中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: SDCMS backend bypass, direct entry vulnerability

Author: admin    Time: 2013-7-26 12:42
Brief description:

SDCMS backend bypass with direct entry. Tested on version 2.0 beta2; other versions untested.

Details:

islogin is the method that checks whether the user is logged in:

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie: see the cookie functions below
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is terrible: sdcms.strlen(t2)<>50 places no requirement on loginkey
        ' other than being exactly 50 characters long for execution to continue
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Query by admin ID; the ID is attacker-controlled (it comes straight from the cookie)
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' instr returns 0 when the value is not found and is never negative,
                ' so the "<0" comparison can never reject; only islock=0 sends the user back
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:

Look at the functions that handle the COOKIE:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

' Variable prefix. If this program is installed more than once under the same hosting space,
' configure a different value for each installation
dim prefix
prefix="1Jb8Ob"

' This value can be read from the cookie simply by visiting admin/login.asp?act=out

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub

Exploitation method: set the cookie prefixloginkey to 50 characters and prefixislogin to anything, then iterate prefixadminid (default 1) and visit the backend; that is all it takes!

Fix:

Modify the function!
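As an added illustration (not SDCMS code and not from the original post), here is a Python model of the islogin() check quoted above beside a hardened version that follows the "modify the function" advice: the loginkey cookie becomes a random token minted at login, only its hash is kept server-side, and the adminid cookie is trusted only after that token verifies. ADMIN_ROWS, SESSION_STORE, issue_login_cookie and the decrypt stand-in are assumptions of this example, not the project's API; the admin row is constructed sample data.

```python
# Added example, not SDCMS code: a Python model of the original islogin() logic
# beside a hardened check. sdcms.* helpers, sdcms.decrypt and the database are
# stand-ins (assumptions); the admin row is constructed sample data.
import hashlib
import hmac
import secrets

# Constructed sample row with the columns islogin() loads from sd_admin.
ADMIN_ROWS = {
    1: {"adminid": 1, "adminname": "admin",
        "adminpass": "constructed-hash-placeholder", "islock": 1, "groupid": 0},
}


def instr(haystack, needle):
    """Emulate VBScript InStr: 1-based position when found, 0 when not found (never negative)."""
    return haystack.find(needle) + 1


def vulnerable_islogin(cookies, decrypt):
    """Mirror of the original check. Returns the accepted adminid, or None for login.asp?act=out."""
    t0 = cookies.get("adminid", "")
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    # Same gate as the original: loginkey only has to be exactly 50 characters long.
    if len(t0) == 0 or len(t1) == 0 or len(t2) != 50:
        return None
    # adminid is taken straight from the cookie (sdcms.getint(...)).
    row = ADMIN_ROWS.get(int(t0)) if t0.isdigit() else None
    if row is None:
        return None
    # instr() is 0 or positive, so "< 0" is never true; only islock=0 (data(3,0)=0) rejects.
    if instr(row["adminname"] + row["adminpass"], decrypt(t1, t2)) < 0 or row["islock"] == 0:
        return None
    return row["adminid"]


SESSION_STORE = {}  # adminid -> sha256(login token); written only by issue_login_cookie()


def issue_login_cookie(adminid):
    """Run after a successful password check: mint a random token, store its hash server-side."""
    token = secrets.token_hex(25)  # 50 hex characters, the length the original expects
    SESSION_STORE[adminid] = hashlib.sha256(token.encode()).hexdigest()
    return {"adminid": str(adminid), "loginkey": token}


def hardened_islogin(cookies):
    """Trust the adminid cookie only after loginkey matches the token issued for that id."""
    t0 = cookies.get("adminid", "")
    t2 = cookies.get("loginkey", "")
    if not t0.isdigit():
        return None
    adminid = int(t0)
    expected = SESSION_STORE.get(adminid)
    if expected is None:
        return None  # no login was ever recorded for this id
    presented = hashlib.sha256(t2.encode()).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return None  # wrong or forged loginkey (constant-time comparison)
    row = ADMIN_ROWS.get(adminid)
    if row is None or row["islock"] == 0:
        return None
    return adminid


if __name__ == "__main__":
    forged = {"adminid": "1", "islogin": "anything", "loginkey": "A" * 50}
    print("vulnerable check accepts forged cookies:", vulnerable_islogin(forged, lambda t1, t2: t1))
    print("hardened check accepts forged cookies:", hardened_islogin(forged))
    print("hardened check accepts issued cookies:", hardened_islogin(issue_login_cookie(1)))
```

Running the model shows the two defects side by side: the length-only test on loginkey and the "<0" comparison on instr() let any 50-character value through, while the hardened version rejects everything except the token it issued for that exact adminid.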





Source: 中国网络渗透测试联盟 (https://www.cobjon.com/), powered by Discuz! X3.2