Title: SDCMS admin-panel bypass, direct entry into the backend
Author: admin    Time: 2013-7-26 12:42

Brief description:
SDCMS admin-panel bypass, direct entry. Tested on version 2.0 beta2; other versions were not tested.

Detailed description:

islogin is the method that decides whether the visitor is logged in:

    sub islogin()
        if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
            ' no admin session yet: try to rebuild one from the cookies
            dim t0,t1,t2
            t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' admin id, read straight from a cookie via loadcookie
            t1=sdcms.loadcookie("islogin")
            t2=sdcms.loadcookie("loginkey")
            ' this check is terrible: sdcms.strlen(t2)<>50 is the only constraint on loginkey,
            ' so any 50 characters are enough for execution to continue
            if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                dim data
                ' the admin row is looked up by the id taken from the cookie, so the id is client-controlled
                data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
                if ubound(data)<0 then
                    ' instr() returns 0 when the needle is not found, never a negative value,
                    ' so only islock=0 can make this test fail
                    if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                        sdcms.go "login.asp?act=out"
                        exit sub
                    else
                        adminid=data(0,0)
                        adminname=data(1,0)
                        admin_page_lever=data(5,0)
                        admin_cate_array=data(6,0)
                        admin_cate_lever=data(7,0)
                        if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                        if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                        if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                        if clng(admingroupid)<>0 then
                            admin_lever_where=" and menuid in("&admin_page_lever&")"
                        end if
                        sdcms.setsession "adminid",adminid
                        sdcms.setsession "adminname",adminname
                        sdcms.setsession "admingroupid",data(4,0)
                    end if
                end if
            end if
        else
            ' an admin session already exists: only reload the group permissions
            data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                admin_page_lever=data(0,0)
                admin_cate_array=data(1,0)
                admin_cate_lever=data(2,0)
                if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                if clng(admingroupid)<>0 then
                    admin_lever_where=" and menuid in("&admin_page_lever&")"
                end if
            end if
        end if
    end sub
Proof of vulnerability:

Look at the functions that handle the COOKIE:

    public function loadcookie(t0)
        loadcookie=request.cookies(prefix&t0)
    end function

    public sub setcookie(byval t0,byval t1)
        response.cookies(prefix&t0)=t1
    end sub

The prefix:

    ' variable prefix; if this program is deployed more than once under one hosting space, configure a different value for each copy
    dim prefix
    prefix="1Jb8Ob"
    ' this value can be obtained by visiting admin/login.asp?act=out; it shows up in the COOKIE

    sub out
        sdcms.setsession "adminid",""
        sdcms.setsession "adminname",""
        sdcms.setsession "admingroupid",""
        sdcms.setcookie "adminid",""
        sdcms.setcookie "loginkey",""
        sdcms.setcookie "islogin",""
        sdcms.go "login.asp"
    end sub

Exploitation: set the cookie prefix+loginkey to 50 characters, prefix+islogin to anything at all, and iterate prefix+adminid (default 1); then visit the admin backend and you are in!
Fix:

Rewrite the function!
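As an added illustration of what "rewrite the function" should amount to, here is example code written for this page (not SDCMS's own): a Python model of the original cookie check placed beside a hardened replacement that binds the login key to the admin id, an expiry and the current password hash with an HMAC under a server-side secret. ADMINS, vbs_getint, vbs_instr, legacy_islogin, issue_loginkey, hardened_islogin and the token layout are assumptions, and the admin table is constructed.

```python
# Added example for this page, not SDCMS code. It models the control flow of
# SDCMS's islogin() cookie check and places a hardened validator beside it.
# All names below are hypothetical; the admin table is constructed.
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for sd_admin: id -> (adminname, adminpass, islock)
ADMINS = {
    1: ("admin", "placeholder-hash-of-admin-password", 1),   # active account
    2: ("editor", "placeholder-hash-of-editor-password", 0),  # islock=0: locked
}


def vbs_getint(value, default=0):
    """Model of sdcms.getint: integer value of a cookie, or the default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def vbs_instr(haystack, needle):
    """Model of VBScript InStr: 1-based position, 0 when not found, never negative."""
    return haystack.find(needle) + 1


def legacy_islogin(adminid_cookie, islogin_cookie, loginkey_cookie,
                   decrypt=lambda t1, t2: t1):
    """Mirror of the original check. Returns the admin id that would be stored
    in the session, or None where the original redirects to login.asp?act=out.
    `decrypt` stands in for sdcms.decrypt; its output does not matter because
    the instr(...) < 0 test can never be true. A missing admin row is treated
    as a rejection, which is what the ubound(data) test is meant to do."""
    t0 = vbs_getint(adminid_cookie)          # strlen(t0)=0 cannot fail after getint
    t1 = islogin_cookie or ""
    t2 = loginkey_cookie or ""
    # The only constraints on the cookies: non-empty islogin, 50-char loginkey.
    if len(t1) == 0 or len(t2) != 50:
        return None
    row = ADMINS.get(t0)
    if row is None:
        return None
    adminname, adminpass, islock = row
    if vbs_instr(adminname + adminpass, decrypt(t1, t2)) < 0 or islock == 0:
        return None
    return t0


# Hardened replacement. SERVER_KEY stands in for a per-install secret kept in
# server-side configuration; it is generated here only so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


def _mac(adminid, exp, adminpass):
    msg = f"{adminid}.{exp}.{adminpass}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_loginkey(adminid, ttl=3600, now=None):
    """Mint a login key after a successful password check: id.expiry.HMAC.
    Binding the current password hash into the MAC invalidates every
    outstanding key as soon as the password changes."""
    now = int(time.time()) if now is None else now
    exp = now + ttl
    _, adminpass, _ = ADMINS[adminid]
    return f"{adminid}.{exp}.{_mac(adminid, exp, adminpass)}"


def hardened_islogin(loginkey_cookie, now=None):
    """Return the admin id only for a key this server signed, that has not
    expired, and whose account exists and is not locked. The id named in the
    cookie is not trusted until the MAC over it has been verified."""
    now = int(time.time()) if now is None else now
    try:
        adminid_s, exp_s, mac = (loginkey_cookie or "").split(".")
        adminid, exp = int(adminid_s), int(exp_s)
    except ValueError:
        return None
    row = ADMINS.get(adminid)
    if row is None:
        return None
    _, adminpass, islock = row
    if islock == 0 or exp < now:
        return None
    if not hmac.compare_digest(_mac(adminid, exp, adminpass), mac):
        return None
    return adminid


if __name__ == "__main__":
    print("legacy check accepts 50 junk characters:", legacy_islogin("1", "x", "A" * 50))
    print("hardened check rejects them:", hardened_islogin("A" * 50))
    print("hardened check accepts its own key:", hardened_islogin(issue_loginkey(1)))
```

The hardened version keeps the same three facts the original wanted to verify (which admin, that the account is not locked, that the client holds a valid credential) but derives all of them from one server-signed value, so the length test, the client-chosen adminid cookie and the never-failing instr() comparison all disappear. Rotating SERVER_KEY logs every admin out at once, which is the behaviour you want after an incident.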