中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: SDCMS admin backend bypass (direct entry) vulnerability
Author: admin
Time: 2013-7-26 12:42
Brief description:

SDCMS admin backend bypass, direct entry: tested on version 2.0 beta2; other versions not tested.
Details:

islogin (the method that checks whether the user is logged in):

    sub islogin()
        if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
            dim t0,t1,t2
            t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie: read straight from the client cookie
            t1=sdcms.loadcookie("islogin")
            t2=sdcms.loadcookie("loginkey")
            ' This check is awful: sdcms.strlen(t2)<>50 places no requirement on loginkey at all;
            ' any 50 characters will do and execution continues.
            if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                dim data
                ' look the administrator up by ID; the ID is attacker-controlled
                data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
                if ubound(data)<0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    ' instr() returns 0 when nothing is found and is never negative, so this
                    ' rejection branch cannot fire on a mismatched loginkey
                    if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                        sdcms.go "login.asp?act=out"
                        exit sub
                    else
                        adminid=data(0,0)
                        adminname=data(1,0)
                        admin_page_lever=data(5,0)
                        admin_cate_array=data(6,0)
                        admin_cate_lever=data(7,0)
                        if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                        if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                        if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                        if clng(admingroupid)<>0 then
                            admin_lever_where=" and menuid in("&admin_page_lever&")"
                        end if
                        sdcms.setsession "adminid",adminid
                        sdcms.setsession "adminname",adminname
                        sdcms.setsession "admingroupid",data(4,0)
                    end if
                end if
            end if
        else
            data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                admin_page_lever=data(0,0)
                admin_cate_array=data(1,0)
                admin_cate_lever=data(2,0)
                if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                if clng(admingroupid)<>0 then
                    admin_lever_where=" and menuid in("&admin_page_lever&")"
                end if
            end if
        end if
    end sub
Proof of vulnerability:

Look at the functions that handle the cookie:

    public function loadcookie(t0)
        loadcookie=request.cookies(prefix&t0)
    end function

    public sub setcookie(byval t0,byval t1)
        response.cookies(prefix&t0)=t1
    end sub

prefix:

    ' variable prefix; if this program is deployed more than once under one hosting space, configure a different value for each copy
    dim prefix
    prefix="1Jb8Ob"
    ' this value can be obtained by visiting admin/login.asp?act=out: it shows up in the cookie

    sub out
        sdcms.setsession "adminid",""
        sdcms.setsession "adminname",""
        sdcms.setsession "admingroupid",""
        sdcms.setcookie "adminid",""
        sdcms.setcookie "loginkey",""
        sdcms.setcookie "islogin",""
        sdcms.go "login.asp"
    end sub
Exploitation: set the cookie prefixloginkey to 50 characters and prefixislogin to anything, then loop through prefixadminid (default 1) and visit the admin backend, and you are in!

Fix:

Modify the function!
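As an added illustration (not code from this post or from SDCMS), the following Python model reproduces the logic of the islogin check quoted above and places a hardened version beside it. ADMINS, SERVER_SECRET and fake_decrypt are constructed stand-ins; the real sdcms.decrypt is not on the page, and the hardened variant replaces the length-only loginkey test with a server-issued HMAC bound to the admin id.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the sd_admin row returned for adminid=1 (not real SDCMS data).
ADMINS = {1: {"adminname": "admin", "adminpass": "0123456789abcdef0123456789abcdef", "islock": 1}}
# Hypothetical per-install secret; SDCMS has no such value, it is what the fix adds.
SERVER_SECRET = secrets.token_bytes(32)

def instr(haystack, needle):
    """VBScript InStr: 1-based position of needle, 0 when absent, never negative."""
    return haystack.find(needle) + 1

def fake_decrypt(islogin, loginkey):
    """Stand-in for sdcms.decrypt(t1, t2); its real output cannot matter (see below)."""
    return hashlib.md5((islogin + loginkey).encode()).hexdigest()

def islogin_original(cookies):
    """Model of the vulnerable check: adminid is trusted from the cookie, loginkey only
    has to be 50 characters long, and the decrypt comparison can never reject."""
    t0, t1, t2 = cookies.get("adminid", ""), cookies.get("islogin", ""), cookies.get("loginkey", "")
    if not t0.isdigit() or not t1 or len(t2) != 50:
        return None
    row = ADMINS.get(int(t0))
    if row is None:
        return None
    # instr(...) < 0 is dead code: InStr yields 0, not -1, when the needle is absent.
    if instr(row["adminname"] + row["adminpass"], fake_decrypt(t1, t2)) < 0 or row["islock"] == 0:
        return None
    return row["adminname"]

def issue_loginkey(adminid):
    """Server-issued token bound to one admin id; forging it requires SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, str(adminid).encode(), hashlib.sha256).hexdigest()

def islogin_hardened(cookies):
    """Hardened check: accept only the server-issued HMAC for that exact adminid,
    compared in constant time; the islogin cookie carries no information and is dropped."""
    t0, t2 = cookies.get("adminid", ""), cookies.get("loginkey", "")
    if not t0.isdigit():
        return None
    row = ADMINS.get(int(t0))
    if row is None or row["islock"] == 0:
        return None
    if not hmac.compare_digest(t2.encode(), issue_loginkey(int(t0)).encode()):
        return None
    return row["adminname"]
```

Because the original accepts any 50-character loginkey for any existing adminid, a defender can also treat admin requests whose loginkey cookie was never issued by the server as the signal to alert on.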