中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: SDCMS admin backend bypass (direct entry) vulnerability

Author: admin    Time: 2013-7-26 12:42
Brief description:
SDCMS admin backend bypass, direct entry. Tested on version 2.0 beta2; other versions were not tested.
Details:
islogin, the method that decides whether the caller is logged in:

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie reads straight from the request cookie (see below)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is awful: sdcms.strlen(t2)<>50 places no requirement on loginkey
        ' other than being 50 characters long; any 50 characters let execution continue
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' looks the administrator up by ID; the ID comes from the cookie and is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' instr returns 0 (never a negative value) when nothing matches, so this "<0" test cannot fail a login
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:
Look at the cookie-handling functions:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

' variable prefix; if this program is installed more than once under the same hosting space, configure a different value for each copy
dim prefix
prefix="1Jb8Ob"
' this value is easy to obtain: visit admin/login.asp?act=out and it appears in the cookies

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub

Exploitation: set the cookie <prefix>loginkey to any 50 characters and <prefix>islogin to anything, iterate <prefix>adminid (the default is 1), then visit the admin backend and you are in!
Fix:
Modify the function!

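As an added example (not SDCMS's own code), a hardened version of the cookie branch of islogin() that keeps the helper names the post shows; what the decrypted token must equal (the stored name and password hash) is an assumption of this example, not something the post states.

```vbscript
' Added example, not SDCMS's own code: a hardened cookie branch for islogin().
' Assumes the helpers shown in the post (sdcms.getint, sdcms.loadcookie, sdcms.decrypt,
' sdcms.db.dbload, sdcms.go, sdcms.setsession) behave as the post shows them.
Sub islogin_hardened()
    Dim t0, t1, t2, data, token, expected
    t0 = sdcms.getint(sdcms.loadcookie("adminid"), 0)
    t1 = sdcms.loadcookie("islogin")
    t2 = sdcms.loadcookie("loginkey")

    ' Shape checks only filter garbage; a 50-character loginkey proves nothing by itself.
    If t0 <= 0 Or Len(t1) = 0 Or Len(t2) <> 50 Then
        Deny: Exit Sub
    End If

    ' t0 comes from the client, so the row it selects must still be proven by the token below.
    data = sdcms.db.dbload(1, "adminid,adminname,adminpass,islock", _
           "sd_admin u left join sd_admin_group g on u.groupid=g.id", "adminid=" & t0, "")
    If UBound(data) < 0 Then
        Deny: Exit Sub
    End If

    ' Decrypting attacker-supplied cookies may raise; any error is a failed login.
    On Error Resume Next
    token = sdcms.decrypt(t1, t2)
    If Err.Number <> 0 Then
        Err.Clear: Deny: Exit Sub
    End If
    On Error GoTo 0

    ' InStr returns 0, never a negative number, when there is no match, so the original
    ' "InStr(...) < 0" could never fail. Demand an exact binary comparison instead.
    ' What the token must equal (stored name & password hash) is an assumption of this example.
    expected = CStr(data(1, 0)) & CStr(data(2, 0))
    If Len(token) = 0 Or StrComp(CStr(token), expected, vbBinaryCompare) <> 0 Then
        Deny: Exit Sub
    End If
    If data(3, 0) = 0 Then   ' same islock test as the original
        Deny: Exit Sub
    End If

    ' Only a verified token may populate the session.
    sdcms.setsession "adminid", data(0, 0)
    sdcms.setsession "adminname", data(1, 0)
End Sub

Sub Deny()
    sdcms.go "login.asp?act=out"
End Sub
```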
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2