Jiangnan Keyou bastion host: XSS + unauthorized access + SQL injection vulnerability 1 (no login required)

Source: Internet
Author: User


These are the official statistics. In daily work, the Jiangnan Keyou bastion host is frequently seen at energy and financial organizations, so the scope of impact needs no further explanation.


On to the analysis.



0x01 Reflected XSS
 

In rdplogout.php:

    </script>
    <body>
    <div align="center"><font color="red">Resource <?php echo $_GET['res_name']; // output directly, producing XSS ?></font></div>


The link is as follows:

https://1.1.1.1/rdplogout.php?res_name=<script>alert(222)</script>
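The fix for this output line is context-correct escaping before the value reaches the page. The following is an added example, not the vendor's code: the helper name e() and the renderResourceBanner() wrapper are hypothetical, and the fragment follows the markup quoted above.

```php
<?php
// Added example (not the vendor's code): hardened version of the rdplogout.php
// output line. e() and renderResourceBanner() are hypothetical names.

declare(strict_types=1);

// Escape for an HTML text/attribute context. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE keeps invalid UTF-8 from aborting the escape, and
// the charset is pinned so the escaper and the browser agree on decoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the fragment shown above, with the request value escaped.
function renderResourceBanner(array $query): string
{
    $resName = isset($query['res_name']) ? (string) $query['res_name'] : '';
    return '<div align="center"><font color="red">Resource ' . e($resName) . '</font></div>';
}

// Declare the charset explicitly; header() is a no-op when run from the CLI.
header('Content-Type: text/html; charset=UTF-8');

// Constructed input: the same payload as the link above.
echo renderResourceBanner(['res_name' => '<script>alert(222)</script>']), PHP_EOL;
```

With the escaper in place the angle brackets arrive as `&lt;` and `&gt;`, so the browser renders the payload as literal text inside the font tag instead of executing it. Escaping at the point of output (rather than "filtering" on input) is what keeps the fix correct regardless of where the value came from.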

 





0x02 Unauthorized access and information leakage (physical path)

https://1.1.1.1/system/ADD_VDH_Protocl.php

The code will not be analyzed here. There is no permission check at all, so protocol-related entries can be added at will.

 



https://1.1.1.1/system/download_cert.php?down_cret=1
 





0x03 SQL injection vulnerability
 

In system/download_cert.php, at line 31:

    if (isset($_GET['manager']) && isset($_GET['user_id']) && isset($_GET['cert_psw'])) {
        $db = new SystemDB();
        $cert_msg = $db->getCertById('', $_GET['user_id'], $_GET['manager']);
        if (!empty($cert_msg)) {

 


Let's track the getCertById method.

    public function getCertById($id=null, $user_id=null, $userflag=null)
    {
        try
        {
            if(!empty($id) && empty($user_id))
                $sql = "select * from cert where id = ".$id;
            else if(empty($id) && !empty($user_id))
            {
                $sql = "select * from cert where user_id=".$user_id." and userflag=".$userflag;
            }
            //echo $sql;
            $stmt = $this->dbh->prepare($sql);
            $stmt->execute();



When $id is non-empty and $user_id is empty, it runs "select * from cert where id = ".$id; when $id is empty and $user_id is non-empty (which is the case for the download_cert.php call above, since it passes '' as $id), it builds the user_id/userflag query the same way.

Are $id, $user_id and $userflag filtered? No, they are concatenated straight into the SQL, so the injection point can be used directly, and since database errors are displayed, this is an error-based injection.

https://1.x.x.98/system/download_cert.php?user_id=2&cert_psw=3&manager=1
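Both the missing permission check from 0x02 and the concatenated query from 0x03 have standard fixes: refuse anonymous requests before doing any work, and pass request values as bound parameters rather than as SQL text. The following is an added example, not the vendor's code. requireLogin(), CertRepository and intParam() are hypothetical names; it assumes the logged-in operator is kept in $_SESSION['user'] and that the pdo_sqlite extension is available; the table and column names follow the query quoted above, and the rows are constructed for the demo.

```php
<?php
// Added example (not the vendor's code): hardened replacements for the two
// patterns in download_cert.php. requireLogin(), CertRepository and intParam()
// are hypothetical names; $_SESSION['user'] is an assumed session key.

declare(strict_types=1);

// --- 0x02: deny anonymous access before any work is done -------------------
// Call this at the top of download_cert.php / ADD_VDH_Protocl.php.
function requireLogin(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        // A bare denial: no stack trace, no physical path.
        exit('Forbidden');
    }
}

// --- 0x03: the same lookup with bound parameters instead of concatenation ---
final class CertRepository
{
    public function __construct(private PDO $dbh)
    {
        // Throw on failure and handle it centrally; never echo driver errors
        // to the client (that is what makes the original error-based).
        $this->dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Real server-side prepares on MySQL; ignored by SQLite.
        $this->dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }

    /** Same contract as the original getCertById: by id, or by user_id + userflag. */
    public function getCertById(?int $id = null, ?int $userId = null, ?int $userflag = null): array
    {
        if ($id !== null && $userId === null) {
            $stmt = $this->dbh->prepare('SELECT * FROM cert WHERE id = :id');
            $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        } elseif ($id === null && $userId !== null) {
            $stmt = $this->dbh->prepare('SELECT * FROM cert WHERE user_id = :uid AND userflag = :flag');
            $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
            $stmt->bindValue(':flag', $userflag ?? 0, PDO::PARAM_INT);
        } else {
            return [];
        }
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Strict integer parsing for request parameters: "2" is accepted, anything
// that is not a plain integer is rejected before it can reach the SQL text.
function intParam(array $query, string $key): ?int
{
    if (!isset($query[$key])) {
        return null;
    }
    $v = filter_var($query[$key], FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// --- self-contained demo on an in-memory SQLite database (constructed rows) --
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE cert (id INTEGER PRIMARY KEY, user_id INTEGER, userflag INTEGER, cert_name TEXT)');
$pdo->exec("INSERT INTO cert VALUES (1, 2, 1, 'ops-cert'), (2, 3, 1, 'other-cert')");
$repo = new CertRepository($pdo);

// The request from the write-up (user_id=2&manager=1) now returns only its own row.
$rows = $repo->getCertById(null, intParam(['user_id' => '2', 'manager' => '1'], 'user_id'), 1);
if (count($rows) !== 1 || $rows[0]['cert_name'] !== 'ops-cert') {
    throw new RuntimeException('lookup returned the wrong rows');
}

// A tampered parameter never becomes SQL: validation fails and the
// controller can reject the request outright.
if (intParam(['user_id' => '2 or 1=1'], 'user_id') !== null) {
    throw new RuntimeException('tampered parameter was accepted');
}
echo "ok\n";
```

The two layers are independent: the integer validation in intParam() is defence in depth, but the bound parameters are what actually remove the injection, because the driver never lets the value alter the statement. Keeping ATTR_ERRMODE as exceptions, and catching them in one place that logs rather than prints, also closes the error display the write-up relies on.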


I assume everyone knows what a bastion host is; if not, look it up on Baidu.

The intranet machines behind the bastion host won't be touched here...

Controlling it is equivalent to controlling every host on the intranet...

 

Proof of vulnerability:

https://1.x.x.98/system/download_cert.php?user_id=2&cert_psw=3&manager=1

Solution:

Strengthen filtering of the request parameters.
