AspCMS AspCms_SettingFun.asp, AspCms-qqkfFun.asp, AspCms_Slide.asp, AspCms_StyleFun.asp, login.asp, AspCms_CommonFun.asp Vul
Contents
1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Defenses
6. Attack and defense reflections
1. Vulnerability description
The AspCMS content management system has a number of vulnerabilities, including SQL injection, password leakage and writing a SHELL from the admin backend. This article enumerates these intrusion vectors one by one.
Relevant Link:
http://www.qhwins.com/ShowNews/?11-200812616063028285.html http://www.webshell.cc/2914.html
2. Trigger conditions
0x1: "Universal cookie": reaching the admin backend without logging in. checkLogin() in /inc/AspCms_CommonFun.asp decides on nothing but the adminName and groupMenu cookies (see section 5), and a cookie is whatever the client chooses to send; some admin handlers, such as AspCms_SettingFun.asp and AspCms_StyleFun.asp, do not even call checkLogin().
0x2: From the backend, a WEBSHELL can be written directly into a configuration file.
3. Affected scope
4. Vulnerable code analysis
5. Defenses
/admin/_system/AspCms_SettingFun.asp
/admin/_style/AspCms_StyleFun.asp
    <!--#include file="../inc/AspCms_SettingClass.asp" -->
    <%
    dim action : action=getForm("action","get")
    '''
    checklogin()    'added: call the login check before any action is handled
    '''
/inc/AspCms_CommonFun.asp
    Function checkLogin()
        '''
        'added: require the server-side session flag that only login.asp sets
        if isnul(Session("adminlogin")) then alertMsgAndGo "You are not logged in","/"
        '''
        if isnul(rCookie("adminName")) or rCookie("adminName")="" then
            alertMsgAndGo "You are not logged in","/"
        else
            dim Permissions
            Permissions=rCookie("groupMenu")
            'note: this condition only fails for an empty groupMenu cookie; any non-empty value, not just "all", passes
            if Permissions<>"all" and isnul(Permissions) then alertMsgAndGo "You do not have permission to access this","-1"
        end if
    End Function
/admin/login.asp
    <!--#include file="../inc/AspCms_SettingClass.asp" -->
    <%
    dim action : action=getForm("action","get")
    if action = "login" then
        dim UserName,Password,sql,code,Rs
        UserName = filterPara(getForm("username","post"))
        Password = md5(getForm("Password","post"),16)
        code = getForm("code","post")
        if code <> Session("Code") then alertMsgAndGo "The verification code you entered is wrong!","-1"
        if isOutSubmit then alertMsgAndGo "Illegal external submission is forbidden","-1"
        ' tables: User, UserGroup
        ' columns: LoginName, Password, GroupID, IsAdmin
        sql = "select count(*) from {prefix}User where LoginName = '"& UserName &"' and Password='"&Password&"'"
        Dim rsObj : Set rsObj=Conn.Exec(sql,"r1")
        if rsObj(0)=1 then
            Set rsObj=Conn.Exec("select IsAdmin, GroupStatus,GroupName, UserStatus, UserID, GroupMenu, LanguageID from {prefix}User as a, {prefix}UserGroup as b where LoginName='"&UserName&"' and a.GroupID=b.GroupID","r1")
            if not rsObj.Eof Then
                if rsObj("IsAdmin")<>1 then alertMsgAndGo "Sorry, you are not an administrator!","-1"
                if rsObj("GroupStatus")<>1 then alertMsgAndGo "Sorry, your user group has been disabled!","-1"
                if rsObj("UserStatus")<>1 then alertMsgAndGo "Sorry, your account has been disabled!","-1"
                '''
                Session("adminlogin")=1    'added: mark the admin login in the server-side session
                '''
                wCookie "adminName",UserName
                wCookie "GroupName",rsObj("GroupName")
                wCookie "adminId",rsObj("UserID")
                wCookie "groupMenu",repnull(rsObj("GroupMenu"))
                ' (the listing of login.asp ends here on the page)
This fix has a weakness: the code that sets the session flag and the code that checks it live in different files. Many site owners deliberately rename login.asp so that scanners cannot find their admin backend. A patch that locates files by relative path then misses the renamed login.asp, so the flag is never set while checkLogin() still demands it, and the parts of the defense logic fall out of step: the forged-cookie request is rejected, but so is the real administrator's.
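The following is an added example, not code from AspCMS or from the original post: a Python model of the ASP logic shown above, with Request standing in for the ASP Request/Session objects, a constructed USERS table in place of {prefix}User joined with {prefix}UserGroup, and a constructed password. It plays through the three cases that matter: a forged Cookie header against the old and the new checkLogin(), a real login through the patched login.asp, and a real login through a renamed login.asp that never received the Session("adminlogin")=1 line.

```python
import hashlib
from dataclasses import dataclass, field


def asp_md5_16(text):
    """AspCMS md5(x,16): the middle 16 hex digits of the 32-digit MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()[8:24]


@dataclass
class Request:
    """Stand-in for ASP Request/Session: cookies are client-supplied, session is server-side."""
    cookies: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


# Constructed user table (hypothetical account and password, not real AspCMS data).
USERS = {
    "admin": {"Password": asp_md5_16("Admin#2015"), "IsAdmin": 1,
              "GroupStatus": 1, "UserStatus": 1, "GroupMenu": "all"},
}


def check_login_cookie_only(req):
    """The original checkLogin(): both values it tests arrive in the Cookie header."""
    if req.cookies.get("adminName", "") == "":
        return False
    permissions = req.cookies.get("groupMenu")
    # Same condition as the ASP: Permissions<>"all" and isnul(Permissions).
    # Only an empty groupMenu fails it; any non-empty value passes, not just "all".
    if permissions != "all" and not permissions:
        return False
    return True


def check_login_with_session(req):
    """checkLogin() after the fix: the server-side flag set by login.asp is required first."""
    if not req.session.get("adminlogin"):
        return False
    return check_login_cookie_only(req)


def login(req, username, password, patched_login_asp):
    """The success path of login.asp. patched_login_asp=False models a renamed copy
    that the patch missed, so the session flag is never set."""
    user = USERS.get(username)
    if user is None or user["Password"] != asp_md5_16(password):
        return False
    if user["IsAdmin"] != 1 or user["GroupStatus"] != 1 or user["UserStatus"] != 1:
        return False
    if patched_login_asp:
        req.session["adminlogin"] = 1
    req.cookies["adminName"] = username          # wCookie "adminName",UserName
    req.cookies["groupMenu"] = user["GroupMenu"]  # wCookie "groupMenu",...
    return True


def scenarios():
    """Outcome of each case: True means checkLogin() lets the request into the backend."""
    forged = Request(cookies={"adminName": "admin", "groupMenu": "all"})  # no login at all
    legit = Request()
    login(legit, "admin", "Admin#2015", patched_login_asp=True)
    renamed = Request()
    login(renamed, "admin", "Admin#2015", patched_login_asp=False)
    return {
        "forged_cookie_old": check_login_cookie_only(forged),    # bypass
        "forged_cookie_new": check_login_with_session(forged),   # blocked
        "legit_new": check_login_with_session(legit),            # admin gets in
        "renamed_login_new": check_login_with_session(renamed),  # admin locked out
    }


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The last case is the inconsistency described above: once checkLogin() insists on the session flag, every copy of login.asp, whatever it has been renamed to, must set it, or the administrator is shut out along with the attacker.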
0x1: Final fix
The change is made once, in the shared getForm() helper, so every parameter read through it is covered without touching the individual admin files or any renamed copy of login.asp:
/inc/AspCms_CommonFun.asp
    'Get a parameter value
    Function getForm(element,ftype)
        Select case ftype
            case "get"
                getForm=trim(request.QueryString(element))
            case "post"
                getForm=trim(request.Form(element))
            case "both"
                if isNul(request.QueryString(element)) then getForm=trim(request.Form(element)) else getForm=trim(request.QueryString(element))
        End Select
        ''''
        'added: turn both quote characters into HTML entities so they cannot close a quoted literal
        '(the page shows the replacement with the entities already decoded; &quot; and &#39; are assumed here)
        getForm=replace(getForm,CHR(34),"&quot;") : getForm=replace(getForm,CHR(39),"&#39;")
        ''''
    End Function
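As an added example, not code from AspCMS or from the original post, the Python below models the escaping added to getForm() and applies it to the count query from login.asp. The attacker input, the stand-in password hash and the numeric ContentID query are constructed for the demonstration; the ContentID query is hypothetical and not taken from AspCMS. The example splits each query on single quotes to show which pieces end up inside string literals, and it goes one step beyond the page by showing the limit of this fix: a value concatenated into a numeric position is not protected by quote escaping at all.

```python
def get_form_escaped(value):
    """getForm() after the fix: trim, then replace CHR(34) and CHR(39) with HTML entities
    (the entity spellings are an assumption; the page shows them already decoded)."""
    return value.strip().replace('"', "&quot;").replace("'", "&#39;")


def login_count_sql(username, password_md5):
    """The first query in login.asp, concatenated as on the page
    ({prefix} is substituted later by Conn.Exec in AspCMS)."""
    return ("select count(*) from {prefix}User where LoginName = '" + username
            + "' and Password='" + password_md5 + "'")


def string_literal_spans(sql):
    """Return the contents of every single-quoted literal in the query.
    With the template intact there are exactly two: the user name and the hash."""
    return sql.split("'")[1::2]


def content_sql(raw_id):
    """Hypothetical numeric filter in the same concatenation style (not an AspCMS query)."""
    return "select * from {prefix}Content where ContentID=" + raw_id


PAYLOAD = "admin' or '1'='1"        # constructed attacker input
FAKE_HASH = "0123456789abcdef"      # constructed stand-in for md5(password,16)


def demo():
    raw = login_count_sql(PAYLOAD, FAKE_HASH)
    escaped = login_count_sql(get_form_escaped(PAYLOAD), FAKE_HASH)
    return {
        # four literals: the payload's quotes closed the LoginName literal and " or " became SQL
        "raw_literals": string_literal_spans(raw),
        # two literals: the whole payload is still inside the LoginName literal
        "escaped_literals": string_literal_spans(escaped),
        # no quotes to escape, so the injected condition survives unchanged
        "numeric_unchanged": content_sql(get_form_escaped("1 or 1=1")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Two practical consequences follow. First, the escaping is applied before the value is stored or compared, so a user name such as O'Brien is handled as O&#39;Brien everywhere in the application; that is a behaviour change, not only a security one. Second, because only the two quote characters are rewritten, the fix protects quoted string positions and nothing else; for numeric positions the value must be validated as a number, and the robust fix in either case is a parameterised ADODB.Command rather than string concatenation.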
6. Attack and defense reflections
Copyright (c) 2015 LittleHann All rights reserved