SQL injection vulnerability in the APP on the official website of hailoan

SQL injection vulnerability in the APP on the official website of hailoan

SQL injection vulnerability in the APP on the official website of hailoan

Purpose: To detect the APP of good loan network and find SQL injection in the following places: (iu_id, UNION QUERY, Boolean/time blind injection in POST)
POST/capi/Intentuser/get_order_one HTTP/1.1
Content-Length: 324
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://interface.api.haodai.com/capi/Intentuser/get_order_one
Cookie: PHPSESSID = e%hgd9hj%il73hff0nocu6
Host: interface.api.haodai.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept :*/*
Appid = 2 & app_version = 27000 & auth_did = 218372 & auth_dsig = Hangzhou & auth_tms = 20151103002125 & auth_uid = 402888 & auth_usig = Hangzhou & channel = xiaomi & imei = A0000038000000 & iu_id = 864520 & OS _type = 1 & uid = 402888
1. Vulnerability proof

2. Current Database User

3. list all databases

4. Check the user table in the current database. The number of loan managers is more than 0.7 million, and the number of loan users is more than 0.6 million. The specific data will not run. Pay attention to P2P financial security.