    AspCMS AspCms_SettingFun.asp, AspCms-qqkfFun.asp, AspCms_Slide.asp, AspCms_StyleFun.asp, login.asp, AspCms_CommonFun.asp Vul

    catalog

    1. Vulnerability description
    2. Trigger conditions
    3. Affected scope
    4. Vulnerability code analysis
    5. Defensive measures
    6. Offense and defense reflections

    1. Vulnerability description

    The AspCMS management system has a number of vulnerabilities, involving SQL injection, password disclosure, writing a shell from the admin backend, and so on. This article enumerates these intrusion vectors one by one.

    Relevant Link:

    http://www.qhwins.com/ShowNews/?11-200812616063028285.html
    http://www.webshell.cc/2914.html


    2. Trigger conditions

    0x1: A "universal cookie" grants entry to the admin backend without logging in (the login check trusts client-supplied cookies only)

    0x2: The backend writes a WEBSHELL directly into a configuration file


    3. Affected scope
    4. Vulnerability code analysis
    5. Defensive measures

    /admin/_system/AspCms_SettingFun.asp
    /admin/_style/AspCms_StyleFun.asp

    <!--#include file="../inc/AspCms_SettingClass.asp" -->
    <% 
    
    dim action : action=getForm("action","get") 
    
    '''
    checkLogin() ' added: run the login check before any action is dispatched
    '''

    /inc/AspCms_CommonFun.asp

    Function checkLogin()
        '''
        ' added: require the server-side session flag that login.asp sets
        if isnul(Session("adminlogin")) then
            alertMsgAndGo"You are not logged in","/"
        end if
        '''
        if isnul(rCookie("adminName")) or rCookie("adminName")="" then
            alertMsgAndGo"You are not logged in","/"
        else
            dim Permissions
            Permissions=rCookie("groupMenu")
            if Permissions<>"all" and isnul(Permissions) then
                alertMsgAndGo"You do not have permission to access this page","-1"
            end if
        end if
    End Function

    /admin/login.asp

    <!--#include file="../inc/AspCms_SettingClass.asp" -->
    <%
    dim action : action=getForm("action","get")
    if action = "login" then
        dim UserName,Password,sql,code,Rs
        UserName = filterPara(getForm("username","post"))
        Password = md5(getForm("Password","post"),16)
        code     = getForm("code","post")
        if code <> Session("Code") then alertMsgAndGo "The verification code you entered is wrong!","-1"
        if isOutSubmit then  alertMsgAndGo"Illegal external submission is forbidden","-1"
    
    ' columns consulted below, from {prefix}User and {prefix}UserGroup:
    '   LoginName
    '   Password
    '   GroupID
    '   IsAdmin
        sql = "select count(*) from {prefix}User where LoginName = '"& UserName &"' and Password='"&Password&"'"
        Dim rsObj : Set rsObj=Conn.Exec(sql,"r1")
        if rsObj(0)=1 then
            Set rsObj=Conn.Exec("select IsAdmin, GroupStatus,GroupName, UserStatus, UserID, GroupMenu, LanguageID from {prefix}User as a, {prefix}UserGroup as b where LoginName='"&UserName&"' and a.GroupID=b.GroupID","r1")
    
            if not rsObj.Eof Then
                if rsObj("IsAdmin")<>1 then alertMsgAndGo"Sorry, you are not an administrator!","-1"
                if rsObj("GroupStatus")<>1 then alertMsgAndGo"Sorry, your user group has been disabled!","-1"
                if rsObj("UserStatus")<>1 then alertMsgAndGo"Sorry, your account has been disabled!","-1"
                '''
                Session("adminlogin")=1 ' added: mark the admin login server-side, not only in cookies
                '''
                wCookie"adminName",UserName
                wCookie"GroupName",rsObj("GroupName")
                wCookie"adminId",rsObj("UserID")
                wCookie"groupMenu",repnull(rsObj("GroupMenu"))

    This fix has a weakness: the code that sets the session flag and the code that checks it live in different files. Many webmasters deliberately rename login.asp so that their admin backend is not found by scanners, and a patching process that locates files by relative path will then miss login.asp. The result is that the two halves of the defensive logic fall out of step: checkLogin() demands a session flag that the renamed login page never sets.
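    To make the cookie bypass concrete, the following is an added Python model of checkLogin() before and after the session flag is introduced. It is illustration only, not AspCMS code or the author's patch: the helper names (is_nul, parse_cookies, the two check functions) and the sample Cookie header are constructed here. The model reads a raw Cookie header exactly as a client could send it, which is what the original check trusts.

```python
"""Added Python model of AspCMS checkLogin() before/after the session patch.
Not AspCMS code: function names and the sample requests are constructed here."""
from http.cookies import SimpleCookie


def is_nul(value):
    """Mirror of the ASP helper isnul(): None or blank counts as 'null'."""
    return value is None or str(value).strip() == ""


def parse_cookies(header):
    """Turn a raw Cookie request header into a dict, as rCookie() would read it."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def check_login_original(cookies):
    """Cookie-only check as shipped: every input is chosen by the client."""
    if is_nul(cookies.get("adminName")):
        return "not logged in"
    permissions = cookies.get("groupMenu")
    # Same expression as the ASP code; it only rejects an absent/blank groupMenu.
    if permissions != "all" and is_nul(permissions):
        return "no permission"
    return "ok"


def check_login_patched(session, cookies):
    """Patched check: the server-side session flag set by login.asp comes first."""
    if is_nul(session.get("adminlogin")):
        return "not logged in"
    return check_login_original(cookies)


# Constructed attacker request: a forged Cookie header and no server-side session.
FORGED_HEADER = "adminName=admin; GroupName=admin; adminId=1; groupMenu=all"
EMPTY_SESSION = {}

# Constructed legitimate request: same cookies, but login.asp also set the session flag.
LEGIT_SESSION = {"adminlogin": 1}


def run_scenarios():
    """Return the verdict of each check for the forged and the legitimate request."""
    cookies = parse_cookies(FORGED_HEADER)
    return {
        "forged/original": check_login_original(cookies),
        "forged/patched": check_login_patched(EMPTY_SESSION, cookies),
        "legit/patched": check_login_patched(LEGIT_SESSION, cookies),
        "no-cookies/original": check_login_original({}),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:22} -> {verdict}")
```

    Note that even the patched check still takes groupMenu from a cookie: the patch moves authentication server-side, but the authorization decision remains client-controlled until that value is also read from the session or the database.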

    0x1: Final fix

    /inc/AspCms_CommonFun.asp

    ' fetch a request parameter by name from the query string, the form body, or either
    Function getForm(element,ftype)
        Select case ftype
            case "get"
                getForm=trim(request.QueryString(element))
            case "post"
                getForm=trim(request.Form(element))
            case "both"
                if isNul(request.QueryString(element)) then getForm=trim(request.Form(element)) else getForm=trim(request.QueryString(element))
        End Select    
        ''''
        ' added: neutralise both quote characters before the value reaches any SQL string
        getForm=replace(getForm,CHR(34),"&quot;") : getForm=replace(getForm,CHR(39),"&apos;")
        ''''
    End Function
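    As an added Python illustration (not AspCMS code or the author's) of both the login.asp query above and this final fix, the patched getForm() escaping is applied to the username that login.asp concatenates into its count(*) query, and the raw and escaped queries are compared. The table prefix aspcms_, the 16-character md5 form (the middle 16 hex digits, as the usual ASP md5 helper returns for md5(x,16)) and the injection payload are assumptions made for the example.

```python
"""Added Python illustration of the patched getForm() applied to the login.asp
query. Not AspCMS code: the table prefix, md5 form and payload are assumptions."""
import hashlib


def get_form_original(value):
    """Original getForm(): only trims the parameter."""
    return value.strip()


def get_form_patched(value):
    """Patched getForm(): trim, then replace both quote characters with entities."""
    value = value.strip()
    return value.replace('"', "&quot;").replace("'", "&apos;")


def md5_16(text):
    """Assumed md5(x,16): the middle 16 hex digits of the 32-digit MD5 (common ASP helper)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()[8:24]


def build_login_sql(username, password, prefix="aspcms_"):
    """Same string concatenation as login.asp; the prefix value is assumed."""
    return (f"select count(*) from {prefix}User where LoginName = '{username}' "
            f"and Password='{md5_16(password)}'")


def literal_broken(sql):
    """True when the username escaped its quoted literal: a query in which
    nothing broke out contains exactly four single quotes (two per literal)."""
    return sql.count("'") != 4


PAYLOAD = "admin' or '1'='1"  # constructed classic injection value


def compare(payload=PAYLOAD, password="anything"):
    """Build the login query with the original and the patched getForm()."""
    raw = build_login_sql(get_form_original(payload), password)
    fixed = build_login_sql(get_form_patched(payload), password)
    return {"raw": raw, "raw_broken": literal_broken(raw),
            "fixed": fixed, "fixed_broken": literal_broken(fixed)}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:13}: {value}")
```

    The entity replacement keeps this quoted-string query intact, but it has side effects a practitioner should weigh: a legitimate value containing a quote is stored and compared as &apos; or &quot; from then on, and the replacement offers nothing for a parameter concatenated into an unquoted numeric context. Parameterised queries remove both concerns.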


    6. Offense and defense reflections

    Copyright (c) 2015 LittleHann All rights reserved

    Original article: https://www.cnblogs.com/LittleHann/p/4729972.html