Xuehesi sensitive information leakage caused by an unfixed SQL injection vulnerability in a substation

Xuehesi sensitive information leakage caused by an unfixed SQL injection vulnerability in a substation

SQL injection vulnerability in a business

This is an SQL injection vulnerability in the talent recruitment system. It is generally considered that such injection produces information that does not have much value for testers (job information and the account of job seekers ), unable to cause more serious impact, so the vendor did not fix it after confirmation.

However, apart from logging system configurations to a file, many websites also save the configurations in the database. In this case, the SQL injection vulnerability may cause more sensitive information leakage.

Taking this injection vulnerability as an example, the database job.xueersi.org contains the following table:
 

……| system_config || system_contract || system_custom || system_custom_title || system_custom_title_option || system_identitycheck || system_identitycheck_log || system_interview || system_job_level || system_job_type || system_mail || system_set || system_sms || system_sms_log || system_sms_payment_log || system_tool || system_user_from || system_user_type |……

Simple verification shows that system configurations stored in system_config, system_mail, system_set, and system_sms contain sensitive information.

System_mail:
 

Job_id, system_mail_id, kernel, system_mail_port, kernel, kernel, system_mail_isspa, kernel, system_mail_status, system_mail_account, system_mail_password, keys, 19,0, 110, <blank>, 0, 0, 0, 123@xueersi.com, * ** mosaic **, POPCOM.263XMAIL. COM0, 20, 0, 110, <blank>, zhaopinzu@100tal.com, t *** mosaic *** 3, POP.100TAL. COM85, 110, <blank>, zkzhaopin@xueersi.com, zhi *** mosaic *** 011, POPCOM.263XMAIL. COM84, 110, <blank>, zhaopin1@xueersi.com, z *** mosaic *** 3, POPCOM.263XMAIL. COM0, 110, <blank>, campus@100tal.com, t *** mosaic *** 3, POP.100TAL. COM0, 24, 0, 110, <blank>, jiaoshizhaopin@100tal.com, t *** mosaic *** 3, pop.100tal.com

System_set:
 

310. Whether to send text messages at the same time, whether to send text messages at the same time, <blank>, <blank>, 0320, system outbound email settings, system outbound email settings, <blank>, "a: 3: {s: 11:" "mail_sender" "; s: 15:" "Future Education" "; s: 6:" "isSmtp"; s: 1: "" 1 ""; s: 4: "" smtp ""; a: 7: {s: 12: "" mail_account ""; s: 14: "" job@100tal.com ""; s: 13: "" mail_password ""; s: 13: "" hwl *** mosaic *** @ # $ ""; s: 14: "" mail_smtp_addr ""; s: 15: "" smtp.100tal.com ""; s: 9: "" mail_port ""; s: 2: "25" "; s: 10: "" mail_isssl ""; s: 1: "" 0 ""; s: 10: "" mail_istls ""; s: 1: "" 0 ""; s: 10: "" mail_isspa ""; s: 1: "" 1 "" ;}}", 1330, internal staff verification, internal staff verification, <blank>, ": 3: {s: 3: "" set "; I: 2; s: 3:" "pwd" "; s: 6: "" *** mosaic *** ""; s: 4: "" code ""; s: 30: "" ewn *** mosaic *** 4sh "";} ", 1340, Exam Score validity period, Exam Score validity period, <blank>

System_sms:
 

Examples, examples, examples, system_sms_left, system_sms_type, system_sms_init, system_sms_name, system_sms_total, system_sms_status, system_sms_return, example, system_sms_account, system_sms_service, http://sdkhttp.eucp.b2m.cn/sdk/SDKService? Wsdl, <blank>, 0, yi_mei_ruan_tong, "a: 8: {I: 0; s: 18:" sms sent successfully ""; I: 17; s: 18: "" failed to send message ""; I: 18; s: 24: "failed to send scheduled message" "; I: 303; s: 21: "" client network fault ""; I: 305; s: 45: "" server return error, returned error ""; I: 307; s: 71: "" The target phone number does not comply with the rules. The phone number must start with 0 or 1 ""; I: 997; s: 72: "" the platform cannot find the timeout message, ""; I: 998; s: 93: "" cannot be determined if the message sending times out due to client network problems "";} ", <blank>, 70, UTF-8, 3SDK *** mosaic *** MKSLK, <blank>, 6 ***** mosaic *** 3

To sum up, the database stores the internal recruitment password and SMS sending interface account configuration.
 

 

In addition, the above table leaked a total of six internal email accounts through smtp configuration, you can log on successfully, including a large number of emails.
 

zhaopinzu@100tal.comzkzhaopin@xueersi.comzhaopin1@xueersi.comcampus@100tal.comjiaoshizhaopin@100tal.comjob@100tal.com

 

 

 

The mailbox contains the entire group address book. In addition, one mailbox can also be used to log on to the group's public account.
 

 

VcyoLmpwZw = "src =" http://www.bkjia.com/uploads/allimg/141211/04151UZ6-6.jpg "width =" 600 "/>

Further exploitation (Analysis of behavior information in the Log table, database hit attacks by email addresses, and use of recruitment email addresses to send false information) may bring greater risks. Not in-depth.

Solution:

#1. filter parameters

#2. Modify the leaked password (mainly six internal mailboxes and one public account)