要描述:0 ]0 \- c- [6 M& B
) B, j1 }. t7 f/ h4 q" R/ oSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试' U7 N1 M, i! d8 |
详细说明:7 ? L {$ w$ l) I$ F5 _
Islogin //判断登录的方法: M' g a8 [$ l% [! X% _
+ V: W. ^% T9 P" g! Y" fsub islogin()
9 ?# j) j9 m3 d3 @% C 6 p0 V0 q* W, T8 z( G, M$ f$ ]. a
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
2 v2 c: T, ?+ q1 B/ c
/ S; T0 p4 c$ S: Qdim t0,t1,t2
5 R3 K) x3 L# S& \) e v/ p/ {
$ v1 H; B6 e) R- p) Y1 O: W9 xt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
9 O V- P( o" L
0 m* i' D) q- g" C$ b3 f$ Z0 A& dt1=sdcms.loadcookie("islogin")2 x- }& F- Z5 p, b" @
" X0 k7 w# e5 ^& R7 yt2=sdcms.loadcookie("loginkey")" N ^1 @' @& K
6 N @- g2 o4 X5 \! b/ v/ J
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
- \9 b5 w+ J2 J3 b) V s7 U T1 D
+ H- K9 Q* Q3 Q( }1 n" U//" W6 j( X) R1 H( ^/ o' g
* x5 o; @- m# U0 Z/ O( [, m9 d
sdcms.go "login.asp?act=out"
; r( ^7 b2 Y" I" T1 E% j! l
+ p" }( y* {: ]2 P: _: f9 `; lexit sub
6 E9 v0 i, `2 n, X. D6 _/ W0 z- o 5 z- I+ [9 \) }+ R
else
5 g4 ^- x) ^: ?! F( k2 U/ V
e, T2 [4 C6 adim data% X' a; l4 I- [( J/ f* U
' @1 I5 a. \; [" s% Mdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
8 A7 N* p# q" z- f8 M 7 P3 e/ ? `7 N- A* i3 @
if ubound(data)<0 then
3 q5 D9 E1 o6 {1 `6 i. g% Q
, A( r7 ^& E& @sdcms.go "login.asp?act=out"- ]9 E. t; y+ O" B
# R- {6 j/ r: v& A9 ?$ m4 {exit sub( R% x) \$ ^3 x9 T" k/ v: @1 t: r6 F
x+ c. h7 }5 v7 }: q% d9 }
else
2 X: p1 M1 e0 p- i2 A: H
4 d, w' [! c; E% L0 c/ a8 fif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
U8 G K7 L. u" @( U9 [ % _4 b, J# l8 u; E0 L% Q* v# f5 X W
sdcms.go "login.asp?act=out"1 M/ M. p r% B( P
) I5 E8 `2 \- I4 x! V: F* D& p* texit sub
% i: S: J; X) Q( a J9 b; W " |0 ^0 l2 y% H( ~3 O% i
else
0 r% N* j9 [1 W, t! z % `; M$ @% C2 H# C
adminid=data(0,0)
* W$ g. [0 W' r' ~/ }- [& ?" V
9 k3 G, Y; n# Iadminname=data(1,0)3 w$ q4 r! z e
4 G: D1 }% L I3 |- [admin_page_lever=data(5,0)
* [9 n" M' |' s, @
- Y7 a/ b8 ~$ e7 q! Badmin_cate_array=data(6,0)
4 \) g0 N9 D3 k/ r: x. ~ 5 t+ ~6 M, E ~$ }" w* K" m
admin_cate_lever=data(7,0)
* b6 D2 V! S+ |5 {+ Q' p
* G4 i( @) d8 B1 y5 d4 n$ xif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
) k/ ~ [1 D. c
5 K. p9 t2 f8 x8 e% }0 B' sif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
4 W. Q1 z' p: |; } 2 y+ w+ L/ I$ A& y) v7 N
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0: H6 ^( t2 Y& U, v6 A: W) O) @
. R5 ~. M6 f$ ~2 V% R/ N4 v% P
if clng(admingroupid)<>0 then. j& p5 A5 B W6 k. V( m0 u
: e e( D' o% j& E7 I% Zadmin_lever_where=" and menuid in("&admin_page_lever&")"
. S% b* h4 \' ?
; R% G9 s" J8 `1 ^+ ^- |end if
. H3 S; u8 N5 s$ ^# ]
- S$ u: [) k# u5 e* wsdcms.setsession "adminid",adminid; `7 e: y6 Y4 Q5 K& ]% [
" R" V1 l& A' W. k% j9 L
sdcms.setsession "adminname",adminname8 I9 c* m2 W. U& c4 l/ O: Z* C* E
% t( g6 b+ b# F k) B: B Nsdcms.setsession "admingroupid",data(4,0)8 l# U9 F# A2 W2 j
) t3 _3 t. C$ e* s4 D9 B" C" u
end if2 m% x: u% a( `
, S. Z* A6 \( P0 Hend if1 k$ |3 ^8 k& g3 m; F2 \1 b4 \3 l
5 B" }. z- l3 y
end if. _- u1 r% H& I' ?: I
4 @" y; Z$ K3 z1 G+ |# belse
% t2 {% N6 Y# q6 V
9 {4 S3 Q9 u; f8 ^, t4 q5 ?5 Ldata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")0 ^4 ~$ {# K4 s7 `$ S: D8 p' \
: Z$ q! h+ q* q+ [/ k" Tif ubound(data)<0 then( O+ h h, R5 r: m8 K
) S. u1 Q q1 n4 X2 S7 [sdcms.go "login.asp?act=out"
- S% u& N( h& n H7 ^$ a; V% Z9 m* r $ `1 D) G( k" u/ q' p! B1 O# X
exit sub2 S: a* w" b& A
, J, Z W7 c* q s3 l5 P- s1 selse
; Y$ }& K7 Y! t h: b: f 0 G1 T0 w; k6 v2 | s
admin_page_lever=data(0,0)9 _( V: o; K: Z3 i& ^2 B& t( N- K- A/ @
3 Y% i8 n8 t! g( e
admin_cate_array=data(1,0)+ q& y9 R( d* V+ }
5 C0 V$ d1 ^2 K: iadmin_cate_lever=data(2,0)
4 q, `2 @' P0 X+ T1 C3 c & o9 B+ |- K9 Y6 D7 t' C/ P+ w
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 W; y! B6 I4 _3 G$ {+ p. ]
6 e" X; J7 h9 Z
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=01 }1 {0 Q6 d( o* w( z9 c% ^4 ?5 E
9 o, H, d% {( a3 f9 R" Zif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0& K9 ^+ H6 {7 Z
! T8 j7 S7 u. ^
if clng(admingroupid)<>0 then7 _: E) A7 @# C0 P J
, k, Q& l- {# o7 hadmin_lever_where=" and menuid in("&admin_page_lever&")"
5 J5 n0 z g9 I! v; k& ?! c$ p9 C& O % ~% |, a0 C9 N* u8 H# F; {
end if
0 ] v# x& _4 ^$ b) H& r8 g " s: O4 x9 Y$ s: |" s' P9 \+ v
end if
" S- K+ @ w4 g! l 5 m U, z5 e9 w: V. j6 T4 }
end if
3 k% ]% y' Y+ V9 D
* A) ]. A: J1 W: L1 y( Hend sub
1 G/ S, m! l* U0 I$ y g, [ j' \漏洞证明:
; v; n! [1 p5 L( h% M8 ]看看操作COOKIE的函数$ G* Z' t3 O$ Y l
! \/ }2 F# w$ z9 D, I1 x# m9 R
public function loadcookie(t0)+ l6 L- l# a7 I& p8 s0 a
# R8 g* D' v/ u: e, E2 [+ \
loadcookie=request.cookies(prefix&t0)! A& g) W% d0 R: J3 P0 {
+ L( v: r, X5 A" i+ Q. T
end function5 H! Q- F8 R. l/ w
# k! D, `9 v z0 C1 ? }
public sub setcookie(byval t0,byval t1)5 i1 f. o4 ~) @% W+ p
; Z% _7 R- y. }
response.cookies(prefix&t0)=t1( G+ E' y; \9 h" y6 ?& Q
* f0 t; X' U7 L1 [2 { a: E
end sub
! O/ k" }8 x& u4 p ) y1 V4 C3 Y9 M
prefix
u& G* f8 _) {, P4 Q4 n5 J3 _* G4 T a
; V4 c1 h1 X- g# S) D7 @'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
/ c# w6 ^: I% M
3 P7 O' D" G; o' c5 ]# ydim prefix
+ v' X) \ E! V2 N. r
) F1 m$ N3 ?' C; cprefix="1Jb8Ob"* n* L; }- t) a) {" o1 b
/ d3 L$ b, }0 r/ f
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 2 ?( z! ^0 w/ Z/ p- a D
& f* u- J G) _0 ]% ]( j
sub out+ X K; w) t8 c7 g
9 W& C2 e; @- t' p( ssdcms.setsession "adminid",""
5 C+ u2 S0 S$ D # Q( v4 s: ^' @! m
sdcms.setsession "adminname",""
* ^% t, C' ?* X3 n { 6 g, T# V4 Z! j9 _3 t
sdcms.setsession "admingroupid",""8 T _- U4 n: O1 r8 q6 w8 x
/ M6 E( n7 f; h6 r$ w isdcms.setcookie "adminid",""- r, }7 E1 g( J% l+ s& K2 g
* w3 W7 n% C R. ], |$ f2 r, s2 T7 s( Esdcms.setcookie "loginkey",""5 r4 t1 [* ` u$ ?
+ x* f& U) K% V9 ?sdcms.setcookie "islogin","", k" z. x$ i% @+ t* G8 \
4 U8 P+ y5 b7 F1 E0 [6 S7 S; V3 ksdcms.go "login.asp"1 s2 ?( G$ J; }! Q* O
6 O* x: g, i: J3 Fend sub
% h. F- _! g0 H2 l. l$ [' u. g 8 [1 ^2 q& ?* M! i# C
3 {. g5 N' U! s! h/ M4 H利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
+ U* A. ]! Z% M) W8 h修复方案:2 S, [2 `1 i; ~6 k
修改函数!
6 |- t a. @ S5 u8 c |
发表于 2013-7-26 12:42:43
收藏
支持
反对