要描述:. i" J: l" `: E. E$ V4 y: y( ]
8 S8 b; ~, E3 x# {
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试. S3 P# ]; }* m7 k" _. ~# f# ?9 a$ x* c
详细说明:
; y3 f' S1 e7 J3 G7 c, W, rIslogin //判断登录的方法6 [" b6 D# c" z
5 T( s% T! Y& Y# b
sub islogin()
' ~/ K6 I/ _, ^: M' H9 Z
* O' u9 j2 p, O3 H R/ Qif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then $ M {: S# E' E$ K8 _- t
) o4 y$ w7 D$ V" [) p& f( s! D: Cdim t0,t1,t2 8 d9 }! F: Q* O. G8 T& `0 g7 n
, R: z* B5 Z4 {' u- P/ Lt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
' h4 F8 Y0 L7 p$ y$ C * t& W1 c3 |+ f1 Q
t1=sdcms.loadcookie("islogin")! A: N1 i0 s; g2 O2 P
7 ^5 ~6 k0 Z6 y0 i/ w9 |: I8 Xt2=sdcms.loadcookie("loginkey")
5 [$ r, G# F# H ' g' u: J! @. u( I A9 y* y
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
. N& y# [- W, D! _
1 p$ w5 n [6 ^' {//
7 Y! ]/ X+ w! d) e+ @0 s
7 d8 S$ X2 w& ^) h8 F; f( \" Usdcms.go "login.asp?act=out"
6 m# [, ?. H5 H. p
9 j4 t7 J5 U- A* D7 G) Aexit sub
4 X* k M, ^1 z5 J! i 8 o$ B/ v/ H! K3 S% g6 N- {" S
else6 X( Z* ]& k$ [# s, V5 z& j# r
, \) `3 w4 _$ ^0 {- A
dim data& {# w; d, D) y2 z0 x
% d7 X: k P7 p5 z" u; i+ [& s7 V
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
& J" ]# P; J" y! m& D. ~
3 _' O% S9 E4 v( Y1 x% X8 Qif ubound(data)<0 then
}9 Q9 [. S* s8 C. ?$ E+ j
5 {; L8 p9 M/ `# u) Y$ Jsdcms.go "login.asp?act=out"' a0 Y/ R( l, C/ i; {+ _
! D# u" [5 ]4 r4 d. y
exit sub
% \ e2 q8 P7 I7 b; f. { ! T6 W# w P+ |* E5 p& c3 _
else% m3 u1 `) [. u) g
) l- |7 G& Z) f; p' G" {
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
M! d* M, z- s% _9 p% N+ Z 2 [3 D3 q/ ^6 j9 }. J* h, @8 U4 r
sdcms.go "login.asp?act=out"
% W% z% W7 y% u2 C" C
8 Z$ X v5 j8 O+ q& U; iexit sub# F; U, P8 ?1 Q2 C* ], Y
/ d- _/ ^) T, G; e/ ?! O: Q! Belse
9 V5 m0 ^- |) M" T' G9 Y5 b
! W3 x6 a" @) _7 Dadminid=data(0,0)
& f8 R# Y+ @* p# X, H- A. ? # e4 b8 S' w5 M) t6 @
adminname=data(1,0)9 z+ q- i" ?1 u3 o* {
, v. Z4 Z6 z% }/ I
admin_page_lever=data(5,0)6 O. `2 ]* G3 Q4 B5 v7 ]- b
7 @9 N$ [* X1 t; V' w1 X6 `admin_cate_array=data(6,0)' a1 r2 z* q8 \: f/ E0 c) F: y& T
, d) x& }7 N% W% h- ~admin_cate_lever=data(7,0)
3 f" g- L/ ]% r$ j
" d$ T/ o+ D4 O# sif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
- ~" b* c6 O+ W
) g- v8 V* }+ x# e# V" t5 [+ @if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, t( x f ~5 D
& E* }. U! z9 f( ~3 l* Z
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
5 F8 F, ?6 y6 C9 I
8 `6 @- {$ m7 ^( i, r' Hif clng(admingroupid)<>0 then
' S5 l: [: I* `- z# J6 p 4 y2 X" |! o" k2 J2 y! t6 B" L- @0 y
admin_lever_where=" and menuid in("&admin_page_lever&")"4 s' _4 n' F9 _0 X
' ^" h) Z! o* Gend if
- t, G/ j- `: E/ e% g
- [; d3 b) G( nsdcms.setsession "adminid",adminid6 s2 Y8 U1 G# J: L- {# Z
) ]$ C e* y' \( b& n
sdcms.setsession "adminname",adminname
5 H# j. e, i) o5 }
1 r$ `0 `- L5 E% R/ f& P5 a! isdcms.setsession "admingroupid",data(4,0)4 `& e c7 z) e& o; j" P# Z! H
7 }! h7 Y. f Q2 G, X# \) V
end if6 h) t# B+ h/ Z
: F' L' z! ?8 _9 g% aend if
7 ]/ I& p; g2 M( p7 X' q8 o7 ^. A , W+ W: }! P0 d, A1 R% ?" ]. I
end if% U, m5 N! k6 A3 e7 Y
4 S) D; F3 o; J) V5 P
else( e- T& z1 N2 c3 e' Z, h
: P2 e ?( V2 x% B, Rdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
* x/ Y6 `# l% S# b5 L& J& z* H 1 z. m; `' \# \
if ubound(data)<0 then" m, O; H0 B) \6 ]. X
0 t, X( r: ?2 _4 }* V
sdcms.go "login.asp?act=out"; m! E3 z5 L T& ]2 g5 x
8 M2 U1 X0 z+ ]5 [exit sub% R" r1 X5 C( M2 i: X9 k
/ \, L# T5 _" u1 B
else% @. i2 t( p$ g1 M& J
# r( t5 ~1 [ A& F2 ]6 i: ~admin_page_lever=data(0,0)
2 T5 o8 U' d. e u5 ~) G$ I
: C: h( J. X" K( g- G+ madmin_cate_array=data(1,0)& q& [. x8 S: d2 Z n- B
$ ^1 Q' w% P, n. p, ^- ~, A7 badmin_cate_lever=data(2,0)
8 }4 S8 j. i) _ q5 f9 d' d: d & K& k( E& r6 B$ L
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0' V4 i2 W, L9 W9 d! C' @& U8 R
3 M. {# t' V9 }' [; aif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0$ r& N3 \, Z- V3 l( m% ^
4 p6 }1 i4 _9 m/ K
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0; F6 B/ K+ x1 k. A' s7 c7 `
( S5 b1 b- Q- u# l0 cif clng(admingroupid)<>0 then. Y* h; y0 R, E3 N/ \. h
( U, ]2 ]; o7 r$ a
admin_lever_where=" and menuid in("&admin_page_lever&")"
& P: C, v# v7 E% A. p 5 v' I+ [: u; b' d; A* `. V: S6 d
end if
4 j# f& N0 N5 C" q7 X
. T! F/ ~4 V) `/ z" P, L' iend if
6 G# E R1 b% L) [1 A
5 ?) t7 \' ~0 S1 y9 A9 d7 G% ~end if
# N8 K! }* O! S) u0 S/ t" S7 Q+ V' W2 p " r& H D n* `" ^! X1 e& S3 f
end sub& q$ R! W) n/ C! U- p
漏洞证明:
, s$ e' ^' }# w% X1 K+ {; o6 \看看操作COOKIE的函数
+ L/ v$ g* N j- q4 A+ F5 v8 s 0 p) s. I* D. c/ l
public function loadcookie(t0)
9 A0 b3 w- L6 p
0 d: `) G/ E* B( @- X+ ]& {& D }loadcookie=request.cookies(prefix&t0)
/ w/ B* A- ~2 y9 @+ H; Q7 j' y
$ K; a0 \& E+ o7 T) s3 x1 }( H; aend function0 I& M# @4 }% S9 K* }* q5 U
% p% \4 m r4 M" _1 Jpublic sub setcookie(byval t0,byval t1)! M. V1 I8 A& e% J- _5 \
4 z& ]7 L# P ?% cresponse.cookies(prefix&t0)=t1) z; Z2 p: u! A" [) f
* w( O" `* O7 t2 N3 u/ N
end sub
c0 F; m5 H3 D
6 L/ H6 f" C! o8 M: j& U4 e5 iprefix
- j' X D8 P" u: P; X: @! J
9 v0 U) L/ t! d$ i% w" q'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值/ O, e- [5 O: f4 [2 g/ m# F
9 X" Z8 C$ J D. D1 r4 |+ hdim prefix
, S: E3 ?9 Q# B
) _6 s3 t" O. r( C Aprefix="1Jb8Ob"
5 W0 l& A% w' [; r( V
! e# s6 P/ j/ e'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 C; r$ ~. W: N$ ]! \
: M x/ ~7 p5 O9 v x6 V9 Y, K! ~
sub out1 m3 p+ x p2 G6 v% N' @
& r9 _) ]4 b1 h) a# m4 ?
sdcms.setsession "adminid","": v8 b7 l* R& _" e K9 q
: Y! r+ |) i3 U4 a8 r0 Z. p7 C
sdcms.setsession "adminname",""5 U* j) e% p( |1 [5 H- M# \, q9 f/ R
' [9 I; A9 Y& y: V- U9 m
sdcms.setsession "admingroupid",""% w- S5 C% K" V9 ~& u1 x+ \
# f' w& r& W+ u- m0 w6 nsdcms.setcookie "adminid",""
1 t8 n1 w/ }% g: f # y1 `! _$ o2 r. ?4 \
sdcms.setcookie "loginkey",""
& P2 o; }* f P @" M) c) M' `7 K. S* e 1 r. p% u6 ?7 }! r! A" P, w: M
sdcms.setcookie "islogin",""* s# r" u7 E6 l( n8 P
' R5 \: i# M' [7 ?1 r9 V3 `. w; M: M
sdcms.go "login.asp"
2 u. q* }& f# j. @$ Q& a X+ r
2 k/ a- i: u0 B+ Pend sub8 V) x4 r+ y$ F, v& E9 T6 c3 H
3 {$ n0 N; C) V6 b3 }
( Z1 b' G, l% c; P) H7 O2 o利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
/ a! p! z# c% d+ ^" b# z8 t0 N修复方案:
2 d. k- [( |# N0 J1 X修改函数!
0 k. ~" e! R& R) |( |4 o |
发表于 2013-7-26 12:42:43
收藏
支持
反对