要描述:
8 [4 ^% b9 W6 {4 }& g$ ~- L S7 s" p
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
! J, m) [5 ~! a详细说明: U" T% T8 h! o
Islogin //判断登录的方法0 z( b# H& R8 p6 \" k, G- Y
9 {3 }8 M1 V/ F% B. o$ C+ n; o
sub islogin()8 Q9 W( X* d7 A4 M/ c" R) S$ ?
, P! ]) R% g' w' ~6 ?% a6 d0 ]
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
( P; y& Q+ t9 x4 i$ @5 C) N. G# [
2 E) j- d2 `" ]dim t0,t1,t2 / {( e4 x8 n/ G2 I6 J3 w3 ^$ |/ L
+ w3 x4 k$ d3 h! v
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie - o _7 U6 f5 f$ I& w7 J4 w J
, Y2 R) T# b, X7 L' C/ V; d u9 ~7 Ct1=sdcms.loadcookie("islogin")/ W( |( X+ E' |5 p
6 k0 I M1 u- |0 M) r3 ?t2=sdcms.loadcookie("loginkey")
& B4 _3 j) n6 _5 |: b, _8 g 2 T1 \; b, X1 L) r
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
- y1 M3 u2 D: |* g& b
% F6 q1 \# B: c) c: w2 @* K( V//
1 }2 h- N6 p! f* _) I1 i4 L0 l: d% L" Y h+ P! c2 M/ ]) U$ N. l6 p
sdcms.go "login.asp?act=out"6 a+ f* `9 x1 L" k% L
: f* \1 d. m3 H6 j" |exit sub' _% i9 c) Y8 m f |5 n; `4 x
. H( h' ^# V: w+ k+ }( v$ }* G
else. K' X5 U3 X. C8 a
1 O; F2 I3 q8 X: R2 Sdim data# ?. a$ K, J# `% l. }% u. P
: s/ L/ ^2 s8 z( ]data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
+ ?$ H: c) x7 H! j( J; t K7 J" \- ]2 o( S8 q) S3 u! ~
if ubound(data)<0 then
% f& w& w* a$ s6 M6 L* [8 F; H
+ L9 |, I* D- ^* j- wsdcms.go "login.asp?act=out"& n) b' d2 D0 b J% h r
4 U A% O+ n9 q/ D5 v5 {. Zexit sub9 v8 u% W/ {6 c6 r5 E
, G/ B G, U/ p8 }" u i( D$ \
else
# U6 @* i1 O1 \ E
! w$ ?3 H: e; f/ s' }if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
- r# v; a0 i: E- | G; v2 s' Q: r7 x- _- C% M% o4 H
sdcms.go "login.asp?act=out" I! s7 o7 w# ?* n! N S7 U2 I' e
$ Y+ `& [" w( s' u& Vexit sub7 P! k$ U5 {2 e7 v
* S, ~0 J/ k( B; P! Velse" x# K" u) |! q- ` A
5 k8 l3 E0 r+ {- i" r% C
adminid=data(0,0)
$ C9 Q, P7 X- p1 ]4 y
6 L4 X0 u4 W. n; G3 d- D& ^4 h+ `adminname=data(1,0)+ Z: X" F% K6 X) ?% N6 z) y
5 K6 `( S [* w7 e" K; V% cadmin_page_lever=data(5,0)* D/ m6 ]% b- S% R; c" o; a! }5 f! V
8 ?% U! W& l/ J5 ^% }- c
admin_cate_array=data(6,0)
$ H" t- v" d2 c! V# ~+ q
d4 |2 t! W# o9 j9 p. Jadmin_cate_lever=data(7,0)" m4 n/ Y: Z- `$ y
8 ? {# W* U5 D$ n3 h0 Q
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% P% d0 F/ R7 ^; L4 d
+ P. p0 \# X ~9 J6 S% V2 u" h) m
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=00 ~3 b$ E; N0 Y9 v2 M# D
( c+ c: v$ q2 b7 mif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0' e( M0 g/ q5 b* t3 b1 R! h
( m: Q" W5 L) q& k, h
if clng(admingroupid)<>0 then
6 S! }. ^$ j) h: Z
8 ^$ N1 l* p! v9 X/ x. Aadmin_lever_where=" and menuid in("&admin_page_lever&")"
% u9 K$ y+ R4 W: {0 z! ] $ |% y% ?2 B; }3 `4 \4 v9 {. P2 Y
end if" [/ Y8 J: o5 h9 P* h# B7 x
# ~9 y( Y* l. o: G+ Esdcms.setsession "adminid",adminid2 j8 Y% E1 g5 \6 j; ^8 J
9 v$ [3 ]( m! M R6 b
sdcms.setsession "adminname",adminname* O5 k3 C6 M, E* W: U1 I* m
+ ~0 ?& v1 O7 y* N* ]+ P
sdcms.setsession "admingroupid",data(4,0)
/ s' b3 W# x( I# F, ]: \2 x H* ~5 C4 g0 h/ R) v" h
end if
4 r# y% ]$ C( H) \9 a 2 W1 D4 l" E6 U- `4 D
end if
( L! ^. A5 z# g) K" |! I! V. N 1 O9 b" l2 r! r6 a G( D
end if
* N S6 C; M" w. H& G; C 8 D7 c" `8 [8 V% D z# Y
else5 t2 w6 r- N5 N8 q! g# P, z. h7 y
- c2 M- s. _ y0 }) R+ C- K! e$ |data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"",""). s) c/ E! ?! g1 k
0 J, ~% L/ k( ^0 s7 |
if ubound(data)<0 then
" U& m5 W$ p! M
9 l" P3 s: r7 p( j; csdcms.go "login.asp?act=out"- x8 n5 J+ K) W9 C) S( H
; g4 X- L+ `7 j( O) k8 g) Y
exit sub6 v/ ?# [& A- ~$ J" `: W
1 _9 P( a% h% V6 X, j" j1 H4 |else* w1 B' ~1 F# ^2 E! O
" e% S4 `) i5 Q/ U% b; a3 V0 d, l
admin_page_lever=data(0,0)
, y. b- \1 r1 j% P) i f& o
+ ~. r5 u3 }- S; W; |admin_cate_array=data(1,0)+ `6 y- R" G/ g, ]
- F- ~8 u/ t3 c) P; ^; u n9 yadmin_cate_lever=data(2,0)- F0 K" ~+ a7 l* K0 E, @5 P
8 c+ A' N3 O% J1 b6 ^0 ^if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% @% b/ L( E9 C. X' Y- d
9 K) K3 M) K) W Fif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
8 W" z5 F) T2 _# J+ }1 C - k$ K+ w3 R: k+ n
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* E/ T& u1 o; r2 n @, e $ ^9 `! o/ O+ l
if clng(admingroupid)<>0 then- W$ p ]6 q5 b
+ Y0 g2 K6 \7 G4 hadmin_lever_where=" and menuid in("&admin_page_lever&")"
6 } ?9 V/ B9 [" D8 u4 O' x4 F0 Q
* ^: X* @3 v& M+ h; b5 T- Zend if
# ^6 X$ ^4 L1 C7 [
& c9 {) A r% C/ Q3 Z4 Send if
* w" y, E( X& C) v4 U- L4 m
8 W U* n$ Y8 I0 B3 H* q0 r2 Fend if5 n3 o& p' \/ V- S
, x6 d( w* c* a! \end sub
3 ?2 R) |$ ^! i# N5 O漏洞证明:
- t% ~0 B; x3 V; J- x& y/ D0 ~ M看看操作COOKIE的函数
7 g# [8 _- C8 s5 L# l( F* z " ]6 R- V- N8 s
public function loadcookie(t0)
$ ]% d1 d1 Q6 R3 k# j
; U: V0 j2 V& M9 W- t. w1 e# Vloadcookie=request.cookies(prefix&t0)
. Q/ K2 N8 _/ i3 l8 d' t' r
, }1 m7 D. q- B- x0 Cend function R1 }+ ?" q5 ]( x; C# `
& M' h& V1 v5 j- K) A9 ~) X! q. b9 ~% {
public sub setcookie(byval t0,byval t1)4 B% a0 d2 E0 i
2 o9 L" D8 ^6 Z7 U9 d4 x3 w, m
response.cookies(prefix&t0)=t1 ^; t5 e" l& L5 H6 L( A
# ]3 b% |* k; F# M: c
end sub5 e. k. |2 @' r
" m) R) w; o# H, E. T
prefix; x, J% `) N% ?9 b) u1 j; W4 w( R c( M
+ l# V6 T2 r4 G' ~" c'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
% L) u" p8 K/ {9 _/ g
' X; v& q/ k: C( ^- \3 _% w5 rdim prefix% Y3 s# E/ u4 j. e
" }5 j& q0 T, x- A" f
prefix="1Jb8Ob"2 K. ]1 w4 \7 }; E
. i5 s8 |/ R6 ^'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
" U5 p- A. J: h: Q - J1 Q# z \7 w& Y
sub out
9 z# T$ e# Y- k
2 T. ]* [' S8 I1 n2 q: G8 Ksdcms.setsession "adminid",""( k9 |5 x; i0 U2 e- U; x n
% `7 o1 A; V1 \) `
sdcms.setsession "adminname",""/ Y9 c- t7 ^( N3 ]5 X
6 i# C6 ~6 N- ~0 K: a" ^# y; \
sdcms.setsession "admingroupid",""% s' Q" {% L$ y) B! Y. M5 d
* A+ a. Y& }2 s4 c6 isdcms.setcookie "adminid",""
* _, _ H% E2 r5 f4 b + Y& Z) y, \: s5 ^. ^- t
sdcms.setcookie "loginkey",""$ a6 H+ x* Y; d0 Z# y, ~
/ W7 A4 y0 f- P3 |! P: ]& D( i
sdcms.setcookie "islogin",""
6 }0 D" ~4 C8 d$ h* m
" k3 F/ B7 P/ b4 Q/ F/ rsdcms.go "login.asp"
/ x) R: X8 u! I 6 ?( v5 I3 T3 ~) g8 Z, \
end sub
8 h* T" }( y+ ? w$ g/ }) n# B
# I. _+ e8 @* I8 y+ q. o
P6 {) B% n$ w1 d% @利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
( z* K7 Z% H# f7 S修复方案:
" h+ Z1 j1 P! l. s6 B0 n修改函数!
~4 Y3 W- ~ L, @ U7 }, O |