Change the password of all internal employees of the GreenTree Inn Hotel Management Group to enable access to multiple internal sites
PS: Personally, I feel the harm is great.
Two days ago, I dug up several holes in the GreenTree Inn Management Group. This evening I was bored, took a look at the repair situation, and then got stuck.
1. WooYun: "Hotel security: GetShell on the internal system of GreenTree Inn Hotel Management Group". The vendor changed the password of 121846 and deleted the Trojan horse. However, that is useless. As mentioned in WooYun: "Hotel security: packaged submission of multiple vulnerabilities of the GreenTree Inn Hotel Management Group", there are problems with more than 100 accounts. I picked two accounts at random from the posted ones, 121956 and 121913, and the login succeeded. OK!
2. At the same location as last time, http://mis.998.com:8065/Construct_Detail_New.aspx?Projectid=17, I uploaded the Trojan again as http://mis.998.com:8065/upfiles/635756074685719847wooyun.aspx and successfully got into the system.
3. Found Web.config and logged on to the database, resulting in a large amount of internal data leakage.
The six databases listed here have hundreds of tables, which are far from being used, causing great harm.
4. My instinct was that the usernames and passwords of internal employees should be retrievable. It took some time to find the employee database.
The database is located at 10.2.100.211. The database username and password are not pasted here; this only proves that the data was found.
5. What to do when the passwords turn out to be encrypted and cannot be decrypted? The stored password of 121913 is rSdSDpsPQkg=, and I know that its plaintext is 121913. Therefore, I executed this SQL statement:
UPDATE js_user SET pwd = 'rSdSDpsPQkg=' WHERE truename = '***'
With that, the password is modified. PS: this is not a new idea.
6. All accounts can be modified. Here, only a small number of accounts were used for testing. After the test, the original passwords were changed back. Please rest assured.
Test account 1: CEO Xu Shuguang (all internal employee information is leaked in the OA system)
Username: axu password: 121913 (the test code password has been changed back)
7. Access multiple systems
Service Department platform: IT service platform
Service Department platform: hotel project comprehensive information platform
Customer Service
Marketing Department
E-commerce channels
New business platform
All hotel address books
PS: I will not list them one by one; the harm is very great. There are still many more systems that seem to be logged on to using the passwords in this database. The vendor should be familiar with them.
8. Found that the CEO cannot enter the IT platform. Okay, you guys =|
Found an IT employee, Gong Yilin, and used the following method to test the IT platform.
Insufficient permissions. One could search for accounts, modify accounts, and then go deeper.
PS: If the hazards shown are not enough, more can be added!
Solution:
1. Rectify the loose account system. If necessary, the more than 100 accounts can be provided for free.
2. Validate uploaded files on the server side and delete the server-side script files.
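A sketch of the server-side check from solution 2, added here as an example (Python for illustration; it is not code from the original report or from the vendor, and the allowlist, size limit and function names are assumptions). The file uploaded in step 2 kept its client-supplied name and .aspx extension, so the validator allowlists extensions, checks the content against the declared type, and generates the stored name itself.

```python
import os
import secrets

# Assumed policy: the upload feature only needs images and PDFs.
# Each allowed extension maps to the magic bytes its content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(Exception):
    """Raised when an upload fails server-side validation."""


def validate_upload(client_name: str, data: bytes,
                    max_size: int = 5 * 1024 * 1024) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    if not data or len(data) > max_size:
        raise UploadRejected("empty or oversized file")
    # Keep only the last path component (either separator), cut at the first
    # NUL byte, and strip trailing dots/spaces before reading the extension.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.split("\x00", 1)[0].rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match the declared type")
    # Never reuse the client's name: random name plus the validated extension.
    return secrets.token_hex(16) + ext


def store_upload(upload_dir: str, client_name: str, data: bytes) -> str:
    """Validate, then write with exclusive create; returns the stored path."""
    name = validate_upload(client_name, data)
    path = os.path.join(upload_dir, name)
    with open(path, "xb") as fh:  # "x": fail instead of overwriting a file
        fh.write(data)
    return path
```

The upload directory should additionally be served with script execution disabled, so that a file that slips past validation is still never run by the web server.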