要描述:
4 W8 U% Q! g3 K; O& w h: E- q6 n/ a& ^
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试; @7 f: S/ @6 h2 x: I2 t. G
详细说明:
. `6 m: ?8 j& }. \+ b, xIslogin //判断登录的方法8 N+ m f% P8 u( M
. A3 C; g/ l. w Ysub islogin()/ r9 F7 X7 w9 R5 Z0 X
/ U6 s7 }- F7 i; }; ?
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
' i- {) R( i2 s- @7 m4 Z! ~' c& j
% B7 W O; C- @, D8 `8 g. ?dim t0,t1,t2
$ H- m( K7 Q3 J! K$ \ , B9 K# ~; B, V" z3 w3 `! r
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
# i5 B, t9 p/ a/ ?$ L3 | ; ^6 G* u$ ?3 w5 m' s9 k
t1=sdcms.loadcookie("islogin")
" W6 \/ V; N, P I$ I t0 o" `2 }5 e f
t2=sdcms.loadcookie("loginkey")
; v9 p0 C: g; n) H4 Y# A$ @
* w' T2 ]" j& { q2 fif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行 f; T8 k, ]; j; U6 h: q N: |* ?
2 T, C2 u4 J5 K @//
5 `( ]2 v. E$ q( q+ E $ { s) y# x$ ^) o4 t/ `4 y
sdcms.go "login.asp?act=out"
5 r/ ]" }* s# S% |3 J
/ n: Z$ S0 k; ^ h: }, R! ^7 cexit sub ~, n- \& X" Q+ {# s5 ?- z8 ]
5 h# L' s5 p" e$ S7 z* w
else A1 y+ w/ G1 M7 e
. w$ T; t ^* G" Odim data r1 o: |6 g$ \- G* a7 ^, y
5 [5 R! B0 W+ t5 f) w" m
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
1 _$ L, F$ g$ `% C 9 H4 i( i( G- f3 ?1 l
if ubound(data)<0 then0 U! c6 b$ d% K! l K
7 W* n/ d" ^ Y6 r' p) G; V% u
sdcms.go "login.asp?act=out"
6 |: v- ^3 B" |$ X# M6 Y
0 }: {5 f0 {. T* }+ d8 u- eexit sub
. t& n' v! C, ] ' ~4 [! h/ r! R
else
" T. ?! a; C" \3 @" B4 w
, }+ U3 Y0 k* w0 M, O5 tif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
0 m6 J8 e0 P- y3 @4 `: P# p6 I
3 ?8 L4 y+ i. f( u0 J5 \sdcms.go "login.asp?act=out"
) A2 V; H9 v# V1 H( K+ t " E3 O* S) h! T4 j( n
exit sub& T/ i" M% [" j+ O2 W0 b+ q
& b7 q7 K6 v3 S u' ~
else
& s9 k2 M. f: a1 Q6 n3 b( ?- Y 3 E5 V; G! L$ \% C- u5 |* n" r
adminid=data(0,0)% Y. n" Z* N. E$ x' p
! q; \! c0 X( F+ x: A9 e h
adminname=data(1,0). l$ F( r3 K& G8 _4 ^8 v( Z
8 T9 }; L, `- a0 _. K7 z eadmin_page_lever=data(5,0)
8 Z7 j6 c3 s6 }1 Q. H 2 S% V$ Y: _* C @ j
admin_cate_array=data(6,0)
4 j: j) Q7 N9 x
% B1 B' y- U$ n% B$ b) Eadmin_cate_lever=data(7,0)
" C3 a5 I1 n$ g6 N
$ N, o" c" K5 o. x/ m9 v$ W3 vif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
" R# p- h& Y' [( |+ v
9 Z O+ w% Z- X+ [$ l, Xif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0; N7 ~' C- |) X1 u) ^5 F: j( V
2 a( ]( t& y+ n; I# c g6 Eif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0. I: B/ N. Z6 v9 h$ {5 f2 K
' z* v9 T; O8 Y# Dif clng(admingroupid)<>0 then$ U* b+ O& M, S5 E, j3 O2 e
8 B, J0 D3 F7 x: T3 p. n7 q8 g
admin_lever_where=" and menuid in("&admin_page_lever&")"
- l; {2 [4 X" v 0 ~1 g! B! \, \+ j+ n
end if' Y0 B3 w5 G9 E$ m2 y6 T
3 y, u$ l" f7 }3 g( J* M
sdcms.setsession "adminid",adminid: o/ u# i8 Z, k
7 G3 R% g9 e2 d- i% A* Bsdcms.setsession "adminname",adminname& n, G) }! T& B) j9 U
& U! p, J3 a% \1 d8 A
sdcms.setsession "admingroupid",data(4,0)( `9 I x3 L, ^+ C/ h
8 V0 `$ z# _1 uend if2 W9 x( `: C$ \! v
: r8 ?7 n1 g' h8 N% m: Bend if
% w5 K- |4 ^ k6 H) q( v! {. Y8 i
! N9 x0 W* ~6 y: e$ _8 D, kend if) \6 K0 K& l6 |- z# o$ O. B
6 u, q* b* J" B3 m
else
4 U! T) a' U3 [+ g - A( y; U: Z! c5 i, }% J
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
# s( T7 _: q8 U% l$ t 3 H0 S: _6 a" a! C+ [; W
if ubound(data)<0 then0 c$ Z9 v) u: [9 X& A: v
- k. X! D) \5 Y
sdcms.go "login.asp?act=out"" X' X' U. a1 V+ ~4 Y
( S7 V0 A5 S+ N- G
exit sub
: H3 J" A) x8 t' j : D% Z. X1 t7 q4 A
else
% U- o* {7 N: z! T* Y/ g { ; K* o, z( t8 l/ C$ p
admin_page_lever=data(0,0)
# ?+ q* a& s3 b
# O" [% Y% Y. H0 o& Nadmin_cate_array=data(1,0)
9 U, E# d& W; e3 e % p5 u& j$ g/ A: q& u; ~9 W+ \, E
admin_cate_lever=data(2,0)/ h* o' H/ X t4 l& }- n* r
. s* z& w0 t$ V5 s
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0) l i7 C0 S* c0 F
9 z. x4 j7 Z4 L v
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, r. r2 G3 m9 h& @
0 F( l1 e$ q- t8 l
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
# D( I0 e" p1 k% m6 Y3 _ z7 d
4 A% [) g2 ^$ k0 A6 P. Kif clng(admingroupid)<>0 then7 z: g, M' c! \; }1 y; m* `
3 b. x# h |( c7 @! H# R
admin_lever_where=" and menuid in("&admin_page_lever&")"5 W/ ~/ ~& Q C
% ^1 y `) W3 K$ ~
end if
) p3 h1 j9 h) m. W* s
: Q& k. D$ C$ M. Wend if
! @4 y4 O w& E* g$ B1 S 9 B# j* h% {+ q' a! } W
end if
/ }% y- X7 A) V
$ U! Y- |1 y t$ jend sub' a f5 `, _8 w# r2 f6 G
漏洞证明:
6 R: f! D. O* e. {9 C4 S/ ?+ F看看操作COOKIE的函数
: P. c& T: }. P# N6 s$ {, J5 ^ ! M5 A ^* r' Z/ g8 N2 J
public function loadcookie(t0) k. G6 v r( T: ^1 D; f
$ x) L% u! F) X3 b
loadcookie=request.cookies(prefix&t0)/ `7 _6 F* a( X- I X9 o3 i
% R1 K! g: q* a: [
end function. Z; }6 d- [) @" U* ]
1 e: h7 I0 b5 [( A! b- H f( fpublic sub setcookie(byval t0,byval t1)" ?' y6 u3 p8 b" [, [4 H) s
3 I3 H$ _( M% j% L$ Gresponse.cookies(prefix&t0)=t1
+ f1 r* g$ K% [* I- @ C5 [0 |# k/ o& j0 l @$ U
end sub7 \! S, l+ [$ Y1 Y
: C4 J7 n) T6 z# V5 d/ x
prefix
% Z% J# o, n! F) t0 b1 C
! n& @. ^, J! y9 |7 Z3 Q, j'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值4 r0 J0 Z. L' ^4 L
! n' f. T1 S" G
dim prefix2 f: s8 B3 R# G. t }: `6 k
/ ~( L6 k* S' x8 L# p; I& w8 Yprefix="1Jb8Ob"8 d! n/ Z/ S A4 O: g
: [4 `6 P: a1 ?4 F7 w3 k'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
2 l/ l& U; @6 X3 `0 k& ?% } # N4 @) W* l: s. t" e
sub out- j2 D+ F0 `2 a
( H* L! @$ _; [" b0 isdcms.setsession "adminid",""
4 Y9 @! U X. c) ^: k% f ( W6 M0 x5 L" w% P# W z
sdcms.setsession "adminname",""
; ~# ~! _# _$ w6 u* T8 [6 ]
6 r7 b @3 p% O! O4 i+ ^sdcms.setsession "admingroupid",""
7 v }, a" ^2 R" A8 z4 p 2 U% ~, j) {0 F# W; H' ^* G9 m* c
sdcms.setcookie "adminid",""/ a _5 \0 l4 s7 C7 i3 W5 ?& ]: a
4 U1 z2 G G1 Q0 i. [! Y+ t2 M4 O
sdcms.setcookie "loginkey",""
6 `9 i$ o+ T5 L9 p& M' w' G- Q 0 K. G* V8 g. M; Z% l6 ~) K& d+ G
sdcms.setcookie "islogin",""
: L+ ]: ?$ p2 t8 l; M% B
, k1 g0 Z, i, Y& k& a jsdcms.go "login.asp"
( i- a$ j, e0 ], K# ~( ` , i1 g# b2 N8 n: t& B( U& F# ~- e. z& `$ K
end sub) q0 W0 i3 a4 w5 V' v
4 O- r1 X9 t% h+ B" j( ]/ } 9 B4 ?! z- R- J" S0 H
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!: i, `9 Y5 @/ h8 ^( l, ?9 ~- V
修复方案:& a; Q, w8 I/ m# |) G
修改函数!
0 M4 R! O9 I4 ?4 I3 D |
发表于 2013-7-26 12:42:43
收藏
支持
反对