要描述:8 y- o& x3 K( ^: e8 `9 U: {) l
3 s' _6 d6 d# U0 ^. A% h2 e1 KSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
' u2 g9 q/ T$ x [2 k, ~, J详细说明:' @$ i3 a- |1 ]4 B$ F, H
Islogin //判断登录的方法1 h6 r9 x+ X* r U2 k
( k8 o& }% S5 |. c
sub islogin()
: I; d0 j. D( y
2 [8 z; b1 M, O q$ xif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then , U# n% J8 n( s8 C
K& D4 X. E2 ]' k7 C* n8 p
dim t0,t1,t2
+ |) w0 y9 {7 K. h2 y R
: d! J7 @: h/ H9 Mt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
7 C% g* m1 B1 E5 r
9 T8 z" [& C6 t6 G. Y; v: pt1=sdcms.loadcookie("islogin")
6 A. l7 y# r( `# h& E6 C' B 9 w& L" P/ X: Z
t2=sdcms.loadcookie("loginkey")! S( s I9 u7 w! Q+ E
% O* [+ ~3 k O- A
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
# z' ^' l* ^1 ^1 a
' v5 o+ @' O" p, F, P& A//. p" p+ y& Q* }' b5 y0 p0 u9 ~) \
0 x4 S/ l( v: r9 x
sdcms.go "login.asp?act=out"
6 P: L. t1 P) h5 |6 v % ?" I% g* A! ]+ i$ P4 H( z1 |
exit sub
5 U3 x7 V- O [0 U & v" ^1 O# |3 S, F. q, ^* t
else
# B, J8 A7 z6 h : B, L% W2 F0 J* h/ c( F+ E; i4 f
dim data
: U9 @( D5 x j# o) j* T & a- [" r7 V+ l5 W" v
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控$ _1 z, v1 J; D. U, V1 [
! Q0 V( I+ A) k, S ?* u0 P7 e
if ubound(data)<0 then
& L- i' C8 Y& J( y
5 S5 R. h1 I, m+ `sdcms.go "login.asp?act=out" K, k& [2 L- u, ?
- F- o5 L0 F+ H( b% y, r, k
exit sub) u% F/ S8 f. i" X
% U% V5 d, _) ^9 `% n% Belse5 N1 y7 a ]8 V+ I8 L9 ~3 B* N
/ O2 q/ \6 o I9 P% C
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
# T" j5 k6 c8 s" }1 Y! C1 T& p # }* v* v3 c+ a# u+ I" t& k
sdcms.go "login.asp?act=out"
9 F. X( x' c6 J% t7 u( {5 X, Q7 u 4 {; v: P) O) H
exit sub. D& W+ @+ O5 T7 j3 o1 j- A ?: H/ H
4 F8 ?* }! z0 { w8 c+ Telse
! w2 K+ H" y. t7 P3 J" N6 N 2 w5 P; S3 g8 D& j6 d d
adminid=data(0,0)
: O+ Y8 P4 @- o b8 p2 A: W
; @: C% I/ A) B4 h. S7 badminname=data(1,0)
4 e( E" R D0 ~1 k# D/ {) u 4 [; m8 ~, w3 l5 C% L9 _* |
admin_page_lever=data(5,0)
7 u/ u) X6 p* i 2 r0 p U- G1 K* j
admin_cate_array=data(6,0)
2 [ l2 J) _* D5 p$ ?! L
2 P3 x! N7 u6 N8 _$ oadmin_cate_lever=data(7,0)
; D$ t0 ^8 |. l$ z' x" n 8 v& I) y `( @" ]
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
2 }( _3 H) t2 h4 e+ E% P- c
7 Q/ h( C. k3 ~if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ ^4 }2 c% J. F' A3 M7 \" T
8 |# q, W2 V2 n# q. o/ X! V1 a- Aif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0. C8 [1 e* M+ l
" C- Q7 b1 a/ D, o4 r
if clng(admingroupid)<>0 then
) y0 a" Y& \ @) {
" F6 K' ^9 v+ f/ wadmin_lever_where=" and menuid in("&admin_page_lever&")"
, E* {, ^4 _, P3 a6 s2 Q3 e
9 E5 I }( G6 Hend if9 L/ a- x* a4 f/ p
) h2 G- `# X' {& h: R, f& o
sdcms.setsession "adminid",adminid
7 m# Z6 g5 G- y: X$ E; p
9 o8 D }3 G8 w* U @& I6 zsdcms.setsession "adminname",adminname
- h# e7 t# W+ X3 k 7 `8 ~, }$ H; P2 ^- u
sdcms.setsession "admingroupid",data(4,0)# a4 @9 L3 b: J: t; I
7 h7 w' G: R& ^
end if
6 A& f6 }' K' z ( E- X+ C9 G6 B
end if
L6 j! }5 q# y* a* s
# }# x7 ]0 \; X0 e5 v! Rend if
/ q, f! k5 A) V1 o. B8 ] , T2 X L: x. y) I' ~* M+ \' `
else
" n8 p+ r8 |/ b, p
# W% B8 h6 M7 G" \data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
+ Z. r! D) s W; X' }
+ r! Y `* O4 G+ b/ Y+ d, Dif ubound(data)<0 then
, U; J* c* I4 m. L. A
$ u1 v V2 \9 |sdcms.go "login.asp?act=out"7 h1 V1 X b! v0 s+ d7 K
& n0 ^. N; _& Q: @6 Q B
exit sub
9 [/ W0 z' t% l* u4 e! @
0 S! t4 m. Q5 w/ N, f. Celse. }) A5 |+ h* I& P5 q
4 o+ {9 N+ m5 Q
admin_page_lever=data(0,0)! s K8 @6 F! X% e! c
3 A ]7 j# ~- C' H% ladmin_cate_array=data(1,0)" S9 K, b0 p% Y" ~" U8 y& Q8 h
, F( x$ V* K% `9 w! z, |3 ~! z J8 c% gadmin_cate_lever=data(2,0)
9 D* ]2 N' ]; |4 A
$ j7 _, e: V4 s! ]if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
$ y. ^1 B6 a1 V9 N, P% U : |; r: A( Y* X6 P7 P( l
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0; ^* Y- a0 ]8 G$ C7 n
, J: W, Z" |& W+ `' Rif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=09 k$ ]6 d" n0 V# C$ {* j; E9 [
: l( n/ X$ l! o4 z
if clng(admingroupid)<>0 then+ T2 l) i1 A" L) a2 a2 i7 ?
0 q* ^" ^' y* F& u4 ^
admin_lever_where=" and menuid in("&admin_page_lever&")"! a7 U' U: v' g U ~0 P4 g
& [( k/ i# H2 r6 S, eend if9 R* N7 y& m: u* z
0 a, o9 d$ {6 s8 S& m: Yend if3 b% Q7 G+ t+ ]
+ M- N4 d- Z M( ]end if( N2 t* `$ h: m9 n: Z
+ Y9 J* H+ _$ `, e# |# n% j
end sub
9 V/ u4 A) }2 y5 E u- r漏洞证明:8 d2 a( g3 h& k% I- E9 j( a
看看操作COOKIE的函数* c2 M& q: d. Y* Z& P- t- A0 b
! L* u: O3 |8 c# cpublic function loadcookie(t0)! ~5 m0 p. M7 E6 X8 A
/ _9 E0 x( v+ x% R4 J
loadcookie=request.cookies(prefix&t0)
4 g4 m# h8 X: ~" ]5 d% Z) }
x& [- F. k) Qend function" q, P P% f, e6 p& }! n0 E8 k a3 k
) Y; I- `* D4 e8 E k7 @# _5 Ppublic sub setcookie(byval t0,byval t1)
1 |0 l; j6 Q4 |7 b* ?
2 B1 R. s" E! F3 [: ] }response.cookies(prefix&t0)=t1
- b4 b2 H1 l6 P$ y2 a+ K O- k6 R1 Y+ V* H& ~7 h4 _
end sub
8 U. v9 M8 p0 {! G( b6 o
" w# r3 x8 S( Z4 R% M/ |2 }prefix
( [: p7 E+ ^0 J7 N / Q; Z; [% ?$ ^. \6 g/ D8 |6 e3 e
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值 H$ L3 b5 r# ^9 y( l
c) C) q! i, S0 w8 t$ Vdim prefix* C; W9 v1 N9 W: I* m) ?3 a+ ?$ }
* t3 ^- r! N9 k7 K. aprefix="1Jb8Ob"
% T/ x: B/ d% ]! P5 v u' a 7 W- E V% M& @9 V3 N# N
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 ( M& ~% v. J3 g. B1 ~: e( B
, k8 t. `3 n# T2 O9 z: m' Jsub out
" J a$ V9 C: \$ C' W: {) k & s) D2 I1 r, q* ` a& _# Y
sdcms.setsession "adminid",""
+ x! N$ I) A" c- A
8 w* L# a T" z% a" |sdcms.setsession "adminname",""3 y# K5 Z- r. }7 D# G. P g
s+ k. N% V0 [% U8 R* j9 Lsdcms.setsession "admingroupid",""
+ r. x R+ t* Z$ h6 l
0 T5 F1 j( Y% Gsdcms.setcookie "adminid",""
8 |" x* s3 @0 {7 B . o4 g L7 [ N5 f9 Z$ ]1 M
sdcms.setcookie "loginkey",""
$ G* B# N2 n* h/ u
# z! A) o q% b1 m6 Vsdcms.setcookie "islogin","" r @8 U6 E& N) Q
* r' k% b- Y' V4 g, }' \
sdcms.go "login.asp": i( ^+ T$ [$ [ G
& N' E( w0 v6 G6 r, }) S& yend sub
9 Z, i: @1 J8 z9 h
M, z# y. [3 e( V% g/ M& Q
% n2 P2 }( h( a6 U利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!1 D1 W6 v0 e3 O/ K( b) v. f# e4 g. K, ^" \5 R
修复方案:
% g3 g9 x! G' Q" l; _+ L' V+ c修改函数!- ]4 m& t9 [' q
|
发表于 2013-7-26 12:42:43
收藏
支持
反对