2015-05-22: 细节已通知厂商并且等待厂商处理中 2015-05-22: 厂商已经确认,细节仅向厂商公开 2015-06-01: 细节向核心白帽子及相关领域专家公开 2015-06-11: 细节向普通白帽子公开 2015-06-21: 细节向实习白帽子公开 2015-07-01: 厂商已经修复漏洞并主动公开,细节向公众公开
最近有点烦。闲来没事发现了饿了么订单部分内容海量泄露,没看错的话都是上千万条,上亿条。
找个不被人注意的地方下手搞搞几率比较大,于是盯上了ele.to这个二级域名扫到一个域名www.ele.toa目录可列
发现备份文件,下载回来发现好大
使用编辑器打开发现很多数据库,
编辑器打开数据文件发现海量订单内容,请看行数
吓尿。。疑似核心数据库密码文件泄露
*****;mysql**********NAMES b**********IGN_KEY_C**********E='+00********** `user**********uot;,"Y","Y","Y","Y","Y","Y","Y","Y","Y","**********,"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y**********t;,"Y","Y","Y","Y","Y","Y","Y","Y","Y","**********,"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y&qu**********"N","N","N","N","N","N","N","Y","N","N&qu**********uot;N","N","Y","N","N","N","N","N","Y","N&quo**********uot;N","N","Y","N","N","N","N","Y","Y","N"**********uot;,"N","N","N","N","N","N","N","N","N",&q**********t;N","N","N","N","N","N","N","Y","Y","N"**********t;N","N","N","N","N","N","N","Y","Y","N"**********t;N","N","N","N","N","N","N","Y","Y","N"**********ot;N","N","N","N","N","N","N","N","N","N"**********uot;Y","N","N","N","N","N","Y","N","N",**********N","N","Y","N","N","N","N","Y","Y","N"**********quot;,"N","N","N","N","N","N","Y","Y","N",**********quot;,"N","N","N","N","N","N","N","N","N",&**********"N","N","N","N","N","N","N","Y","Y","N&qu**********,"N","N","N","N","N","N","N","Y","Y","N&qu**********uot;N","N","Y","N","N","N","N","N","Y","N"**********uot;N","N","N","N","N","N","N","Y","Y","N"**********t;N","N","N","N","N","N","N","N","N","N"**********uot;N","N","N","Y","N","Y","N","N","N","N&quo**********quot;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y&quo**********ot;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&q**********,"N","N","N","N","N","N","N","N","N","N&q**********;,"N","N","N","N","N","N","Y","N","N","N",&**********"N","N","N","N","N","N","Y","N","N","N",&q**********;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","**********t;N","N","N","N","N","N","N","N","N","N","**********","Y","Y","Y","Y","Y","Y","Y","Y","Y","**********;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","**********uot;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",&qu**********,"N","Y","N","N","N","N","Y","Y","N","Y",&**********t;N","N","N","Y","N","Y","N","N","N","N","**********uot;N","N","N","N","N","N","N","Y","N","N",&qu**********cod*****
危害等级:中
漏洞Rank:5
确认时间:2015-05-22 16:16
确认问题存在,但日记中的数据未测试用的临时数据,没有生产环境用户的敏感信息,感谢你对饿了么安全的关注。
2015-07-01:漏洞已修复,感谢对饿了么的关注。
前天还用饿了么免费吃了顿饭
坏人