当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115458

漏洞标题:饿了么订单部分内容超海量泄露

相关厂商:饿了么

漏洞作者: if、so

提交时间:2015-05-22 09:14

修复时间:2015-07-01 09:20

公开时间:2015-07-01 09:20

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-22: 细节已通知厂商并且等待厂商处理中
2015-05-22: 厂商已经确认,细节仅向厂商公开
2015-06-01: 细节向核心白帽子及相关领域专家公开
2015-06-11: 细节向普通白帽子公开
2015-06-21: 细节向实习白帽子公开
2015-07-01: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

最近有点烦。闲来没事发现了饿了么订单部分内容海量泄露,没看错的话都是上千万条,上亿条。

详细说明:

找个不被人注意的地方下手搞搞几率比较大,于是盯上了ele.to这个二级域名
扫到一个域名www.ele.to
a目录可列

qqqq.png


发现备份文件,下载回来发现好大

wwww.png


使用编辑器打开发现很多数据库,

sql3.png


sql4.png


编辑器打开数据文件发现海量订单内容,请看行数

SQL1.png


sql2.png


吓尿。。
疑似核心数据库密码文件泄露

mask 区域
*****;mysql*****
*****NAMES b*****
*****IGN_KEY_C*****
*****E='+00*****
***** `user*****
*****uot;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&quot*****
*****,"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y*****
*****t;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&quot*****
*****,"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y&qu*****
*****"N","N","N","N","N","N","N","Y","N","N&qu*****
*****uot;N","N","Y","N","N","N","N","N","Y","N&quo*****
*****uot;N","N","Y","N","N","N","N","Y","Y","N&quot*****
*****uot;,"N","N","N","N","N","N","N","N","N",&q*****
*****t;N","N","N","N","N","N","N","Y","Y","N"*****
*****t;N","N","N","N","N","N","N","Y","Y","N&quot*****
*****t;N","N","N","N","N","N","N","Y","Y","N&quot*****
*****ot;N","N","N","N","N","N","N","N","N","N&quot*****
*****uot;Y","N","N","N","N","N","Y","N","N",*****
*****N","N","Y","N","N","N","N","Y","Y","N"*****
*****quot;,"N","N","N","N","N","N","Y","Y","N",*****
*****quot;,"N","N","N","N","N","N","N","N","N",&*****
*****"N","N","N","N","N","N","N","Y","Y","N&qu*****
*****,"N","N","N","N","N","N","N","Y","Y","N&qu*****
*****uot;N","N","Y","N","N","N","N","N","Y","N&quot*****
*****uot;N","N","N","N","N","N","N","Y","Y","N&quot*****
*****t;N","N","N","N","N","N","N","N","N","N&quot*****
*****uot;N","N","N","Y","N","Y","N","N","N","N&quo*****
*****quot;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y&quo*****
*****ot;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&q*****
*****,"N","N","N","N","N","N","N","N","N","N&q*****
*****;,"N","N","N","N","N","N","Y","N","N","N",&*****
*****"N","N","N","N","N","N","Y","N","N","N",&q*****
*****;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",&quot*****
*****t;N","N","N","N","N","N","N","N","N","N",&quot*****
*****","Y","Y","Y","Y","Y","Y","Y","Y","Y","*****
*****;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","*****
*****uot;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",&qu*****
*****,"N","Y","N","N","N","N","Y","Y","N","Y",&*****
*****t;N","N","N","Y","N","Y","N","N","N","N",&quot*****
*****uot;N","N","N","N","N","N","N","Y","N","N",&qu*****
*****cod*****

漏洞证明:

qqqq.png


wwww.png


sql3.png


sql4.png


SQL1.png


sql2.png


mask 区域
*****;mysql*****
*****NAMES b*****
*****IGN_KEY_C*****
*****E='+00*****
***** `user*****
*****uot;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&quot*****
*****,"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y*****
*****t;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&quot*****
*****,"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y&qu*****
*****"N","N","N","N","N","N","N","Y","N","N&qu*****
*****uot;N","N","Y","N","N","N","N","N","Y","N&quo*****
*****uot;N","N","Y","N","N","N","N","Y","Y","N&quot*****
*****uot;,"N","N","N","N","N","N","N","N","N",&q*****
*****t;N","N","N","N","N","N","N","Y","Y","N"*****
*****t;N","N","N","N","N","N","N","Y","Y","N&quot*****
*****t;N","N","N","N","N","N","N","Y","Y","N&quot*****
*****ot;N","N","N","N","N","N","N","N","N","N&quot*****
*****uot;Y","N","N","N","N","N","Y","N","N",*****
*****N","N","Y","N","N","N","N","Y","Y","N"*****
*****quot;,"N","N","N","N","N","N","Y","Y","N",*****
*****quot;,"N","N","N","N","N","N","N","N","N",&*****
*****"N","N","N","N","N","N","N","Y","Y","N&qu*****
*****,"N","N","N","N","N","N","N","Y","Y","N&qu*****
*****uot;N","N","Y","N","N","N","N","N","Y","N&quot*****
*****uot;N","N","N","N","N","N","N","Y","Y","N&quot*****
*****t;N","N","N","N","N","N","N","N","N","N&quot*****
*****uot;N","N","N","Y","N","Y","N","N","N","N&quo*****
*****quot;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y&quo*****
*****ot;,"Y","Y","Y","Y","Y","Y","Y","Y","Y",&q*****
*****,"N","N","N","N","N","N","N","N","N","N&q*****
*****;,"N","N","N","N","N","N","Y","N","N","N",&*****
*****"N","N","N","N","N","N","Y","N","N","N",&q*****
*****;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",&quot*****
*****t;N","N","N","N","N","N","N","N","N","N",&quot*****
*****","Y","Y","Y","Y","Y","Y","Y","Y","Y","*****
*****;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","*****
*****uot;Y","Y","Y","Y","Y","Y","Y","Y","Y","Y",&qu*****
*****,"N","Y","N","N","N","N","Y","Y","N","Y",&*****
*****t;N","N","N","Y","N","Y","N","N","N","N",&quot*****
*****uot;N","N","N","N","N","N","N","Y","N","N",&qu*****
*****cod*****

修复方案:

版权声明:转载请注明来源 if、so@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-05-22 16:16

厂商回复:

确认问题存在,但日记中的数据未测试用的临时数据,没有生产环境用户的敏感信息,感谢你对饿了么安全的关注。

最新状态:

2015-07-01:漏洞已修复,感谢对饿了么的关注。


漏洞评价:

评论

  1. 2015-05-22 11:27 | px1624 ( 普通白帽子 | Rank:1036 漏洞数:175 | px1624)

    前天还用饿了么免费吃了顿饭

  2. 2015-05-22 12:33 | 左手 ( 实习白帽子 | Rank:33 漏洞数:13 | Touch<touch@bxbsec.com>)

    坏人