要描述:
% h8 ~; w' N, d6 S* U8 T1 i5 ~; _& O* V3 f! W/ h" _8 F
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
- u$ ^; o/ X) [" ^# V8 u* A详细说明:2 Q" c0 V" e v
Islogin //判断登录的方法
( s" ]4 c3 G" | y4 ^, y & J/ j# R: Q0 [% b' X2 X8 u' T/ R
sub islogin()
/ [8 i* |3 x% P9 A, I/ ]5 A5 x ) R$ G7 w5 S6 \6 _
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
& L6 e3 }8 p/ l d 1 V! \5 K @. I- n' p
dim t0,t1,t2 ; q5 H1 [ G) ?8 C: m+ e8 P
2 N% E5 ]* \0 f7 \/ ]- H! h
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
2 A1 E8 ?5 ^! f. s1 u6 h
1 T% K9 _/ f7 a6 H9 pt1=sdcms.loadcookie("islogin")3 K' u) E1 M, D8 X! t
2 @) z8 i" i9 B- t
t2=sdcms.loadcookie("loginkey")
, \3 {; x: K% D+ E( o# n & `' Y x% \0 ^
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行2 F. {. h3 `2 o; P3 V
# S' H# @& ?2 K/ @//) n. q5 P' ~# f# D' @
7 ^) m( g& ?2 \1 Lsdcms.go "login.asp?act=out"
! Z2 H2 {7 R" G# i" ?6 a& l : _& G2 o" H9 `, {% f' N* Y, A7 b
exit sub6 g4 G* ?6 o1 M* B% O
$ J" `# q! V4 N" N; t5 W) `
else, C; L. R$ Y, T- R+ c- D! ?9 g
5 t9 `& {4 t: A2 G
dim data' T) x- i. ~. A# V0 {0 s/ n
( o, p5 D1 |+ }* Q9 L( \6 P/ ~
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控 |7 n6 M8 _3 k! V2 y* W
- j6 Q" w2 `# D9 w: Qif ubound(data)<0 then* _) A1 }4 Y. a- T3 u; U9 i' T
& x" D4 {+ K1 {9 |* m+ ^( Vsdcms.go "login.asp?act=out"
( J& x; E" l7 P9 G% d- G1 a % ^4 [: J! F, o6 l! F5 |) R
exit sub6 z% h* y: L5 p5 w0 ~9 }
5 ~) L& A1 a4 K& h/ b- K
else
- x) m6 C8 F) t6 S- P4 `
% C: E {4 T2 r$ Qif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
. G; R9 p0 ]2 h7 y1 s9 q
! D* w: N7 D+ H7 q- V8 b( D9 osdcms.go "login.asp?act=out"; {- ]. ^4 i+ Q8 |" E; L
( |" q k. ] p N9 j6 w
exit sub4 [8 l" b; I1 G) N2 B
3 B% ?0 a4 G) g0 melse
- v; G! h) y% U: y/ R- ]" |
2 t: J8 y( S4 Y% W5 Madminid=data(0,0)8 n/ r6 [% z7 i% X. N( u' K
( r3 f7 H- I8 V9 |; ^adminname=data(1,0)% d0 H8 I( M. A2 O' \) i" q
5 A3 o+ M$ f+ J/ {
admin_page_lever=data(5,0)
[1 S+ a r& {, r3 x" \0 _8 h0 j/ H 8 u, i- w( J1 b3 t
admin_cate_array=data(6,0); @; R) A$ t: @* r
2 `/ [' W- W [" ~: E# C! r+ l
admin_cate_lever=data(7,0)
/ |7 K8 t% C, {4 z ' x# P9 d3 L- p' K& m
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
$ v, n2 t3 W k% ^* @/ o ! s- V$ W4 E ~, x7 A
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0! F' O4 u; R# ]1 [% q
7 @* b* R# u8 m0 I; a% n; u+ r. Zif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
3 h" u& D2 B; _8 O ' o* \$ z) s' t
if clng(admingroupid)<>0 then
; F$ j- W9 L/ o5 ^# w. n
0 K. [- `/ T" G# M' y) i# o# uadmin_lever_where=" and menuid in("&admin_page_lever&")"9 x9 V. g' ^1 E" d1 R
" m- |3 ]3 D! b6 w b3 I
end if$ a( c$ ~( P- I8 R( t
* W$ B; _4 h! U, }
sdcms.setsession "adminid",adminid" b' {; s5 C9 e+ M
! N( h; C* k/ E
sdcms.setsession "adminname",adminname& V- v% h5 w. s8 Y
( T% |/ ^; h0 s* nsdcms.setsession "admingroupid",data(4,0)5 g6 M6 S/ }4 B
V2 L; x# N" q, g8 _end if4 t' V, o6 [- p! k
) ~; T& B' q, K( [& Dend if# ?5 S8 C3 P) s; J8 w* _- p7 y
; N" {4 ?/ @0 m% N/ G2 oend if
- p* M& B& {; [4 ^# S% ^
& o1 e! {6 t3 q6 C4 \else, C" s8 z" [! G/ a
, }3 T* e' q. B9 q9 x6 ndata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")6 v* E; r2 E9 e* V7 J8 ^, k) [; H$ z
5 L- j( }& f3 o3 X/ h5 b8 @if ubound(data)<0 then- i7 o8 W$ J2 O/ l) R
1 u! w9 ]3 F8 S; A8 J% F
sdcms.go "login.asp?act=out"7 x/ o* @( {$ G0 @
9 `* b6 b, m( Y
exit sub* \* O8 y' g+ m3 j6 b% |
- V; B! G" D/ E+ y' g, _ w& A9 uelse
L% Y% } Z& |" ~6 m" @& } - U$ F2 D3 ]0 ]4 J" Q
admin_page_lever=data(0,0)0 Z8 e0 R. G4 {' i
; u$ ^% f: Y. n/ l; M. Radmin_cate_array=data(1,0)& P8 H" s5 K) W+ K+ ]6 f* E
$ Q9 t9 `+ L: I; i4 Tadmin_cate_lever=data(2,0)( R* Q( t: @# ^$ c3 J! E
- }9 T' y. F& F: R# b0 bif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=01 ?( A7 y( z( Y! g/ e# j& K
! g& L5 x6 u0 J$ l U6 |if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=06 ]0 V6 b7 f/ h6 J( b
# R* v6 U& B2 E
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
& d) {3 |6 ~- `% F: h# B" G1 x # p) Z4 H# I6 F( m- z' I4 M
if clng(admingroupid)<>0 then
1 R* n9 M r5 g
# E, g/ }9 m# F; H+ \, o, Eadmin_lever_where=" and menuid in("&admin_page_lever&")"9 B% J: L: H8 N" E: h! ~0 V7 N g
: @7 x) A o+ r7 f7 h _
end if3 t3 j [7 D4 b3 F& v% d$ W" s
% y, A& T7 O9 {' O, p. Send if
* ~$ a) ~6 J2 M" m& U* Y
; Z$ _9 t& H. N$ ]0 ~( qend if
" c6 o4 D# P1 r! x 4 \5 U! s) J" ]; {
end sub! E$ l: L3 o. c9 O& I' `1 t. m
漏洞证明:
4 K% z1 a5 G' D+ V) `( t看看操作COOKIE的函数
: n# x3 C# S$ A1 a N* A4 m
# B3 b0 A4 `4 Z* o' Epublic function loadcookie(t0)& X0 t% E! J' C5 k; ?1 r/ g8 y
+ V" ]3 S! f+ mloadcookie=request.cookies(prefix&t0)
3 o6 e L# y! B. E$ g V+ j
' X# M: t( Y$ D. C! ]5 qend function& Z- j. v: g( d- h
, B# [& g3 H$ l1 M$ X/ e0 f( c
public sub setcookie(byval t0,byval t1)
- N2 m$ ]5 ?+ q, j' b6 V& x W ^8 s q5 ^$ s$ R" x
response.cookies(prefix&t0)=t1
* |; x! _7 T$ @5 m7 N 7 m3 R" o( {" {: e& G( E
end sub/ f; ^ y9 J, s. a, L6 [$ z
0 k, Q8 ]0 j; |& l% G \$ g$ y
prefix
- T6 ]+ b' b: a* g& ?, h! k ' a% [/ {7 p- U& Y( x; r
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
: k3 x5 J4 o& ]
( n0 B( W, o0 _, d& B2 [dim prefix
& G* |; ?/ z2 n ! Q* b. I/ N: o( m
prefix="1Jb8Ob"
- ^: b r1 h* } d# N4 c) G
& N4 s3 M$ J6 M m, [( ?; ~'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
* {; `2 m3 w5 q$ l5 t+ Q 2 m7 K2 z; D) r* ~0 G
sub out _+ [ k9 p5 C
( V! |. h7 s. t" x' \0 d) Lsdcms.setsession "adminid",""9 d) v H9 H0 J5 Q
& |7 F9 b$ t) z* k6 o( |. o9 Osdcms.setsession "adminname",""
/ J( p) z* ^8 w" o* ^- l/ _ + W. M: t! F9 g+ ]
sdcms.setsession "admingroupid",""
3 `; ]- `0 E1 q- _9 h
' I4 F; X) w6 ^ _/ a# M% a1 asdcms.setcookie "adminid","") n! `+ O a/ G0 h6 `0 J9 T2 X6 I
* T8 W: {1 H5 w! Y+ c+ psdcms.setcookie "loginkey",""( C! a. B+ n {, n P2 ]( v# \4 b7 H
' M! V+ x( P+ Y! `( Y( B; rsdcms.setcookie "islogin",""% Q8 y0 Y; ?$ |2 u) u9 }$ _7 p
+ {! m! r7 @0 \# tsdcms.go "login.asp"
6 o' q$ q- w T . `& n* _- S5 X+ s3 X' N
end sub
* L: a$ _; d- H! ^4 s) V3 A
0 x5 z/ E; }4 e: T1 @4 u 4 s% v; n; ~0 F' w/ W* K7 P
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
1 P7 D! `. [: m) ]修复方案:
/ K1 [ v+ v. T3 a9 x* i修改函数!" K+ P. A5 j( d& K* D8 P0 E
|
发表于 2013-7-26 12:42:43
收藏
支持
反对