A flaw in a management system of Ctrip leads to a large number of merchant password leaks (which affects the security of merchant Funds)
It involves Ctrip merchant accounts, information leakage, various background permissions, merchant income amount, bank card numbers, and so on.
The problem occurs in the Ctrip hotel management system.
Page address: https://ebooking.ctrip.com/hotel-supplier-ebookinglogin/EbookingLogin.aspx
This login is protected by a verification code (CAPTCHA), which is refreshed after every failed logon attempt.
However, security is a whole: a single overlooked detail is enough to lose the battle.
Page address: m.ebooking.ctrip.com
The WAP login page has no such restriction.
As a result, merchant account credentials can be fuzzed.
Packet Capture Data
POST /Hotel-Supplier-EBookingAPP/Home/Login.aspx HTTP/1.1
Host: m.ebooking.ctrip.com
Proxy-Connection: keep-alive
Content-Length: 78
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://m.ebooking.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://m.ebooking.ctrip.com/Hotel-Supplier-EBookingAPP/Home/Login.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: _abtest_userid=c4af9012-b1d5-48ae-8025-519515c183f9; _ga=GA1.2.2123208696.1423463476; Session=SmartLinkCode=U455496&SmartLinkKeyWord=&SmartLinkQuary=&SmartLinkHost=&SmartLinkLanguage=zh; AX=ffffffff0900113145525d5f4f58455e445a4a423660; ASP.NET_SessionId=x41whx1gkuismbq20opxb4vj; _bfa=1.1423463476329.43a1dn.1.1423463476329.1425467461158.2.11; _bfs=1.10; _bfi=p1%3D233001%26p2%3D800056%26v1%3D9%26v2%3D

5htryw8kwgldr7p9vwn5ael1p1zghw43g=admin&rbv1lo84bhy43sx6ab9gdzlglgz9p4fq=admin
The account and password are in plain text. I can find a username dictionary to test the password.
Fuzz testing was started with Burp Suite.
Then:
Various bills can be downloaded, room information can be modified, prices, etc.
Solution:
Filter: apply the same login restriction (the verification code) to the WAP login page as well.
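The fix boils down to gating every login path with the same throttle. The following is an added example (not Ctrip's code) of a shared guard that demands a CAPTCHA once an account or a client IP has accumulated repeated failures, so a second entry point such as the WAP page cannot sidestep the desktop page's protection. `LoginGuard`, `handle_login`, the thresholds and the sample user store are assumed names and constructed values.

```python
"""Added example (not Ctrip's code): a login-throttling guard shared by every login
endpoint, so a second, unprotected path (like the WAP page) cannot bypass the limit.
Names, thresholds and sample users are assumptions constructed for illustration."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field


def hash_password(password: str) -> str:
    # Constructed stand-in; a production store should use bcrypt/argon2, not bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class LoginGuard:
    max_failures: int = 5        # failures per account or per client IP before a CAPTCHA is demanded
    window_seconds: int = 900    # sliding window over which failures are counted
    _failures: dict = field(default_factory=dict)   # (kind, value) -> list of failure timestamps

    def _recent(self, key, now):
        """Drop expired failures for key and return the live list (stored back, so appends persist)."""
        live = [t for t in self._failures.get(key, []) if now - t < self.window_seconds]
        self._failures[key] = live
        return live

    def captcha_required(self, username, client_ip, now):
        # Per-account counter stops a dictionary run against one merchant;
        # per-IP counter stops the same client rotating through a username list.
        return any(len(self._recent(k, now)) >= self.max_failures
                   for k in (("user", username), ("ip", client_ip)))

    def record_failure(self, username, client_ip, now):
        for key in (("user", username), ("ip", client_ip)):
            self._recent(key, now).append(now)

    def record_success(self, username):
        self._failures.pop(("user", username), None)   # IP counter deliberately kept


def handle_login(guard, users, username, password, client_ip, captcha_ok, now=None):
    """One handler for both the desktop and the WAP login (hypothetical wiring).
    users: {username: hash_password(pw)}; returns 'ok', 'captcha_required' or 'invalid'."""
    now = time.time() if now is None else now
    if guard.captcha_required(username, client_ip, now) and not captcha_ok:
        return "captcha_required"            # refuse before the password is even checked
    stored = users.get(username)
    if stored is not None and hmac.compare_digest(stored, hash_password(password)):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username, client_ip, now)   # same answer for unknown user and wrong password
    return "invalid"
```

The `now` parameter exists so the sliding window can be driven deterministically in tests; in production it is left unset.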