要描述:& {. B6 @ T {* p
0 `" x. n: `! U+ {- K, jSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试9 h" U% V) K x
详细说明:7 w+ N- y- R7 b- M8 @, Z3 v
Islogin //判断登录的方法8 I+ @, X k X: I% i F4 d
) E" ]7 L' p3 h9 h. w. p
sub islogin()3 n* l9 C) f2 c7 Y. m& l5 u
3 O- Y' |2 V5 u& u# `. Aif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
4 t7 i* c4 ~( |& U2 ~5 v 9 e% j: ^- e: D, \' Q" a3 f! ?3 T
dim t0,t1,t2
9 `: Q1 l5 \9 D4 Y# X! ~
6 W0 o6 r' ]% g1 a, ft0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
9 [7 T$ d- w+ B8 `5 Y. | " d" S+ u# f6 g' E, G! F1 m
t1=sdcms.loadcookie("islogin")1 T' T: @- p4 j. ]: T& Q
' f1 P' Y! h% Y- _' s$ x
t2=sdcms.loadcookie("loginkey")0 O3 a9 p2 v$ I5 W
8 b6 H, S7 F- S1 r! X
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行; g5 b$ e9 c8 A- ?6 F0 p- j+ h" q
1 d; A; Q6 R( x9 W' L) }. n//, p1 Q# e5 C3 e: i8 y9 g% O) t& b
6 `7 K% @, G3 {. Gsdcms.go "login.asp?act=out"
1 S: o- Y1 j" q8 c8 h! }" F * G+ B8 g( z5 G+ V; ?5 ]) G
exit sub. Z) v2 k* \$ ]* q
; E! i; z" ?( _$ E
else0 U5 U+ N7 C! C* S: p' N. ?
8 K+ s; \% }& a
dim data
. X" p2 Y; ^& S' m8 k
d- w, V2 P g) x( T; W% Zdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
, Y/ z, B/ X. f8 u 7 V$ h, H9 t$ z, Y) f# D8 `. m
if ubound(data)<0 then8 x7 p8 \7 K0 i! T! P% Z
/ P8 ?8 `+ @. B, b. I6 U
sdcms.go "login.asp?act=out"6 @4 [( r; |0 W0 [4 L9 T7 e
, f @9 ~5 Z/ z4 T- g! F
exit sub
+ X) Z: Y* o" m' W1 F6 U$ @
# `- y* t' Z# ^9 T6 Xelse
! S, L( w3 p3 o0 V2 x9 {! ~ , p) p I) C# f: w% @
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then% [- o6 \5 ^6 `0 ~" S
$ N" |5 c0 H( dsdcms.go "login.asp?act=out"
V* J) C3 ]) a* s
5 W6 o# x5 p) G. cexit sub5 r |1 s' d# X7 r3 E
* N0 q% k4 C! E; A, m, ^2 D x) |' Q
else0 M3 @! ^9 D R& u! G* @2 V& @
) c0 Z; y& R" d- H0 Q7 e% R8 r
adminid=data(0,0)$ u2 X/ b* X( E- G! t5 m; O, ]9 a
4 k m2 w5 V& _/ ^. C" q# q* e
adminname=data(1,0)
* \. x9 p+ v- ], @
3 K p* o! A$ s% r- }! J: A) Y6 cadmin_page_lever=data(5,0): ?; {6 D. h# g7 f' C
# M8 F2 V7 h3 j9 l6 g& I; W( padmin_cate_array=data(6,0)6 p4 d) ]% \3 ?. A3 |9 q
. V" e9 x8 g( ]' l- F/ n4 o
admin_cate_lever=data(7,0)5 A$ h7 l6 I6 b6 ~ r" P
4 L* z3 A2 o9 Oif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
3 U( p3 X7 \9 I3 Z& o
& F/ ?3 R6 J, i9 D5 Uif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
5 ]1 r3 E2 X! E- s0 A8 \
# u6 y& ]* O3 ? u; C3 F# u6 jif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
' U) c: {: e A5 e# j
. S% O9 I4 x7 ?! ~' Z6 nif clng(admingroupid)<>0 then, B" X0 B& j4 X1 T
/ i" x: K( w- B6 G3 u" Oadmin_lever_where=" and menuid in("&admin_page_lever&")"
8 P! M8 p; c$ ^/ a6 i' Y
/ M3 Y* [1 r0 `7 Rend if
, F* @- l/ L K7 Z- i" O9 Y6 q2 f, `0 V # h: \( v4 w5 ^+ z# N# O, }0 K
sdcms.setsession "adminid",adminid2 R+ P0 @* X- t, f
5 R0 O' [6 Q+ s" Nsdcms.setsession "adminname",adminname: O# C+ {6 `1 O" a; j( r# t
) ~2 i8 y& w: ^2 N# Z
sdcms.setsession "admingroupid",data(4,0); U- U0 c3 P* n$ |" J0 b$ k. R+ v1 M
: _% r6 ]8 M4 l0 u* m& S
end if
* |! U( f0 X$ M, ]
- r0 I4 V7 f" e, Wend if
Z& p! b8 v# x; H! u- F' T- [! k
( n- L0 |8 [: c- R( _& u2 Send if
+ ~ Q" m9 G' V" m) e
4 R1 C [1 T: l5 L; \else
' D0 @- t. n# }6 u1 M( o9 P5 A t
( \+ j8 d: q6 z0 ^" Vdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")( t3 ]- i; L) X) m* A
. \! U" t: Q% ?7 b" Y" h3 L* I2 \if ubound(data)<0 then
4 [ l( t1 F$ d1 P5 D: t
# b; e6 C3 e- g6 w4 L0 G6 wsdcms.go "login.asp?act=out"
* t8 h2 l, m% o' M" B: i$ R- i' J $ W- G$ R1 ]9 s
exit sub4 _, O, w2 m0 d! P* d
- x9 C" O! M$ ^. ^4 i8 n" u
else: v- G: K8 }6 R) D. b. G+ S$ c6 h S
( E" L5 Q+ C' L, Y X
admin_page_lever=data(0,0)
; e! G; w7 x) c* @
9 O. I2 z( @' }! r+ c2 l7 s k# s5 ]admin_cate_array=data(1,0)8 b0 K/ @6 j3 {
6 j5 m7 K% L8 F) o+ wadmin_cate_lever=data(2,0)
1 s2 R$ |, U( f$ H9 O) O + S/ _) _# Y$ L0 j
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
5 z6 j) a+ t: V5 }/ j, X
9 L- }, ?# K, g" G1 iif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=02 U& t) ~ k( |6 Q; s/ ?
: p: Z; P y, V5 ~+ O/ q, l
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0) m2 b& A) n: h$ u5 M0 f# S
, [/ f: k& X6 \1 M/ c
if clng(admingroupid)<>0 then" @6 E2 H1 ^* \: Y: S: E3 j% M% l
2 R% {% Q. n6 u8 `$ V8 z% m
admin_lever_where=" and menuid in("&admin_page_lever&")"
X6 o( _* G& B7 v" b( O9 P! B
1 W. o6 u$ ^7 T z4 hend if
. h+ |: ]& K5 m. J
: F: {8 r2 p( x3 J% t) qend if
% y% x9 e5 F5 ~! }9 J! \
4 l8 J+ B. W5 i5 f; bend if; t) g4 Q+ U, c2 ?5 D
6 V: x6 B6 e0 T* x1 r9 J
end sub
6 V& f9 m( {! v# ~漏洞证明:+ k& Y) j* T4 [2 }9 [
看看操作COOKIE的函数3 U9 `$ D2 k5 g" X2 N& O/ _7 J8 U# C
: e0 l b' Y) j1 k( {& Upublic function loadcookie(t0)) D( e7 b1 W5 z1 r; K
8 i8 F& z+ y2 v0 ^3 I& J3 G
loadcookie=request.cookies(prefix&t0)8 s: H% P* f0 o* r5 E8 s$ _5 s x
7 e& s% T! s8 D8 {- C) P, `: ?end function: q$ C d) ]5 ~+ _* e
: s- N7 g% i( X* @public sub setcookie(byval t0,byval t1)
& [ n2 v% {) n7 M( i! Q . @, |6 @2 P: R/ A" `2 h% Q
response.cookies(prefix&t0)=t1, y6 v \5 v. m
7 i& V1 A- D. U( }$ f4 R/ _end sub
8 M& U& f* u1 D; G: q) r " E v* J( H2 f& X d4 r4 ~
prefix
+ u! c0 {! `3 p, d5 } $ G7 X# Q/ Y4 O# e( V
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
# H! I( d$ \9 D5 b+ L $ S& ]# d7 c/ N1 R, k, b
dim prefix
* W% u+ W' e# o$ y6 p$ E ( {; Z; I9 X7 b4 _
prefix="1Jb8Ob"
J" l9 X& i+ D7 t# ` 7 r+ _' w/ }0 z' [
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 . F+ v: Q+ g3 v0 E% {
" c" c1 g* ~2 {. x
sub out
0 n$ w6 E' [, b - k! Z$ d3 g& k2 k1 B8 S7 n7 G( H
sdcms.setsession "adminid",""
4 ~' b R8 m$ N6 d, v0 ] 5 B8 ]+ |% c9 Q6 e, w
sdcms.setsession "adminname",""
, W8 R s. d$ A: {% x , _4 m3 M( U7 `5 S( g0 E
sdcms.setsession "admingroupid",""2 s; z$ C; B" I$ C- l6 `! Q8 R- y
) \* ]( @4 ?4 S7 osdcms.setcookie "adminid",""9 T( k+ j% w9 B: r9 A- i
9 ^% c) n4 F; K- `6 l
sdcms.setcookie "loginkey",""2 }; B; O, s6 E x
$ C& X% b; d4 w# x, ~) ~& `- gsdcms.setcookie "islogin",""9 d. l4 C& ^( Y- J' Y4 i
. l9 i. V' Z( I# usdcms.go "login.asp"- f" I( g! Q5 m& V* ` @2 z
D: E. r M3 b/ C+ g: S
end sub
( V( t2 n+ l. T+ j. a6 \& @+ D/ |6 x ; o8 a/ A% c3 u
6 W" W u( f9 U( N) n2 `利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!8 E4 Q6 l1 u& e, x5 J/ }4 R+ ?2 q1 j
修复方案:) F6 B8 j8 i4 b4 J# I3 [
修改函数!+ I) F2 s. ]$ @! n
|
发表于 2013-7-26 12:42:43
收藏
支持
反对