要描述:
& y0 N u4 l' E" o0 S* i, B9 K6 j
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试; P: V9 T6 e1 H! ?( A
详细说明:/ p, x8 y+ Y& X
Islogin //判断登录的方法
[2 j; ^+ I' r5 d& C
6 E/ ? R9 k, S6 g A8 Rsub islogin()
$ ?3 d$ t) D) e/ \1 s: f
$ |7 B* g1 M) a N' P* }( xif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then # e( [" e4 p8 ^1 C; d- X2 Y! T
* I! j+ ~% A4 c8 Z. b5 l- ?# Sdim t0,t1,t2 & i. J% ] D- s1 m8 I0 g' X
. I6 M! D! |$ w( Q! n! L
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
5 f- u5 @) m3 S7 g $ R- \. r, l/ |* H
t1=sdcms.loadcookie("islogin")) S+ }: [. ]5 c5 `
; I( N `6 ?5 H" T$ u/ }6 }/ g
t2=sdcms.loadcookie("loginkey")+ c+ ^- i; P6 Q" ^7 T
+ C' F- z# q! _# ?if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
# c# d; F/ u1 J) g; r# w
! F+ @* w0 r: L* n// O, r4 ~8 s! Q) T- D, @' H' V
/ V+ `" k' |, R9 n6 i! x0 x" P4 F
sdcms.go "login.asp?act=out"! f/ ?, s# l3 T0 F. O
; e0 a7 x6 o* f0 I, zexit sub
" p4 R1 G: {4 }& v1 s 9 G; E8 t/ g! Q" L7 p
else
, k4 g' P' R; v. {
, R7 ?' o8 X# X. bdim data6 X2 A& O, Y A0 z" E: H( X3 h7 ~
2 z7 O$ F9 K5 E8 Ydata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
- v* Z h0 e4 \& C t B8 e 5 o% G: @8 q7 d" }5 v
if ubound(data)<0 then- i+ R% O. A- h& t
$ W8 N+ k8 } M& R4 f& l; J9 c
sdcms.go "login.asp?act=out"# \; e, Q6 F. [# B0 L
( E' }4 J( a; x8 Iexit sub
7 Z6 [/ B2 D5 F- u) @
2 w C5 q$ |* w, a8 xelse0 L+ H, @1 p4 ~2 N4 j( H
9 }) }0 N* `5 M( ~" Rif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
) i* z o# G- o j" ]
) @1 h1 }* i9 V2 b8 e$ ]9 M; Hsdcms.go "login.asp?act=out"! j8 c9 H! G' K7 g) L) G, y
7 A! @" q5 o- p+ `8 ~5 n$ i: mexit sub8 i, T1 e1 r# C% c, m, G$ x) B! R) _
0 g9 u# J( ]. U0 V8 w% Y* [% A
else9 u4 w. d- b% k6 t) y: a. o
) f3 p# Z; G; O4 _. Eadminid=data(0,0)+ W$ U; y/ @! s/ b/ ]
3 D# a* ^3 J: O5 |( F: N% A
adminname=data(1,0)
, k2 A& N" B4 F! @+ [ * n3 k4 i J4 a6 O) A+ J3 d& H
admin_page_lever=data(5,0)) a/ R- C% r+ B1 @* \7 G
" Z8 Q5 k4 @ y1 V& G% Oadmin_cate_array=data(6,0), C4 ?( ~6 v- t7 \5 ]! l8 ?
6 c* I7 F$ R& K. ~, m$ H- f
admin_cate_lever=data(7,0)4 O6 y2 i/ v$ V! t8 K
# s: o" X0 u; m, p! G1 F! ?
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
. T8 Y( H. Y) P. O) r- t9 i3 ^ # V9 h( M# z1 I
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
% F# R0 ?% y7 n; }
7 C! S3 `; j- a6 N8 [% bif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
b4 ^" f% u4 ~ N
V" S l: X- Z# n, V4 N( D2 oif clng(admingroupid)<>0 then
; r' [( w# a% w3 b! @4 p% E 6 d6 H. s& o* s8 @, d
admin_lever_where=" and menuid in("&admin_page_lever&")"
1 U6 g5 g: f0 F3 m
+ @0 q5 H& |/ I8 @end if
$ ]; J2 C1 F" M# ~, ^. V 9 y; F3 E* _5 c$ L/ L
sdcms.setsession "adminid",adminid, c. ]8 n: f! c) R
5 F% T) G7 N' }! d1 }
sdcms.setsession "adminname",adminname4 |% T# ]1 B9 [+ g2 [
7 K& G0 ^* Z& G7 f8 W0 u$ wsdcms.setsession "admingroupid",data(4,0)
0 J& ? D- p) E3 P- L# j ! x8 j+ |& {4 j* I$ C [& G4 _) ^
end if- O1 q* j0 P: Y9 D- b0 n
" ?' Z! z& b- K! Y' Fend if4 Q! m' ]; O8 l& g2 ~
4 L3 i% P+ }( n3 i7 o% O/ I7 I1 a
end if
' ]* E) v( c0 B7 j
1 o+ V! x% V4 ~9 |$ M3 c8 aelse
; R& B( P( w: C" l ; H( r* P; }, A0 [1 l7 ~
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")! c! {4 g! V t6 |3 c
% ^1 f2 {. N" n
if ubound(data)<0 then P" p5 T5 O ~9 B5 D- W
: N) {3 X9 t: J4 P) X7 k( d; m! V
sdcms.go "login.asp?act=out"
- z( a% U: V8 } v9 P! |, A F- p+ H- Y2 _9 M0 |; \
exit sub6 I3 z4 e7 J9 w5 v
. t# U- A% p8 v: zelse
+ ~- n: z' F3 R- m/ I7 f$ e % s" {$ b+ j* d: e7 ?' J
admin_page_lever=data(0,0)% ^2 R4 S- ]; S1 ?$ C
, r. z' ]; m- {
admin_cate_array=data(1,0)
) T2 A. d8 L( `% f% X7 o9 l
6 M( `7 l; n+ V0 [7 S; D) ~admin_cate_lever=data(2,0)1 D' v/ g7 o9 ?! z3 c; ^3 I% e
& M" c- z: x5 U4 j: Z4 uif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0" r$ W# n2 V' X6 W
' d0 h2 B8 q' L6 r' Y( p6 E6 {# t
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0) u) K7 _3 [' e1 Q& N# a0 m/ T
/ f* a8 o+ h4 Y& Z( Y% T8 J
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
$ D# _5 D( u7 s ! u6 L: K4 |$ O8 t) r/ ]
if clng(admingroupid)<>0 then
2 u. y; j9 k# b6 v6 Y( D+ ?% W& J
9 E# N8 V3 T( ^8 L/ `+ b! ?admin_lever_where=" and menuid in("&admin_page_lever&")"
0 `; G) X- S H
* V! D& M- a# |3 p% Z7 dend if8 _0 y1 y9 @7 S1 T" B7 d$ y
" b5 E) Q$ ^# J$ }) }% o" a! ]0 Send if% w0 Q) N* _2 y& y, h2 z! y% i
# o' O) M; U6 L9 t2 J. Eend if
; [8 P% W; m* ]* K) @ 5 I4 O3 Q# n5 g- U' U/ E1 X F) v
end sub$ r2 b9 \. w+ j) n, c: x, R
漏洞证明:
. S; x& m9 R4 A: P+ |3 C4 ]看看操作COOKIE的函数* ^/ o7 }1 n! C5 l8 s( g
6 C7 w& s. P d" B" Y
public function loadcookie(t0)0 g4 }: {- P" ?; X0 S. Y5 c# t
1 I0 _# L( R# E" mloadcookie=request.cookies(prefix&t0)9 g. x0 v$ t/ q
1 |- V9 c: Y/ @1 K9 N9 l* wend function! L N( @ c& P2 W
7 J5 m& d/ u% J# `
public sub setcookie(byval t0,byval t1)- x1 L' D4 ^: d- M
4 o3 A% l& [9 a3 O, gresponse.cookies(prefix&t0)=t1
# _4 n+ K9 Q' L& g! T0 {& W$ Q# m: h
* x: M4 O1 N# ~# o' vend sub9 g3 R; U6 R) K: S: }
3 }4 ^+ y# @# ?9 {prefix3 B1 I- ~$ y3 r! ?# ?( g% w
9 ^2 g, b- G# E( [+ |0 K( J4 v% \
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值* r8 J/ w) J m7 [( \
7 D [: F& l+ z9 `7 F& R& r5 ?dim prefix& e& c8 j8 R8 p3 S& s- s
$ S! n. _* B1 E& `' U8 L* T( f% G5 F
prefix="1Jb8Ob"
0 N0 b2 `. d/ n9 H . H/ i" \3 G0 a- R7 }0 A& q+ s
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 / B7 a& l. ?: N5 v# W0 }
7 x& t5 c v/ j8 V) g& ssub out9 K R; i& F3 M8 Q0 s
# E9 s5 S+ x, Y8 E. p
sdcms.setsession "adminid",""! t8 T& h& X& c9 Y R1 N
1 | Z" H. i$ }" K, |( qsdcms.setsession "adminname",""
/ ~" {; h$ k- e2 x" l
3 j, r0 E3 i" t- psdcms.setsession "admingroupid",""
, B. {' i, H9 R P: H , T6 M5 x1 C" L/ R- U* S
sdcms.setcookie "adminid",""
: H: e2 q4 f+ A) J, V1 { 5 s! P3 T) `, ?: V; O
sdcms.setcookie "loginkey",""8 X5 e) ~) J/ U- r- a& E
; q9 q- V) `4 K, D: d4 p
sdcms.setcookie "islogin",""' }3 y9 ^# c+ k: P9 Q* L
$ y) G% i) a) C9 ^; X2 U0 Vsdcms.go "login.asp"4 [1 F% V1 z; r; @: m
0 v% T' q' {$ B/ b& a0 A* E
end sub; A1 G8 x3 |) g$ k% F. f" [/ ?, b
3 j; _3 C; b4 W" V9 g3 J! o
% t2 S: G* J6 U利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!/ `: E" _+ d( C2 Y2 G1 c" b
修复方案:) T4 }! {0 ^$ n" t# @' {
修改函数!; d- s: T. e8 F; @, r2 \9 D, M- y+ n
|
发表于 2013-7-26 12:42:43
收藏
支持
反对