEAD><BODY><h2>JSP ????
</h2><TABLE BORDER=2 BGCOLOR="#DDDDFF"><TR VALIGN="BOTTOM"><TD BGCOLOR="#C2B0D6"
><B><FONT FACE="Verdana, Helvitica, sans-serif" COLOR="black" SIZE="4PT">HTTP ?????
404</B><BR><BR></TD></TR><TR><TD><B>?????</B><div
id="mybox"><PRE>JSPG0036E: ?????? /admin/error.jsp<BR></PRE>
