SDCMS后台绕过直接进入漏洞

admin

要描述：
$ `( x  {( W% R
. O8 a8 x7 i; S8 g6 T& GSDCMS后台绕过直接进入：测试版本2.0 beta2 其他版本未测试
9 J: I8 Y2 A" ?0 a, d$ e! M详细说明：
Islogin //判断登录的方法

8 c2 x" O! {1 K- B- ]3 ksub islogin()

" p% r0 R( m: G. bif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
, ^  e; k2 W  \3 ^. D
, ?( H3 q1 `+ Vdim t0,t1,t2
8 Q, e/ `; g  |5 t. T% F
5 n: I; x" u7 W  i+ H! {5 Ct0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
+ q6 e6 _* x3 E2 \' ]3 W% s" A0 c
; H. ^; q7 y5 A$ e$ G! lt1=sdcms.loadcookie("islogin")
" g1 v9 k# e+ d. H( ^) w* M
t2=sdcms.loadcookie("loginkey")

if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行

//
5 e# T4 G; b; l2 C" k+ Y* H
) c6 C1 ~% F. M7 I! W& s  }sdcms.go "login.asp?act=out"

exit sub

else
" S% J$ P3 u0 f6 u1 F
dim data

data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
/ _2 o: I# h+ k7 c1 O' c* k& R
if ubound(data)<0 then

4 j: G' `0 s- X  [0 e) s1 Jsdcms.go "login.asp?act=out"

9 v, z$ h3 u" o1 o% ^exit sub

else
; c. j' ?- ~) I! \
  h  y+ \( C; D4 W% vif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then

4 ^2 K( y3 r8 m1 j$ A9 Lsdcms.go "login.asp?act=out"
- C* G* Z0 |# C5 }
exit sub
, S" M( ^+ Y/ e3 F4 A
( Q  `0 K$ p0 |, [; @: T- g# Celse
; o8 a8 \6 Z6 }; g; E. |
adminid=data(0,0)

8 q. v0 f; x" `; badminname=data(1,0)
7 B! a3 q0 q, \, m+ Q0 @
admin_page_lever=data(5,0)

admin_cate_array=data(6,0)

( C. e0 Y. n/ U1 b8 vadmin_cate_lever=data(7,0)

if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
5 P0 A# @9 W) p: [/ A
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
; m* P- b; `6 \9 L$ {$ Q4 z
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- ?" f3 ?! t+ d/ I
- T6 @4 [# w5 s) q$ b! bif clng(admingroupid)<>0 then

% _: d4 w4 g- ^+ C! R- `$ M* Nadmin_lever_where=" and menuid in("&admin_page_lever&")"

7 {2 i5 s2 h- G$ `2 b6 F9 f/ Yend if
0 Y# _+ u  ?5 x- x
; C7 I3 d. d4 ?/ T1 Ysdcms.setsession "adminid",adminid
1 c, K' M: ?+ I: W  L9 `
sdcms.setsession "adminname",adminname
3 q. V0 P8 _( Y. t7 E
9 J, e# t0 x* usdcms.setsession "admingroupid",data(4,0)
2 Z" w6 S+ r* a4 E- @
7 r+ ^, n3 P6 m* S, S, U8 Rend if

end if

end if
; A) G; @8 z+ k1 i, y, G: V- D
else
0 p5 k" K0 z; V8 N; R1 g
2 `- B% o6 ~. F% q& u, x. ^3 \data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")

  \; P) [9 L, \8 A) rif ubound(data)<0 then

sdcms.go "login.asp?act=out"

exit sub

else

9 O# b* O& k$ Q9 G, i! Tadmin_page_lever=data(0,0)

admin_cate_array=data(1,0)
; h+ ^0 g) b. Z' T
admin_cate_lever=data(2,0)

; ^5 \% p2 r; w( Iif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0

if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0

if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0

' q7 D3 G( ~) Q1 Lif clng(admingroupid)<>0 then
8 r: g! e1 \7 ]' P
* c$ v- O2 Z* O/ O8 ]6 `; ladmin_lever_where=" and menuid in("&admin_page_lever&")"

! s4 F4 F* F: R6 U  u* d/ Qend if

end if
3 b* Y6 V8 `5 a0 W; @- Q  u% F3 h/ G
' ]3 F2 n; |/ J8 t1 o: l7 oend if
) K/ Q8 c  ^0 E& R' y
9 K) ~8 C$ E6 |0 n3 g  i. Mend sub
% C7 L7 _4 n4 B( \2 u" y+ g漏洞证明：
; \2 V' E: o6 I" [2 F' Z5 Z  \  t) z看看操作COOKIE的函数

public function loadcookie(t0)
5 q; Y+ k4 ?: X2 z# C
* v2 d0 w& r/ Q: ^0 A; @0 Eloadcookie=request.cookies(prefix&t0)

; Y# |% w1 |$ F/ G) Pend function
1 O# ^* C9 i1 |4 B) W0 E! J5 m
public sub setcookie(byval t0,byval t1)

/ N4 [' p( K% `2 T3 Vresponse.cookies(prefix&t0)=t1
, e! B1 g* q6 C6 X4 c9 i
end sub

& `  D, M& F2 G! h  Qprefix

- D+ T  K; ~0 p  m5 }'变量前缀，如一个空间下多次使用本程序的话，请每个程序配置不同的值

1 T7 b, J; t5 e# S8 j9 F6 G; tdim prefix

prefix="1Jb8Ob"
6 q$ {& H3 ^6 a/ x1 w8 O8 `' }) i
7 M* B. h; B' K; s, q" D'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
5 @" V- ~2 T4 w9 k/ ~
sub out
" }# q; e6 p! p8 {/ T1 w8 N3 P
/ s) `3 p3 |& [. I4 y0 |7 a6 Csdcms.setsession "adminid",""
# @: Y/ `$ F  r
. s6 o# F: C1 T# U8 Rsdcms.setsession "adminname",""
3 f( k6 V/ Z6 Z
sdcms.setsession "admingroupid",""

sdcms.setcookie "adminid",""

- E! M1 y; X* X: l8 M8 ~3 ^- K  msdcms.setcookie "loginkey",""
! V$ V  K& S, D; g) u
sdcms.setcookie "islogin",""
, x2 V) k: C/ Z) d) _
" [7 c! ?4 }5 V$ I" W; m% i/ i; Qsdcms.go "login.asp"

end sub
7 d5 _2 m6 y6 I/ y" q. p
, `$ v# W$ a( l
* T' `& w1 ]; J$ t7 D利用方法：设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台，就可以了！
! B! s+ ^1 q2 `' ?修复方案：
修改函数！
( `* {" K; \& S3 z' k/ K