漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-079743
漏洞标题:100offer某点配置不当致全部数据库沦陷(涉及亚马逊的充值卡哦)
相关厂商:100offer.com
漏洞作者: 爱上平顶山
提交时间:2014-10-17 16:47
修复时间:2014-12-01 16:48
公开时间:2014-12-01 16:48
漏洞类型:系统/服务运维配置不当
危害等级:高
自评Rank:20
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-10-17: 细节已通知厂商并且等待厂商处理中
2014-10-17: 厂商已经确认,细节仅向厂商公开
2014-10-27: 细节向核心白帽子及相关领域专家公开
2014-11-06: 细节向普通白帽子公开
2014-11-16: 细节向实习白帽子公开
2014-12-01: 细节向公众公开
简要描述:
0..0
2014年程序员该拿多少钱?
招聘一直是互联网行业里一个大难题,之前我公众号中推荐过的100offer很好地解决了程序员招聘的问题。100offer一反过去做法:程序员申请如通过100offer挑选后,100offer会邀请互联网公司来竞拍程序员,让优秀的程序员一次投递收到多家互联网公司的offer,体验是非常棒的。
so 有了《程序员跳槽指南》
这两天微信上很火的招聘100offer 是吧? so,今天没事看下,然后~有了这个~
详细说明:
100offer
标题是为了安全,其实是被me发现了一个注入~
商务合作:[email protected]
招聘体验师:[email protected]
意见与投诉:[email protected]
邀请朋友注册100offer.com, 您可以立即获得 15元亚马逊礼品卡或 1500元介绍奖金。
送我奖金呢还是礼品卡呢~
点:
https://100offer.com/company_list?l=A 唯一的点
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
available databases [8]:
[*] db1s8z72o9v2c844
[*] information_schema
[*] jiguang_production
[*] jiguang_staging
[*] jiguanghr
[*] mysql
[*] performance_schema
[*] wordpress
current database: 'jiguang_production'
database management system users [1]:
[*] 'machenlei'@'%'
Database: jiguang_production
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| admin_histories | 36205 |
| skills_talents | 18089 |
| temp_temps | 16129 |
| talent_surveys | 14210 |
| talents | 10689 |
| weixin_tickets | 7388 |
| messages | 7292 |
| exp_works | 6060 |
| recruiter_resumes | 5735 |
| exp_educations | 4957 |
| admin_amazon_cards | 3000 |
| weixin_histories | 2994 |
| resumes | 2179 |
| socials | 2074 |
| exp_projects | 2054 |
| admin_coupons | 2000 |
| recruiters | 1648 |
| companies | 1521 |
| exp_cases | 1439 |
| resume_memos | 1398 |
| offers | 1152 |
| talent_domains | 1130 |
| company_images | 621 |
| company_media_pages | 399 |
| auctions | 258 |
| staff_talent_auctions | 227 |
| schema_migrations | 166 |
| survey_options | 60 |
| cms_contents | 24 |
| admin_campaigns | 21 |
| skills | 16 |
| admin_qas | 11 |
| staffs | 11 |
| settings | 8 |
| survey_questions | 7 |
| affairs | 3 |
| cms_categories | 1 |
| cms_widgets | 1 |
| weblinks | 1 |
+-----------------------+---------+
Database: jiguang_staging
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| admin_histories | 403 |
| schema_migrations | 169 |
| temp_temps | 111 |
| weixin_histories | 106 |
| invitations | 90 |
| messages | 50 |
| skills_talents | 42 |
| exp_educations | 38 |
| survey_options | 34 |
| admin_amazon_cards | 33 |
| weixin_tickets | 29 |
| exp_cases | 18 |
| socials | 16 |
| talent_surveys | 14 |
| admin_qas | 11 |
| skills | 11 |
| staff_talent_auctions | 10 |
| talent_domains | 9 |
| resumes | 8 |
| settings | 7 |
| survey_questions | 7 |
| company_images | 6 |
| offers | 6 |
| company_media_pages | 5 |
| staffs | 5 |
| recruiters | 3 |
| auctions | 2 |
| cms_contents | 2 |
| recruiter_resumes | 2 |
| resume_memos | 2 |
| talents | 2 |
| companies | 1 |
+-----------------------+---------+
不深入了 请解决~
漏洞证明:
如上
修复方案:
过滤
版权声明:转载请注明来源 爱上平顶山@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:10
确认时间:2014-10-17 17:23
厂商回复:
感谢爱上平顶山,漏洞已修复
最新状态:
暂无