要描述:
0 m, g% f) M9 q7 f3 Y, H4 C# l& [9 y3 v2 a3 b
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
. v b8 ^$ s* E. W: P7 A4 L详细说明:9 w. Q$ k8 E& r+ u
Islogin //判断登录的方法: }9 `: R4 B" f! A7 V+ f
( i5 x% q. k% z' I! xsub islogin()
. ?" k. R1 V( ]/ ]
# `/ G- M. ~, c4 h, ~if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 8 B* c6 K: h+ D( b5 L
, L) i, k: G/ u$ j% n& I; }dim t0,t1,t2 1 ^$ j. m' l* w1 C+ E9 n* K: a
) j( P; A3 F m2 Zt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
S" w2 x4 N! ?' E& q" ]8 {$ \ ! _3 w$ _! @$ R5 c6 r# Y( {
t1=sdcms.loadcookie("islogin")
0 a4 e [+ @& n 7 {. Q' t+ `4 G7 t
t2=sdcms.loadcookie("loginkey"). p; j( S. I) x, w3 |! v
, h) W+ v7 |- h! j5 rif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行; C, ?9 G+ A& f$ X$ q' h/ O
( l5 s% n! y$ X+ {+ X1 |. K& }) i//6 p T9 f- r+ b+ D
7 F4 L- _" C6 A+ e C
sdcms.go "login.asp?act=out"4 T. o3 \: l% ~" Y0 q8 W
; i1 E7 ?0 y- w% Kexit sub
& ^ }* F6 B' u4 V5 m' m
; Y' L) k' Q2 M6 \* ielse
0 b4 p$ Q% Y, I4 `" b- m# o 3 B/ v& X$ e9 h9 l6 y7 N$ I
dim data
: o; I" g) s' g+ ?7 q h+ m $ l: @! w: ^( Y5 h
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
" b' ^, c1 r' l% @* y8 u5 x% { 6 f8 n$ H6 j9 _( h p; F* l( q
if ubound(data)<0 then
5 n7 f5 u7 p4 h$ D
+ y0 Z' y& R2 d3 H; D' X- Tsdcms.go "login.asp?act=out"* I) S+ h, ?4 e$ _6 V/ e
! J' ?/ _2 }: m% e! cexit sub2 F- Z( V% o( ~" T/ L& C! ]7 b
5 ~1 l' J* c' d6 E1 J, Jelse- y( f- ?% _1 y+ @& ~( h
/ R0 @ X, k" _* @2 u1 M. b$ K
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then2 P8 A% r% P1 a. I! F% H3 p; M
5 M( x# h) D2 T" V
sdcms.go "login.asp?act=out": W1 B" z% s' ^
" @) Q! l. W& s' C9 Sexit sub
2 m* Z* D: y% r% L ' ~3 E1 \/ ?) d$ D- C
else
p) K& c/ w$ h% G
4 J- \" k( f/ g4 \' _5 z3 S' I0 S8 H% cadminid=data(0,0)
7 }: R9 |7 f5 y+ b% n% A 8 q% f- p* A2 p
adminname=data(1,0)
" ?: l7 P1 E+ ^; u5 o/ E
" M" E) v9 ~ n; f. Qadmin_page_lever=data(5,0); t ?2 {! Y# y. c
8 B, f0 n2 Y# D' C9 b9 R) ^$ G' d9 ~
admin_cate_array=data(6,0) ?& ^* z4 Z* d
3 L% ^" H2 i' Y2 ~4 r, }* iadmin_cate_lever=data(7,0)
3 ^. |. e, _3 \/ |. f/ h 7 a. z) a9 o& Y) g+ p6 N
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 I4 U- O9 L# H4 f! A
% V0 V" }& a U! M) J+ q1 K
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=04 Y0 w3 s9 V* W6 Z. o; w! Y
$ M! t9 c3 p5 e1 H, ^/ w& b' ~if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
5 C9 `; e9 _7 p N$ C * ~2 J0 e* N2 J. {+ F
if clng(admingroupid)<>0 then
0 W8 `3 M: L7 E% l% ~ * U( k! s& h) S4 y
admin_lever_where=" and menuid in("&admin_page_lever&")"8 q% w2 R/ }0 S3 y3 a% X, T+ D7 n! @
; q' ~( Y: s7 Eend if% d3 v2 I; M) E9 Y7 h
$ S: B, {% B7 `6 dsdcms.setsession "adminid",adminid
- i' T# A7 m9 H1 Y! R. }
* i4 x1 k3 w! Q8 Zsdcms.setsession "adminname",adminname# _1 U/ Q' h5 D% Z) n# H
( p' i4 w" x# V* O$ M
sdcms.setsession "admingroupid",data(4,0)
' ~6 ^$ | _- S3 G. x
- [; N- C: I( W8 _4 y cend if- _, N; d* @! X# N
+ l9 c4 ~ v% lend if
, M0 T) }$ P1 I" g' G* R $ G, c7 j$ z7 U, u( r
end if' y, a7 D) F" B% _* [/ Y
! _: l! _! c7 I* [else6 m" ?$ Y& ]" u% i) N
. k5 ^6 b) P: S* m- Q. Z) ^data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")% ?/ v8 ~& D9 z( C
; l) z' Q* G5 W5 m" r/ A
if ubound(data)<0 then
, h: k; l+ u9 Z3 q7 K $ }% `% \0 i: w; |, _
sdcms.go "login.asp?act=out"
/ w: B5 }; e$ u) a, z: I / }5 c! Q3 y9 X$ a3 {
exit sub5 T. S ^: i! r- Z& |
% i9 ]- g% U# o; k- lelse" M4 K- g1 h# ^* Q+ H+ k
5 f# b$ k/ C: F7 radmin_page_lever=data(0,0)5 h5 `( k$ d' x, p6 Q ~
9 r7 r4 O0 ~* d' U
admin_cate_array=data(1,0)3 V* \- A( S0 g: b3 }+ J! j( j
4 q) c. }/ M, y& }admin_cate_lever=data(2,0)4 I7 O! O) E/ w
- `+ V: `: f# B' G( x4 kif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
; S; k! z1 H: H8 @! }0 Q) g
6 ?( o) g8 A& _/ c5 [4 M& @if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
4 a; p Y+ ^+ L4 q5 u
; x+ h- Y y/ u( q8 M, I" {6 Rif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0" @. S9 [7 r& E/ G3 |$ d; \" A* U
& @/ A; s7 O7 ~" @& g8 ]+ R$ k
if clng(admingroupid)<>0 then/ {, D, W5 v; I. D
$ R- ^+ Q. E+ N: c( L
admin_lever_where=" and menuid in("&admin_page_lever&")"# K8 ]+ c$ }: k: `4 t$ i: Y3 F' F/ @0 @
( h' D) Z) X3 E7 Kend if5 L+ i+ _9 e$ ?" Q2 p1 P9 O
# U9 T4 W8 o- d
end if% }! n' g2 O4 I8 d1 q0 c
[6 ` H1 h8 G% h ~end if+ }7 b8 q" l* _+ N
8 t" w/ {2 I }# E- E. b' J0 Tend sub" _8 s# M( f- e! f4 E3 V4 M
漏洞证明:* J8 P+ |. e$ g$ {3 m+ G/ y" F
看看操作COOKIE的函数
0 r# h( S! e0 j/ q2 C3 \ 2 C* m' W/ {* r* z' E, O
public function loadcookie(t0)4 {) a- S" r* y' F0 H9 V2 }
. i. d% H' K" k! K1 b6 k
loadcookie=request.cookies(prefix&t0)" i3 M. p; ]6 B% P1 I
, L/ J9 X, ^5 x ?4 I: ~" aend function3 Z: }* L, k% m! E! L3 s
0 A4 b/ H5 k" \& I1 ~
public sub setcookie(byval t0,byval t1)
( N7 I, _' Y4 Z5 R ( v0 V# H7 C. C
response.cookies(prefix&t0)=t1
/ ]/ F$ u+ n r4 R0 ^ / g, N: ?+ m0 g
end sub
. \. a8 l3 T/ c - F2 s/ _) a! g ~5 g3 w* F1 w
prefix
7 ^% x" b- o5 N' x" y
( u' m% h5 `* k3 s* u( o$ I'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
' Z8 r2 J# J( R+ T% [9 @* X ( p/ ]7 M/ c- l T# z* T: c
dim prefix
6 [: G; A$ f4 D& q% G- p
. u3 J& _& \, v2 N' G; iprefix="1Jb8Ob"
5 K) T0 R2 a% Y- K B . p1 X# P2 j8 r$ l7 y( `1 I
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 4 }$ H- y, I4 {9 j: U2 E' {/ q
. \0 M& @# k& `' e0 o9 I5 l
sub out
7 x& K( V0 j* Y2 F( F0 m3 _
2 u3 C% m6 Z4 F( m5 I* c$ ?sdcms.setsession "adminid",""
6 c- v" p* r8 i: m( u9 ]+ O 6 K' z8 Y6 x9 L/ m, d) M0 [- s: x
sdcms.setsession "adminname",""
& R( D* E- S% p 8 j# a4 L1 o" R
sdcms.setsession "admingroupid",""
! \3 x* d& K t4 S' _
, Y4 m0 ^, v6 m7 S( a; X0 S' Ksdcms.setcookie "adminid",""2 j5 w/ I; j, K' y5 g7 F' J
8 Y- k6 U8 ]& G o. \3 u$ x" Lsdcms.setcookie "loginkey",""
$ R1 ?/ g7 G& S6 Q, J 4 k9 D3 Z1 V5 }
sdcms.setcookie "islogin",""
9 t: v! u3 D# o 6 }; P0 D8 A- a8 W; h' Z7 l. ^
sdcms.go "login.asp"
* j& N0 E7 e" w* d- J 2 M) J3 W: w3 G
end sub; z2 p5 |9 Q' A! B- p
( c- O+ a; q) {4 b2 B& ?; h/ s# d
p% Q. S$ h7 @7 s利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
3 I; X/ ]! t% u Y7 A# o2 }修复方案:
. k) T( V, n; o% y: f2 G. r修改函数!+ k+ N1 V3 I5 ~& o3 |
|
发表于 2013-7-26 12:42:43
收藏
支持
反对