要描述:
6 w; M- g* F) M7 r m* g2 j* `! m4 y7 E) k7 m9 R
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试3 ?! S! i5 P6 J
详细说明:$ A1 m+ e7 D% F& v8 W; A( n
Islogin //判断登录的方法
2 x: e' h- p* A1 Y ; U+ P! N) e6 ]; m9 }* ?! l, V
sub islogin()
9 `' P( c0 h3 F% p2 Q3 I2 c9 g+ L ' U/ X0 Y! q' x' ^. q7 w# o
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
$ G# n: r4 Q! }
7 F: S8 s- d; Q7 G/ F+ A# Rdim t0,t1,t2 / c% P) W3 G: Y
" h+ E4 y) H" R p& Q
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie " \9 E4 p$ R* t
& i8 n Y) J, o7 A) Ut1=sdcms.loadcookie("islogin")! M2 E O! K# a2 k; Z: F
/ ]8 H, J( I# q+ i
t2=sdcms.loadcookie("loginkey")- t2 m$ C* _/ H( P/ b
5 g$ C- J) B+ j
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
% E3 {, x' p9 ^9 D . G; T, l+ V& u/ h' J2 e/ K
//, [' B# B7 K# l( V, `8 T
' ?3 y, D$ {% nsdcms.go "login.asp?act=out"
1 i# r6 t# d. r" V/ h9 T 3 A, ?1 h* A* Y" G7 G
exit sub
) a# }; K8 ]: g, }! r/ X$ `$ Y
! p) g A& M# i" k/ delse
?0 G u5 F7 r% T% c! U- X% y' P - C/ p" a0 ^9 f6 ~' i- m
dim data8 D% H( o6 D; d# C5 ?+ G/ P/ F
% _$ q3 b% n# F2 C7 D, f4 M& @1 R+ f
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
4 G: X' J) h( J, S
% ^4 ]6 a# C" y3 l4 [- `! c- V, Mif ubound(data)<0 then
# ~+ c% @/ c, P9 ?
9 Z! u2 ^8 L0 e$ c/ [sdcms.go "login.asp?act=out": z6 r. j% E7 m5 B
* y/ x0 R: @ k7 X, Eexit sub
$ v4 Q. i1 o2 C6 L z/ x7 @/ U1 g5 a4 S' m5 o
else
0 B( O+ p" k+ j1 j4 A! ?9 J1 j : z: p' e- k7 m! r7 |" k4 G
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then) J+ i, R1 t$ G5 B# b
9 r4 |: h& g; c* U
sdcms.go "login.asp?act=out"
9 M- A# m" D8 U' `
6 v% P2 W. e+ y' h9 n; G& I- \exit sub
9 V# N3 V! U2 K ' I0 b6 j, l" d4 e& h! p7 \
else" x+ W( W2 d2 M, s9 o
! j7 [8 b0 P0 z0 v* I
adminid=data(0,0)! \% l& Y4 G9 t* S9 u7 P e9 q& _5 w
& B1 e& V" F$ ^* Z0 x. ]adminname=data(1,0)
1 R7 ~9 z3 W0 Q+ R2 N1 Z * t" O _. {+ |' a$ @
admin_page_lever=data(5,0)( S" y8 H4 V- c& o# L" Q2 O
% B! W. f3 m+ Wadmin_cate_array=data(6,0)
; P" z6 U8 G2 y & c5 i% `+ H' C. R
admin_cate_lever=data(7,0)% m) v$ D) {: S. s
! F$ c; \8 y- z( [3 _( V
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=07 z2 b- N7 ~5 S/ h: j$ }& Y5 {/ z
h0 h: t2 @4 b! s! r2 ]2 nif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
5 P7 g/ a, I$ N2 M2 r6 {7 g$ W
, a' P; z; I: M8 A/ _if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- U: A( d; ~) \; Y+ ]# Z 6 S. l) x5 e' @ Q( j$ I
if clng(admingroupid)<>0 then1 s' d5 s: V! z$ F" e
: ^# Q% x: h9 s5 Iadmin_lever_where=" and menuid in("&admin_page_lever&")"4 i( I, `: _! X$ X( A0 ?# {, t4 o
: M' q0 E8 _! o" C( \
end if
* S& J6 O5 u& w1 t, x
9 r/ |& r& W5 j6 u9 Y4 I1 Msdcms.setsession "adminid",adminid' H* _$ L7 o0 `+ v1 T) S0 N5 i
" r7 v b J: A, C) z
sdcms.setsession "adminname",adminname
6 i$ c- ]. R& v7 x
' o+ z; H/ u' I+ Zsdcms.setsession "admingroupid",data(4,0)! ~! Z3 @. O: I6 ?. }9 _
9 |0 e( m0 e) A" e& B- I
end if
# F, G) |) I9 t& x" r: Z
" m! B/ J0 ]) r+ Send if) W% r) ` o; O% b1 u
; E2 u( \- V3 y7 W9 [8 f+ |
end if$ i4 M4 Q' v4 I6 }
2 a0 j" l: z7 a$ u$ Z1 ]+ k
else8 S, `$ Y$ S) b4 B
9 k" l6 V5 M* A T* i& ^- q4 ~data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
& B* ~$ O9 {3 X' |1 o% L; H2 M + D9 Q8 }2 F, G
if ubound(data)<0 then
( @' V3 X3 v U3 e
- F) O1 V& \' l7 v' psdcms.go "login.asp?act=out"6 W3 |6 [7 t# A% t
; ?% G+ X- `2 n& z R. u2 F
exit sub
* C4 q0 d/ t) {+ D' d L
* i, v. m- [( o3 e6 z0 D. Velse
$ p; n2 |6 {0 I! Y6 c
# T* \" n5 r" u; d/ ~admin_page_lever=data(0,0)4 E/ N4 T4 \. F0 h; U; K k* M) ]
3 B7 I' d+ k1 ~& s- R
admin_cate_array=data(1,0)1 Z* Y3 k: U. D9 g! D4 G" u
& m! S( k% d. l! }1 Q8 f# ]. {# b
admin_cate_lever=data(2,0)) {* g+ N1 z% n
( v2 H& V7 k8 n
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0- L; h9 ~5 [" d
; H' F6 m; o' c/ B, C0 G, [4 z1 w2 k
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
0 d4 g; S" K& O' N: ^6 ^4 u : K; a! Z- p8 {- K, \
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
" h; t5 M+ P0 g: d" e5 O, K 0 `* {( A- o( |8 w1 A2 \2 C% |% {
if clng(admingroupid)<>0 then6 v8 X( R+ O* t% \, O3 `4 k
( z5 i4 z! F" l8 _+ ^6 j6 D9 r
admin_lever_where=" and menuid in("&admin_page_lever&")"* Y6 k/ w: f$ H- V
U% A. P7 G9 g+ z& e. Nend if
/ u# c7 v% W9 v$ l# @ - @3 Q: A7 x1 m9 }: h: ^
end if
( H+ Z- L- U! a1 B0 ~ G! P: Y. n 9 ^ b- u' R* g/ F: l
end if
3 E. v$ H3 G. Q# S T 9 p+ D& P9 d3 M, Y/ R# ?
end sub% N' U+ o1 O' E
漏洞证明:+ B0 y0 h! D; ?9 h/ _! W0 O
看看操作COOKIE的函数
* d9 J: w" k4 o& P# x: W $ m& a' p' h/ t T5 l* j4 c
public function loadcookie(t0)8 O a \/ v5 \5 A* D8 k1 \
, j; O" i9 a( _* cloadcookie=request.cookies(prefix&t0)% [ S' K( a1 u8 U; m1 Z
( o$ W6 y' D' I4 K5 Q- [. t& s
end function# I0 l2 g( ]$ c) V/ U
" Y: F \& W$ q6 H4 A: `
public sub setcookie(byval t0,byval t1)# h: k4 F3 i* g9 p
E! z" S8 j- ^, R$ V3 a) Aresponse.cookies(prefix&t0)=t19 _" A' F" s7 P( `# |% w
# G3 |+ r6 a, |6 {. _end sub
/ F8 e& \7 @' B1 S: P& z5 M1 H! d9 e 3 S. x. o; Q" I- _7 f7 y
prefix
8 u2 H8 j5 L$ k7 O H; |6 s: [, ` : X5 A- m, Y+ y @- e7 e
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
7 L& Q- D2 n$ L! M, z' C+ O3 k& X. k
5 Y+ T0 x, n" `# T; m$ E+ odim prefix
5 {! ?; g3 D6 a) {* h1 B5 `
F& _: H! l5 Q$ D; @) ?prefix="1Jb8Ob"
' l9 l% I, p' W8 Q, M # {% h5 x6 `: h( F$ E% A
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
: }" q% d, |: B+ S
: x& |0 _! X$ D5 }8 Qsub out
$ _: x6 T( N! _
* H* d0 g8 Z3 F3 r2 D6 p- ~' P" O$ X! jsdcms.setsession "adminid",""# D# j) K1 m3 m9 h- `7 J9 o& F
" |* C& |$ X0 q g
sdcms.setsession "adminname",""( V* K' ^6 x" l j
% z1 B3 @9 a$ u. Y# N1 w7 n' z
sdcms.setsession "admingroupid",""
1 ~1 V& B. z% m. s" _( p
& o. q/ [) j' x7 \0 Ksdcms.setcookie "adminid","", O& I. z# J$ o( \ T' U
& I2 }% M/ e0 |
sdcms.setcookie "loginkey",""
/ a$ n! M: W; w" p) l/ m ! ] t S: c8 N: h; c0 ?, a0 B
sdcms.setcookie "islogin",""
# ]7 ^3 K( D! H9 s 8 ?7 u' _1 y- ]7 S! L* j1 i
sdcms.go "login.asp"1 _3 @+ f/ }# a2 v. v+ h0 g
( e: W) h" j/ }end sub9 R9 d. X7 A4 v
% ?) d# V+ x) @: F" w3 Y3 |
& C3 I8 ]' a( o; ~# c8 g
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
( N1 F/ l$ ^6 [! I修复方案:% k) Y0 I% X/ B2 o1 m% L2 h, p
修改函数!
% s8 e+ Q! ~, h) e, L: V, u |
发表于 2013-7-26 12:42:43
收藏
支持
反对