要描述:2 m/ K% \! v L+ U
' V$ k8 @. y' @: z/ V5 V0 H
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试* S- y& S' C$ p6 w U& Q
详细说明:8 c3 d4 @ Q7 l5 O- U& ]) b
Islogin //判断登录的方法9 C; W$ X2 H) o! ~
5 y x- M: R/ O( j) e0 H7 `9 G/ E
sub islogin()
& `6 W& V M: x* s$ g% q : a) k9 l& i0 T8 k4 s' m
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then `# E7 D0 ^( c6 F/ b! \
1 z5 x( F2 }; pdim t0,t1,t2 5 K) o! A' \* D
1 ?# d/ k) c) B' P, b5 f- i
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
9 P' x8 N2 x/ a! t* I$ _% x9 W 4 q# S9 F1 b$ c
t1=sdcms.loadcookie("islogin"); Z; n X/ R$ k: X' t$ w) j% ?
. ]3 z1 U" i2 p3 S" \ t8 b
t2=sdcms.loadcookie("loginkey")
9 `6 G& K6 ?9 S% ], j" g
2 Q$ H' A1 `( r r% ?$ b- rif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行* w. x" a1 U! c& z* p9 |4 }) T
4 H) B! k. r: h' W//0 j# e. l9 ?1 _' p7 A4 T7 u% E$ N/ L
7 z" t3 I' y/ g, Z0 N+ R0 xsdcms.go "login.asp?act=out"
( |" \( W6 ?5 z. a/ q- m" _- X
, g" D2 ^! H" K! C( T5 ^exit sub k/ K! C8 v2 @1 D& z# l
5 |7 j+ n4 s, F- N" i9 c' K$ S
else
7 ?' _! j9 \; @6 J& v5 m3 k; y % e n( h# q/ ^ W. j% n
dim data I# J- U3 {, B
# P* q0 E: l/ n# A1 @ c. c
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控5 D6 }( B( t1 }5 C7 v
0 g7 n Y& f& `% B" Q
if ubound(data)<0 then
) ^9 E) d5 ~# D ! Y! n! E1 k1 M: E
sdcms.go "login.asp?act=out"
/ |7 L8 f9 d* i- l, u' |+ q: G6 {
# G* Y4 E5 q, h4 L4 qexit sub
! C( t( x- T3 g: P# R3 _ : J( r% G5 R, f
else
$ \" k, N1 `0 V% Y
4 R8 q4 X Y, C( ^! T+ Fif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then7 }6 P1 z, w4 k
* R. o- r' V( k/ g; s% s9 Usdcms.go "login.asp?act=out"
I, A& a# P. _) ]1 p! p + |$ j4 o% P/ \% P' {. {+ A
exit sub8 B% o$ U- b0 F% |3 ^1 o* y
7 i! m( K! v' J! q8 ~ k: aelse
B% {( f$ B4 p8 `
% n% }+ ^% [" a4 |6 V( I" [adminid=data(0,0) y! ^4 `% h- W0 s4 ~
* b4 k8 w+ [* padminname=data(1,0), d' I8 l" @5 I8 S6 o' g' ~: D$ V
' h3 l! ?+ @) C: f9 c Radmin_page_lever=data(5,0)
, C- _5 a& k+ l% [4 G3 E- D ; d# B# N: I! V9 \, ~, T
admin_cate_array=data(6,0)
8 { k. o0 \/ }7 z( ]4 Y: ~5 s
6 D4 i( O: a" B9 oadmin_cate_lever=data(7,0)' m7 r- [4 D; W+ A
- j5 y/ }' G* _# oif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0. w" r' U8 h- W) J
1 R2 ^; h: f! Z( _6 iif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0' x4 E8 s% {# `! O
7 R: ]6 i6 T! e3 ]7 H+ l/ pif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
$ J5 k/ J% n: N: y2 A( c$ d0 B) x 8 r: U7 t& E9 P9 O5 X% R6 U
if clng(admingroupid)<>0 then
" L e$ {3 p" q: J# g$ M( z+ Z
0 |& z0 ?: p' K6 x% E4 I# Cadmin_lever_where=" and menuid in("&admin_page_lever&")"7 f J" u' g" F$ G
" {( c+ q4 F) ]
end if, M: _1 w+ P9 ? b
: l" |: n( F% g
sdcms.setsession "adminid",adminid
5 q1 W" G$ c/ b& k
5 o7 p' V+ W; v4 g$ s$ d' M4 Csdcms.setsession "adminname",adminname) E9 v1 g$ p& A/ u
, D- |5 M* v$ U. x. b6 Y+ C
sdcms.setsession "admingroupid",data(4,0). z( `( Y6 ~* l! n" ]0 B" y
. M' A3 f4 V- | s6 d* Hend if' o, q" F5 L; g
: j) ~2 E7 f% Z& L* ?! I' Xend if
( K$ N# \" M9 ^3 |* d' a: F& N
" U) T6 i$ f) L2 F6 m* S g, s7 e/ oend if
3 D4 m# T; X& ]' B, H& v ~3 A! a
; o+ J3 r$ C/ T8 q- |% a- qelse) R; J' l& W9 f1 c2 t4 J& r7 \/ ~
0 I: s. q0 {& ~/ q
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"",""). \0 |. P8 B, O% V9 Y( D0 O
' S a' E4 _6 r2 a* m' a: S( |
if ubound(data)<0 then
8 e& Q- W+ ]4 |5 J- d v8 s 5 S# s: T# z0 E R
sdcms.go "login.asp?act=out"
- N% n& u: M& p; a. \
3 j2 \2 P! Q8 X( w$ ?exit sub5 Y, z- K, C- o8 u$ ~3 n# E
7 Z' H. u4 n8 Y+ Velse4 a0 s+ f* ^5 ]1 w
+ _* Z8 Q9 s- k8 r. m: a p, ?
admin_page_lever=data(0,0)
4 `' @+ m; \1 i7 m. F3 R; E1 Z ) K2 k. R. P6 g+ L
admin_cate_array=data(1,0)
# d) l; q$ a% Y+ @1 o l, V- ^( l2 j
2 @5 W- y0 D8 P" Qadmin_cate_lever=data(2,0)# t. K& c& w8 c! ~
& m( V$ ]/ g' W3 x" T
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=03 z* E& F' K3 y
$ g& u( |, f6 N0 k9 bif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=08 q4 K7 Y- c. n. \- L6 }# ^
! V* U# t- k% M! f7 J0 ?
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- j+ W6 B) H% E1 q: h' [ " Y" G5 R6 n1 X* l* a$ r
if clng(admingroupid)<>0 then W2 p3 X9 Z8 l+ e% k1 c
, d( S. v4 K) u) \, D `
admin_lever_where=" and menuid in("&admin_page_lever&")"
5 Z1 `+ g+ q U6 j4 H' z N
0 V1 |# j' q7 B, D* Qend if
U* l' ]9 ?% M' V1 Z) T5 d4 B
7 `( K* [5 g' v7 r$ Gend if
. J7 v. t) o4 q: ~ ; U8 x# g" \) R" e; O
end if
& @1 V, n# A% M, W' S6 d& s4 j 4 U; q5 K4 H5 J+ ~2 {
end sub
1 v' Y7 [; } z1 z H& _1 o; x7 ^* ^) @漏洞证明:
8 Z, i; B m5 ]看看操作COOKIE的函数( S' k! D% d4 u3 [; C) F2 p
7 G N' R6 Q. }* x) ?public function loadcookie(t0)
) }0 Q- j1 z! p ! y; o0 m5 y% F# [
loadcookie=request.cookies(prefix&t0)' `0 X5 I4 Q) t/ b$ ~( t
* t6 v7 c3 F/ G- a% C5 {4 `2 L! Lend function
" {$ D) u1 j1 e6 G$ G $ m; {' a7 z: J, V+ A& n
public sub setcookie(byval t0,byval t1)
0 N) I* O' ~( g% t9 \) @6 B* q1 _) b * C) M& I+ ^9 q* n! S( E) d9 v
response.cookies(prefix&t0)=t18 m' N& _0 |/ @7 M' Y+ i
' U) m8 ]9 ~; ?, q Q7 u( K5 n
end sub
4 m1 G- `1 } h6 ?; @ : K( b6 m6 P" _1 n! ]4 M
prefix7 C* M3 F( z$ l% w; b) J
* j3 D. j1 D- A* z'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
: h }' W5 X/ f; J& A1 w+ @0 @" P1 ?; W
! X z& a6 L) Q/ cdim prefix0 i& Q- b/ V: Q, W/ F, p' q, T: Y
6 f3 b; v1 a4 m; L% ^! p, S( ^; Tprefix="1Jb8Ob"
- g- p. y7 N* w$ Y! M4 g! |. J : V# K8 Z; W2 }0 e0 G" U
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
- o! V- M, A V1 E ) H, ^: D$ n; H7 d
sub out. L7 H' H- P, f5 v- S) O0 o
5 l; j5 Z" {/ q* k
sdcms.setsession "adminid",""$ l% a6 H7 t- [; I' z
s" X7 E( v9 H' y/ f, P
sdcms.setsession "adminname","") O+ K: f& a7 j+ ]2 v7 v9 b
: f" M' U* o* G
sdcms.setsession "admingroupid",""* Y$ o8 C1 z+ U; D- I/ Z! [) J
4 M8 T" D3 g( F* ?0 |, fsdcms.setcookie "adminid",""
& A7 ]* y, I! j8 f& R 9 ^8 k8 |5 B) |1 M- t
sdcms.setcookie "loginkey","": H$ F; y' U7 [
" M$ A! Y4 U3 J/ p: R8 C+ Usdcms.setcookie "islogin",""
: a: G) [9 X: I* P3 i1 [+ y# l
- H" s# k1 q, I W9 csdcms.go "login.asp"
! {3 }) o6 p, R8 }+ A* [ 5 F" s: ~' ]+ `0 I6 E
end sub
3 Q* H+ N/ }) ?3 {* n
/ d9 G+ i9 y$ E2 m$ E 1 k( _1 c, I, j# r+ N
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
1 ?5 L) O. u9 R5 @, g& s9 `& d, _: p修复方案:! t4 y1 v5 O3 C
修改函数!
+ K! m6 q# H2 e/ J" r x$ G |
发表于 2013-7-26 12:42:43
收藏
支持
反对