要描述:
( T( q! A2 s4 q! W8 Q q
# c3 v; U# p5 w% v: R5 v1 B1 _SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
' E; z6 N1 i* u1 d* U( P. n9 Q详细说明:
7 O# i i7 s0 UIslogin //判断登录的方法6 _1 X z9 _6 W3 w$ i. X, g* a
' r+ C3 f# C* ^% f" o# [9 q, B+ g
sub islogin()2 D( I2 W$ a+ u7 t! q+ p2 l- Z! R
& X! w g, v( B; H. aif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
( S- c9 K/ R. u+ U$ D 7 o* P' h- s. v+ x c" b7 N( y; X
dim t0,t1,t2 6 I( x* G Z; r
- j3 _% X& B) A3 `5 h1 b! W6 D* G
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie & E* P x8 [2 Q; _, m) V
9 n0 u v( b/ \2 O) T4 pt1=sdcms.loadcookie("islogin")
$ W& f4 ^# y9 g8 M1 b
: Q# j9 K' e% Y) Y; x, b3 C: @$ Tt2=sdcms.loadcookie("loginkey")
9 ^* n0 S7 e; U. T 1 I. [. }8 A2 Y2 S6 [$ ~
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
D8 W- K* c+ c( _0 k6 {+ k! w 9 P% l) m: X1 F; y3 [1 Y
//9 a' P) f- _/ K' y4 f7 \
) z2 m0 Q z& k+ ]
sdcms.go "login.asp?act=out"5 W5 G `6 Z! l$ u* d$ I8 u, g! `
1 Z5 K$ \- m$ Uexit sub
) G* {+ O' [) n) H; d) } ( y/ |0 R7 J! O4 X7 }
else( `% R0 c0 H' Q4 U0 U
5 n+ c3 D( h& A! F! M
dim data
. r* Y$ z5 d Z* G" p
; I4 D8 h' ]) l+ m8 X9 \* C0 ^! Zdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
% B1 A: d% k; ~' | & t) }1 A3 \% ~6 D9 J, y1 W4 F& y
if ubound(data)<0 then6 F; Z# ?( d8 D3 R; }
; U5 N$ y; V+ H3 L( _7 r4 ?, `4 Rsdcms.go "login.asp?act=out"
' N; f" | b S: I 4 O# ], g; n/ {9 o8 K7 n# D
exit sub! p2 r' F0 b m6 g, i7 x+ y2 _
4 m: d0 y1 f* L; g: {/ o
else
c3 \( z+ P8 Q$ j 1 `, `, T7 ~( N- F- l" s
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then! b a$ P/ O2 ?+ g, w5 o
1 K# D: T3 g) A2 I( csdcms.go "login.asp?act=out"( G4 N4 P2 `. p$ p: d
$ f" t6 k) C- V) U1 Hexit sub
2 X/ o8 I# D8 s+ ?
- S) s) |3 ]8 E4 D5 g* ~else
+ [( a" Y8 o) O' k
8 ^! C1 ]; s$ Nadminid=data(0,0); ^4 }" p" b9 b+ m3 E3 W. V4 q
0 ]' M/ v+ \5 X( \6 {adminname=data(1,0)' p8 C) S, ]* W* k/ _
% E# O \: o5 D, a/ ^7 {0 k, h
admin_page_lever=data(5,0)
2 Y$ B5 P% q- N ( D. F' c4 w; s$ B) j0 N
admin_cate_array=data(6,0)2 e4 f M) W/ R$ a1 H
2 m: ~' E1 F: q1 jadmin_cate_lever=data(7,0)
5 T/ E$ v! ~' b2 x 0 k( U4 s0 U, {# N: E
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
/ x- n4 q3 c( y2 g: b/ N, B5 W
; n6 ?* k* O/ E0 }2 I: cif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
6 T! e$ q7 {6 a" ?
+ Q1 O# ?# ^. b sif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
6 f8 m. b9 H- S* D2 B- P' I, ] ; D" b3 y5 f% u$ f7 j$ [
if clng(admingroupid)<>0 then
* J+ D1 r; w( R t( y+ p - L$ b3 J6 V5 a1 z
admin_lever_where=" and menuid in("&admin_page_lever&")"
. ?+ X/ O& _$ Z7 ]. C L
5 A5 W$ G' o- K: H; @9 @5 _end if
# i3 \, D* t4 |
$ Z$ G' ~2 r" k) j/ d0 Xsdcms.setsession "adminid",adminid' X9 t6 j( j+ X, x2 V( S
2 S0 y, S' x9 e: M* P7 Tsdcms.setsession "adminname",adminname1 z1 B2 z2 G0 i: V2 |: h, c% O
; [1 H# d/ f& y/ M& `
sdcms.setsession "admingroupid",data(4,0)( H9 D! @' F5 A9 Y7 ~
9 }3 n3 D! v& @
end if+ n$ ?* h3 I# a% m7 {
* ~/ d: S, O6 M* P" {
end if) ?! F0 J& ]/ T$ I" B
8 c; g2 ]. Y1 y! L1 y" A0 p+ { U$ r
end if, m. J4 V; S/ R1 B/ A5 q
! ]# {1 U B9 k/ v0 I6 Helse
4 i6 V9 j& c$ Q5 b 4 Y4 i6 h8 F' w s/ }. v; G2 x
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")5 x" A& z Q* t2 j" m
]: r8 Z! I9 C5 oif ubound(data)<0 then* c6 X7 v5 \; Q& r, Y7 J* M
) i( P- o$ Y& H5 L- z" e. Ssdcms.go "login.asp?act=out". w4 V+ G% A* l7 L
0 e. u, F0 Q& y& r
exit sub
, ]4 f2 c- m8 n; J4 H
% n/ r% P" V: t4 q5 U1 p% t5 uelse% u. p3 K* }" ^" d; N
& s% e) J( g1 ^: L5 x* [admin_page_lever=data(0,0)
* }& H3 l7 t0 P, r3 A/ i' r ' o/ _; S% i! D9 g
admin_cate_array=data(1,0)
) f7 o" n. P0 t3 B4 \
. z8 G3 R1 @. L2 s5 z( D' }" R. Padmin_cate_lever=data(2,0)
/ L( {$ n6 y' r, u! z8 O' [4 {3 i
9 }: u/ t9 E2 } v( hif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0; x& w% T* F1 C6 p
Y& {! [ p0 k* ]7 O% P' g
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0: ~- N' }3 X( w+ A0 [, h
* Y7 N, P3 }* u& bif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- | z ]$ P! i9 ]
/ V6 x, l; ]4 ^; D' @' l& z: Aif clng(admingroupid)<>0 then
9 B Z7 l( ^. ?9 U F 3 c& i1 b" P5 B% L4 V
admin_lever_where=" and menuid in("&admin_page_lever&")"
' m8 v8 e# N- [* R L) }
; T9 H" Q3 Q" J4 x# tend if! f8 Z# o/ {( T0 @
/ N' M2 s6 {1 s' M& s: s
end if
+ C" h! Z" D) R! c D
) T: W7 s. {% Z; }; q( J3 jend if
9 n, ~) V$ M* |# a r* D/ z3 w
* M) S; J! t5 e& _% F' xend sub
( H. y7 ]+ z$ ?/ `" {0 |漏洞证明:
; [, o x$ C; g/ Z. k5 _: B看看操作COOKIE的函数
- p% ~ F% _/ ]' F- [- q 8 c2 j4 G+ d* C. [$ C
public function loadcookie(t0)
6 A- p7 u: _. A: |4 G ) R2 ~, b B) |% X& w
loadcookie=request.cookies(prefix&t0)7 }) X! {/ G: e! S/ y+ e3 T' x
2 s% n" L0 Q* S' ?: m- l% r
end function
/ S2 X; Z! A7 C. z* n- q
5 [8 C$ z' X1 C1 }, L3 N9 @public sub setcookie(byval t0,byval t1)
- @6 D$ e( G& y * b8 P$ x1 S8 {# N$ e
response.cookies(prefix&t0)=t18 n) q3 U' F* g( Q7 T$ ^+ A# C$ |
2 q" K- H8 M l' y! t! |end sub9 @# D! l$ J9 ~+ I) [
& `$ T# P- v/ h( a! q
prefix$ z2 g8 s5 d# L; T0 y& R- O5 L
' I% q( {0 R& `9 e
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
" l4 V4 S/ Y& o6 e2 a: { : q h) h4 O" } V3 W! r) @
dim prefix
i5 Q) n2 e8 n3 [/ H" q: O
1 y3 l0 g& P5 r. r$ r# Jprefix="1Jb8Ob"
( `& f$ C. r7 d+ A& p' W) Z ' j' \% _* x5 M- g9 O2 P
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 $ c7 ^' L, ?+ I# c5 N
: `4 d2 O3 L. Q+ k' B9 A! o
sub out4 t' R5 b) u7 f I( m3 g& @
& x, a" ~7 b# j: ssdcms.setsession "adminid",""+ f3 K+ ^; q& w3 s C9 f
* Z2 M: F- w9 _- C& u6 Ksdcms.setsession "adminname",""
9 Y( j+ d% K( S0 }1 k/ n " R5 X' N) R: c5 f2 o2 }% Q
sdcms.setsession "admingroupid",""
1 i. e- L% z. l& s3 _ 1 D; d* _6 p/ T5 s) D3 K6 w4 ?
sdcms.setcookie "adminid",""* p" V# ]% x/ v+ S
/ E! O5 h5 E& p, h1 l9 ~& usdcms.setcookie "loginkey",""' M* S1 L+ V1 ^8 X6 V# a
8 ~7 K2 w) R, ~) R( F) p( x( l' k! \sdcms.setcookie "islogin",""* U3 w$ a8 S3 {+ x6 ~! x& Y
# R+ H8 [) V gsdcms.go "login.asp"
- h% L% e& t3 g8 y8 d8 ` a' Y, Z0 Z" P) h4 }1 P
end sub
6 s- R7 t7 e( p
; g8 ?0 U$ y0 }5 c9 u6 J$ Y - i% ]* H& n. l
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了! G9 o+ x& d- J9 J
修复方案:
! m' H: s, N$ U) e修改函数!
$ E# [: e1 k7 P0 { |
发表于 2013-7-26 12:42:43
收藏
支持
反对