要描述:
y# o* e' }4 B
0 { B- a4 o, a; Q) G) bSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试+ ~* N# V2 x- q i4 \! M0 T
详细说明:4 F8 ?$ [$ X3 m7 V E
Islogin //判断登录的方法
! T( z& w4 @5 [: c7 B4 G0 {) E
* ]0 @6 M! t& h8 b8 ~1 Y. ]& [sub islogin()
' P' ^6 f0 W: Y: j$ g/ L + D1 [ k2 D8 C7 D8 A% l
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then ! ]5 n2 O7 _ ~' I0 B, Z) [& n2 U
& p- M8 t" a" tdim t0,t1,t2 ( V3 c7 j) w/ K9 G. v( k1 V
5 _% u( B$ S# r6 }. _' vt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 2 [! H3 j v1 f
' \; ~* u) y+ P d9 `( Bt1=sdcms.loadcookie("islogin")9 x0 n0 t5 H' ~: U3 B; X m
0 _$ O. N. ^8 r: a1 h E
t2=sdcms.loadcookie("loginkey")
5 `( J% c Q0 j9 D- P& K
8 Z' g6 Y- y$ Y% t) c% c4 x, ]/ q2 pif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
* J7 O$ [5 {6 }) p# j/ t7 B
' Y2 p% K( n% V//
& b* W6 M4 Y+ e+ {# }0 h# j% G/ @ 2 P- J( d, M7 t: i% D" D
sdcms.go "login.asp?act=out"
. @( g+ }9 d9 C6 q4 w 4 G9 _* {) Z6 L
exit sub
9 i, ?: W! L& v 5 q- ^# C5 O8 y
else8 D7 ?: n. H/ T8 ~' {0 b# y* K$ n
* k5 y7 k# b: e |+ l
dim data {, @. L U) K' p2 x
' i: B2 i4 Q/ u2 [data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
0 E! R# Z( l; O1 S * e5 ]5 `" K, }: p8 h
if ubound(data)<0 then4 A( I2 i# ?9 B$ a. T/ q |4 l$ q
+ i& p( @) h% r) r! xsdcms.go "login.asp?act=out", O; e8 A+ ?" Q4 A
1 i2 j5 Z+ {, \2 t( J) w. C
exit sub% ], o) T9 S2 m; X B' A7 u* O6 A
5 ~- y! X' o x2 D0 delse7 v( D9 y0 _# N% J
% n0 ? O- v2 w* F8 q) Uif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then0 u: A7 Z6 X+ E3 q) G9 b
5 F' h! ?( x6 X; m, L8 k- J9 jsdcms.go "login.asp?act=out"( ]% }0 G1 s2 K" |
2 Q8 N* n5 U# v- q3 o" p( X
exit sub
4 B5 Z& X" u" O- E# o1 v
9 [% G. z/ p0 S" o% uelse2 ~/ s: l8 p- o/ D9 |( W0 \! S
$ W) ]2 a% w; v6 d' X! ]; oadminid=data(0,0)
+ H( A9 t! s* L5 S! e7 ] ' m1 H( s3 i: W0 p' i
adminname=data(1,0)
' \% K) @' p% N
- s* e1 e0 x: k$ l P8 i) oadmin_page_lever=data(5,0)
/ v$ R# ]2 B; o5 G
9 {0 G- B7 Y9 F! ?% Ladmin_cate_array=data(6,0)
4 s& U8 A) G9 j
5 Y6 l$ Z% E! J# x" \admin_cate_lever=data(7,0)
' m* c7 a3 P$ V3 L/ G/ m* e$ Q v
3 e7 l* ?- E }, w* Dif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=06 V* e% M" Q% z. L: H" x6 X
2 O m1 p9 ^$ c) M
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=08 \& L0 x+ o3 a9 }7 N* k
: f) o9 g' F4 |9 e* G
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0 J6 w6 }+ J; w0 Q- i# x
2 H4 p2 [- i0 T. e& S$ [7 D* {
if clng(admingroupid)<>0 then
8 f) {) P% G( h/ N% G
4 u( _! r$ |1 V& v8 ^admin_lever_where=" and menuid in("&admin_page_lever&")"
( k, o% t2 V9 V4 ~! J% {1 k T3 o* n- Z, t- B- k
end if
4 c- W$ C m x6 ^7 ^ - d8 Z* r" ^& _# J8 Q
sdcms.setsession "adminid",adminid K0 B! h- K" N+ u' ?
, W0 {8 c) g& i' ^( s8 D# ^
sdcms.setsession "adminname",adminname
6 W. M$ G# {; m. A% V! W% m/ Q
1 q$ J+ R/ N) \0 L/ l+ w" Lsdcms.setsession "admingroupid",data(4,0)% l5 g y9 B \* v0 O) |3 X
: E- e: g5 r- E1 h* p! ?
end if' d+ Y% ]# N9 g5 e% m7 Y4 ^9 J
- z! _% a4 F4 V5 |end if
6 w" [+ l- O0 z, S# V6 y }3 N , i3 j9 o# R3 A$ n% z" i: p
end if! @0 c7 C8 [2 Z7 m
3 r6 i5 D, v0 d* [else' m/ r9 C( [& x d
& D1 y) T( r4 ], u8 F8 V. udata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")% O; F: G. P; u" J: E, J6 O \* u
7 L+ D# F" o* N l! mif ubound(data)<0 then8 W( A/ W' Z. ?7 c
% K# L) t* L5 R, Vsdcms.go "login.asp?act=out"1 k4 ~( r. `# d. U
O+ k7 |, n2 r) A) _ G* N
exit sub
" G+ g. M/ k" w" t& o
( N( {& A5 p% |3 O4 a* s4 O+ Q1 pelse j7 `# _" e9 w1 [5 Y
5 U6 ~/ Y# \" W4 R
admin_page_lever=data(0,0)
+ l, j0 k( A; D! s7 T3 ^) M, k
6 P2 s {7 w! J5 R( o C/ l# ^9 ?admin_cate_array=data(1,0)
) G) s+ T k0 }& F9 |6 e1 e
9 H1 D9 S! L8 `( \/ O$ I% M9 T4 A; s( madmin_cate_lever=data(2,0)
8 f: w) q+ r9 k0 M: G: [0 w1 d 5 u) I, d. k8 I: ~3 p
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=05 ^9 m8 r3 @" Y$ y/ U
5 L3 j! U6 Q# ?4 K5 {' Iif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0) Y- Y$ J8 Z5 E. P0 H- v0 j+ o. A9 J
; h# E0 |8 v5 P0 i
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0- i6 G& {' {% T8 _: D
8 b! C0 f r6 |* _( P* h2 W d
if clng(admingroupid)<>0 then0 u( ?8 f& l- t. g) L9 w/ L. ~* z
& [9 X- c: D A) M! eadmin_lever_where=" and menuid in("&admin_page_lever&")"
% Y2 I% K( _/ H4 ^* A( {
- I) ^* |0 J' K+ _5 ]end if
' k% k% w6 a1 ]' \ 8 B- \0 e) y$ U. Q
end if q' x2 t0 y2 h3 L) p1 G, p' E
. l& B/ g' @7 o i* }& o; G
end if
- }$ z+ q( D% O& r8 [: U G9 {0 g$ R! M- m. b# A- s
end sub
0 R% _. R9 M5 |) V+ L, X3 S漏洞证明:
; F ?0 b) Y* q I3 g3 }$ M) R看看操作COOKIE的函数
- `3 S# N1 V: H' O3 q: Q% s& Z / V N& {( h7 U) ]% N
public function loadcookie(t0)
, I6 u- s' p$ V# R
* U. _. h" T) m1 A0 J/ W$ kloadcookie=request.cookies(prefix&t0)
6 F4 H: S4 w* H$ x7 Y6 F0 T
; e, q' s; r r' tend function
5 a) N" e" f- K " I- w# z* X. m6 f+ }/ z
public sub setcookie(byval t0,byval t1). B' Y- n* I1 x$ j# z2 u- f# Z0 r% G
6 }0 ]) m3 a/ L. M- sresponse.cookies(prefix&t0)=t1
) Z1 P% \% b8 v1 g e ( o9 L, a& }9 R2 }/ s* h, f" d
end sub
" `( v$ X1 r) t# V0 O* p+ A
& I4 W# g( O: l. ?prefix
" _% M' N4 V$ q) n8 E+ d. e- y/ a 7 q) H1 u+ F* h2 k
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值, e' M( G. J, K6 O8 x* `
; ]3 ^2 _3 P' |6 k$ ddim prefix
$ X2 _; ~' }% Z1 t0 N0 ^, T
, A# N. \: Q9 Z( A3 qprefix="1Jb8Ob"
5 ~# r4 w% A' W# c$ V4 M$ Q- v : K+ E2 ^4 |9 M" t. D3 _3 T
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
; d2 L6 f# I& Q- x1 ~5 o 1 Z0 H z3 d. G9 E7 l$ `5 \
sub out- e9 G1 W7 f6 `
, W {/ Y, _+ N' d: csdcms.setsession "adminid",""+ A. Y" c3 P2 M; Q Y
$ `7 O& w9 a' b. u4 E3 Esdcms.setsession "adminname",""
& z. a& ]* e% Z7 J8 S) T @
( i1 W# g& [* {, Y. C& esdcms.setsession "admingroupid",""
) K S" Q4 n3 @: v+ k1 Q
) `: f2 h( J- E0 F4 G6 _0 Xsdcms.setcookie "adminid","") n f2 c& S5 g4 N, v, y& |
& F+ `; |0 M" h! C ^' `
sdcms.setcookie "loginkey","". O+ C8 ~7 u! H, i0 J/ @/ O
( e6 N* F2 e* Z" ?2 p, r1 Y3 o$ i
sdcms.setcookie "islogin",""
& U+ q& t0 Q# [$ E& `, I * ^2 h% p; X. B8 S1 c
sdcms.go "login.asp"
. V+ R$ W4 Q9 `3 E8 U, f7 f% L
- P# e# _. H# m$ k4 D& Nend sub
L: n' o# Z7 n& ` 2 V( W5 Q( x9 q5 k7 h1 K) l
! K5 d) m8 Q+ y/ `
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
: i! Q% p; V& o修复方案:, k9 ~4 w6 S. L& s' x8 A$ T; V
修改函数!
+ Y3 \8 B) k) o, s* `$ } |
发表于 2013-7-26 12:42:43
收藏
支持
反对