中国网络渗透测试联盟

标题: SDCMS后台绕过直接进入漏洞 [打印本页]
作者: admin    时间: 2013-7-26 12:42
标题: SDCMS后台绕过直接进入漏洞
要描述:+ }: J/ x0 |$ M

! \! e# t) {8 t/ ^1 ^7 X8 R% ?SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
2 ^8 t: c" }7 u详细说明:
6 g4 [# A% b$ T/ X! M  k: i3 tIslogin //判断登录的方法
$ I* p* b( K( f" c6 ]
& d8 n% ?& W8 A, E  S5 Ssub islogin()
+ x- T) B3 S% P. {
7 L  n5 f' R! ~! v! Kif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
% K. o" w( A, X1 D
! D5 {  R7 O" d: S0 W+ F6 ldim t0,t1,t2 ! e8 ~' r( {0 u0 C

) \8 d9 n- ^% Z; n$ et0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
8 N$ V# Q! r$ M; a
+ N& b' s* [$ j0 Xt1=sdcms.loadcookie("islogin")
" m; H  a9 `2 z1 R / k; w2 k2 w5 k4 U
t2=sdcms.loadcookie("loginkey")+ X7 Q8 u4 j, y8 t" ^5 S- w1 j
8 ^: Q. |  ^. O, ?/ Z" u) U
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
! G) \8 L! E$ s+ X/ X) x6 W 4 }4 u3 N9 N4 ?
//
& ]' ^- d. d6 b) Q : x" _5 g1 z- m! P: f
sdcms.go "login.asp?act=out". Z' v/ y( l( x1 b+ k$ j' e5 h7 l

. a0 T! B, i. g9 oexit sub
4 d  [7 ?' l( a# t% o8 }
  C" @! K3 k5 E! j  h3 K1 e# k- }! e; P2 L) Jelse
0 b) [1 W  L' O$ I
. l2 B, [; I' u1 O! U, z0 G, g- udim data2 P% o, \1 \5 [# Q+ O) `
0 `+ L' l+ c* x4 |4 j2 W+ ^1 W3 K- \
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控' R1 ~# h: D) e$ i
4 [; N6 \9 `' R; f( ]4 x+ c
if ubound(data)<0 then0 E% v, y# y' U: q

5 x" F% `$ q- B# Tsdcms.go "login.asp?act=out"% k  w, t: ]# E/ \; ~
$ M" S3 e, M: z
exit sub2 W; {' w3 \$ E  G* `
/ {( H! V& }6 Q+ g. D* [0 l
else
$ r9 j  Y* h" O/ r& s
1 j% y2 y2 X0 s7 T; fif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then. Y5 c3 M: ~' O; n

- j: u6 N+ J$ J' a- @7 ysdcms.go "login.asp?act=out"
7 k/ R) j5 k; y' E5 D8 r, O9 \
; E6 ~$ L# S% o5 \' @  p7 @, S2 }) xexit sub
- A2 U$ B  Q+ u5 o% `( m. I * E% n) D3 S7 n% m  ~0 E
else5 S- d: n# i( N& _
: T) X0 X) U$ u! U7 a* e- [
adminid=data(0,0)
# ^+ G5 ^3 E! _9 d
$ g' h- N/ i. T/ Zadminname=data(1,0)
  F! O  a4 M+ h# K ( D% \$ {2 ~- _/ G
admin_page_lever=data(5,0). D' m0 y( F8 H) n9 a1 A

8 }4 R2 i" ^. Q8 Q! n, A+ qadmin_cate_array=data(6,0)+ g3 v$ p) {' v- p' A5 f: v

+ R  A' \- E! o9 |admin_cate_lever=data(7,0)
# j# N$ |* p: a* L; ]/ y  }8 I6 L
) [, Y( P6 n; V% r! \& {if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
1 D4 I$ p" q8 y  b% q 3 p- {0 E: w1 S3 C
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
  l" G8 F' W' s  a 0 ~, i; Z! B( Y' ^- L
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0. d0 l. Z8 M+ I! r8 k
8 v5 s8 D2 g4 ]0 p. Z+ b7 @
if clng(admingroupid)<>0 then# v- J, h2 v' ~8 J, k' @$ N
7 y* x. {  X1 Q# V; r0 p) K  g
admin_lever_where=" and menuid in("&admin_page_lever&")"
. N2 F2 p& n7 B- x  Y( \' y' ?4 {/ x / d0 e+ \3 e8 C" d# J. u% z, G( u0 ~
end if
/ s2 [1 X) o" ]. l* K/ {- p" v
+ W' O# `. a0 Msdcms.setsession "adminid",adminid
- U; I# j# \* | 8 J" L" r+ m9 b' \4 h3 P
sdcms.setsession "adminname",adminname7 \8 h4 K; e0 s  h0 S
! Z6 I$ {; {" m. U0 w
sdcms.setsession "admingroupid",data(4,0)+ H' L: G, x( n, f
: D; p2 O% [8 N# w  H( y: ~7 f
end if; ?: r7 |- x3 J) E8 Y

, v: D8 y1 d' E0 pend if
' q2 t. {, M4 J. S
4 m0 P; B" A9 G3 B( o- xend if
& y6 C5 A+ d3 G4 H/ X" \
  w9 u' f( o. w9 Melse8 @# e6 _+ C6 N9 f
' X6 x- b9 ?% L7 x% E8 L5 B
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
$ ~/ Z9 U, T/ i* e4 r
/ c9 x) m, d5 i3 d2 ?; i" o$ k' yif ubound(data)<0 then: ?2 W. L( N( i* ~/ O( g8 l
" I" x2 Q: l: U" N, F- ]! R- u
sdcms.go "login.asp?act=out"
/ |. b9 u7 @" O, X 7 Z0 I( y5 W0 C& q" \
exit sub
  b8 u. v) |' Z4 }7 Z
2 b) i2 _& ~( P( {else$ i3 W5 e% a6 s! a! `
4 q9 I5 T; p/ E& C, w: T" B5 m
admin_page_lever=data(0,0)
4 T6 [2 f% m+ t$ X
$ w0 {  U# F) r. Cadmin_cate_array=data(1,0)6 }9 R% S% Z( |9 W9 g* g
" k7 H/ e$ Z  s+ S
admin_cate_lever=data(2,0)
' ]: h8 e# s0 N/ b ) n. h# J" ]* k+ b1 E( Y: l' }
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
6 f+ T7 W. z( V0 J( X : h7 n# Y' o, C  G
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ a5 W/ I9 \" Z9 ~! p  w
0 {/ R2 Z  R5 [: Y+ b+ ^if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
" u# Q3 B% R7 p8 Z( f% b
7 V3 D1 U* e* Q/ U& a7 Z  Y9 `if clng(admingroupid)<>0 then& q7 E+ t2 n: I: b. ?

  w" C: [* u3 }+ {' @admin_lever_where=" and menuid in("&admin_page_lever&")": `9 b4 [( f8 o$ b. ]/ A
- f. E& g5 p+ c" c$ a& n: w
end if: ^7 w: _- n; a8 x  T- H5 R( @2 `
3 u6 T* q7 }) l# ]
end if7 j2 f% X  e# h+ E& N0 Q- R
# J) v6 z$ b4 Z! n- L  @
end if
( X2 d2 `5 r8 f( W
$ q* L4 m8 P6 E1 l7 }* y0 }end sub7 z( R  h7 B: ^+ N1 ~5 G
漏洞证明:$ F- ?4 U7 B, P+ P" ?) V7 B
看看操作COOKIE的函数4 e. E2 b4 N: t7 s# ~

9 `- R: W! P3 p3 ?' D0 {public function loadcookie(t0)
, e7 R0 a; y9 k1 F% w) I
! g! {+ _, N( B$ ]8 |+ uloadcookie=request.cookies(prefix&t0)
1 w8 W, _3 p- T3 O' D! ?* l1 B 6 A5 P7 p7 p  N# Q4 }
end function
0 L) V3 O* `; J/ p
1 e) x& n: c6 U$ |' }public sub setcookie(byval t0,byval t1)8 s: `& [1 N4 z( [0 {, `0 \
; x. i+ k& f) {0 R4 v" Z6 j
response.cookies(prefix&t0)=t1
" `1 M% A8 k$ Y# b % [0 t5 d8 J* U; b0 c7 r; @" J
end sub9 x# L: |2 S7 I
( D0 c3 s2 ?4 S
prefix, x. z5 U9 L1 l) {- |& w# @  N3 o

' L. C  h8 z. I( L9 d'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值; ]( i2 {  w' |4 D# h$ k3 F) |# l

$ L: q8 o. m4 R  ?dim prefix
1 |$ I9 Y3 L* f2 I1 G
9 e# X6 w7 l; O$ z% J7 Mprefix="1Jb8Ob"
  N: _' I# E" C2 V   F8 |& @% B& |" W' e
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
0 d- F2 d* J% E7 _% E3 }7 n  p* H 6 A9 L, |% M, f
sub out4 s+ w4 l7 }* q% B3 I3 V6 z; Q1 V
0 w" p- {( H  A2 Y  n
sdcms.setsession "adminid",""* e! s$ d$ D; P

! D8 m' a+ }$ T7 E3 k8 E9 ysdcms.setsession "adminname","", w7 i8 ], {1 |; s8 M

+ @! E' p) v- V8 ?/ q9 y  wsdcms.setsession "admingroupid","", y; Z3 l; P7 _" C

( P8 P) N* v# t+ m& y( Esdcms.setcookie "adminid",""1 U8 L- K; w' C

& V1 }# k' l  Psdcms.setcookie "loginkey",""! W7 p% y) w# {+ G. {, y" ~
; z/ R8 M$ K9 i% g
sdcms.setcookie "islogin",""  U, U( i6 v3 l2 E- K) w

# c2 O2 ?$ L+ f* |+ ksdcms.go "login.asp"
0 P1 p5 q% d2 z+ c$ L3 k 8 n) c5 [+ [7 J% k
end sub
; ^5 u- j, L0 V( l. u , h( y$ S+ a* y
( I( a1 S5 y7 t* t
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!6 f! \6 n9 O- F; M" G
修复方案:
; r9 c9 ~- l, i( O+ o8 b! @修改函数!
. [- Y' c' {2 b) H/ }# G



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2