标题: SDCMS后台绕过直接进入漏洞 [打印本页] 作者: admin 时间: 2013-7-26 12:42 标题: SDCMS后台绕过直接进入漏洞 要描述: 2 W% W4 X5 o1 f( d0 ~! O1 _. ]; T5 l/ d4 E5 ~, N
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试 p. D. x7 c, b' W$ l! E. O详细说明:, c# U1 k/ j s8 Y
Islogin //判断登录的方法 ) b: d% b: q0 s1 a8 U# {) S " Y& w. }4 Y% @! e# w2 _
sub islogin()5 h9 d" L$ c8 P0 h& u) m
, e- j9 u. S4 }& {, k
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then & i+ y- G4 p# A/ a: @' c; \) B
( B# V* T1 L) G; Ydim t0,t1,t2 * f& f* e4 m5 {6 _+ i
6 l' T+ g& K8 B+ p: \2 A# O
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 4 o& ]! F3 W' r( q) _8 V 8 d; C9 g+ D ]. u/ Q
t1=sdcms.loadcookie("islogin") Z' n; t" x/ q8 }, a- v
' f/ u! h1 U4 Q/ H( d
t2=sdcms.loadcookie("loginkey")3 `; z* i8 ]4 N) u ^
g7 ]) _! A2 G; ]
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行 & U) i; S7 m8 t% Y) |/ C * \: v7 R/ u" Z, B
// ! {. K+ {. ^2 t ! i3 \* `3 }7 B4 wsdcms.go "login.asp?act=out"8 |0 W1 U( I9 g
$ l3 R1 K0 J w* q8 ^
exit sub , x& T6 o: y3 Z- ^ : D3 M/ T2 e" |) w) L! y7 d
else6 O- _/ m V3 }- K! R; }
0 a' R; j& {- _
dim data R) g' M! P @! }8 M
9 g8 K! i! T1 A( n1 Gdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控' {$ p" G: w* w2 u% l+ J
2 h9 X6 V1 }- ?1 H- Iif ubound(data)<0 then ' X" l" s& t: T8 q0 `: T" i 7 U# f" m& [: g" L0 Bsdcms.go "login.asp?act=out"0 z* ]2 ?1 ]" U; h! u
h- z2 r: @0 ?: e7 v3 W9 |/ U
exit sub8 k* W G4 |( A" j L3 b+ K
8 Y) T3 E: V5 a6 ?0 C
else $ q6 A; ?: I# Q1 y1 ?5 Y' Z6 I ) V+ `- i6 U7 a$ P' Eif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then6 p) G8 Y) V8 N& T8 `4 b
5 X5 [6 R% Q6 t b$ \% j5 D6 v
sdcms.go "login.asp?act=out" 3 j! j- L# H( C K N7 C : z, X# A. G2 s1 a5 r5 U1 jexit sub" V+ x. v% X- N0 Z" J' `
( L; C# o: O6 W* Ielse. o2 G8 h0 ]) H3 t C
# L8 t! d$ o% M3 m9 D
adminid=data(0,0)/ N% ?9 B* `& s
- q2 V0 L( |# K. z6 U
adminname=data(1,0). ~4 c; @% Z$ O
5 e* U4 r( |' Z0 g' \admin_page_lever=data(5,0)0 U! \8 N( u! A
; B, `' D& y; w) @: x- R
admin_cate_array=data(6,0) 0 I: r: V2 L1 ^ i i4 B 4 \9 q3 W9 C% O- z4 x+ Y/ s) b
admin_cate_lever=data(7,0): t) l$ R1 h$ E R# y
. {! Q. C! E, B$ M7 Lif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 . T: T( w, w: H4 N& [1 j : l6 Y9 U6 ^1 A: q: H
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0! J+ G: \- {8 h( t2 b" B% d
6 [& Y& o/ f7 F5 E& f* d; }6 Jif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0 . Q7 m2 E8 B2 [ Q a+ g . v* t( S' S( D& P' R
if clng(admingroupid)<>0 then 9 n1 w5 ~: l5 W. K: Z* W* l - d- d1 I k) A$ H# S- `! I
admin_lever_where=" and menuid in("&admin_page_lever&")" 6 \7 `- D+ w1 o. Q# U7 {) ^. R& m' H - Q- m6 v2 I5 I( b+ M- ~# p% kend if- |3 T; A- l" x& X: S; [
9 |) A' R3 S' N \3 Osdcms.setsession "adminid",adminid/ I1 f% a& b: G
6 {5 G2 G7 H7 B8 D
sdcms.setsession "adminname",adminname , ?$ Z$ B4 j+ x2 G1 @$ J4 A A/ F7 ~# i0 s- w" f% g; T3 nsdcms.setsession "admingroupid",data(4,0) # T7 c! K0 I/ X k ' j0 K) G! S% ^) s" yend if " W5 V7 q+ k- v 6 t. D0 _8 g- F& q8 U- z- @' c& vend if ( W0 K4 H1 Z4 M& q% }; L O7 S( b 0 l2 ?* W% F, S
end if2 T- {- m2 j1 Z. x0 j/ ~
G) C9 r3 d+ l- n& m4 Selse% V2 J, c, r! y4 z& L
9 C Y9 G7 B" ^# A# t& ?data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")' V3 ?: P" v& r3 K d
0 [0 V' N- Z) k1 m2 Pif ubound(data)<0 then , d3 ^2 L6 w0 h0 f * z. o* s- b7 x/ xsdcms.go "login.asp?act=out"0 p% K+ g& V1 j/ b
/ @. o: u4 S$ ]
exit sub 2 m& W0 r( V4 H) a ; Z/ I/ Y* I- z/ m
else3 l- `$ @6 \5 {( v$ D6 N& s
. T9 a3 s) q/ @1 hadmin_page_lever=data(0,0)2 U" ]5 W7 A# [( @
3 m, J- t: a" b+ I3 j
admin_cate_array=data(1,0)8 I4 V0 {. X4 {# Q% g
S1 \, q; y0 R: @9 ?% Y
admin_cate_lever=data(2,0) 3 f* a5 k' K4 H9 ~ e' {+ r! s: V , m1 R# R: d! w& H
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 7 _9 _6 z6 X; Q4 `7 m# F: q6 ] ' i% X0 i3 Q2 I0 _9 ~8 w3 g/ h
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, ]$ O: k- Q6 a; `- K7 p! `8 R
8 x, O# C% c/ z* f7 s/ j; sif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0 1 e. h. I# E( r' A. `& Q( a5 F ' @: p3 ?* `5 w+ {" Y, K/ O4 Vif clng(admingroupid)<>0 then . J$ _7 _6 k$ \ 9 v0 N6 Y4 D' }) n. {5 Yadmin_lever_where=" and menuid in("&admin_page_lever&")"" Q! H- A: {/ q
0 t e5 u$ E( l# s
end if r* q+ _+ Z t 3 Y+ u1 w5 U5 Y. M [0 S, e- O
end if 2 Y; C; Q! s$ M 6 r- i" q. Y- `+ ^end if# \6 p# i2 J6 u1 z( D
8 C; B& i6 o: n& [( b5 Qend sub 2 Z2 I) P3 k* j) P9 L& S漏洞证明:4 `: F {, C ~
看看操作COOKIE的函数 . A9 S( ?* v1 h2 s 3 F1 p0 g% u. E5 J" `' m. B# d
public function loadcookie(t0) 8 ]( j3 \' |* t ( s- Z% q1 P1 a% ?loadcookie=request.cookies(prefix&t0)7 G; E- I x" w& w( R
! B2 k: E' h# r b* Fend function; G" Z9 ^# K! ?1 D. r3 U+ {% s
0 u' k2 [5 Z1 Vpublic sub setcookie(byval t0,byval t1)! k7 ^- X5 g+ X/ s3 p0 N7 U
- E+ a0 g& c$ D7 o' J4 iresponse.cookies(prefix&t0)=t1" ?7 Y- x$ ^! q
( T3 ]2 u L4 I6 G/ T
end sub0 V) t# ^5 H3 F' }6 _
3 k) u, K7 A* N. @! P; G V6 Lprefix ( j6 j9 ]! H4 o2 b! f) w; l A0 {0 ]5 h6 j2 {! `) S
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值+ W, L! E$ v( e- P: X! u
; r% o' u7 I. U. I/ q; d6 L- Adim prefix& c( m4 J; V- Y) _; J1 x
. \% ?1 u3 D( Y9 N q$ F, h, x. u
prefix="1Jb8Ob" 1 i7 }4 i+ M- J& Q8 `, R# z 2 y6 e- c! w8 i0 R5 m
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 1 X+ d' r0 u$ Y" j8 p: o6 C - i; h8 V' I R1 v
sub out. o8 p/ |. ?. v2 V6 i
5 m6 B1 J; E: b' Nsdcms.setsession "adminid","" ( {# K7 b* z1 M2 X $ v* B; f2 ?0 U4 k/ usdcms.setsession "adminname",""4 M. x" i- M. W- g: \
# q5 L8 D; P4 Usdcms.setsession "admingroupid","" 1 Q+ |; B2 |+ N9 `% h $ N k/ b z: U4 ssdcms.setcookie "adminid","" * {, Y/ l$ x- g" h* j , g& B& ?: ]! n+ ]sdcms.setcookie "loginkey","" . H6 x! A; _5 r7 y$ i$ {, W9 K) b 0 f3 Z- j8 d5 T& u. G8 b) N- Lsdcms.setcookie "islogin","" 2 H3 f5 x j9 u* o; ?' o1 E% } ' Z0 X) g) N ] Tsdcms.go "login.asp" 5 I! V9 e3 R. ]2 H. Q ) z7 \7 z/ r5 k+ r- f p$ D
end sub. i% F; z/ K5 }7 C7 @, S