要描述:5 i1 |* W1 m$ t- s( o) B% o' n
2 i6 ?- Y) ]. B# l s$ {SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试' z+ m w" o/ f2 D3 i1 ^4 v
详细说明:
; I6 L* n( f8 V! wIslogin //判断登录的方法# h& V1 b2 Y @% C/ V
9 k& }+ Q- M9 ^) w9 {3 z: K9 u
sub islogin()
" D+ A. A9 \( F5 O) v( b. T ) I6 X. H M3 Z! Y8 z% h
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then . M# G P- B0 g7 ]" Y
4 ]& y9 }" [: ]- N: t$ d
dim t0,t1,t2
( o: I( d: r Z8 Q$ y" A7 K( U ' R; M+ L i; f: w& \
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
2 `3 @, k* }8 a# e' l
: c& N) |! U* L6 D, xt1=sdcms.loadcookie("islogin")5 R2 ^: F! |, f$ u2 F
+ }+ m. Y: B! ~$ @( J: |
t2=sdcms.loadcookie("loginkey")
- B7 M8 l3 o a3 k5 e
" R1 l6 E$ A8 h: p7 |if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行3 |1 ]6 l& a7 o) R% q
! a: W+ a2 c( G' P( Z6 J//! K7 t/ c" a3 g0 c% L3 X
# y- I7 N( N8 t7 U6 G2 G1 f
sdcms.go "login.asp?act=out"
, W8 \. T% K/ k. u" Q ' a7 X; `" g* X) O& C
exit sub5 }# y/ i) P% \! ~! O
5 `; o7 P+ F+ F1 ^9 Y4 c
else
9 {6 S3 A0 [# ?$ A* m# [
+ x; m6 @$ D/ J0 H- g" C5 ?dim data
- D1 y" S7 Q* r' |: h/ e* q% n# ` 6 [$ Y2 \. x- a0 b; ]8 s$ W
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控/ j1 X$ L \1 d7 p9 d, a
5 b, w! ^( y+ q4 k) Q" B
if ubound(data)<0 then9 W& t6 e$ c+ C
% ~1 l2 V" z) G, N: N! J7 N/ s
sdcms.go "login.asp?act=out"* ^$ `. F" R$ D. r" t* o. W
9 T5 {$ Q v1 F+ q( Z; ]exit sub
! T$ t! c- S9 t l$ D. [4 d% o
Y* F0 a9 H- {0 B0 U3 lelse& s) y1 C, g* `0 n! \, F8 l, m
8 b( @( x( i$ ^* n: ~0 jif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then9 Z6 g9 T: M9 H8 K+ C
v4 Y! T! a: m- _sdcms.go "login.asp?act=out"
! F- F }$ q) |" l& Q l$ b7 d, D0 T% i7 R2 d
exit sub
3 \+ ] O$ y" h4 l, _
3 z* m" t0 K K0 b+ E8 D: c( \; |; }else
1 B4 R+ O! I& A0 f2 t
- `- V) p3 B: Kadminid=data(0,0)% C' e( m( U+ f% X* U
4 ~' D% a8 W# |6 e3 j
adminname=data(1,0)- Y1 u* r1 t- ~, [: _
; m& u5 y" J6 O% z6 H2 g: m+ Sadmin_page_lever=data(5,0)# V! w9 @' A$ N- r0 F
( o8 X. A4 l, r: {2 j
admin_cate_array=data(6,0)8 }3 }/ W' R' W( L
, ]' p6 \$ e" k a T2 z& dadmin_cate_lever=data(7,0) z* @( \ J' C0 c( X
R; [ m6 g; @8 X5 zif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
! a- z% Y/ |; b/ t
6 [- P; k, N3 T: ^, }if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
' Y ~/ k- O; {7 I5 G , {9 i; v7 ]$ l3 |
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0. @, f; |& D4 J7 s. ^
8 f: |" V$ J1 \% P$ C
if clng(admingroupid)<>0 then
. i% o9 K$ v. K) ?# w2 \
8 o% k% n: ?6 u+ Oadmin_lever_where=" and menuid in("&admin_page_lever&")"
7 `4 _5 ?, w* K5 {
& {9 m" O8 V4 rend if, j3 S0 b0 C* _
, Z+ u4 e4 M8 l; }; csdcms.setsession "adminid",adminid
$ Z k$ B6 v: u- T! ^! b" a
5 Z2 {& c; M& ?5 ?* O# X5 ~sdcms.setsession "adminname",adminname& u: S5 j+ C! |* v- Z+ D
4 k4 D2 o0 O! ?" s7 j$ l: R& Q
sdcms.setsession "admingroupid",data(4,0)
( n9 S7 }" @+ Y4 ]: \& {8 t+ E
* x$ r' O) W4 R. ]" b* k& w |end if
5 ~( x; E( R) ?. m3 J3 X * d$ V: U! t7 `+ ~' D3 H
end if
& g$ X/ J9 j! B# `4 r' ^
( b8 l/ \! P- D$ L8 b: }5 aend if
9 b8 Q$ J/ O! c. I. @
3 p5 P1 F% l/ r \. B4 g3 P g, E2 L( Yelse& m9 H, E$ B' F. F
) d9 z9 O: J8 p, O% f: `6 Hdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")0 y; c: O1 O' S2 u" `( p9 l
5 ?( E1 r% o" u( V% v+ J; m
if ubound(data)<0 then5 k0 n! f+ C) d8 J$ j$ u9 d7 A3 s
, O5 x3 G8 w+ W& F4 D* `3 V
sdcms.go "login.asp?act=out". Y. S; \- j7 M2 D
+ C Y; c- n0 H2 M7 s/ Z
exit sub
% L# r* c" ^6 y* U$ m6 O
k/ q6 E) Z: e$ o2 D7 \else1 O" `+ a7 }/ h& g# t8 v7 c
) z3 T+ x/ s& G Yadmin_page_lever=data(0,0)
+ W& g5 {/ w% \* V( Y
, F3 ]; p* s1 S6 N$ Gadmin_cate_array=data(1,0)' T' J4 r8 ^7 t+ ^8 ^% g7 y
! f: u& k {8 C2 d. c9 `4 m3 J/ d
admin_cate_lever=data(2,0) x" m% a$ @) e. }% T
3 Q( ?4 V0 M/ g# J% d3 e9 T% B2 eif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
3 g! F. `' _! ~# }% g k
3 A4 _2 @# M: p- @if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
7 x3 P# `# W* O
. u5 O0 l }+ a' T' Q9 T' P/ B, bif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=02 c8 g4 r! t0 q4 y
. P( j4 J2 Z4 U" D
if clng(admingroupid)<>0 then
3 S# l. q% D) e 1 }7 W* a, N8 N7 b6 e( Z
admin_lever_where=" and menuid in("&admin_page_lever&")"
" K8 p# {% B3 x Y % f4 ~# e9 B8 Z" d3 Q- Q
end if
9 G* k1 h) J; T) j7 U 0 |6 s3 F0 Y r* ?7 z
end if$ ~3 H3 t2 m! t6 m- u5 [7 q! X
1 T) T m7 E, v8 {3 Fend if
$ f5 v) |1 N. W( q" _* K( ?
+ M% j+ ^% }# D% O* | G r' oend sub
% Q9 z- V; n6 `8 \: [漏洞证明:$ f* V0 O, J) r3 O5 d* a
看看操作COOKIE的函数- X8 {4 k. J9 r; w5 O$ _7 a
3 V9 y8 l$ K: g$ c4 m {6 v' [
public function loadcookie(t0)
: l E+ o! l* s6 g3 r) d0 r W % ~. J; f, L2 N; V9 }
loadcookie=request.cookies(prefix&t0)+ u- k2 u$ |3 Q3 r" N; ~2 g! o. r
! t; ~/ q s$ i' q1 [9 } `
end function
! @/ T) B) [- n* o4 i* E7 t3 j 3 F% x' i9 C5 @2 { F
public sub setcookie(byval t0,byval t1)/ _' j4 a, [) ^9 _# l% i: t9 b
) H, ]. H+ v- Q; Qresponse.cookies(prefix&t0)=t1
2 l2 [; N2 C( E0 i. \5 N" B j
* N3 b6 w: e- g% Q) T. j9 ?! [, zend sub
" T/ n7 [! s. q 4 ]7 R( V9 v5 |. F! O: ]
prefix
- `) T% y+ r+ q% y
. r/ o% ?# I/ W'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
e3 x5 V% I& t/ Y
# x& f3 L3 \9 P2 ]& m9 zdim prefix
" m) p- R, V% `- r5 C ]1 L4 S+ x. ?0 D
prefix="1Jb8Ob"
! _+ |4 Y3 k% v: I5 B( |* A: E) |& \ / m+ F& @: E, x0 y' E
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
5 u1 Q7 b3 V1 p
8 f+ l7 t9 x$ s3 Jsub out2 g3 ^7 M! N9 `; v+ m$ w
5 d( [" T0 W( T6 Z0 h. Osdcms.setsession "adminid",""
( H9 _; S, G4 O; J) p
, x6 ^7 Q- _) Z/ |sdcms.setsession "adminname",""% [# ?4 {9 C7 X. K3 i3 ^' e- b `
) k, u) S: r o+ p D9 lsdcms.setsession "admingroupid",""
: l) l# f: y% \7 p" q " N/ F. Q2 c5 p7 z( \- o
sdcms.setcookie "adminid",""3 P, d5 Y; ~, ~ |. _( X+ \6 o/ n9 Y
( V0 E7 I) ~2 M) h( qsdcms.setcookie "loginkey",""
; V2 _/ W& g4 j8 f6 r* ` ( N7 c$ Z9 }9 X- M6 p0 W7 }8 x
sdcms.setcookie "islogin",""- E# `+ J( l, {, |- v) A! |! I3 Z
+ f8 z3 C8 \' `* g# Msdcms.go "login.asp"
' v: Q5 i: |4 G7 {, c$ } % g0 G' q: Z1 K [7 t3 s: t
end sub: @6 B1 D+ ^9 t
7 J. \# y- M0 y1 A3 f$ c
; Z8 r; ]% }0 P( t% e& f. o5 c. S利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
0 A" u; J6 f1 `$ c4 n% O# ?修复方案:
B% x+ O( `- Z5 @修改函数!5 H! F) y6 f4 ]& E
|
发表于 2013-7-26 12:42:43
收藏
支持
反对