要描述:0 P) w/ j* h0 O' }# m% G
: }' K6 f& ~: D- z w
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试- l0 I5 P( U m) R7 |5 L9 q$ K
详细说明:
/ J8 _, O& U7 ?8 ~! pIslogin //判断登录的方法, l# w; t5 `. ?* E
* S" ~' ]1 o5 |7 y$ ]
sub islogin()* q+ b1 k8 ?5 J% @
2 t6 F' ?9 R) Y- u L4 R8 x5 k9 I
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then + e2 B9 g! L$ _- m* I1 j: ]& P
$ e0 Z8 Q( x" V+ t) ?
dim t0,t1,t2
. b1 [$ ^+ p0 k# c & G' T/ m9 N; x/ b. o: q
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie ) J4 |3 h& ~3 q, u8 I
4 r- W) r4 o3 Bt1=sdcms.loadcookie("islogin")
3 V# ]+ A5 t$ b; Q: {4 o* s
( I: }! I. E) m9 Yt2=sdcms.loadcookie("loginkey")
" G t. q" H7 n Z5 P
+ ]# [; s2 T: \3 E O6 m7 Jif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行( F! H5 G5 N$ P+ Z$ {- {. W
0 ?5 h1 k# ~, m, E. B//( }9 S/ i+ D2 I: d9 P
, @( s- \- D& t; R0 tsdcms.go "login.asp?act=out"0 t' D9 ?. l+ C& U# q) N6 u% C6 @
2 G& p8 U+ _- i9 d) x4 Dexit sub" l# Z+ u- ^( G6 }
: z3 y0 X0 h5 X/ y- s1 i" y; ^else2 r- Y9 \ t3 {5 o. W
" p1 K0 n; n% x( sdim data, H0 k1 i8 @& L3 q
) I# ~' ] O9 F5 Q* R
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
: v! z6 \, Z" S7 D
0 @# r% g2 {- W2 W1 R' g9 @& Z6 E3 nif ubound(data)<0 then( e$ s3 q6 q' g+ S
7 a' Z1 |$ O& m% |
sdcms.go "login.asp?act=out"1 N+ S0 K) V' b: ]! l" e0 ^
+ R8 ?" g* Q) n# I0 P8 b- j" ]exit sub! }0 f1 U& m( y, w
) F1 }* E5 l, K7 L+ a0 @3 i
else1 ]0 h( J! s5 A4 } ~ Q- e
9 q4 S2 d- ^% E( e$ s9 dif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then9 \, p% M! E4 H- r* x
3 ~% ]# D; E! L4 b% L4 q6 V' q. Psdcms.go "login.asp?act=out"
- f4 n: i# y. n8 }- s! ]$ \
3 F V2 ?- v4 L Qexit sub$ k0 O, i3 k) I$ _% \$ S
3 G, I' a8 s. {
else
7 E1 z3 e8 Z7 H9 ^: w" w0 _& {
% g# ~0 h/ E+ I e) T9 \adminid=data(0,0)
( C* ]- u# j8 L# B% T & _& A9 r T% G! Q' c
adminname=data(1,0)
" | u; J5 J' \
1 b; Y3 ~0 e' padmin_page_lever=data(5,0)
7 X/ ^) ~: ?) S+ R 1 A9 A3 p* x! Y+ c1 u. F: p
admin_cate_array=data(6,0)
B: t4 g2 [9 x / i1 o( _& `5 g+ C# ?9 \3 z
admin_cate_lever=data(7,0)6 N3 m( Z+ N# f) h% \& J
3 I5 q- R- V, X( xif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 c2 W. z3 I! C9 u6 c
" p, n5 s9 `$ V5 t0 ^if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
3 ^* n2 s/ _; N: \6 \ 5 C) k( x0 u" Q; Q' e2 {
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
) ~. J _; X Z* F) i7 d: H+ ~ . i. `( _* \4 b' d
if clng(admingroupid)<>0 then' y7 ~1 o/ j$ b# k4 Q. J; N) Q
8 ?1 o* k) u. e! b( ^" f9 radmin_lever_where=" and menuid in("&admin_page_lever&")"
3 Q, E" z; g9 B' L2 k; Y * | ~9 p2 y4 l1 F
end if9 B F- [* D: n1 J
- `" I G+ l4 {2 d5 z) J0 O0 A
sdcms.setsession "adminid",adminid8 S5 \$ ?0 o: X9 c6 V
. a4 A. l1 r0 Q% v
sdcms.setsession "adminname",adminname
+ [0 ^: q7 i- k0 ^% a8 X( c Q
2 I8 S5 B/ P/ v# Y2 m3 ]sdcms.setsession "admingroupid",data(4,0)+ G& y$ C& f' K9 f( \
3 }! O9 ~( v5 H& e
end if
. p( T8 ^) N6 o0 i5 m0 @ : G0 t3 N# V: L; i2 f8 e. S4 G
end if
# q) q5 l n& J+ d
5 F# M$ w. b/ L) Q0 |3 v' Uend if
/ A9 ~8 t$ x, x3 n$ l1 j- f9 c
' J; k' i1 \3 C8 Qelse
' C# }8 H6 o/ w' }% ]% o Z
& c! C+ c& D2 P9 C1 X- |2 m6 {) \data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")5 \' a: z* s3 @
7 ~; @8 x# d5 X5 @2 S7 @
if ubound(data)<0 then9 E1 L/ a& C) Q; u% K7 k
4 _9 m \3 t" l7 P0 N9 \6 Wsdcms.go "login.asp?act=out"+ }8 I8 K6 u/ p, s4 y6 B, ]% t$ c% [
6 [2 V* B# A8 Dexit sub
3 s8 L4 b& c! J$ T + G: u: e1 R( o, f/ {( q
else0 @# `/ B8 }7 |7 ^* z
8 s# Z3 S+ N& z! R, ^
admin_page_lever=data(0,0)- x# ?: p1 S% ^4 v2 F$ o
a& z, m; x4 B4 F' G3 S+ X, Jadmin_cate_array=data(1,0)0 f1 M; T% O6 b/ r& R6 h6 B8 r V
! R0 E% i% A, r
admin_cate_lever=data(2,0)
6 F; d p) S" m! H0 V0 N/ F1 Z, @# h& @0 ? 2 u. h2 G/ P) ]
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=01 _6 C( A) ^" D4 L" w
# s7 A/ Z3 O2 U3 D K8 r! ?# f
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
/ }) v3 ^) L/ P( M
2 l4 v! N: v7 q. C2 z* fif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0( m+ v, v3 a4 w- K9 e b
4 i% H( C/ o i: ~% jif clng(admingroupid)<>0 then
0 q6 J: T2 R. _$ s2 E$ [ & B, z9 y D: Q0 v9 G
admin_lever_where=" and menuid in("&admin_page_lever&")"9 S4 V6 ~0 |8 y
1 Y1 D: v8 @+ \+ U* F/ K6 }
end if' c3 @" N, u, H* h7 X7 O- R
P" u& U* ~. m' U5 [5 J7 o+ f
end if; G( s3 W+ d2 P7 l7 Z" @ x
0 y8 b5 l w. ?end if5 W4 u) A- x, S- X0 Q1 J$ m# k
' G: Q% Y8 Z* \end sub2 ^9 D8 Z4 @' z* K( \3 T
漏洞证明:' j! Q- d9 _4 S7 k; l! @ |
看看操作COOKIE的函数8 \& O" X4 w& B
9 M/ H# y6 `% tpublic function loadcookie(t0) Z9 J" p: A7 h8 U+ e
. Y* z8 v) j: O( ?loadcookie=request.cookies(prefix&t0)
' B8 u6 p/ v8 {: ^) h! }) F d 1 q8 ]" G. T: w3 X
end function6 t- s2 p$ U' L: A {4 m4 i
- L$ c; g3 u0 l4 V/ L" V
public sub setcookie(byval t0,byval t1)( E# P. f/ k1 U4 u
5 _. u/ L% d2 Q5 U- g% S( {6 d1 z
response.cookies(prefix&t0)=t1& N/ W* S: S+ c( A$ i& Z
7 y5 i j5 s5 K
end sub
5 f1 E3 C1 f! |. |$ s7 _5 Z, Y9 Q & O1 t0 Y: B& l5 x& E/ H, B
prefix
- F( E/ ], j! f9 c $ y+ Z* Z% M+ z$ t3 j1 ^, l
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值3 Q0 u1 Y( [! P* O3 x# }
, W0 ]6 _1 e5 `) A; i: Jdim prefix
! c. c& Y m% s: J6 V9 i
8 F- ]) S$ T) y# x4 U' A- `prefix="1Jb8Ob"
5 O: e; r! c3 }. S4 Z& G ! [$ E% U# T* f
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 0 Q- h. H/ h! N5 V' N( `0 S- W" E# Y
6 F+ Y1 B0 Q- U2 D; g8 A/ Q3 X8 qsub out
0 `! ]0 X* c/ r' k- F/ G
% U/ u! [; r! I/ t2 m% j# ^sdcms.setsession "adminid",""
$ x' B2 j6 T8 E: C2 ]
" E6 f. K7 M8 hsdcms.setsession "adminname",""$ ^7 l/ p E4 Q' a6 y$ d( A
" i. A/ p# d/ u$ e0 m( x8 A: S
sdcms.setsession "admingroupid",""( I6 H1 F: Q& c/ w
! T& Q) x6 p' B2 p1 A8 E
sdcms.setcookie "adminid",""0 R- U m2 s5 p7 ^) g
5 ]0 @: g: O+ [8 ^( c
sdcms.setcookie "loginkey",""+ x# r! ~' Z! E! \% f
, X' p. a7 R% S
sdcms.setcookie "islogin",""/ I6 E6 ~" Z2 k+ d$ c
+ o T2 r/ f) q4 L( C. n4 g
sdcms.go "login.asp"6 S8 `& l9 `; ^+ l
5 @9 k8 L+ s! o3 fend sub7 ~& _. m- y" u* o: k c( Q* P
* ^+ p3 z! X+ O; F( w
2 k5 W v9 b0 `) e# l利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
, N6 H# ]0 a$ j$ Q- w/ @% y修复方案:' }: t+ O) p: q; f2 F- N4 }
修改函数!* F9 H. }' ^8 k2 i4 {* O, F9 q! a
|
发表于 2013-7-26 12:42:43
收藏
支持
反对