New Injection of the most vulnerable user information for a general system is leaked (no login required)
This system is the Smartbos management system from New Software, which is currently one of China's largest providers of learning management software. The system is very widely deployed, and a number of live instances were collected.
Now to the vulnerability itself. There are several injection points; one of them is:
/Site/ajax/WebSiteAjax.aspx?Type=hits&ContentUid=123
The ContentUid parameter here is injectable.
I found several deployed instances on the Internet to test against.
We pick one instance to verify, the "East China University of Technology" deployment:
http://exam.ecustmde.com/site/ajax/WebSiteAjax.aspx?Type=hits&ContentUid=123
Injection parameter: ContentUid
Let's take a look at the injection point.
From the figure above, we can see that the back-end DBMS is Microsoft SQL Server 2008. In this version xp_cmdshell is disabled by default, so it has to be enabled before it can be used.
Enabling xp_cmdshell requires sufficient privileges, so let's look at the privileges of this injection point.
I am happy to see this. With sa, the subsequent operations will be even smoother.
First, enable xp_cmdshell.
Then an OS shell can be obtained.
From here, much more is possible.
Database
So many tables; the amount of information should not be small.
Check the Administrator information in the nv_user table.
Try to decrypt it.
Username: yaojund
Password: mde123
Login
There are more than pieces of data that can be obtained from the database, including their passwords.
We stop here.
Solution:
Filter.
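Filtering alone is fragile; the robust fix for this endpoint is to validate ContentUid as an integer and pass it to SQL Server as a typed parameter rather than concatenating it into the query. The following ASP.NET handler is an added example, not the vendor's code; it assumes a "Content" table with integer ContentUid and Hits columns and a connection string named "Lms" in web.config.

```csharp
// Added example (not the vendor's code): a hardened handler for
// /Site/ajax/WebSiteAjax.aspx?type=hits&ContentUid=<n>.
// Assumptions: a "Content" table with integer ContentUid and Hits columns,
// and a connection string named "Lms" in web.config.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class WebSiteAjax : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        string type = context.Request.QueryString["type"];
        string raw = context.Request.QueryString["ContentUid"];

        // Fail closed: anything that is not a plain positive integer is
        // rejected before it gets anywhere near SQL.
        int contentUid;
        if (type != "hits" || !int.TryParse(raw, out contentUid) || contentUid <= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // Parameterised query: the value travels as typed data, never as SQL
        // text, so the string concatenation that allowed injection is gone.
        const string sql =
            "UPDATE Content SET Hits = Hits + 1 WHERE ContentUid = @ContentUid";
        string cs = ConfigurationManager.ConnectionStrings["Lms"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ContentUid", SqlDbType.Int).Value = contentUid;
            conn.Open();
            int rows = cmd.ExecuteNonQuery();
            context.Response.ContentType = "text/plain";
            context.Response.Write(rows == 1 ? "ok" : "not found");
        }
    }
}
```

The "Lms" connection string should also use a low-privilege database login rather than sa, so that any residual injection cannot enable xp_cmdshell or read the nv_user table.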