A Spam-related case (no money on travel from now on) and Solutions
I opened a link from an email and landed on a travel agency's website. After a rough check I found no major vulnerabilities, and the dongle was watching it, so I planned to take a look at a side station instead. That was when I saw a link to the "all-social-tourism system", so I clicked in:
Http://www.xinyour.net/
It seems that hundreds of travel agencies in China are using it. Downloading it for an audit would all have to be paid for, and a student dog is under great pressure:
Then I found that "all social networks" is a travel system built on "travel to the world" (Xinyour), and "travel to the world" describes itself in amazing terms:
Xinyour network, the first tourism wealth-creation network in China, is China's first business model to connect China's private car platform, China's air ticket and hotel ticket platform, and China's travel line trading platform under one BMC (Business-Media Center-Consumer) model; it provides multiple kinds of users with a fast, affordable, easy-to-use, real-time travel and tourism entrepreneurship network.
Http://www.xinyour.com/About-3.html
So I ran a subdomain enumeration of xinyour.com, added some Google hacking, and found a management platform:
Http://manage.xinyour.com/
I tried a universal password:
However, it seems that access is restricted by IP address:
So I ran sqlmap first, and the injection ran with sa permissions:
web server operating system: Windows Vista
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
available databases [49]:
[*] _XinYour.AppStore
[*] _XinYour.Base
[*] _XinYour.ConfigCenter
[*] _XinYour.EHotel
[*] _XinYour.Flight
[*] _XinYour.kt
[*] _XinYour.SMS
[*] _XinYour.Travel
[*] _XinYour.UCenter
[*] _XinYour.WWW
[*] _XinYour.XinPay
[*] Alipay_Trans
[*] aqimdb
[*] BBS
[*] db_fdxh
[*] distribution
[*] drsWeb
[*] EBPP
[*] ecar_bbs
[*] ECarSys
[*] eche_bbs
[*] ECManageSys
[*] eHotel
[*] EPcar
[*] HongShi
[*] JobXinyour
[*] master
[*] MeiHu
[*] MemberC
[*] MenPiaoSys
[*] MenPiaoWeb
[*] model
[*] msdb
[*] newByCar
[*] News
[*] PDMWLH
[*] SceBK
[*] szlxx.com
[*] tempdb
[*] Ticket
[*] uncard
[*] UserCore
[*] weather
[*] wlhdb
[*] XinYour.TravelTest
[*] XueHuaEnroll
[*] xy_test2
[*] XySce
[*] zxySince

Database: _XinYour.UCenter
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.UCenter_Users | 215776  |
+-------------------+---------+
However, there is only one injection point, and it turned out to be useless. When I looked at the page source code, there was a hidden input:
My partner said it might be a background redirect link, so he tried changing its value to '/'. The result was:
Millions of monthly subscriptions:
More than 0.2 million users:
Finally, I found an upload and got a one-line shell (the "Pony") through it:
There is more than one backup station:
The permissions were quite high. In the end the port was recovered and I connected to the database. How could I change an account balance ......
Shell address: http://manage.xinyour.com/pictures/WWW/News/201545205546141.aspx
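The shell above is an .aspx file that the application let an attacker write under /pictures/ and that IIS then executed. The following is an added example of how an ASP.NET upload handler can be written so that this cannot happen; it is not the site's own code, and the storage root, size limit and file types are assumptions for illustration.

```csharp
// Added example (not Xinyour's code): an upload handler that can never produce an
// executable page under the web root. Assumes ASP.NET Web Forms on IIS 7 and a
// storage directory outside the site's physical path (hypothetical, e.g. D:\uploads\).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Web;

public static class SafeUpload
{
    // Allowlist of the image types a news/picture gallery actually needs.
    static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    // Leading bytes for each allowed type (constructed table, not exhaustive).
    static readonly (byte[] Magic, string Ext)[] Signatures =
    {
        (new byte[] { 0xFF, 0xD8, 0xFF }, ".jpg"),
        (new byte[] { 0x89, 0x50, 0x4E, 0x47 }, ".png"),
        (new byte[] { 0x47, 0x49, 0x46, 0x38 }, ".gif"),
    };

    // Saves the file and returns the server-chosen name; throws on any policy violation.
    public static string Save(HttpPostedFile file, string storageRoot)
    {
        if (file == null || file.ContentLength <= 0 || file.ContentLength > 2 * 1024 * 1024)
            throw new InvalidDataException("empty or oversized upload");

        // Only the extension of the client-supplied name is consulted, never its path
        // or base name, so "..\x.aspx" or "x.aspx;.jpg" cannot influence the result.
        string ext = Path.GetExtension(file.FileName ?? string.Empty).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            throw new InvalidDataException("extension not allowed");
        if (ext == ".jpeg") ext = ".jpg";

        // The content must match the claimed type; a script renamed to .jpg is rejected.
        byte[] head = new byte[8];
        int n = file.InputStream.Read(head, 0, head.Length);
        file.InputStream.Position = 0;
        bool matches = false;
        foreach (var sig in Signatures)
            if (sig.Ext == ext && n >= sig.Magic.Length && StartsWith(head, sig.Magic))
                matches = true;
        if (!matches)
            throw new InvalidDataException("content does not match extension");

        // Server-generated random name with a fixed extension: no user influence at all.
        byte[] rnd = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(rnd);
        string name = BitConverter.ToString(rnd).Replace("-", "").ToLowerInvariant() + ext;

        // storageRoot sits outside the web root, so IIS never maps a request onto it;
        // files are served back through a handler that only streams bytes.
        file.SaveAs(Path.Combine(storageRoot, name));
        return name;
    }

    static bool StartsWith(byte[] data, byte[] prefix)
    {
        for (int i = 0; i < prefix.Length; i++)
            if (data[i] != prefix[i]) return false;
        return true;
    }
}
```

Where files must stay under the web root, the IIS-side backstop is to remove script execution from that folder (a `<location path="pictures">` section whose `<system.webServer><handlers accessPolicy="Read" />` strips the Script and Execute rights), so that even a file that slips through the checks is served as a static download rather than run.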
Solution:
1. Rewrite the background logon.
2. Do not store passwords in plaintext; many tables currently do.
3. Restrict execution permissions on the upload directory.
4. The whole community travel system is riddled with small excessive-authority issues that nobody reports.
5. Various weak passwords.
6. There is no verification code (CAPTCHA) for the OA and other systems.