catalog
. 漏洞描述
. 漏洞触发条件
. 漏洞影响范围
. 漏洞代码分析
. 防御方法
. 攻防思考
1. 漏洞描述
AspCMS管理系统有较多漏洞,涉及到SQL注入、密码泄漏、后台写SHELL等,本文逐一枚举这些入侵向量
Relevant Link:
http://www.qhwins.com/ShowNews/?11-200812616063028285.html
http://www.webshell.cc/2914.html
2. 漏洞触发条件
0x1: 万能Cookie免登进入后台
0x2: 后台直接向配置文件写WEBSHELL
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
/admin/_system/AspCms_SettingFun.asp
/admin/_style/AspCms_StyleFun.asp
<!--#include file="../inc/AspCms_SettingClass.asp" -->
<% dim action : action=getForm("action","get") '''
checklogin() '添加校验函数
'''
/inc/AspCms_CommonFun.asp
Function checkLogin()
'''
if isnul(Session("adminlogin")) then
alertMsgAndGo"您还没有登陆","/"
'''增加校验admin登陆的session
if isnul(rCookie("adminName")) or rCookie("adminName")="" then
alertMsgAndGo"您还没有登陆","/"
else
dim Permissions
Permissions=rCookie("groupMenu")
if Permissions<>"all" and isnul(Permissions) then
alertMsgAndGo"您没有访问权限","-1"
end if
end if
End Function
/admin/login.asp
<!--#include file="../inc/AspCms_SettingClass.asp" -->
<%
dim action : action=getForm("action","get")
if action = "login" then
dim UserName,Password,sql,code,Rs
UserName = filterPara(getForm("username","post"))
Password = md5(getForm("Password","post"),)
code = getForm("code","post")
if code <> Session("Code") then alertMsgAndGo "您填写的验证码错误!","-1"
if isOutSubmit then alertMsgAndGo"非法外部提交被禁止","-1" ' User UserGroup
' LoginName
'Password
'GroupID
'IsAdmin
sql = "select count(*) from {prefix}User where LoginName = '"& UserName &"' and Password='"&Password&"'"
Dim rsObj : Set rsObj=Conn.Exec(sql,"r1")
if rsObj()= then
Set rsObj=Conn.Exec("select IsAdmin, GroupStatus,GroupName, UserStatus, UserID, GroupMenu, LanguageID from {prefix}User as a, {prefix}UserGroup as b where LoginName='"&UserName&"' and a.GroupID=b.GroupID","r1") if not rsObj.Eof Then
if rsObj("IsAdmin")<> then alertMsgAndGo"对不起,你不是管理员!","-1"
if rsObj("GroupStatus")<> then alertMsgAndGo"对不起,您所在用户组已被禁用!","-1"
if rsObj("UserStatus")<> then alertMsgAndGo"对不起,您的账号已被禁用!","-1"
'''
Session("adminlogin")= '增加admin的session
'''
wCookie"adminName",UserName
wCookie"GroupName",rsObj("GroupName")
wCookie"adminId",rsObj("UserID")
wCookie"groupMenu",repnull(rsObj("GroupMenu"))
这种修复方案会存在问题,session打标的代码和session验证的代码不在同一个文件中,而对于很多站长来说,它们会刻意修改login.asp文件,以此来防止自己的网站后台被黑客恶意扫描到,这导致了基于相对路径识别文件的过程中,会漏过对login.asp文件的修复,最终导致防御代码各逻辑部分的不一致
0x1: 最终修复方案
/inc/AspCms_CommonFun.asp
'获取参数值
Function getForm(element,ftype)
Select case ftype
case "get"
getForm=trim(request.QueryString(element))
case "post"
getForm=trim(request.Form(element))
case "both"
if isNul(request.QueryString(element)) then getForm=trim(request.Form(element)) else getForm=trim(request.QueryString(element))
End Select
''''
getForm=replace(getForm,CHR(),""") : getForm=replace(getForm,CHR(),"'")
''''
End Function
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved