标题: SDCMS后台绕过直接进入漏洞 [打印本页] 作者: admin 时间: 2013-7-26 12:42 标题: SDCMS后台绕过直接进入漏洞 要描述:8 h) }6 Z u5 Y- f
7 c( N3 m; O$ c1 s: E( e5 ZSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试7 g) y- L! n$ m7 k" s$ F
详细说明:$ U% _; {) J% v
Islogin //判断登录的方法 6 x3 @) |) e* m4 O# X! [) s ! U2 ^% z: b! M6 N. V9 s
sub islogin()% l5 w O, U% O* H: M [
5 s, t* D* A# P; R
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 4 L7 c! |" c z! ~) t! Y
1 l+ y6 O8 n+ t: t9 c+ j" i. l
dim t0,t1,t2 C/ K9 e" p1 ], K
! K8 f! I6 R/ O# {/ V% B
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie : f4 m8 {' G u8 _
; }$ T, W7 e4 y1 N- d! _t1=sdcms.loadcookie("islogin") 4 L+ G. X1 R% T; J0 t 4 N6 S/ U. q: \1 l) x& \5 ?+ F& i, |t2=sdcms.loadcookie("loginkey")# M) e: ]7 Y2 o7 r) n9 n* g5 z
! m* T' Z7 t+ Mif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行& U, U2 r& l2 S1 y& p3 l
5 x5 R ~9 p5 E( _
// : ~, N! U q3 @7 K! n6 p& z + S* i h/ m/ X$ l( {% K% R) gsdcms.go "login.asp?act=out"3 w0 \8 M. H% ~' Y) I
, p1 e8 R; j1 x
exit sub : U6 E. A f. { $ S1 ^/ e0 L2 R# Delse : }; @+ f. X4 H! B m+ ~. k. T+ R) Z) E/ N+ zdim data P, S# p& @ }
) A' N p3 A& T% S" ~+ }$ t
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控 7 j# ]/ k8 y3 Y! g ; t5 t! a/ X! Vif ubound(data)<0 then : a i! d$ m# A( [ : G+ l) @+ p7 y( Vsdcms.go "login.asp?act=out" ) L; Y: G1 J4 f, g( Q* X6 T ) [2 y# b n# a$ t9 m6 }
exit sub6 P# t1 N0 ?" @5 x+ X! b
7 x8 Y. G. y- l8 r4 e( }0 }7 D( |8 ~else1 e/ _. L/ ~$ @1 R
+ `9 u& S a9 r }5 Cif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then" k' J4 @0 ~, Q* Q6 r6 h
: A, i8 G( h& r$ F
sdcms.go "login.asp?act=out" ' X" C. {2 x0 u - J5 P6 V8 D* Eexit sub0 D$ d& f" {; j! G5 p: {* k
% |0 O' C& ]. }" Y- i
else / K( g3 j! t% `5 N/ \# B0 Z4 } ; ~9 t& q; ^. Q( F: o5 R& jadminid=data(0,0) ) f2 X! L( C5 ]5 y0 p & S& s9 r, D6 Y* v4 u4 t) Radminname=data(1,0) 8 a1 t0 ]0 ]0 n4 c8 V, ]1 o 9 }) O- R( ~ m# O% o* R& i1 z
admin_page_lever=data(5,0) . C/ }* g8 c; [% Z! B7 c$ Q ! v5 t5 X% A4 Nadmin_cate_array=data(6,0)7 a, K, ?" J; K! p
: Z) h- t( d6 m7 c3 yadmin_cate_lever=data(7,0) 1 I( R+ ~' l7 D0 B9 ~- p; D* s - a J2 N- w" A; S) f/ H
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0$ h& `8 z, b7 |% d9 |& ^
) k' L7 G! c8 A! \% r+ K/ Iif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 2 f3 F1 a& ^9 h! m6 c 0 v! u( Z) R0 O+ ~. D) m
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=05 m' }7 \" e9 B3 t* ?8 |
5 B+ W* r0 T S; i' m/ Z
if clng(admingroupid)<>0 then+ J/ s$ H: t6 W6 Q- d7 _
/ U3 v0 J+ K0 E5 ~0 J
admin_lever_where=" and menuid in("&admin_page_lever&")" 0 N6 d, @ G$ e% a8 R X1 k' N: N; L# `' Y- e+ rend if . C `! D/ ^7 T& I! T 6 c; @) m3 t M' @" [" v* k
sdcms.setsession "adminid",adminid ( b# M7 f6 \! T4 i# G 4 \' J4 ^+ Q& x8 D& ]. Q
sdcms.setsession "adminname",adminname ' |5 x R% g) @6 ` ( M( v, U3 D6 Usdcms.setsession "admingroupid",data(4,0) x" k$ c9 j$ f' ], R \/ C8 t% [ & o0 K1 |& O' e+ F& B% B( V2 Wend if8 O. B% y* g; A3 {
! t- S/ {6 [% P! N4 \& M# pend if . Z! f$ B1 w8 n, _, A 9 A5 d( _! {) g/ d7 H
end if , A7 j' Z) S* h9 v' _' K- a 7 r% p9 m# `0 i$ ~else : n0 l% W) v: \6 ? $ X7 N, B5 j. X5 `data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","") 7 o" D* a/ F9 n& R 7 E2 `! A- L1 Z C K2 m- xif ubound(data)<0 then( a1 \# f ?# l& r" V3 n
$ b+ q4 p; U: U+ M7 }. T. @sdcms.go "login.asp?act=out"7 R+ b0 E; }/ h7 B
1 h" ?- ~4 \+ @9 Q" c8 lelse . R1 C6 y# t, b+ G $ c! G( B$ S9 X1 V
admin_page_lever=data(0,0)6 d$ s+ c2 G( T7 l
& j% X& T1 e5 k' R* ^0 e2 a# l. F0 A
admin_cate_array=data(1,0) [) a4 p% ?( H0 s6 Y
5 V4 D! K( \' N8 @" s* ?4 i
admin_cate_lever=data(2,0)8 q% _: j! Y5 d+ I( l
5 [* U8 F% u8 r: ?8 F7 Fif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 % o* P0 Z; @. t s! z% A' a 7 e* U, Q: e% N' h2 gif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0+ C/ w, F% C3 i8 e3 d2 }6 J, \
3 ?3 q5 l' ], J2 H5 i2 B: I, E
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0. J; M) J+ _# A' v d
; }) |" ~9 O N: ~" y* X, H
if clng(admingroupid)<>0 then, x1 ^7 V* e: O! B# W3 [# J/ p
! Y1 p# _; H1 v4 Iadmin_lever_where=" and menuid in("&admin_page_lever&")" % n5 o/ D: ~$ }# B9 W) ? 6 s p2 V' C2 D7 Z* u n0 pend if + t0 Y8 k; ]; I- X 8 q) k: W4 Z0 u) L$ l
end if/ x1 ?9 H' q: m9 m( j2 X9 _* y
* h9 s @/ ^* S' Q/ a
end if . |) }2 Z) U6 q " {) d7 [1 `. kend sub" M/ V. d7 _# N4 a" n4 ]
漏洞证明:+ S( Q6 }% } f% X2 {
看看操作COOKIE的函数% z0 {1 X$ k: ^$ r0 C, L
' P6 q7 ^- W- B& B+ J/ J; u+ ?) cpublic function loadcookie(t0) $ I6 u- g2 W8 x M/ x, E7 m7 [ 3 C) b/ D! g8 i# W- `1 A
loadcookie=request.cookies(prefix&t0) ; q2 @2 } t0 S 0 x* @: P9 ]- A/ O. e9 J' @end function - x5 T, k9 G! S3 b& @+ r6 i. O1 [" @ : A& @7 m; @4 @" A( d" `public sub setcookie(byval t0,byval t1) 3 F, o8 o- u$ W1 V : i% v0 r. z. I0 r$ R4 l: yresponse.cookies(prefix&t0)=t1! W4 M( F5 q2 r* ^( R, ]
- R/ h7 h ~0 h( [% F# }
end sub + N+ n2 e% d, M1 ~+ a+ w* | 0 [" D& w6 ~; [) lprefix8 r6 X9 Q0 g/ m! v4 H$ z
; g9 e$ t5 r5 F2 L'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值 ( T) T) E4 U$ [! ` w+ y3 _! `2 F, e' B0 I+ mdim prefix ( Q( i4 W1 E, v. g! K. d4 ^ " L# A. c: A7 h1 dprefix="1Jb8Ob" : J, n @* y5 K9 F , g. D1 m8 D! S7 [% [: g1 M'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 3 h5 G3 d" h( F, @7 m6 }7 i9 _
/ J7 B" b3 ^. j5 }sub out2 r. X. n2 W) k. X: _7 |% m7 }
4 O' @9 k" b6 V; r7 r4 l. s3 E9 J
sdcms.setsession "adminid",""7 T, a' P9 ?. B) n
4 n9 R; h* t. ^; d/ J5 t
sdcms.setsession "adminname","" & J- ]- j, R! {+ K) x 2 Q5 C0 G8 Q7 \- n! d9 f6 z$ Q
sdcms.setsession "admingroupid",""( @, \* n* ?* d/ j1 a; @
* I+ j9 {' M) `& t1 `3 u- t
sdcms.setcookie "adminid","" ' ]2 q# O9 K) K" z u/ E; V% X ; D+ { \$ H8 m8 ^* K
sdcms.setcookie "loginkey",""" g* o: O2 P& q6 M5 Y
5 P w( l/ M% u) J+ v8 K8 D: C- A
sdcms.setcookie "islogin","" " N4 b) D; R/ D4 h4 i & K% J2 X3 }7 }% hsdcms.go "login.asp"* ]2 ]3 H9 C: w i3 @
2 U$ F- I1 g3 Oend sub( Z, `- |& I9 q9 N2 s2 _" l
- ]8 u q1 E! W$ E7 q, ^9 c : u9 o- ]0 n, m1 z利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了! W6 {1 I0 {! m
修复方案:2 A: r1 v( S' [" M
修改函数! . \( y1 F) j3 X0 D. p