要描述:( @, A* R5 s: z" X
# o2 V0 m) j5 z' q; L, g' |
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
5 P7 h& S2 z2 I9 }# F详细说明:
& {! ]0 Y! r* U3 Y3 \1 D' ]Islogin //判断登录的方法
4 F% k6 ?- ]) q4 b8 w& J9 x! S4 A / \/ [ g" N' d* z# z/ j/ L1 \
sub islogin()5 I4 `1 b- K' @- z1 j5 v
& f& Z u+ S- y, I4 P t p( E; k* Pif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then * W! j. N& `& x% k! ]
; o7 \0 X" {/ H4 P8 T) Q' ndim t0,t1,t2 2 n0 n, E4 p' _ X5 A$ a
$ _" c7 o- w9 _t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
7 m6 I9 ?3 c( E: W* R) Y8 q ! z3 e2 a, J/ h' A- z, u7 n* d
t1=sdcms.loadcookie("islogin")
" _. x; A+ l) o: h$ E3 I
0 Q n# c7 m! u! N9 ct2=sdcms.loadcookie("loginkey")
9 ~8 k# [ D" `; O7 Q 0 [ t& [+ t9 W' B" @! a. d
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行+ l7 b- P5 K( h4 j) Q% z
' z1 e4 l; Z: Y$ R+ @/ E
//
+ q4 o1 v$ P; ^* w( `, } + N4 i" v8 m/ k2 |% R
sdcms.go "login.asp?act=out"* a5 M _8 |+ r8 i4 ?( u
+ j) o- C4 R! V, ~6 r+ ]
exit sub
7 D3 q# [8 z+ v* ^ 7 S7 A1 k6 K8 h$ u; r9 h. V
else
/ D5 R& [/ v _* \ % h. h$ ~) Q( Y- \
dim data9 Y3 M+ U8 c) P& ~- a7 q
* v/ v: |3 F4 e: r4 E/ b) k1 ydata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
# ]' [0 J% G1 k# j! l3 F
% s, p4 ^1 O/ C2 {if ubound(data)<0 then/ Q* Y2 U9 E: f7 w- O" A. r) v, k
+ H* I2 Y. M& G4 t6 r
sdcms.go "login.asp?act=out"
! A, P: D. X1 f5 t" k6 I# Z+ p ) s. U1 Q+ W! l
exit sub8 z! ^5 [" G9 Z' ~# U
* x4 h& s2 V5 O( w* {3 j- g
else
i8 n2 W: F6 P f- }
. `8 s+ _5 L1 s& X y( Kif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
0 r4 q# R, y1 x: M
k( x, x+ o9 Q8 n+ T$ S5 D8 d9 msdcms.go "login.asp?act=out"
$ q3 H) M6 [8 Z4 z6 @5 m5 N) n2 i
6 E, \- e1 x ]& e1 U) `exit sub a, x7 ]$ h7 `' E7 C
$ v+ |8 Q0 k+ ?8 Z4 [else
$ a5 a& _0 r" g: z% p
# U2 C( y; ^. |1 Gadminid=data(0,0)
: A3 {. D3 B: y/ i( m+ c
- A/ v3 N& Q6 m, h3 _7 |0 l8 c, \0 @adminname=data(1,0)6 ?/ C5 h# }" z& I: e: [' I
( f) p/ k$ c+ T$ `admin_page_lever=data(5,0)2 a+ m1 U5 K$ M3 Z# G
- l. V' e. a" X6 Z9 K1 \+ R, q6 i7 `admin_cate_array=data(6,0)
# @/ V+ n I: c6 V: ]0 F; M; j
/ H2 _4 \; L) R( r1 T/ badmin_cate_lever=data(7,0): c( Y: l5 d, I% [( k3 g: @5 B: |
) P* x5 |; b) Y+ v# bif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0$ D; h3 \% V- }, i) d, R, O0 J
5 ~4 T6 F6 i! m! d6 |
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
6 E3 \; i* t5 n3 O. T* e$ Y- { 1 P: q- m; b! }& r# r
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=02 S% j! H) B' `! ?9 s) b3 J" u9 z
) ^* s) s: n" N
if clng(admingroupid)<>0 then8 u# z/ [- Y3 M' x
9 }4 k, f1 G0 T4 e
admin_lever_where=" and menuid in("&admin_page_lever&")"# H3 Z5 F- T. l, {6 O4 b5 t9 @/ O1 S
) {" c$ h3 U4 _* f3 F \end if2 @: N3 k5 O' \
: M6 A* k, S/ H0 _# j" h- c/ i! dsdcms.setsession "adminid",adminid7 Y/ Z( m; I1 R8 J4 e
5 L2 N @9 b: d3 O8 W$ G! t
sdcms.setsession "adminname",adminname# F1 R% L4 W2 J1 _. z9 p1 ~4 S7 a
4 n b( u# o/ z& s9 e, a/ X1 d. E0 A/ i
sdcms.setsession "admingroupid",data(4,0)
6 n9 f' ^; |' F. S" C( ]+ Y
# N- m3 u: v! D& ?5 U- B6 E; [end if
( e! \. ]1 P5 |7 v* R8 I5 V
( f3 J, X' j6 P2 e% bend if# p) y" j# z5 c6 M; U6 ^ T+ D. F5 t
( Y5 D& C9 z0 X; b4 g3 h
end if
- i+ W+ r h, d4 o' A / X; ~( G O* b: W7 t3 N
else7 h7 X% U& [* Q
4 Y9 i, I! M' b" e+ J# xdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
1 i6 Z8 {8 u. P3 Q( ~6 F: F 5 U, A! U! `" W" O' [
if ubound(data)<0 then# w* w5 \, O# F- s& ]+ z4 _
8 g* L3 D) @3 @% u# a& Psdcms.go "login.asp?act=out"
w4 r. V# B; s* K$ w' W* L 1 Y9 e! H" }8 t g% R6 o+ i
exit sub
3 w& A1 V8 r6 u/ A2 H; S
2 s B7 V* a2 d; r, q l# Oelse0 Z. h3 S3 r' X6 E/ {
& V$ K) r0 s& f. hadmin_page_lever=data(0,0)' M) {9 m5 F4 l+ N' j$ Z* Y
6 C+ X' I: m; _9 padmin_cate_array=data(1,0)! S) ?% B* Y. [- d! Y+ a
8 T2 S# f; e3 V! e$ E& C0 zadmin_cate_lever=data(2,0); `/ F) p3 K) x! s
! x2 K6 r5 K% p
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
! j6 a, B% ^; E1 ]
" ?) G. }4 @: `+ G' H6 s% Fif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=07 \- Y; ?+ q0 z: Y( P
- S' u& {+ T& T4 p- o& ]$ tif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
9 l8 C) f4 p7 E+ w! f% m ; V! l7 s( a0 Z+ O5 q
if clng(admingroupid)<>0 then8 D# W! p2 ~7 m/ |3 g
7 ~ D, |5 N0 P- S! ?; d' Q) k& b7 w( xadmin_lever_where=" and menuid in("&admin_page_lever&")"
! x5 h( z1 v3 V" _3 m+ U + H& q6 a1 x. a% Z' t
end if1 I6 p; h0 n) F9 o1 U
- u7 K8 L' v M! I: V( cend if5 I8 O% U/ _4 w0 ]! p
9 Q- o7 H( }( h& K1 w( Eend if
O' s; {) _ l( X2 ^2 L : M# J" {4 A# Z
end sub+ s& n. X4 l3 p: a% W `. l
漏洞证明:7 y+ U* u8 p; b! q
看看操作COOKIE的函数+ S$ @/ N; ^- O! e9 t$ ]
0 z! P$ {1 t/ [1 i! B/ U3 z
public function loadcookie(t0)
4 [5 j& k/ V) y/ K/ a 6 b1 b/ p2 D' {3 ~% @6 I
loadcookie=request.cookies(prefix&t0)# C" P" `( {" H# N3 n
" O- f; j6 ]8 { Aend function! I L- z0 V, }( g
0 B" i6 p1 @6 j4 C% ^2 ^
public sub setcookie(byval t0,byval t1)5 \3 B6 B7 ~9 j& D2 b1 P% [
0 j, h4 j$ e) \% Q4 A' r C1 m# wresponse.cookies(prefix&t0)=t1
" K! Q6 j0 X% j ( a- p, W* J- D" }$ c
end sub
) _( g7 ~+ K$ e' y4 F7 Y / F. `, f; a' P% O7 U* z; W
prefix: @2 B- l1 q5 Z S% l9 n' b
7 D8 V# B3 |/ k# v! _- _'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
$ P) f2 `' W3 h) | W. W" A
$ g h! r5 y9 Bdim prefix2 S) C1 V$ y4 R
" J: T9 C9 N: z; {1 }, \5 m/ o
prefix="1Jb8Ob"
* d* v" ~6 @4 V3 \; j" x
/ u/ Y* h* s @'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 % p% e! C8 L) y% G
$ q* L' Z5 s4 y
sub out
' l* w, y* I$ t6 J# t' R5 w1 q
9 z+ ~7 D; m3 O8 l; dsdcms.setsession "adminid",""; E7 N6 u* f2 h$ g }( @" k, e+ |7 e
0 h3 o, V9 O2 M: Q8 j; E- z! @
sdcms.setsession "adminname",""
) M2 ^- b& l: G
) g' k* Q) e$ y4 d8 \6 f' tsdcms.setsession "admingroupid",""; A; n5 R3 l3 C% A" L1 |* ^
8 g. C+ ~% P: x9 ?* Esdcms.setcookie "adminid",""
7 ?" C$ k' p& f7 y! ?# l- V 6 D1 T. Z0 }4 y# S! M1 t5 M
sdcms.setcookie "loginkey",""
4 X. A1 p) B f " f1 E( c8 M) J+ e H" L4 Y
sdcms.setcookie "islogin",""
' B- {7 b; L! T 1 A2 f* M9 n( i% @: Y! Y/ b: v @* ]
sdcms.go "login.asp"" z) v9 J2 D) z. v, a8 E2 s0 @# s
( W" |2 b, S( s7 Q! n- r
end sub
1 t( j8 k7 Z3 u5 H1 B2 @) o 4 `* l- ~* G) L* `
8 S4 V" k8 C; Q# b7 ?- z
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!$ u: s; |5 ]/ V
修复方案:
4 I6 ]0 a) r a4 x修改函数!
6 q8 s- r2 g0 `- t3 u |
发表于 2013-7-26 12:42:43
收藏
支持
反对