Arbitrary Command Execution & amp; SQL Injection for uploading an O & M Monitoring System File
This is where the problem occurs: http: // 59.151.102.92/. This ip segment should be an easy-to-use car... Of course.
This host uses the opmanager O & M monitoring system. This system has two problems: File Upload, the war package can be uploaded to execute system commands, and the SQL injection. Metaspoodle has the File Upload Vulnerability. Use exp to try it.
Payload has been uploaded successfully, and war has been deployed, but I don't have a public ip address. The session cannot be played back. I can only prove it by using the deployment path. Ah, the poor cannot afford vps for penetration.
I set up the same environment on the Intranet. This system is installed with the system permission, and the returned meterpreter is the highest permission.
SQL Injection has three points.
/Servlet/APMBVHandler? OPERATION_TYPE = Delete & OPM_BVNAME = [SQLi]
/Servlet/com. manageengine. opmanager. servlet. UpdateProbeUpgradeStatus? UpgradeStatus = success & probeName = [SQLi]
/Servlet/DataComparisonServlet? Operation = compare & numPrimaryKey = 1337 & query = [SQLi]
You can simply write SQL statements in it. By default, mysql is used and the system permission is used. If you do not show back, I will not demonstrate it.
Patch
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
