要描述:4 g% a& F9 m& _
8 L S* i$ l+ ?) `! T! ISDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
2 k/ e3 X4 S. ^" A, N [) c% G0 {+ Q详细说明:
8 B2 d9 n; k+ U+ N9 Z' BIslogin //判断登录的方法0 S/ [& Y* X* \4 D& P
7 B/ J. Z# }/ M( H+ Y( g/ A, A& a. esub islogin()
: _5 I1 j' ?( t3 N! Y; l7 Q5 ~
- f8 K2 p3 _+ o9 X' qif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 9 Y' x( @0 m& D) G p: s
' y+ w" O. ]! I: z4 z0 q
dim t0,t1,t2 / L- {$ L" W& Q
& K3 F: s$ t+ O4 b6 p& Qt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie ) M* U! l( }. O$ M" I
& `+ t6 k& I% ^
t1=sdcms.loadcookie("islogin")
" L6 j' P; X7 P5 R2 |% W + g. y0 o/ S% p5 N; ^
t2=sdcms.loadcookie("loginkey")/ _' J7 g; Y7 L$ s) q3 H
& Z% u' d x7 {& H" U, c* B
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
. X! K9 H- h( f/ e$ y 6 A% T+ V. v3 M& Y, o
//
6 b7 h) P* n% r5 z 8 J5 m4 e; e+ Y# U5 T. b) @) q
sdcms.go "login.asp?act=out". L9 t9 a; M' W1 c4 b3 R
) e. {% b& C* i9 q
exit sub
# Y6 [* B( m# E/ T% s3 z
2 b3 N1 c0 x: g) L- yelse
. O I/ ~0 i; N/ e
8 ~! ^ T* A0 L. z5 Qdim data6 S3 w" Y+ N G8 W3 W- w4 L+ t
8 Z% c8 k' B, S3 ?* |* k
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控+ |- m- `* B2 A( e1 ~+ ~! K
2 Y* v5 m- [4 O
if ubound(data)<0 then; c/ a/ J& p3 n& {& U$ o6 n/ i
8 q3 D8 F$ e4 N a; Nsdcms.go "login.asp?act=out"2 v# w" |7 b' `# ^* H
3 ?' [5 Z+ |. B# texit sub
& g7 P- c- v* m' @) _
7 \5 q' Z6 c j- Relse6 e7 q. w# V2 ], \% ]/ y/ N3 N. H
9 l6 e5 ?" Y% ?6 C2 e
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then7 G% q9 H5 y0 f8 z
( n7 |% S1 M2 m6 j3 Tsdcms.go "login.asp?act=out"/ p9 c4 k c* q" Q
; u2 j9 T2 q, t; R0 M* @) d+ lexit sub
5 S ]. f0 V& c2 _! @% E
% N% t; V, Z ^else
" D2 i: e& @/ n; p: V5 c1 w# n$ J4 a
+ E) ^- a0 n; R+ b' q6 W) Sadminid=data(0,0)
. ^6 a8 n' d5 ]: W. ^% W' Q ' z8 @$ F( w3 o5 N+ h. y9 k
adminname=data(1,0)
) O9 `, W+ }& Y) |
: A+ W* m' F4 n: r+ n4 jadmin_page_lever=data(5,0)
& d9 x8 O2 g+ f! K 1 B1 f, H- N! K) n& H5 |' ]% R
admin_cate_array=data(6,0)7 T3 K( g" o( s
5 T. r* x/ F0 W# o- N6 xadmin_cate_lever=data(7,0)
5 D; |0 }8 Q1 L% @% L/ {# I2 R 9 {/ Q, } o) W/ L P2 @
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=02 T) `6 I% m! L' }* z
; ]2 `0 U/ s3 K8 C9 d- ]
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0/ S/ u7 [9 G0 S" e
# Z2 f9 {. R! J0 d' U- Q$ J& M6 R+ r
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=05 @: a; i& b e+ [8 \
3 \: ?3 @0 p2 wif clng(admingroupid)<>0 then" i9 C& C3 O6 X/ W/ E9 K
) A$ J8 Y$ |5 S1 @9 u1 C
admin_lever_where=" and menuid in("&admin_page_lever&")"; b# u. a' o, @: ?- ^
2 w: }& [6 r( [' F0 m
end if8 }# O6 V' z2 `! u9 L
/ X: t, _1 `( h- e; _; P+ B
sdcms.setsession "adminid",adminid
* S5 l2 Y' O; q# m# b
" m- g& v {9 [! s1 Ssdcms.setsession "adminname",adminname7 Z A& W; S* D2 \% T8 E
1 }% R! _9 @2 ?7 R, `sdcms.setsession "admingroupid",data(4,0) g# l2 A# L' p
2 m C8 Y6 s f. \' o4 T8 y8 f$ K
end if
& F- H8 `. L; W3 P4 `8 g3 A
. h* |6 F: Y. ^, Vend if
' d$ p* {" G5 b R: _; H% c
' n: K1 \2 |3 P4 Iend if8 l; J" Z) y6 h
# m1 i3 i6 P7 |6 \6 Relse
% N4 h2 e) b3 H3 {: b9 |% U( ~
% E3 {; J* D4 n; f# H2 J+ P8 o" tdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
+ M) @' R$ |9 [ k
( P( _1 Y: W! c! M, A2 V pif ubound(data)<0 then$ C0 g6 U# M- L8 s1 C3 f5 m
- U2 H5 z( D* u: jsdcms.go "login.asp?act=out"
5 m3 k! T, S! X% m# A4 j$ G * m$ |% K* H. n8 F% M
exit sub. ~ {/ g$ ~9 ]# R' r+ V3 l
6 W1 ]. J: Z* q; U0 G3 z) j N
else, R) b6 {- N7 J4 B, u* v5 H0 P
+ t) `4 b- D/ u7 w% w! Z1 m/ R# _1 Aadmin_page_lever=data(0,0)
6 r% H$ i& i+ {8 w # ` p6 }2 b$ r
admin_cate_array=data(1,0)( ^& q1 d1 c/ F! W
$ {9 T* }: k$ cadmin_cate_lever=data(2,0)
& n8 u! L7 ^. j1 C- b- _ 9 D8 |% M0 l( }1 R
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=03 I1 e0 q' F v
2 A1 \0 ]$ j2 i4 Uif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
% V- h- f+ @/ y9 a# a # b# B. j* |; b3 V, D
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0& D5 _4 S# k( H. N' [9 M
9 p: ^. [7 o" q& vif clng(admingroupid)<>0 then! e9 P3 ]/ W; T6 A9 k* @
4 k( |- f+ c. d6 j0 \/ Aadmin_lever_where=" and menuid in("&admin_page_lever&")"
4 z+ Q6 {! B4 Y. A4 T% Z D% n7 B 4 J8 L4 }5 J7 [! p% M
end if8 P5 U* V" |/ d4 p& ^, y
7 }) d- b% ]: h R( S$ w0 ], Q) |# Cend if
q9 ]* P& @0 w% d6 T* {% z, y- Q 4 K9 l, w3 J% @% b$ Z
end if* ?3 T5 \/ ^% M% R$ N
) d g6 i6 a) ?# m" a4 [
end sub
3 j v) S: [8 I; I! e漏洞证明:
6 L% I' C$ P* n. G" e7 G看看操作COOKIE的函数
4 v$ M5 B7 [) L# h \
2 j4 a+ H. |4 a+ Opublic function loadcookie(t0)
1 s# ]$ v, i* u! y
1 c+ l8 N+ R4 [# h- _loadcookie=request.cookies(prefix&t0)
+ ^" A! v; S9 t& ] 7 s! M$ l3 H7 {7 t) v8 n; D
end function
1 d8 V8 \* V4 ]" p1 ~ - M) q- X" R& b+ L) O0 X5 e' ?
public sub setcookie(byval t0,byval t1)/ k# E* z" X( I1 `
5 o1 C8 c' l) r& p2 J2 P
response.cookies(prefix&t0)=t1* b8 i# ]4 a0 X: v* d1 _! S# V
8 t {9 t; k; o# }9 A1 T, j
end sub
$ `; q" x8 n4 T9 i* c0 |# Q 7 ~8 {( [& Q# L: C& k
prefix
2 A. m: Q' B, t. M% U P, v3 R
5 C2 M( P6 ]0 t3 W'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值1 [1 ~9 V% {: p
4 i/ r1 n5 x1 g$ A
dim prefix
' Y% z7 L$ j9 a0 ?9 c( B: @
L- H. Z6 o4 _. ]3 tprefix="1Jb8Ob"
0 m' W* p' ]& A% e . r) T5 N* m+ W& `# N' `$ c" d
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 3 q8 q4 T) Y C/ p
/ b& t* M% o$ q3 C3 Z
sub out
: M) y5 g5 A8 _0 G* g
4 }& c4 [% O3 ^sdcms.setsession "adminid",""
% ]# \8 Q. v+ b e6 f% z; V. p
" ^ p& }5 K5 {; b! [" H8 @sdcms.setsession "adminname",""* w3 F: L9 R2 _7 t7 F5 `) w
: _' @3 H; ~; m9 x2 ^
sdcms.setsession "admingroupid",""; J$ l/ Y1 r' n) u4 R% j7 w7 j
! ~) U7 V- X8 N
sdcms.setcookie "adminid",""
; \$ A6 m3 i+ m) H$ ` 9 l) T# F. X7 A: X( i* A Y
sdcms.setcookie "loginkey",""# E8 ^' S; E: w. j0 E
+ A" y" m+ r- {! b8 v9 n+ f
sdcms.setcookie "islogin",""7 t6 }( Y! v+ o6 k) k
, C5 W$ c$ w( H6 _5 R# |
sdcms.go "login.asp"
- b3 d; [+ e/ q$ Q' L2 O: s- \ ! e! m" G( |$ D6 H4 J: n8 v
end sub
7 n9 N* Z- r. o0 f
2 C! w' `! c e; x- |. d0 f
/ i( ]% H; S) s- K; \! d利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
: _, {, X; M2 }+ ^. W+ E修复方案:
8 P$ a: ?; Y( K5 E修改函数!
9 t( C3 b7 F: T" {" A |
发表于 2013-7-26 12:42:43
收藏
支持
反对