中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: SDCMS admin backend bypass (direct entry) vulnerability

Author: admin    Time: 2013-7-26 12:42

Brief description:

SDCMS admin backend bypass, direct entry. Tested on version 2.0 beta2; other versions not tested.

Detailed description:
islogin: the method that decides whether the visitor is logged in

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0) ' loadcookie: read straight from the client cookie
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' this check is terrible: sdcms.strlen(t2)<>50 puts no requirement on loginkey
        ' other than its length; any 50 characters let execution continue
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' queries by administrator ID; the ID comes from the cookie and is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' InStr returns 0 (never a negative number) when the needle is absent,
                ' so the "<0" branch can never be taken and the decrypted key is effectively unchecked
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:
Look at the functions that handle the cookie:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

'variable prefix; if this program is installed several times under one hosting space, configure a different value for each installation
dim prefix
prefix="1Jb8Ob"
'this value can be obtained by visiting admin/login.asp?act=out; it shows up in the cookie

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
Exploitation method: set the cookie prefixloginkey to 50 characters and prefixislogin to anything, then iterate prefixadminid (the default is 1) and visit the backend. That is all!

Fix:
Modify the function!
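Added example, not code from the post or from SDCMS: a Python model of the islogin cookie check shown above, beside a hardened replacement. The admin table, the server secret and the opaque stand-in for sdcms.decrypt are constructed for the example, and cookie names are used without the prefix. The flawed model shows why the check accepts any 50-character loginkey (VBScript InStr returns 0, never a negative number, when the needle is absent, so instr(...)<0 can never fire, and nothing else ties the cookie to the account); the hardened version binds loginkey to the admin row with an HMAC under a server-side secret and compares it in constant time.

```python
# Python model of the SDCMS islogin cookie check and a hardened replacement.
# Added example, not SDCMS code. Admin table, secret and decrypt stand-in are constructed.
import hashlib
import hmac
import secrets

# Constructed stand-in for the sd_admin table (islock=1 means the account is active,
# mirroring the original, which rejects rows where islock=0).
ADMINS = {
    1: {"adminid": 1, "adminname": "admin", "adminpass": "constructed-password-hash", "islock": 1},
}


def vb_instr(haystack, needle):
    """VBScript InStr semantics: 1-based position of needle, 0 when absent.
    It never returns a negative number, which is why `instr(...) < 0` is dead code."""
    return haystack.find(needle) + 1


def vb_getint(value, default):
    """Mirrors sdcms.getint: the integer value, or the default when not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def opaque_decrypt(islogin, loginkey):
    """Stand-in for sdcms.decrypt (assumption: its output is irrelevant, see below)."""
    return islogin + loginkey


def flawed_islogin(cookies, admins=ADMINS):
    """Mirrors the original control flow. Returns the adminid that receives a
    session, or None where the original redirects to login.asp?act=out."""
    t0 = vb_getint(cookies.get("adminid", ""), 0)  # str(t0) is never empty after getint
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    # The only property of loginkey that is tested is its length.
    if str(t0) == "" or t1 == "" or len(t2) != 50:
        return None
    row = admins.get(t0)  # lookup keyed on a cookie-controlled id
    if row is None:
        return None
    # instr(...) can never be < 0, so only islock is actually checked here.
    if vb_instr(row["adminname"] + row["adminpass"], opaque_decrypt(t1, t2)) < 0 or row["islock"] == 0:
        return None
    return row["adminid"]


# Constructed secret; in a real deployment it lives in configuration outside the web root.
SERVER_SECRET = secrets.token_bytes(32)


def issue_loginkey(row):
    """Key handed out at login: HMAC over adminid and the stored password hash, so it
    cannot be forged without the server secret and stops working when the password changes."""
    msg = f"{row['adminid']}:{row['adminpass']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def hardened_islogin(cookies, admins=ADMINS):
    """Same cookies, but loginkey must be a valid MAC for that adminid."""
    t0 = vb_getint(cookies.get("adminid", ""), 0)
    t2 = cookies.get("loginkey", "")
    row = admins.get(t0)
    if row is None or row["islock"] == 0:
        return None
    # Constant-time comparison on bytes, so a non-ASCII cookie cannot raise instead of failing.
    if not hmac.compare_digest(issue_loginkey(row).encode(), t2.encode()):
        return None
    return row["adminid"]


if __name__ == "__main__":
    forged = {"adminid": "1", "islogin": "x", "loginkey": "A" * 50}  # constructed cookie set
    print("flawed check, forged cookies   :", flawed_islogin(forged))     # 1: treated as admin
    print("hardened check, forged cookies :", hardened_islogin(forged))   # None
    legit = {"adminid": "1", "loginkey": issue_loginkey(ADMINS[1])}
    print("hardened check, issued key     :", hardened_islogin(legit))    # 1
```

The hardened check drops the islogin cookie entirely: the authenticity of the session is carried by the MAC in loginkey, which the client cannot compute, and the comparison does not depend on substring matching or on the length of the value.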





Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2