SDCMS后台绕过直接进入,一种不常见的设计失误案例漏洞预警 -电脑资料

简要描述：

SDCMS后台绕过直接进入：测试版本2.0 beta2 其他版本未测试

详细说明：

Islogin //判断登录的方法

sub islogin()

if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then

dim t0,t1,t2

t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie

t1=sdcms.loadcookie("islogin")

t2=sdcms.loadcookie("loginkey")

if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行

//

sdcms.go "login.asp?act=out"

exit sub

else

dim data

data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控

if ubound(data)<0 then

sdcms.go "login.asp?act=out"

exit sub

else

if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then

sdcms.go "login.asp?act=out"

exit sub

else

adminid=data(0,0)

adminname=data(1,0)

admin_page_lever=data(5,0)

admin_cate_array=data(6,0)

admin_cate_lever=data(7,0)

if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0

if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0

if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0

if clng(admingroupid)<>0 then

admin_lever_where=" and menuid in("&admin_page_lever&")"

end if

sdcms.setsession "adminid",adminid

sdcms.setsession "adminname",adminname

sdcms.setsession "admingroupid",data(4,0)

end if

end if

end if

else

data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")

if ubound(data)<0 then

sdcms.go "login.asp?act=out"

exit sub

else

admin_page_lever=data(0,0)

admin_cate_array=data(1,0)

admin_cate_lever=data(2,0)

if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0

if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0

if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0

if clng(admingroupid)<>0 then

admin_lever_where=" and menuid in("&admin_page_lever&")"

end if

end if

end if

end sub

漏洞证明：

看看操作COOKIE的函数

public function loadcookie(t0)

loadcookie=request.cookies(prefix&t0)

end function

public sub setcookie(byval t0,byval t1)

response.cookies(prefix&t0)=t1

end sub

prefix

'变量前缀，如一个空间下多次使用本程序的话，请每个程序配置不同的值

dim prefix

prefix="1Jb8Ob"

'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里

sub out

sdcms.setsession "adminid",""

sdcms.setsession "adminnam

sdcms.setsession "admingroupid",""

sdcms.setcookie "adminid",""

sdcms.setcookie "loginkey",""

sdcms.setcookie "islogin",""

sdcms.go "login.asp"

end sub

利用方法：设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台，就可以了！

修复方案：

修改函数！