中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: SDCMS admin backend bypass (direct entry) vulnerability

Author: admin    Time: 2013-7-26 12:42
Brief description:

SDCMS admin backend bypass (direct entry): tested on version 2.0 beta2; other versions were not tested.

Detailed description:

islogin, the method that decides whether a user is logged in:

    sub islogin()
        if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
            dim t0,t1,t2
            t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie reads the value straight from the request cookie
            t1=sdcms.loadcookie("islogin")
            t2=sdcms.loadcookie("loginkey")
            ' This check is terrible: sdcms.strlen(t2)<>50 places no requirement on loginkey at all;
            ' any 50 characters are enough to continue past this point.
            if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                dim data
                ' Looks the account up by admin ID; the ID comes from the cookie and is client-controlled.
                data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
                if ubound(data)<0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    ' InStr returns 0, never a negative number, when there is no match,
                    ' so the <0 comparison below can never send the visitor to logout.
                    if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                        sdcms.go "login.asp?act=out"
                        exit sub
                    else
                        adminid=data(0,0)
                        adminname=data(1,0)
                        admin_page_lever=data(5,0)
                        admin_cate_array=data(6,0)
                        admin_cate_lever=data(7,0)
                        if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                        if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                        if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                        if clng(admingroupid)<>0 then
                            admin_lever_where=" and menuid in("&admin_page_lever&")"
                        end if
                        sdcms.setsession "adminid",adminid
                        sdcms.setsession "adminname",adminname
                        sdcms.setsession "admingroupid",data(4,0)
                    end if
                end if
            end if
        else
            data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                admin_page_lever=data(0,0)
                admin_cate_array=data(1,0)
                admin_cate_lever=data(2,0)
                if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                if clng(admingroupid)<>0 then
                    admin_lever_where=" and menuid in("&admin_page_lever&")"
                end if
            end if
        end if
    end sub

Proof of vulnerability:

Look at the functions that handle cookies:
( Y8 Z$ x0 O) w
+ N/ o( u& l1 d" R; e2 k" N: d1 Zpublic function loadcookie(t0)
! r. m- u. f& o ; A6 r. Q1 Y0 [* f1 [
loadcookie=request.cookies(prefix&t0)6 e6 y8 M& I; t
- c8 |% d5 d( X- R, ]" G, I
end function
( N9 ]& i4 |! J! E5 C
7 U8 j/ m9 Z7 c1 G: Kpublic sub setcookie(byval t0,byval t1)
/ V) s9 c+ {- X; j7 b1 ^$ @! h1 ` 3 x: v8 Z8 Q" m
response.cookies(prefix&t0)=t1# t' l0 U  ]/ Z

2 x. L3 e* [# G. D% J( V$ xend sub
9 }; B, R5 Y) Y( F
6 C9 i4 z7 d& a/ z% w2 u5 a( O* hprefix
4 A$ s) }  p4 }) g- g
5 C; S6 j+ T+ ]5 l9 G- w; h/ x- r'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
1 x7 C( x+ P4 h- I" C6 E' q& J 3 z/ U' W/ t% o1 e2 c8 K3 |; \# G
dim prefix
2 H. Z; T  V5 E; k9 R
+ Y- Z8 k) P3 p' U+ I& q5 Jprefix="1Jb8Ob"
# U$ e. Y# `3 O* e 8 D( J4 D- s5 S7 e! L8 i7 x
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
& w2 a+ Q! m! E0 G( a) _ 2 n5 Q3 W/ Q; t/ w* u$ }
sub out1 ^6 ], d, l1 C$ ~) f9 }6 n

# N( ^# {6 Q) ^& Osdcms.setsession "adminid",""
1 y, @5 j1 p0 b; h  D& G* N ' `( Y% c+ Q4 B
sdcms.setsession "adminname",""
+ f1 Y  Q/ m+ q3 t
7 u' ~- b+ j9 G  w& n9 ]+ M4 Osdcms.setsession "admingroupid","": ^8 n+ y+ {& |# c
0 ?) G( e5 Q& |. q+ G
sdcms.setcookie "adminid",""
7 h2 I  g, H. S) F) r 9 d/ W. t+ S2 v+ u5 B, x5 Z
sdcms.setcookie "loginkey",""# b5 `8 h" V2 ]! B
% t/ ^4 V  p1 ]
sdcms.setcookie "islogin",""
: |" F% e. P! R" Q - N2 w' E% I2 E( w- p
sdcms.go "login.asp", v" |, z4 D% z2 d1 ~& L3 E
1 q) O3 `2 T) z6 v( G4 @
end sub

Exploitation method: set the cookie prefix+loginkey to any 50 characters and prefix+islogin to anything, then iterate prefix+adminid (the default is 1) and visit the admin backend.

Fix:
Modify the function!
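As an added example (not SDCMS's own code), here is a Python model of what "modify the function" should amount to: the loginkey cookie becomes an HMAC over the admin account and a per-login nonce, keyed with a server-side secret, so the length-only test and the InStr test are replaced by a check the client cannot satisfy with an arbitrary 50-character value. SERVER_SECRET, ADMINS, issue_login_cookies and verify_login are assumed names; the cookie-name prefix is left out of the model.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: in a real deployment the secret comes from server-side
# configuration and the account table from the database (sd_admin in SDCMS).
SERVER_SECRET = b"demo-secret-replace-me"
ADMINS = {1: "admin", 2: "editor"}  # adminid -> adminname


def _mac(adminid: int, adminname: str, nonce: str) -> str:
    """Bind the login cookie to the account and a per-login nonce with an HMAC.
    Without SERVER_SECRET a client cannot produce a matching value."""
    msg = f"{adminid}|{adminname}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_login_cookies(adminid: int) -> dict:
    """What the login page should set once the password check has passed."""
    nonce = secrets.token_hex(16)
    return {
        "adminid": str(adminid),
        "islogin": nonce,  # random per login, not derived from the account name
        "loginkey": _mac(adminid, ADMINS[adminid], nonce),
    }


def verify_login(cookies: dict):
    """Hardened islogin(): returns the adminid only when the MAC verifies.
    Replaces strlen(loginkey)<>50 and the InStr(...)<0 test that never fires."""
    t0 = cookies.get("adminid", "")
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    if not t0.isdigit() or not t1 or not t2:
        return None
    adminid = int(t0)
    adminname = ADMINS.get(adminid)
    if adminname is None:
        return None
    expected = _mac(adminid, adminname, t1)
    # Constant-time comparison; a length check alone says nothing about authenticity.
    if not hmac.compare_digest(expected.encode(), t2.encode()):
        return None
    return adminid
```

A server-side session store would avoid trusting the cookie contents at all; this version keeps SDCMS's three-cookie layout but makes loginkey unforgeable and ties it to the adminid it was issued for.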





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2