Brief description:

SDCMS admin backend bypass, straight into the admin panel. Tested on version 2.0 beta2; other versions not tested.
Detailed description:

islogin, the routine that decides whether the visitor is logged in:

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' adminid is read from the cookie via loadcookie
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is awful: sdcms.strlen(t2)<>50 places no requirement on loginkey
        ' other than its length. Any 50 characters are enough to continue past this point.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Look the admin up by ID; the ID comes from the cookie and is under the visitor's control
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' InStr returns 0 (never a negative number) when the decrypted value is not found,
                ' so the "<0" branch can never fire: islogin and loginkey are effectively never verified
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
9 [" H |& P7 q$ X P2 F" b: s漏洞证明:0 }$ Q+ [( j( x, c c
看看操作COOKIE的函数
9 c$ {8 c; a/ V, j8 f6 q
5 O4 N; z! i5 ]% z6 xpublic function loadcookie(t0)
- u. S/ F3 Y* A* ?; ^ - ^% L! M8 g$ P
loadcookie=request.cookies(prefix&t0)! ^; t: l" H3 R, V' z8 q% U; x
$ Q* E* J: K( c" ]! F8 dend function7 W; _$ g8 N' _; o" ]/ C( ]
! p; t' D' U% }* C% rpublic sub setcookie(byval t0,byval t1)
% @) q" y. u( G: z! t( C4 Q
3 g" U. q7 y3 V! i1 c- ~response.cookies(prefix&t0)=t13 G. H6 ~7 N, ?' U8 ?
* G/ D$ f% w, Y; b
end sub7 k9 E+ K$ f; q) Z1 D
) f9 z; j. _. U6 p& E. L
prefix
% R. {* j: C3 d; i d
, B$ G6 R4 o7 H9 B0 e0 q'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值0 Q( \& k: ~- p6 m+ g2 z8 s9 ?6 P, ^" `
9 G9 }. B3 J1 N4 z& {' ~1 B. c% g
dim prefix4 p- z$ @7 P; ~& _; {
1 s" D& _* T9 N+ Iprefix="1Jb8Ob", o$ o; j b8 X
: @: Q; T3 A4 Q
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
8 D+ h1 ]) m1 E 0 `. \* V. F4 m2 J3 `
sub out
$ G& C) z" q$ x. L0 x
* [3 g% E I: R6 v* n. O4 u' D6 U* Jsdcms.setsession "adminid",""
* |4 a- l V& [( a( W " \; M/ n. B. i/ G: U- ]" W
sdcms.setsession "adminname",""
* w1 [! h9 l, a4 ?' l
0 h7 ?; Z! K+ [sdcms.setsession "admingroupid",""* u: C- J7 j1 |" _4 G6 g
2 H! Z/ ? d [" W0 W! jsdcms.setcookie "adminid",""
' I0 m% t: U" v: w 1 _* p5 ?5 n7 z5 m' \
sdcms.setcookie "loginkey",""
( m0 @0 A, n2 r: r0 j . E) G* k/ U6 s! H# F( Q; i2 D
sdcms.setcookie "islogin",""
n( d* _5 }: T) t# C9 l
. q0 |# d+ `( a3 {' |! J- esdcms.go "login.asp"
" H( j3 r8 w- O" @. k, n 9 e( V/ f. o3 @4 q( N' y
end sub, n) V, b2 j% o9 E* {) u) h
9 f; m# K* Z& E9 Z
0 L' R3 _/ W$ K3 l! H" I
Exploitation method: set the cookie prefix+loginkey to 50 characters, prefix+islogin to anything, and loop through prefix+adminid (default 1); then visit the admin backend and you are in!

Fix:

Modify the function!
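The following is an added example, not SDCMS code and not part of the original report. It models the cookie check from the islogin() routine above in Python, reproducing VBScript's InStr semantics (0 when not found, never negative) so the two defects can be exercised offline: the "<0" comparison that can never reject, and a loginkey that is only checked for length. Beside it is a hardened replacement in which the login key is an HMAC over the admin ID and a random nonce under a server-side secret, verified with an explicit constant-time equality test. The admin row, the secret key and the decrypt stand-in are all constructed for the example; SDCMS's real sdcms.decrypt() is not modelled, and expiry and server-side revocation on logout are out of scope.

```python
"""Added example, not SDCMS code: vulnerable vs hardened admin-cookie check."""
import hashlib
import hmac
import secrets

# Constructed stand-in for the sd_admin row that islogin() loads by adminid.
ADMIN_ROW = {"adminid": 1, "adminname": "admin", "adminpass": "<stored-hash>", "islock": 1}

# Constructed server-side secret; in a real deployment this lives in server config.
SECRET_KEY = b"constructed-server-secret-do-not-reuse"


def vbs_instr(haystack, needle):
    """VBScript InStr semantics: 1-based position of needle, 0 when not found.
    The result is never negative, which is what breaks the original check."""
    pos = haystack.find(needle)
    return pos + 1 if pos >= 0 else 0


def stub_decrypt(t1, t2):
    """Stand-in for sdcms.decrypt(); its output is irrelevant to the vulnerable
    check because the comparison below can never reject it."""
    return "stand-in-decrypt:" + t1 + ":" + t2


def lookup_admin(adminid):
    """Stand-in for the dbload() query: returns the row or None (ubound(data)<0)."""
    return ADMIN_ROW if str(ADMIN_ROW["adminid"]) == adminid else None


def vulnerable_check(cookies):
    """Mirror of the original islogin() cookie path. True = accepted as admin."""
    t0 = cookies.get("adminid", "")
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    # Original first gate: loginkey only has to be exactly 50 characters long.
    if not t0 or not t1 or len(t2) != 50:
        return False
    row = lookup_admin(t0)
    if row is None:
        return False
    # Original second gate: instr(...) < 0 is never true, so the decrypted
    # islogin/loginkey pair is never really compared; only islock still matters.
    if vbs_instr(row["adminname"] + row["adminpass"], stub_decrypt(t1, t2)) < 0 or row["islock"] == 0:
        return False
    return True


def issue_token(adminid, secret):
    """Hardened login: a random nonce plus an HMAC binding adminid and nonce.
    Returns (nonce, tag); the server sets them as the islogin/loginkey cookies."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, f"{adminid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return nonce, tag


def hardened_check(cookies, secret):
    """Hardened replacement: the key must equal the expected HMAC exactly."""
    adminid = cookies.get("adminid", "")
    nonce = cookies.get("islogin", "")
    tag = cookies.get("loginkey", "")
    row = lookup_admin(adminid)
    if row is None or row["islock"] == 0:
        return False
    expected = hmac.new(secret, f"{adminid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Explicit equality (not a substring search tested for "<0"), in constant time.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    forged = {"adminid": "1", "islogin": "anything", "loginkey": "A" * 50}
    print("vulnerable accepts forged cookies:", vulnerable_check(forged))   # True
    print("hardened accepts forged cookies:", hardened_check(forged, SECRET_KEY))  # False
    nonce, tag = issue_token(1, SECRET_KEY)
    genuine = {"adminid": "1", "islogin": nonce, "loginkey": tag}
    print("hardened accepts genuine cookies:", hardened_check(genuine, SECRET_KEY))  # True
```

The vulnerable_check/hardened_check pair doubles as a regression test a maintainer can keep: the forged-cookie case must stay rejected after the fix. In the ASP source the minimal change is to treat the InStr result of 0 as "not found" and to compare the login key for equality rather than by length, but the example shows the stronger shape of the fix: a key the server can recompute from a secret, so that no client-chosen 50-character value can ever satisfy the check.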