ASP.NET Development: Precompiled Architecture, DLL Decompilation, Yonyou Chanjet T (用友畅捷通T), File Upload Hunting
#DLL decompilation tools:
dnSpy = ILSpy => Reflector
https://github.com/dnSpy/dnSpy
https://github.com/icsharpcode/ILSpy
https://www.xitongzhijia.net/soft/44725.html
#Case 1: File upload - a business school system - V2020
Search for the upload keyword (SaveAs) -> List_Edit.aspx -> WeiSha.WebControl.FileUpload fuLoad -> FileAllow -> add the wanted suffix to the allowed list, then upload
#Case 2: File upload - Yonyou Chanjet T - V17.0
Normal site: aspx -> dll (cs)
Precompiled site: *.aspx -> *.compiled -> dll (cs)
Effects of precompilation:
1. Audit tracing has one extra layer: the .compiled marker
2. File resolution has one extra layer: the .compiled marker
- Forward analysis (exploitation points):
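The extra layer is a small XML marker file per page in bin/, which records the page's virtual path and the App_Web_*.dll holding its compiled code. The script below, an added example rather than anything from the course notes or from Chanjet, resolves those markers in both directions: route -> .compiled -> DLL (forward) and assembly name seen in dnSpy -> .compiled -> route (reverse, the step used when a SaveAs hit has to be tied back to a URL). The two sample marker files are constructed; their hash, filehash and type values are assumed, while the attribute layout is the one aspnet_compiler writes.

```python
"""Resolve ASP.NET precompiled-site marker files (*.compiled) to routes and DLLs.

In a precompiled site, bin/ holds one <page>.<hash>.compiled XML file per page.
Each records the page's virtual path and the App_Web_*.dll that holds its
compiled code: the hop an auditor crosses in both directions.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample marker files. The single <preserve> element with these
# attributes is the layout aspnet_compiler writes; the hash/filehash/type
# values are assumed, not taken from a real T+ installation.
SAMPLE_COMPILED = {
    "upload.aspx.9475d17f.compiled": (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<preserve resultType="3" virtualPath="/tplus/SM/SetupAccount/Upload.aspx" '
        'hash="1a2b3c4d" filehash="5e6f7a8b" flags="100000" '
        'assembly="App_Web_upload.aspx.9475d17f" '
        'type="ASP.sm_setupaccount_upload_aspx" />'
    ),
    "global.asax.cdcab7d2.compiled": (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<preserve resultType="8" virtualPath="/tplus/global.asax" '
        'hash="9c8d7e6f" filehash="0f1e2d3c" flags="100000" '
        'assembly="App_Web_global.asax.cs.cdcab7d2" '
        'type="ASP.global_asax" />'
    ),
}


def parse_compiled(xml_text):
    """Return the route, assembly and type recorded in one .compiled marker."""
    root = ET.fromstring(xml_text)
    if root.tag != "preserve" or "assembly" not in root.attrib:
        raise ValueError("not an ASP.NET precompilation marker")
    return {
        "virtual_path": root.attrib.get("virtualPath", ""),
        "assembly": root.attrib["assembly"],
        "dll": root.attrib["assembly"] + ".dll",  # file to open in dnSpy/ILSpy
        "type": root.attrib.get("type", ""),
    }


def build_route_map(markers):
    """markers: {filename: xml_text}. Returns {virtual_path.lower(): entry}.

    Paths are lower-cased because IIS/ASP.NET match URLs case-insensitively.
    """
    route_map = {}
    for name, xml_text in markers.items():
        entry = parse_compiled(xml_text)
        entry["marker"] = name
        route_map[entry["virtual_path"].lower()] = entry
    return route_map


def load_markers(bin_dir):
    """Read every *.compiled file in a real bin/ directory (BOM tolerated)."""
    markers = {}
    for name in os.listdir(bin_dir):
        if name.lower().endswith(".compiled"):
            with open(os.path.join(bin_dir, name), encoding="utf-8-sig") as fh:
                markers[name] = fh.read()
    return markers


def dll_for_route(route_map, route):
    """Forward direction: URL path -> DLL to decompile (None if no marker)."""
    entry = route_map.get(route.lower())
    return entry["dll"] if entry else None


def routes_for_assembly(route_map, assembly):
    """Reverse direction: assembly name seen in dnSpy -> sorted list of routes."""
    return sorted(e["virtual_path"] for e in route_map.values()
                  if e["assembly"] == assembly)


if __name__ == "__main__":
    rm = build_route_map(SAMPLE_COMPILED)
    print(dll_for_route(rm, "/tplus/sm/setupaccount/upload.aspx"))
    print(routes_for_assembly(rm, "App_Web_upload.aspx.9475d17f"))
```

Against a real installation, replace SAMPLE_COMPILED with load_markers(r"C:\path\to\site\bin") and the same two lookups give the route for every assembly in which a decompiler search turned up a file-write call.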
https://blog.csdn.net/qq_43878255/article/details/127302920
https://blog.csdn.net/xiayu729100940/article/details/126646035
1. Upload point flaw
/tplus/SM/SetupAccount/Upload.aspx
/bin/upload.aspx.9475d17f.compiled
App_Web_upload.aspx.9475d17f.dll
CommonPage_SetupAccount_Upload -> Files1 form field name, MIME validation bypass
2. Unauthorized access bypass
App_global.asax
App_Web_global.asax.cs.cdcab7d2
Ufida.T.Web.Http.Global.Application_PreRequestHandlerExecute -> ?preload=1
3. Precompilation handling
Reference: https://www.buaq.net/go-53733.html
C:\Windows\WinSxS\wow64_aspnet_compiler_b03f5f7f11d50a3a_4.0.15840.3_none_9d95d60805091f79\aspnet_compiler.exe -v \ -p C:\Users\Administrator\Desktop\NET\gsl -D C:\Users\Administrator\Desktop\NET\123
-p: the directory containing the Godzilla (哥斯拉) webshell
-D: the output directory to generate
- Reverse analysis (vulnerability hunting points):
1. Search for the upload keyword (upload security point) (SaveAs) -> App_Web_upload.aspx.9475d17f.dll -> /bin/upload.aspx.9475d17f.compiled -> /tplus/SM/SetupAccount/Upload.aspx (route)
2. Find validation bypasses (auth bypass points)
App_global.asax -> App_Web_global.asax.cs.cdcab7d2 -> Ufida.T.Web.Http.Global.Application_PreRequestHandlerExecute -> ?preload=1 (bypass)
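The upload flaw in item 1 above comes down to a check on the MIME type of the Files1 part, a value the client sets. The following is an added example, not code from the notes or from Chanjet, showing why such a check decides nothing and what a server-side check that ignores the Content-Type looks like: a final-extension allowlist plus a signature-byte check on the content. The allowlist and signatures are assumptions chosen for the example.

```python
"""Weak (MIME-only) versus hardened file-upload acceptance checks.

A check that trusts the Content-Type header of a multipart part accepts
whatever the client chooses to send. The hardened check ignores that header
and decides from the filename's final extension and the file's leading bytes.
"""
import os

# Allowed final extensions and the signature bytes each must start with.
# Assumed allowlist for the example, not T+'s real configuration.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_is_allowed(content_type):
    """Mirror of a MIME-only check: never sees the filename or the bytes."""
    mime = content_type.lower().split(";")[0].strip()
    return mime in ("image/jpeg", "image/png", "image/gif")


def hardened_is_allowed(filename, data):
    """Return (ok, reason), deciding from server-side evidence only.

    The Content-Type header is deliberately not a parameter: it is not
    evidence of anything.
    """
    # Reject any path component or control character in the client name.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or base != filename:
        return False, "path separators or control characters in filename"
    # Only the final extension counts, so name.jpg.aspx is judged as .aspx.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r not in allowlist" % ext
    # The bytes must match the type the extension claims.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match %s signature" % ext
    return True, "ok"


def decide(filename, content_type, data):
    """Show both verdicts for one upload; only the hardened one should be used."""
    return {"weak": weak_is_allowed(content_type),
            "hardened": hardened_is_allowed(filename, data)[0]}


if __name__ == "__main__":
    # Constructed inputs: a real-looking JPEG header and an ASP.NET page prefix.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    page = b"<%@ Page Language=\"C#\" %>"
    print(decide("photo.jpg", "image/jpeg", jpeg))
    print(decide("page.aspx", "image/jpeg", page))
```

The key property is the signature of hardened_is_allowed itself: the client-controlled header is not an input, so there is nothing to spoof, and the logged reason string gives the operator a usable detection line for rejected uploads.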