要描述:
4 w1 U( i! z# f* G; m' ?( G8 l8 Y/ @& O1 F3 P
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
# i2 d$ m' @: f' ?详细说明:3 U& W5 {* q* c4 o
Islogin //判断登录的方法
! \, y( s+ O, e7 ^8 s; Q
: [6 b; [/ B" L# ]sub islogin()
/ [3 U) W2 h Y7 l1 U$ N7 _ r
+ r8 j& D. g3 b) Wif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 1 l6 n) w: I5 w, S' u9 ?4 l
6 u g1 z) p2 U3 kdim t0,t1,t2
- t% N/ V% O' a5 R# s6 s2 u5 Q/ ` 3 r) H b& d q3 `7 \
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
" \/ s$ o. r: Z. c E, K x
% m( L3 x# |5 }5 x; y. R" ut1=sdcms.loadcookie("islogin")- a4 d0 g2 @2 {( P& A7 q
; P( K1 w# u6 G- Z: W7 w
t2=sdcms.loadcookie("loginkey")
3 X5 d! t8 X5 e r ; z' j; r; d& Q
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行) D9 [1 j# y9 ?2 D
2 h: ^) }7 H1 [5 j5 S5 {1 G% n//6 x) h3 k% @$ u6 ]" r2 z/ a! y
7 D/ f9 @' P1 H8 Z+ A3 a) Bsdcms.go "login.asp?act=out"
4 U0 ?% J- V* {" d* b
% {# F! d& G- ^% W( o; R, bexit sub- i6 a: E5 N8 f2 {, V. [7 f" d: G9 ` N
# J+ C) o1 s) l% b4 Telse
! H% d5 K9 i" p8 l' S9 P . E. a, S( X1 X+ } p, l
dim data
5 u& e8 g) c8 \8 ?% }5 f9 c9 }/ y6 V
3 W% w Z; ^6 P+ adata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控) y5 P& Z6 e6 y$ t4 N9 a" a8 Q
9 s! Q2 Q3 I( Wif ubound(data)<0 then
) I9 R0 d+ I1 `% b: P9 \ + u$ `* i1 P" Q
sdcms.go "login.asp?act=out"' |/ v Z* y1 o) i
: Q2 N2 B. f2 Y' c6 G! Q& a
exit sub
, ^# t% u$ H2 d9 G$ W2 M: `
- i3 N8 M5 u4 f. Y2 A. U7 A Oelse+ l& E2 W; w0 v- K) G
' C4 w ]5 W* c, F4 w! e, Rif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then5 D H# f4 X" k8 Z; _2 P3 c. q
# c! G3 M. r) }9 A# g% lsdcms.go "login.asp?act=out"
% n5 F; r+ d5 V. r0 C
; {3 y8 u, ~; `$ c7 {4 wexit sub* q) g) @1 I$ ?0 b8 C) J9 q8 L
9 u$ P' o. {1 W/ p
else
0 T' {# H k: X7 e7 h) [/ ^ & {& F- y' L5 ^& `
adminid=data(0,0)
, R. I5 e, I4 K5 ?' o 3 ?" i6 q% C; Q# x
adminname=data(1,0)
8 Y- D! D9 `; d$ N' e& P
* t% j* G4 Z } y1 D) Wadmin_page_lever=data(5,0)0 C( U h G3 O/ p5 P8 D4 U" V1 ~
- K k7 ]* ^) M8 Q4 B8 ~/ K
admin_cate_array=data(6,0): p$ b% e4 I% |! d4 k) G
! \+ U" u5 i$ wadmin_cate_lever=data(7,0)/ X- P" [* @; a ?
' q7 J' g% p t% I4 W2 V
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
( {+ |' U! [8 B& Q; W* y( N2 G
9 f( O; W. q& Z K' {if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=06 ]: o3 K1 Q0 |3 y+ Z' x v: r Y' [
% p8 h9 i1 k" h) I, Xif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
0 u3 G3 G7 I* ~: w$ g
( F9 K1 E* m3 V( q; n2 k& j; rif clng(admingroupid)<>0 then
9 G. C0 T( V: W- L8 r) V7 o5 Z0 h# I $ G e* r* f9 o: u( r2 Y
admin_lever_where=" and menuid in("&admin_page_lever&")"& c+ b6 y3 [6 m# V
! X# ?5 X/ K4 Iend if
9 b( m$ {2 z; {/ d
" o7 t; B9 [$ q( O" z5 tsdcms.setsession "adminid",adminid
4 }8 m( r6 n. ?# |6 c 8 K% |& v2 |( r# [& {
sdcms.setsession "adminname",adminname _$ p. g. F, z- t' S
- `! I6 K1 n1 d! y( q
sdcms.setsession "admingroupid",data(4,0)
- A" W( Y9 h* s' J$ [( d5 L " G# w- B+ K/ ^+ I4 \2 w/ s* D
end if, F' \" |) D% P: x3 E/ g' O
4 {6 g) |! ]. t8 T+ _& Bend if5 f/ ^& Z( X5 x# v1 P. r ~
7 w; \. h) ?$ ^' z, h" Iend if
/ G& F8 D6 \( N$ O$ b3 y- O2 ?
5 J2 f/ I2 }5 n% u1 Zelse" K! o8 ^5 T/ B% `2 A1 @# d
! b9 S* h9 p: S @ S9 ^$ D4 q. _' Fdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
2 ?6 Y! ?- B% H
5 K) P! _0 [! K; U, Pif ubound(data)<0 then$ r0 k! \7 d3 @! w% ], [/ g. W
& Q' \3 x# C' L" e3 d0 xsdcms.go "login.asp?act=out"! {. N: A, K# E$ Y" J5 r- a. S1 p
3 O/ H+ u# |, `9 ~; X8 g
exit sub0 G ]. v3 ~6 M7 k" T0 B* [
9 ~) `7 X( o' f, v5 yelse
- ?# s( V y( n
4 ?+ P1 C1 E( G& r5 ~admin_page_lever=data(0,0)) c/ G- Q' X5 J$ n
9 F$ O( L$ y: t8 N" M/ fadmin_cate_array=data(1,0)7 b( u& O5 Q5 x- J7 D# N
0 c5 X% ]- D- z' q9 Y- sadmin_cate_lever=data(2,0)
+ k5 X. |$ y9 |& b8 J5 u& L- @
2 s" m: z7 @; Aif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 j0 X S+ n# t$ j$ r- N$ N; k
9 t$ P5 B. ~, S" ^+ u
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0' r- r, i' J) o
! l- v* m0 h0 Z0 Uif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0 u8 }) f) q1 T0 t" }
1 u) ?% n5 N1 J. B: F5 h) O! R% k0 qif clng(admingroupid)<>0 then
8 r& e# t+ q% [7 l& @
( Z1 P, T9 z0 j$ |1 o' u, gadmin_lever_where=" and menuid in("&admin_page_lever&")"
9 S8 ~9 A4 o& Z* y+ N! x. r+ g + `: o; v7 b0 @- z% M
end if
8 Z# @8 j4 Q6 Y( o
! _/ R( I* [. |' Vend if( y: u# _* R# z
' r8 G$ \& G Z% {7 C
end if( }3 d+ d( q" R% p
/ ~' A; c7 Q$ W: A( N6 B
end sub
, b3 [6 I# m" @% ~, j- \. l: C漏洞证明:, z( V y6 y: B. L; ?, W* Q
看看操作COOKIE的函数
& \0 e" o" d" J; O& c
) s4 l3 L0 _3 l# S1 J4 ]& Cpublic function loadcookie(t0)
: \) q' O1 x# Y) A9 {" Z
3 U' R- v) b$ |. Q( Kloadcookie=request.cookies(prefix&t0)
4 r+ l$ I! ~* b: E 9 C' C# {; f1 j' U* k+ U5 ]4 H. d- t" l
end function4 W7 J% \: l: l# C; h1 L0 _
) _' X6 {- t; @3 b8 _! {public sub setcookie(byval t0,byval t1)# Q0 {, C7 ]5 N% Z/ Z! |
0 X( g8 ~# @6 y0 ?& ~) t9 c ~response.cookies(prefix&t0)=t1
$ s! O* u; v' W4 f* f) ^0 I% [
* A1 K) C9 z9 w6 ?0 X+ H, rend sub) Z0 O$ j' F) t7 T* c( v) C7 r
0 X+ |# [6 V8 `. y- U8 S4 _prefix' @- [* C* z/ N- e* A9 i
# z1 r! D5 `9 ?$ j8 R8 m: r
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
" N' z0 R( `5 j' z9 y
& R6 z/ C6 K4 { a1 G/ g# _, Cdim prefix5 K) \5 ~3 y9 a1 K7 ~1 g0 {/ N' R6 f$ z; z
% F* ~. R0 O, @, {9 r& L7 C
prefix="1Jb8Ob"* x( u8 V7 Y; k! h
% u* g2 T& O% [; {9 l( _'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 2 f+ A) @. m* {2 a. t
k8 l1 |1 `* `% f8 ?sub out
& _) D @( L% N* |" c7 [9 k
7 K! }1 f2 S/ X: B: Bsdcms.setsession "adminid",""+ X: J. C Q b/ Q$ H% O
6 y- M* b% {& t+ b# Q o7 b9 b* rsdcms.setsession "adminname",""% @) ~+ i/ B, A9 j! N
, P* B n& |; @- {% u
sdcms.setsession "admingroupid",""
. N0 E' x+ k% K; k; v& e+ g 9 t9 I g/ D: @! w# c9 t3 K, `
sdcms.setcookie "adminid","") _2 Z/ }$ z* r, Z: q
4 W4 [8 K* }* p- @; @' j9 A
sdcms.setcookie "loginkey",""# A. _! t' D5 B# k, s/ a" g
' E9 S5 u K; _sdcms.setcookie "islogin",""9 g0 g% i! w: z, }4 B* P
% n& c8 l; m4 G: lsdcms.go "login.asp"- E$ z y8 ^- m5 M {: k
. o. U0 @8 r; A ]4 q& C0 Jend sub0 L$ V' h. q% T, \8 M+ c
2 E" ]8 o( a$ e- w" S$ z* Q
/ l( c! z# u8 G) |利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
% r$ V" U" h0 G修复方案:
! g9 V: k; W# { Z% |" c" l修改函数!7 ?5 ]" O) A9 l% V0 x5 C
|
发表于 2013-7-26 12:42:43
收藏
支持
反对