要描述:
# n) n1 S$ f. Z; P7 @/ P, L
6 G. s: K' Z' m1 BSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试8 w& n$ H- g( v- E
详细说明:% J7 x, m/ }0 w( \2 h- a0 Y' G' k
Islogin //判断登录的方法
: B- e) Z8 O& G' o0 a8 N $ f" W' {8 \5 h5 X
sub islogin()
n& }4 h2 q& b' Q6 s
) b5 n, Q/ f& o; g. oif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
- p, B3 E: B9 `: {7 H % B }) K( q# c. H5 E. D
dim t0,t1,t2 0 t- V4 p4 J8 H Z; r H. X" [ @
3 ]' H" P0 n0 s* u( j* Y+ B
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
9 C! f. D( [" O, K! c2 l5 F3 B. Q
8 p* N8 R; M. H2 x" Xt1=sdcms.loadcookie("islogin"), W2 r/ | `! d1 v
8 g0 `$ Z- p9 Kt2=sdcms.loadcookie("loginkey"): G% L1 M& v5 O& n
; Q( B! A; i" e, q: |/ [: `if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
; p+ B6 F3 u- J0 H2 c+ b' m# A: ~% M2 x 4 h4 c0 N* m6 O$ v- t$ k
//
; G% h# G6 g; b/ d: l5 n# W& Z5 { % Z( F- |8 l" Y( C) S Z
sdcms.go "login.asp?act=out"
- y8 A& D7 O2 p0 X- f: R
) w- x& Y6 Q4 N/ ?3 R' `exit sub
. Y0 z- ^; J2 s7 _3 U+ b# Y' m; @ 4 M# w/ D7 `; ~6 j7 p" b$ I
else
, T. E; F* }- F$ y( u- a
( }( |4 M4 D5 o& q5 V: O4 ddim data
* F! C% k& \6 u- r* f 4 T4 d; R# T* k. h1 d" e
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控1 n3 b4 K! L/ f) m
0 r% }8 M$ r9 r! wif ubound(data)<0 then, w: c8 j* c5 G" N/ i
/ M8 Y7 o6 F! F. D
sdcms.go "login.asp?act=out"7 l9 w2 j. `- L8 O( P$ a0 h
_$ w4 z; ^6 S% C0 G5 ^exit sub
0 S5 i; K. p( d
' k+ |$ y5 J3 felse
% s" C$ \, U1 o d0 r1 Z 9 v& F& I+ n; C$ \1 u8 ?/ a+ X# w
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then7 G+ G/ ? ~: }( S+ t
- |( f) K# y: k: e# V" Osdcms.go "login.asp?act=out"
* M. w6 d# X7 q5 y r$ D0 ?% R1 }. s # Q/ i2 o, ?9 z- d+ c, V5 M; [
exit sub
$ J+ d4 X& {# x6 ^/ c D 1 B$ G4 m9 u# w# R
else
9 }$ c; _" I; C, U; h) S) c# D( N( B
y6 y+ f" z4 d" a4 J8 B/ Ladminid=data(0,0)
, Z5 ]' R+ q& Z% V1 G/ B) M
! @" ?+ F+ {+ fadminname=data(1,0)
& y8 x; l0 X, n: C3 a
8 e; k0 n- p2 c- [ Zadmin_page_lever=data(5,0)
4 e* M1 n; }0 U+ x- J2 p3 R6 [% l0 w' L % v9 {# r) G$ @" C$ i( c
admin_cate_array=data(6,0)
5 i" f" f5 I) }1 [. q e , Q4 Q: R. J8 a' e! f+ r) N6 ?* _/ @
admin_cate_lever=data(7,0)
* B- n7 V" l# W4 u* [% l
7 w3 g- D* {1 q, x; ^% ?3 Iif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
7 Z+ R. Z! h1 |% O8 H4 [- `, l
/ x4 |5 h" m! K( ?; B! @if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0; D: ^: }! G* @7 V7 V& |" g
/ t/ H5 A4 c: a
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=08 _& Q) r7 _1 \& N0 N
5 U! @" k9 u, X1 k. }6 \ B
if clng(admingroupid)<>0 then- Q$ X; ^3 y1 ~( e% x+ n
6 x4 k3 K7 @) S& i& j
admin_lever_where=" and menuid in("&admin_page_lever&")"
# X; F. p4 C. _; J8 B3 ] ! `% [- N1 q3 ~& d& B% `
end if' k9 g2 h0 v- S7 [( o7 N
$ p2 q5 l* N& M& Y/ K& Bsdcms.setsession "adminid",adminid
' A" `; S" b* F# P s4 }, a8 `6 M
! _: U2 F$ B4 `9 msdcms.setsession "adminname",adminname5 ^5 {8 g$ { I$ t/ r
" Z1 `- _2 H7 Q: `
sdcms.setsession "admingroupid",data(4,0)% M3 |! j8 _) ~9 F% {, n7 ?
" `& D5 p7 X$ a! y$ w7 L7 O6 aend if" c- l1 |/ S6 B0 T$ e ]
4 ^1 Q+ _5 }7 P, {6 |- o2 Fend if
: S5 S: r' k& K0 Z* A: V5 B
9 q7 W% l# i: P$ Z7 y. [+ Eend if) P1 I7 q/ C9 v; J2 ?2 P
) G8 b' u1 _. U- T4 J4 \0 y8 Q
else
% ?; R7 A1 B8 q7 \
3 m. E8 A6 x4 {0 \' ^data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","") O. ?5 C0 U! V
7 O2 N7 j- s7 D& V) N: H- Yif ubound(data)<0 then
5 D) M7 e% J( ~. X: f
/ i* k9 k: a2 ?. J8 L9 csdcms.go "login.asp?act=out"
: N P3 L* j4 G$ r- H# a
( u; r8 |& Y2 Cexit sub$ B u @9 d3 A/ T f: m3 k
* N9 o+ Q. ~4 @5 M* Celse
% }, R3 A- O9 Z' n- s 5 S( I* u$ y/ _ \5 c4 [: d
admin_page_lever=data(0,0); y$ [- s' C8 f0 o1 g% f
, O5 S4 p) y) Y* I
admin_cate_array=data(1,0)8 Y; _' w, U: d" Y& W
( g& y- r7 j6 a6 A2 Y/ | l3 _
admin_cate_lever=data(2,0)+ ]' e2 {" ]8 z' U( T
8 r% X' L7 P- |: ?6 O; g
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
6 q7 U( Y, ^ z. f# y : ?# F( X% `& m2 w
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, L& k3 T! S1 V$ e U6 V1 ? b$ Y
7 V7 T5 |& S/ ^
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* o q* V8 v- u4 J" A0 r3 D6 w
& R; P4 n; m% ?4 Bif clng(admingroupid)<>0 then+ T# w7 s4 Y: ~4 A3 U A+ }
, x- c) E4 Z" i, s9 ~- |% o* Qadmin_lever_where=" and menuid in("&admin_page_lever&")"
" t; ?! E, g I. n! @1 E, o" l
! p% T+ |$ `( w0 J% `+ a5 uend if
' ]9 \ c: w% E2 O; n 2 k* J7 G# \1 F# @) S( P" Q
end if7 C' u1 k* `: E9 \
7 [! {5 i( N0 N% uend if
" w2 P' z$ l9 ?: N 8 t$ k2 j% r& ~ B& K- b
end sub# k/ O/ b; ^1 v+ k! {4 ?* a, |
漏洞证明:2 n+ C/ ~3 {! w$ }$ Z0 F
看看操作COOKIE的函数
6 q4 p, F+ U; H( b+ x
1 B- r( z- Q! P. ]/ Mpublic function loadcookie(t0)
1 o( L/ h/ f" ^( c
/ H q" T' t7 a. aloadcookie=request.cookies(prefix&t0)4 H: s4 z3 m4 f3 ?5 \: y& A
9 [8 ^5 o; q! {7 k- A
end function
% ?) h J; ]% Z* J6 N4 K$ y J$ T
! W' m8 h$ P9 R' n2 k( ypublic sub setcookie(byval t0,byval t1)+ @& e* L# s0 p
/ E; K' V, m- G: w3 o8 G) aresponse.cookies(prefix&t0)=t1
0 R4 N* j& S& o' t6 X- ^- x h7 ^
9 s4 h" f0 j4 M" {6 g" t( lend sub
4 \8 e4 C5 y' R+ F
j# w* H1 }; [. _" }, w) C' X- L+ }prefix
$ B$ O$ a% A; b& ~. e: W7 p . s1 ?5 a* i- b8 Y3 j
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
* [& O$ z* D3 w9 r 1 g. y% S# e& i" A' R* t; I5 r2 A
dim prefix$ z0 q2 |3 L1 k U0 n
' h `. @% c# c2 Zprefix="1Jb8Ob" k9 z" ]3 N: t( Z$ m# B
7 m( _: d0 [3 t0 v2 I'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
! h' `; B' ~, u6 N$ f3 S) ^; y 9 J7 o5 M1 v# {# F, S3 I) ~
sub out
5 t; e+ `3 c) C
8 u+ |% h; @1 p4 _- S" F+ Isdcms.setsession "adminid",""- q9 k9 d+ [0 `; G$ v: Q. }/ T
+ a8 ?) r3 f6 }. I! j/ c: v+ w( |
sdcms.setsession "adminname",""
8 g" c; Y4 }4 S3 B' }! ^. ^/ k: M9 l0 t
c, M/ ]: g' R/ C) }sdcms.setsession "admingroupid",""
2 w; @2 Q( I3 Q. t 8 N7 r4 \/ F4 M# ?: ?% P9 K$ A0 X
sdcms.setcookie "adminid",""/ P9 C8 V% N( ^! q$ P* O' p
5 ?# w) l1 k: B1 ^* Y5 s
sdcms.setcookie "loginkey",""
& g6 C p V1 H/ L . j2 Y0 z0 c& V; U' q& u+ l- \- S
sdcms.setcookie "islogin",""% v8 {& A! f, V. [$ w4 I
1 E4 t4 a' }% C X, l
sdcms.go "login.asp"
5 w6 b- R- O/ {2 b1 y
7 Y- L$ ^1 W9 @' O" _6 aend sub/ e6 v7 r- T5 _
0 p8 {$ f. ]+ m2 W& V! k 2 Q; L4 D4 u1 Y l' P u" [
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!- j5 V/ C( V2 w [$ |9 r
修复方案:! d1 h+ C- y. ~( J- Z
修改函数!& m I2 A- [- q0 P/ D5 H) _
|
发表于 2013-7-26 12:42:43
收藏
支持
反对