China Network Penetration Testing Alliance

Title: SDCMS backend bypass: direct entry into the admin panel

Author: admin    Time: 2013-7-26 12:42
Brief description:

SDCMS backend bypass, direct entry into the admin panel. Tested on version 2.0 beta2; other versions were not tested.

Detailed description:

Islogin is the method that decides whether the current request is logged in:

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   'loadcookie reads straight from the client's cookie
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        'This check is terrible: sdcms.strlen(t2)<>50 puts no requirement on loginkey at all.
        'Any 50 characters are enough for execution to continue.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            'Look the administrator up by ID; the ID comes from the cookie and is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                'Note: VBScript instr() returns 0 when the substring is not found and is never negative,
                'so the "<0" comparison below can never be true and the decrypted key is never rejected
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:

Look at the functions that handle the cookie:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

'Variable prefix. If this program is deployed more than once under the same hosting space, configure a different value for each copy.
dim prefix
prefix="1Jb8Ob"

'This value can be obtained by visiting admin/login.asp?act=out once; it appears in the cookie names.

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
Exploitation: set the cookie prefixloginkey to any 50 characters and prefixislogin to anything, then iterate prefixadminid (default 1) and open the backend. That is all it takes!

Fix:
Change the function!
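A Python model of the islogin cookie check (added here, not SDCMS code) that reproduces the two defects visible above, the length-only loginkey test and the never-true instr()<0 comparison, next to a hardened replacement that binds loginkey to the admin record with a server secret. ADMINS, SERVER_SECRET, placeholder_decrypt and FORGED_COOKIES are constructed stand-ins, and the real sdcms.decrypt algorithm is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample row with the columns islogin() reads; not real SDCMS data.
ADMINS = {1: {"adminname": "admin", "adminpass": hashlib.md5(b"example").hexdigest(),
              "islock": 1, "groupid": 0}}
# Assumed server-side secret: SDCMS has none, the hardened check adds it.
SERVER_SECRET = secrets.token_bytes(32)
# Constructed forged cookies exactly as the post describes: any 50-char loginkey.
FORGED_COOKIES = {"adminid": "1", "islogin": "anything", "loginkey": "A" * 50}


def vbs_instr(haystack: str, needle: str) -> int:
    """Model VBScript InStr: 1-based position, 0 when not found, never negative."""
    return haystack.find(needle) + 1

def placeholder_decrypt(t1: str, t2: str) -> str:
    """Stand-in for sdcms.decrypt (real algorithm unknown); its output is never checked anyway."""
    return t1[::-1]

def vulnerable_islogin(cookies: dict) -> bool:
    """Python port of the SDCMS 2.0 beta2 cookie check from the post."""
    t0 = cookies.get("adminid", "")
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    if not t0.isdigit() or not t1 or len(t2) != 50:
        return False
    row = ADMINS.get(int(t0))
    if row is None:
        return False
    # instr() is 0 on a mismatch, so "< 0" is never true: loginkey is never verified.
    if vbs_instr(row["adminname"] + row["adminpass"], placeholder_decrypt(t1, t2)) < 0 \
            or row["islock"] == 0:
        return False
    return True

def issue_loginkey(adminid: int) -> str:
    """Hardened replacement: loginkey is an HMAC bound to the admin id and password hash."""
    msg = f"{adminid}:{ADMINS[adminid]['adminpass']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def hardened_islogin(cookies: dict) -> bool:
    """Recompute the expected key and compare in constant time; length alone proves nothing."""
    t0 = cookies.get("adminid", "")
    if not t0.isdigit() or int(t0) not in ADMINS or ADMINS[int(t0)]["islock"] == 0:
        return False
    expected = issue_loginkey(int(t0)).encode()
    return hmac.compare_digest(expected, cookies.get("loginkey", "").encode())
```

With the forged cookies, vulnerable_islogin returns True while hardened_islogin returns False; only a key issued by issue_loginkey for the same adminid passes the hardened check.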

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2