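The D33Ds Company today (July 12) published the data of 450,000 Yahoo users. The hackers say they obtained user data from XXX.yahoo.com by exploiting a union-based SQL injection vulnerability. The release contains 453492 user data records, more than 2700 database table and column names, and 298 MySQL parameters. One entry in the published data reads HOSTNAME =>> dbb1.ac.bf1.yahoo.com, a hostname that belongs to the Yahoo Voice application. It is therefore very likely that Yahoo Voice is the application that was compromised.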
    #######################################
    #[ - Owned and Exposed - ]            #
    # Brought to you by the D33Ds Company #
    #                                     #
    # Target: <censored>.yahoo.com        #
    # Method: Union-based SQL Injection   #
    #                                     #
    #######################################

    -------------
    Jump to:
    1. MySQL Variables
    2. Database/Table/Column Names
    3. email:pass dump (450k users)
    4. Final Notes
    -------------

    1. MySQL Variables
    ------------------
    MAX_PREPARED_STMT_COUNT =>> 16382
    CHARACTER_SETS_DIR =>> /home/y/share/mysql/charsets/
    HAVE_CRYPT =>> YES
    CONNECT_TIMEOUT =>> 10
    ......

    2. Database/Table/Column Names
    -------------------------------
    [ * ] schema_name ==> table_name :::: column_name
    information_schema =>> CHARACTER_SETS :::: CHARACTER_SET_NAME
    information_schema =>> CHARACTER_SETS :::: DEFAULT_COLLATE_NAME
    information_schema =>> CHARACTER_SETS :::: DESCRIPTION
    information_schema =>> CHARACTER_SETS :::: MAXLEN
    ......

    3. email:pass dump (450k users)
    --------------------------------
    count() = 453491
    user_id : user_name : clear_passwd : passwd
    1:[email protected]:@fl!pm0de@
    4:[email protected]:pass
    5:[email protected]:steveol
    6:[email protected]:chotzi
    ....
    366641:[email protected]:uplgmotv
http://burnbit.com/torrent/206849/yahoo_disclosure_txt