要描述:
! X3 }' Y s: N4 y& @
+ d: T- O+ d& z3 D8 |SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试$ m& l) s. s' A3 k6 x Y
详细说明:4 A9 ?* O5 E# A
Islogin //判断登录的方法% t, k6 n) G% m! o" n& n5 Y
) @* E: ^: ?1 ^% c% qsub islogin()
) ]" C/ s! W/ e' O4 T! z6 J6 J
* m' K `( L9 b' f4 uif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then # h/ g5 }1 M# f
0 S9 Q. r: `, n( ~2 g: U! ?% c
dim t0,t1,t2
8 I+ ?5 Y1 \; ~3 P# b3 d4 ^6 W
' t9 d* y p( `t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
6 j( S/ l6 Y A+ _9 L
, _/ ?( x3 D! D/ M8 jt1=sdcms.loadcookie("islogin")
7 O9 B( l; J5 n5 o# z0 K
% ~1 A# ^$ ?4 Dt2=sdcms.loadcookie("loginkey")
/ [+ j" h$ d7 j/ i 6 L6 I. H9 `7 Y% @) P
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
( }, p( d8 j& F. o D, r( E 8 _5 F2 J: w) S+ I; s5 j! i
//
2 p. ?/ }5 W8 B) T! J% d' Z
7 X: H. |' j9 H; }$ d+ g- v0 v- Zsdcms.go "login.asp?act=out"
/ i% S3 ? {& d4 L
& Z( F% t( L& G, _$ Zexit sub9 t1 m4 J$ d+ B, M
3 ^) ?! \0 y \
else# k/ K! v3 z7 C' q3 q5 c- @" ^/ |' {
6 ~6 o. O6 e1 L: U9 q
dim data
& W% J3 |/ M+ J& [. ]
* X: d& `8 y. edata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
# q( i! l( G) F: z, @2 _
' o/ H; v4 n* ^; |if ubound(data)<0 then
! `: L2 `6 `: d+ N ; k' i [. U- {
sdcms.go "login.asp?act=out"
: w$ w3 S1 v; t6 k, \ n $ L/ m3 C! j, T* r: D5 s
exit sub- @; E; }; A8 Z2 G1 C" k- |' b
/ g, Z ]4 b4 s) }% f" `else
4 ]7 m, _ k; h9 Y8 T. K$ d 1 i1 m- _; p' k9 W: t8 x2 Z
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then z; T9 y/ V: W, p+ [! Z0 J' D
: d9 ~) [! ]/ U8 Y* s; k
sdcms.go "login.asp?act=out"# |& c& T& Z* v' b
$ Q) C: [2 |) t* b* ?; l1 E5 {, v
exit sub
! P' T8 c+ E+ Z5 A, y8 u/ w1 e3 U
& j6 U* D9 w3 Gelse# J+ R1 m9 d' I- w7 |% F4 |) `
( M' k5 n; b1 E! V& e, wadminid=data(0,0)
- Y# W8 v- G5 O' s 2 o2 d8 c/ ^" R3 p! N& f
adminname=data(1,0)
- S! W, b, T! d+ |+ ~9 B) ~$ P$ ^% F
' q) x# j _2 k- [admin_page_lever=data(5,0)
3 z F- k; K( a' h" J
* W1 o* q+ {5 Q1 {admin_cate_array=data(6,0)
: `0 R+ ~% e1 l. l
& ^. j0 K3 B3 V/ A& hadmin_cate_lever=data(7,0)6 a! g( F1 q! U
5 J6 r h7 B gif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
; J$ R. d5 E6 n
0 g& K3 k. |. [( rif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
) o& C k3 M |6 L1 p- F. c
8 y1 [9 G! h. ^$ c4 Uif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=04 L* M b/ y7 T' J1 ?' w$ h( f6 u5 W
: K4 R0 H" ^% }8 u8 H4 R# K" y
if clng(admingroupid)<>0 then& ~& V4 J6 ?* t1 L1 `/ n& O
1 W" m0 M p H+ W: ], ]- |' Madmin_lever_where=" and menuid in("&admin_page_lever&")"
! e% W8 u/ e9 R) r2 a- I: _, p
* X' X: f1 u& Z6 ]: n5 xend if9 R0 ~, O/ q% P. @1 m8 b$ [' u$ {+ H
8 N1 y3 h: R' Z% O: g8 @ l9 G
sdcms.setsession "adminid",adminid
7 J0 m( Q5 G& h/ S4 x+ ]- T0 C' j% m ! h+ i/ L9 e7 y( o/ _
sdcms.setsession "adminname",adminname
7 r" Q, Q' t) @2 `0 S' \$ G& Q * K" L1 h+ @' b+ o# h0 n
sdcms.setsession "admingroupid",data(4,0); O# s3 N7 G5 l6 N/ f8 ?
8 y% e( l5 m, c4 nend if9 C/ t' z+ O6 f$ S0 `- S
, \4 T1 J0 G9 Kend if0 K( P" J4 H& A# x
, _" I! R( v2 z! Q0 E
end if
- h! a7 `/ J1 n- W - i4 c( V I0 o! W
else! A7 f R2 ?/ @% o' e+ }
6 y( Z7 |6 x2 P8 {: ydata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")) `) @; E$ w& t) ~! h3 h
D: f' o4 F6 N- U1 c& f' Pif ubound(data)<0 then3 H4 ~) E9 O* ^( E7 ^
4 e& K* |8 H5 {" V
sdcms.go "login.asp?act=out"
9 e) g+ y, m+ ?& G . T' {. Y% J7 P8 g( B2 K. B
exit sub
& j$ c8 p; P6 W/ M' ` 5 q% S* r' ^: c9 l4 G
else9 O9 d& n4 Z; |. D" U& a0 i
, a0 m) }" [. Q$ e0 g: z
admin_page_lever=data(0,0)
: t9 X. p3 U+ X0 x 9 g( D% Z% a: d( r! w; A8 e0 [
admin_cate_array=data(1,0)8 ^% Z; c d6 K- F" }( ^+ v* Z
! y8 i( A/ A: R8 `
admin_cate_lever=data(2,0)2 J' g; {0 @9 n0 d" f0 i
# f' z, `5 q5 O
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
# G; q- v+ ~9 m ' i/ @, f, I& G# i* I0 ]4 {
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
9 i0 M0 }7 h$ b) b* g
) g( p. }8 X; M! w7 Q% m2 s. ^if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
) e4 K) V; x4 V/ o( K1 H 0 w, I {) Z( h' ^: G/ {1 Q
if clng(admingroupid)<>0 then; |" b. T. j- |; g
4 ?' H4 N2 ?9 x* j+ g4 cadmin_lever_where=" and menuid in("&admin_page_lever&")". k9 h( a$ Y3 K
8 g6 R( B" @* U' a/ E& N
end if
- A. p( u3 [* `* y$ r, P 4 v o1 k( Q: K% T, ?) B J/ M
end if
8 _, X7 [# p3 P, X+ A* D7 A - N8 B# Z9 Z2 e' \5 _: `
end if) O- y3 ?6 j+ i5 e
B4 e5 Y1 Y& G0 L$ lend sub
1 l) o0 ^8 l z( J漏洞证明:: _! }, G8 D6 k# O+ p: u2 L6 a- M5 U
看看操作COOKIE的函数9 k7 V+ u/ a! l0 J
+ d" t! p% b& m6 ?: Tpublic function loadcookie(t0)
. ]+ A4 x( Q! C1 C
( ?, i( E+ \' Rloadcookie=request.cookies(prefix&t0)5 b) J) O; h( K+ D
3 {3 @ L, O) `4 ?
end function$ p+ a; }! b" A& H) i3 x; d
# C6 p# q: {) V/ W8 Z# V! ~
public sub setcookie(byval t0,byval t1) {/ L9 Q4 k+ I! E
1 H* H; P# A& u3 Q I+ k4 L/ V9 q# J
response.cookies(prefix&t0)=t1
; ?) x& X( @2 b. @5 ^ 4 N/ |- ~: _6 \8 d, d
end sub
" X {6 f1 E. U8 \
2 f. o" d+ a% F( h0 Yprefix5 i3 g7 X. F7 @) A- g! w
0 J$ @; B( G V, y, J, V6 o'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值7 r! m/ d3 B& @8 E' B9 r, F4 R' p
/ O9 B+ s7 V$ f4 {
dim prefix
3 ]7 u2 F2 W7 @( V
* L& Z# b+ T: n% D }prefix="1Jb8Ob"
0 b0 w& g# R% C* S0 C 7 Y- w2 E3 V4 n7 o. P2 O, z
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 $ ^7 Y) V: F* ~- e! { e
$ Q7 w$ k! a6 G, x% k6 S
sub out1 l4 a3 \: Q- \. A! f
; f. ^( @+ \6 m( O- {! ysdcms.setsession "adminid",""6 `2 g x% D( W# ?7 Y1 n
* ^) A( a4 b( k: a" @! Y8 Osdcms.setsession "adminname","") o0 c" `* O. |0 B( Q' U' Q
) j K- [: K' Z: o$ i# lsdcms.setsession "admingroupid",""0 O( V* Q* O- D. B2 l
6 r; U# z' I8 [7 _% Ssdcms.setcookie "adminid",""
u. N! H) H- x" R9 w/ M% i / P+ H7 ]# B' B% G
sdcms.setcookie "loginkey",""
" u6 n& w' e$ k! ~0 @1 S/ j
( D( G6 z5 X6 H& Rsdcms.setcookie "islogin",""
# t* E8 ], ~# |2 T - H1 C3 N) }7 W' V4 F
sdcms.go "login.asp"7 n) i! D! w$ L) A! y# j
6 c m3 G- W9 [2 K" S' ?+ ]end sub/ u1 X) A' d* w
V$ j0 I+ Q* T! L# Y/ `3 ~3 K) [9 h
% S: L( k' g5 x利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!3 r: R: {6 @- C' F! w4 a8 ~8 V
修复方案:
9 x# X$ F/ }4 i, ]/ P1 J! M修改函数!% C" F o) J5 e5 v
|
发表于 2013-7-26 12:42:43
收藏
支持
反对