中国网络渗透测试联盟
Title:
SDCMS admin backend bypass (direct entry) vulnerability
Author:
admin
Time:
2013-7-26 12:42
Brief description:

SDCMS admin backend bypass, direct entry: tested on version 2.0 beta2; other versions not tested.

Details:

islogin (the method that decides whether the user is logged in):

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' read from the cookie via loadcookie
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' this check is terrible: sdcms.strlen(t2)<>50 places no requirement on loginkey other than its length,
        ' so any 50 characters pass and execution continues
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' looks up the admin by id; the id comes from the cookie and is user-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' instr returns 0 (never a negative number) when the text is not found, so the "<0"
                ' comparison can never reject a request; only the case data(3,0)=0 can fail here
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:

Look at the functions that handle the cookies:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

'variable prefix; if this program is deployed more than once under one hosting space, configure a different value for each instance
dim prefix
prefix="1Jb8Ob"
'this value can be obtained by visiting admin/login.asp?act=out: it appears in the cookie

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
Exploitation method: set the cookies: prefixloginkey to 50 characters, prefixislogin to anything, and iterate prefixadminid (default 1); then visit the admin backend and you are in!

Fix:

Modify the function!
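As an added illustration (not SDCMS code), here is a Python model of the check shown above, reproducing VBScript InStr semantics, next to a hardened check in which loginkey is an HMAC the server issues over the admin id and verifies in constant time. The admin row, the server secret and the helper names are constructed for this example; decrypt is modelled as identity because its output never influences the original comparison.

```python
import hmac
import hashlib

# Constructed sample row from sd_admin: adminid -> (adminname, adminpass, islock)
ADMINS = {1: ("admin", "constructed-password-hash", 1)}

# Assumption: a secret kept server-side only, never sent to the client
SERVER_SECRET = b"constructed-server-side-secret"


def vb_instr(haystack: str, needle: str) -> int:
    """Model VBScript InStr: 1-based position, 0 when not found, 1 for an empty needle."""
    if needle == "":
        return 1
    return haystack.find(needle) + 1


def vulnerable_islogin(cookies: dict) -> bool:
    """The SDCMS check as posted; decrypt(t1, t2) is modelled as identity (assumption)."""
    t0, t1, t2 = cookies.get("adminid", ""), cookies.get("islogin", ""), cookies.get("loginkey", "")
    if not t0.isdigit() or not t1 or len(t2) != 50:   # only the length of loginkey is checked
        return False
    row = ADMINS.get(int(t0))                          # id taken straight from the cookie
    if row is None:
        return False
    adminname, adminpass, islock = row
    # InStr never returns a negative number, so "< 0" is always False
    if vb_instr(adminname + adminpass, t1) < 0 or islock == 0:
        return False
    return True


def issue_loginkey(adminid: int) -> str:
    """Hardened design (assumed, not SDCMS's): the server derives loginkey with an HMAC
    over the admin id, so a client cannot mint a valid value from public data."""
    return hmac.new(SERVER_SECRET, str(adminid).encode(), hashlib.sha256).hexdigest()


def hardened_islogin(cookies: dict) -> bool:
    t0, t2 = cookies.get("adminid", ""), cookies.get("loginkey", "")
    if not t0.isdigit() or not t2:
        return False
    row = ADMINS.get(int(t0))
    if row is None or row[2] == 0:
        return False
    # Constant-time comparison against the value the server would have issued
    return hmac.compare_digest(issue_loginkey(int(t0)), t2)
```

With forged cookies of the shape the post describes, `vulnerable_islogin` returns True while `hardened_islogin` returns False, and only a server-issued loginkey for an existing, unlocked admin passes the hardened check.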
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2