要描述:
3 L7 B9 H5 ~! v2 T. @ Z0 i9 z- |* j7 Y3 Y. p. f: _8 P
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试# H. D0 G3 U, c' L0 P3 Z& }
详细说明:1 ~" l! n$ d9 c; Y
Islogin //判断登录的方法, J5 a& N8 _& R. E W
7 V, M# w- O4 G _( ^1 U
sub islogin()
7 U+ S& ?' q+ W% l5 ~
% d; V$ |; P8 t% [2 C/ rif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
X. A- s, L3 `: n8 f N
8 |* E0 _7 @/ u* ^) h: d0 Hdim t0,t1,t2 4 [3 g, ?8 x+ ]' a- r- U, @
* q3 I. ? o! w; Nt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
7 `2 t6 `3 J+ G8 N
% T. Y2 B, l X* ^. v# z! s3 S: ?t1=sdcms.loadcookie("islogin")) n3 q' P, n9 U2 }
- W$ W- w* S: l+ K/ [t2=sdcms.loadcookie("loginkey")3 a. H' r" ?7 i9 d( f# [
# z5 w$ x, P0 ^) \ t* _
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行$ M3 J) f5 T @! U
( o$ Q1 O, W+ z7 R//+ t4 g/ A, R! x& o# M1 R4 U
- r* ]7 h8 e7 x% |
sdcms.go "login.asp?act=out"
0 }& M, t) `4 F5 i+ u6 g
! A3 P1 v1 o3 ] F# a9 C8 y; k4 wexit sub
; A0 }* K( N" h/ j M* H " ]% q* R8 ]2 L/ a3 o/ _
else8 B5 W4 V0 V* g& s% Q; v
0 Z4 e/ q5 ^% Q2 h- q) Z
dim data; _0 A% H! @3 Q( I; {
! ?* E2 q; |, Mdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
% v9 T8 H5 c1 I Y0 J; Z 9 g3 M% N/ Q% b4 ?
if ubound(data)<0 then, } l6 a& v$ I+ p
v: y5 j( @0 T2 V2 N# Y5 ~sdcms.go "login.asp?act=out"
1 k4 R' O, J2 f S1 e2 n- i
3 N; d/ Q7 m% r) @. k: |0 iexit sub
' S" k( b5 Z1 G2 q2 o5 C # l# P; L9 O$ K
else/ N" K {+ f+ u
4 n: S, \# }1 n+ c" P
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
) e, J2 a" Q, `& U2 S& g/ f
& [( b2 v1 I5 W& Z9 z# ?( u6 Rsdcms.go "login.asp?act=out"
& Q2 l, e/ l2 G% l: b ]. l/ Y$ ~8 C & {( s' c+ [3 @0 ?% G8 Q9 i1 o4 o2 c
exit sub
! l7 x S6 R! }: J- L
' V& M R* E D" b& m& ?$ x" celse: ~. X$ M. W4 d4 c4 d" r
9 p5 \7 }9 d7 L s" j
adminid=data(0,0)5 Z" w6 E2 Z; p6 [: j
" J% G* f) e) j
adminname=data(1,0)
8 d8 a! ~6 n( \) V. u5 a$ S 6 [. M3 n* Y G- K+ t! g( ?
admin_page_lever=data(5,0)
1 s H* p+ T' N9 P: V
- c' W' e/ D; J* C% U3 {" D9 kadmin_cate_array=data(6,0)$ B# E* y0 p5 u/ r6 Z
- K" j$ Z Q) C4 W% x9 E
admin_cate_lever=data(7,0)8 `, T) k) X8 k8 Y! K, ~
8 C* M7 z# f8 s7 l9 r, _8 y, }
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
3 \+ Q1 I& f& P* `) I% Z+ }, B" y# w* s
# ?' n* z$ u/ E+ k: {- ]if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
& T4 k6 J" E3 ^4 Y$ Z& n+ ~ + m3 z) y) _9 i8 K; p; l! X0 i. D$ k
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- L8 S+ V) \6 N) D 8 l3 c$ [ l0 q% U4 D
if clng(admingroupid)<>0 then
- u' j- N2 X5 E& \3 ]" n& D
$ z# X& \2 F3 Tadmin_lever_where=" and menuid in("&admin_page_lever&")"
1 @) Z: Y- D* q* P$ \' q - J) C' ]* z' O, {
end if
: V; K/ [" D* V% f0 {4 O8 y7 [ 2 {* o: v7 d5 } f0 n/ J9 z& E* D2 u
sdcms.setsession "adminid",adminid. z# l6 ^/ G# [
" W" W% p" W( g; w6 e6 bsdcms.setsession "adminname",adminname0 p8 ?, T! I: [/ Q+ Y
^2 F9 l3 a9 rsdcms.setsession "admingroupid",data(4,0): L- r5 l* a ~/ r) a5 m
) x; d7 V) L+ s; @# M9 ]
end if" }% u$ z, ^% b! I2 i- r
( U& Q6 p/ v/ ~- Rend if
" @/ z- a9 d& k1 k- \0 V- T$ m
) d+ E8 n6 _) E- h- vend if( Y: X/ Q. c, q/ v9 e- e: @
f& o5 o+ \# F0 celse# d2 F( h( c( `' ~7 j! y
. P4 o' I" m8 N! i" R$ \
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")+ E7 F5 e u+ {7 v/ V3 T
5 e, R5 p6 o5 J
if ubound(data)<0 then
( n. e! H* ^7 Q; U" w( Z& T4 a ) J7 P1 Z. ^" o2 y) ?% u: F' c
sdcms.go "login.asp?act=out"
+ e8 r! @/ e- B6 }1 `+ A
# W3 v5 `7 {; U+ m, j/ t0 hexit sub* m! R) B3 B+ }2 M5 Y
5 [- A8 u6 r/ ~! @$ P! gelse
: c' c" x" _, _" `9 b: i7 z
- i% ?# j/ M7 ~6 n& K# Z' Q+ madmin_page_lever=data(0,0), }1 A! p" | r/ E/ [8 R
( Z* ^; E7 J2 z) l/ b1 o
admin_cate_array=data(1,0)
1 f, e7 w" o7 O) I# m
) `9 L0 n( C, x/ _% A- Tadmin_cate_lever=data(2,0)- \0 G9 S6 s j9 f
) \( D7 i$ [# s1 a; I) E2 F) n$ Jif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0! F; P( ]1 x+ d" |
3 B8 K; r v/ w. S; I. D' Y
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
9 g6 ]8 G j+ c " L" s9 F( }. `/ k9 r$ l7 x
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
6 }5 l2 O |2 x% V: ~9 x* X0 t
7 R" ]0 H- c5 P- H: uif clng(admingroupid)<>0 then
4 z @ a% f3 V, E' M0 _
- l0 c$ C) U1 j+ [9 eadmin_lever_where=" and menuid in("&admin_page_lever&")"
0 e' ?4 ]( I- m+ {3 F
L% x# i! ^4 ^. b4 nend if
3 @9 C( l% ^& S& x5 @ 3 @9 ^# B3 p2 a% f. L; A% G8 b
end if
! P; r7 @5 }; G$ f* ?
{; r; D# @& u K% oend if7 j4 ^9 c$ a. V4 Y- k
, ]# s3 F2 H* r2 @3 ?
end sub2 z7 X5 P7 x9 ^+ V
漏洞证明:
3 R5 v7 F) a* q6 ^! h看看操作COOKIE的函数
6 J/ [* J" v; u+ g( _+ K
5 u) v' m4 k% W4 G( s" F( jpublic function loadcookie(t0)' A7 n* Q$ r4 W; n z
6 A" S: [! Z4 S4 a `) T9 nloadcookie=request.cookies(prefix&t0)
2 W2 i3 f% y3 W* Q 3 g8 P! J% T6 {3 v9 E; ]
end function4 z* ]1 F- V3 T# ]+ |
# L# V& z) x$ s' Tpublic sub setcookie(byval t0,byval t1)
( |# z& l% d& ]# ^. w& x# ? " a2 @! g1 f1 y- K$ ]% Q
response.cookies(prefix&t0)=t18 s$ ]1 O# o6 h5 o) }9 q, J7 }- n
2 i% ]) j Y+ G/ [( G0 g5 H8 D# g
end sub; b% g: ^5 F. `( S( k0 M( b7 B6 x
9 ^# ^+ b( w# n1 C1 Yprefix9 c- \* p) f' l# ^
# v) v& v- i; r7 z. `3 B
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值" {/ }. u% p# h' A' ?: l7 N, N
0 r( L O. B6 r2 l1 b2 p# c) M5 Idim prefix
z8 W1 D' m! H \1 b/ A & K0 a( [9 C: r) [3 e1 ~5 F
prefix="1Jb8Ob"/ u, ~4 Z2 _1 i" L, |* o! ?: o8 C! S
2 q( Z: f, W- S% a9 U9 j+ `* [5 M
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
3 B Q4 w9 m! b3 V P+ Y1 }
; M1 J8 y) T! S s, Asub out
" c& I& V0 S7 w' g! n ) y2 Q1 I" e( g" y3 A% T C* g9 ~4 w
sdcms.setsession "adminid",""
7 e) h9 i: C7 U& r# m2 z7 k! ^# Z3 c
) ~& W. V( \5 A( V3 x8 Qsdcms.setsession "adminname",""9 s1 ?' J# r! `" J, R0 @5 B
: T; B8 k" P. O# B3 Isdcms.setsession "admingroupid",""
* c5 h) u) _; E$ r ; c/ k3 H! L* k+ r2 H' r7 K c
sdcms.setcookie "adminid",""
4 `( \, g% a1 i& K1 S
2 N. c E) U; O2 C# n I% p* Msdcms.setcookie "loginkey",""8 A- q. B% y3 F
, Z3 u) S P% L' G# m1 |
sdcms.setcookie "islogin",""
. h p; N7 @7 M/ [ x* r
1 l1 |# L9 d7 c: wsdcms.go "login.asp"
$ x& ?4 v2 [. k& O1 u+ V2 x& q 6 U5 c; C" e: W/ K% ]! p1 E8 G" G
end sub% f5 e) y+ [$ V6 y
1 `6 d9 {$ X% f1 K7 X( w! K8 Y' ^: g
; ]+ J, v2 i1 ~+ Y$ p2 {1 ^7 I利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!1 k% a+ d1 ~- [. v0 Q1 d3 u
修复方案:( J- q7 {; X6 |2 m* P: \
修改函数!) S9 I! c7 |4 {
|
发表于 2013-7-26 12:42:43
收藏
支持
反对