中国网络渗透测试联盟

标题: SDCMS后台绕过直接进入漏洞 [打印本页]

作者: admin    时间: 2013-7-26 12:42
标题: SDCMS后台绕过直接进入漏洞
要描述:, e/ k" M0 B# V  q

( e2 ]+ v% h! P, C; e- ~$ w  qSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试. l7 m, U6 X* I# R0 \2 i/ D
详细说明:5 x( E- h* Y( u& F9 ^
Islogin //判断登录的方法- U, \- o7 Q0 B3 K" m! U

- z: P! n' M3 ?% i9 Hsub islogin(); g# F: k% x& X) X$ @) ?

; D5 b& A- t( p3 Lif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
8 s$ u( A( F8 B. P
: G0 k4 _- S! O$ P" hdim t0,t1,t2 2 z' n) |! I# g) H8 Q; \+ m# z5 t. B

% i7 \0 u9 m) a. V6 h- Tt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
9 i9 U& ^& V" Y 9 X* H2 Q' \; p; v
t1=sdcms.loadcookie("islogin")
% c- s. i, K& r3 R1 v
% K+ V* {4 s4 ?" at2=sdcms.loadcookie("loginkey")9 \8 b1 A( b. q; \( t

8 S% V$ _, T6 {) lif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
8 H- o2 [; e% k5 j3 ~
, G2 n7 N" ]& t; g2 Z//. K) P" b' p) u

2 `' Z% f6 |+ G& d" Nsdcms.go "login.asp?act=out"" ~& A: w& k- B$ W) p* [4 @
0 L. j3 _" A. b$ Q; y' Y
exit sub4 R8 [% a% D3 c1 s# t9 {  J
, m8 B6 U8 \6 W% g* d0 t9 m
else
1 P8 m! G# g0 w' c! m/ j' N% U ) L/ {( E7 T& l
dim data
6 X, Y5 ?; J/ E. ]8 \  X- @5 Z$ _ % r1 c: v* F, c0 V: I( o
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控( j! t! D5 p0 Q; G7 d/ {( B3 q
0 j& A% F/ E8 b" J, {8 D, g, }
if ubound(data)<0 then
/ e8 _- B* a6 q  i, K4 o/ L* v 5 `  e" Y3 c1 z# W9 ?2 V# M
sdcms.go "login.asp?act=out"
4 r; k8 @- D( g5 u* W' k2 X7 k% Y - I6 g; [( O& d" [& D, U
exit sub' g2 ]8 h! F) }
: [+ B& b9 V  U9 C$ k! |
else: l1 [# }% ^1 g1 ]
: E/ ~: b8 D6 A
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then+ r9 B  T- Q7 |* {2 b

+ f: s" ~# ~* Q. q- G. P9 wsdcms.go "login.asp?act=out"
9 C1 U1 A& o% V 4 I$ [, B* ?/ \" Y' v9 Q) d, H! Y$ I1 J
exit sub  q+ _4 S+ M  U: ^9 j  H

# d# W6 `' D2 `/ {; celse3 P& u9 o2 Z$ d

; B  g: A- ], L8 qadminid=data(0,0)
; j" h) n. @# W, l
0 l" l1 C& [" O2 Cadminname=data(1,0)( E- h8 C5 V2 u

. |6 n3 D  k, j6 E. z8 }* Tadmin_page_lever=data(5,0)
% v' j; v# W3 y' m
! [  q# G3 o# g) qadmin_cate_array=data(6,0)
( C  ^' [" y) H! z- t" Q5 G - F9 `# {% C! `& X( J
admin_cate_lever=data(7,0)
. v- p: I) [) ?& ^0 N& L8 v
" r8 d$ o# _: R: }3 d& `3 Bif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0, `! A+ p; s* s  h, E' c+ ~* j. ]1 M

7 ~/ ^" U+ t5 {8 |if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
  E) h: U6 W! V3 r% M4 L2 u% t
6 N& R9 z9 J; L' e6 Kif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
  N% l6 e: @, a, k+ S5 [8 B
5 H2 S# W) K: m. nif clng(admingroupid)<>0 then
1 g$ l$ ~1 d: p; [/ H0 \6 Y
# h0 P! E" P; e' Nadmin_lever_where=" and menuid in("&admin_page_lever&")"
& y! F# T; i2 d; O" h! u 3 r( Y9 W5 Q+ v
end if* }& o" }2 M- ]/ E

* J, C2 w  `8 Vsdcms.setsession "adminid",adminid/ \" O4 O$ f8 m1 k
/ ~% A# W; O7 o0 q0 L% N) U3 p6 N* {
sdcms.setsession "adminname",adminname
0 G2 h3 M+ u& h& m 3 D& k/ A# F3 ]" p. z1 g, s2 ]. ^
sdcms.setsession "admingroupid",data(4,0)
3 G, r) P) A0 T3 d
5 e' t2 N2 F5 p  S* x' ]0 gend if% G1 j. ~; J  N+ y+ u
8 w% N! r: N, z
end if+ \. v, A/ o; W+ u- _
$ r7 t, ]2 G4 ^
end if! _3 Z3 `$ w* G- [0 E" n

) ]1 O' {) a( B! Helse
4 u3 f7 X! e4 ` 4 }) Y: }, k, ~, g
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")) n7 C, l- D1 {0 ?9 F' O
& C! R4 m9 e7 ~0 v+ W. ?6 m
if ubound(data)<0 then
1 |' d6 x; u8 R" g4 \" q- Q
* F8 c8 d) J% u& \# ~sdcms.go "login.asp?act=out"
; E& @. L! I! x; w; V
- Y8 J) B' c2 J- b3 D- bexit sub4 ]7 H- b: I3 A1 I- O

' h; J" w4 h2 r9 ?0 ^+ celse# E! c' R1 ^" |: P! j# b& R8 b
+ n+ M/ V0 E" i% B( K2 S% y: n" x4 }
admin_page_lever=data(0,0)
! f, ]$ b# h* z' Z) @& o2 f- @! N 5 M9 q, _1 N2 ]+ Y+ M
admin_cate_array=data(1,0)
3 w# o9 m( U8 h% f) r' h  W
! x- o# u6 s! u% o5 |- ~admin_cate_lever=data(2,0)
- c- Y$ u8 @# D; K9 b
: t% b; I0 X, k( G) C) d, Kif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
8 E0 i  ?7 G, ?   T$ k1 ?4 Q6 P, E9 l: g5 J
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
: {  g8 b5 Y/ e" c2 ^8 n
  e- q) ^" N: L8 U% Fif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0" D7 w; I6 C  t3 @

5 E9 t+ O& ^' F; g6 j! g( q" c* o$ ]if clng(admingroupid)<>0 then
7 p1 ^3 v6 R+ f 9 d4 Y4 J& @1 h( B6 e
admin_lever_where=" and menuid in("&admin_page_lever&")"
! S8 V# _* ?# }* m. u7 K1 [
- s" E% S6 I2 }end if( r: @8 ~4 a. z( k" \- m

/ ?3 q6 V' |7 q2 F, L& w& Yend if
' R% E) R/ L& K. e* B
. M& X. u% O6 e: J- @; c  }end if
5 \9 y* Z$ G4 u6 P- `4 I% W  E
% h9 J2 N# C# T: |( s$ qend sub
, x- @1 H  }! s5 p' `+ B% `漏洞证明:- ]( k+ Z9 V8 `
看看操作COOKIE的函数! _: n) k9 |0 d  N2 A$ I0 `* B' k
& N/ \1 a: z; J8 y- ^% {: @
public function loadcookie(t0): E+ }/ e  T. d. U4 f" ?& I

( P/ V/ d6 s: Zloadcookie=request.cookies(prefix&t0)
: a: r3 F6 {# ^1 ^# r0 } 7 y0 j% y  J9 V; C, `" N
end function: g+ Y. g/ N, b
( Z/ I! Z+ K6 x
public sub setcookie(byval t0,byval t1)# h' Z2 V, ^  R: e2 G( m1 R3 x
  B7 c. f0 N) v- j4 O' Q
response.cookies(prefix&t0)=t1
$ g! b' \+ A8 R+ ] & P' k  R, H) o1 R+ s' H: e  _3 D
end sub  z0 n1 e) v; Y7 Z" }

) N/ e3 G! [% a6 f; B: }prefix" D" L1 R+ {" q6 R8 g' ^2 d) t5 |6 f
; M7 f( k. l0 N+ P- ^
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值+ q/ G. ?& c. }+ O1 o2 v6 h

" Q4 f, Y# ~# @4 `dim prefix
+ E3 g. F: Z8 H; s# L# T8 n6 ^4 b 7 H1 c& u$ N( [; m
prefix="1Jb8Ob"7 X& C% B! G# M6 d

- w9 ]4 x- R4 s& G7 _'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
' c/ Y8 A6 N0 r2 W. C& y' w5 A: B . Q7 H4 g3 k2 Y, K! S* h
sub out
7 p6 _4 n! [  Q: E
( f7 H4 S# E+ O3 vsdcms.setsession "adminid",""
; _% t) n: \2 z4 n
' X6 a* c3 e8 Q: U5 [sdcms.setsession "adminname",""
5 P/ i; }% m* @- c5 F. L
6 \0 U7 O& v5 f( _sdcms.setsession "admingroupid",""
/ O1 r  o- ~1 ]( {+ q( a8 @
' n" c# K- k1 a# u9 }5 N4 Osdcms.setcookie "adminid",""; a8 b# Q( \2 ]1 x! Y( o
6 k& K- t! p# `4 i9 H
sdcms.setcookie "loginkey",""& w3 Y  z  v- H) x0 ^) Q. K

/ Q7 ^1 w) r! W2 j' j- ^9 _7 asdcms.setcookie "islogin",""2 H! g( d! |, A# m9 s: R
" @9 x: C. i3 p7 u: A. s9 t+ V
sdcms.go "login.asp"
/ X2 J$ l& }# g
6 x: Q2 w7 K  }; tend sub
4 J7 \9 z4 z( w
2 |5 R" U4 Q. L
1 T! i: C. s" R$ Z, _利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
& x$ E% i6 W; D# D! N/ f修复方案:
+ \/ g7 A  M8 M5 P: L3 h修改函数!0 k0 J) Z/ `4 x





欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2