要描述:: I( ?/ _. r, N6 q1 w0 G Z
' R Y j) ]/ M9 y* x% WSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试4 z# U: |: ~9 h" c! h6 n' J
详细说明:# O( p" \0 y1 y$ Y: a& `
Islogin //判断登录的方法
8 u# H- C% [: r' y9 V$ Y* e* u
C- P: e+ N$ [sub islogin()
5 A' Y6 [1 |" u% r) C# z$ {
4 @2 B4 e6 `) w! ^if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
9 |- r# h- U/ y. y# I2 A9 e' C
. h1 W% J8 _% N, Q3 k2 Wdim t0,t1,t2
( w" c$ l$ O4 s- L ) G" p$ H' y6 B3 M3 ~* V6 u( b
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
1 S) Q5 j2 `8 n
1 ?2 g2 }" \$ d/ O, {! G* Q1 t% Ht1=sdcms.loadcookie("islogin")' y7 A# x: P- p4 J$ V
( M9 ^* e! O' |8 G9 P, Gt2=sdcms.loadcookie("loginkey")
( {- X9 x5 Y4 A3 z 0 B& J& k2 ~. g2 H
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行7 y1 d. U. x! w- R0 w% D2 D3 m
5 `$ l( u, W( Q+ L, O
//, I4 A' x3 j+ y7 \$ l, Z! Y
6 g/ l# Y+ ]7 ~3 I1 U
sdcms.go "login.asp?act=out"
7 Q% S( ?: }7 S* f1 @8 M4 `5 h# G # X# w6 C, @: ]: ?& j: B
exit sub8 v; w6 @, _5 ?- ?8 {
, ^1 ?! y0 P+ y1 Melse
+ |8 d7 U: a3 L2 [0 Q
0 o& j9 A3 G: @6 h4 h# z+ m/ q _dim data5 \* F2 T# |; @9 k4 {1 B7 F
" w K. e, P; z7 c. f
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
F- ?2 X* x) {* W+ ? " r; ?; E4 I% @ ?7 j, y6 c
if ubound(data)<0 then/ D) O1 d f1 P: g
$ V% g9 X3 K6 I9 q U; X8 rsdcms.go "login.asp?act=out"6 l! z/ d/ m+ v W) }
9 C) F/ T' e- V/ [exit sub
: h+ ]6 v& R4 G( R
7 q8 m# E9 B3 f3 V# Z* F( ^5 ]+ kelse% |5 G4 |4 O6 A
& H% e" {' e" Q$ hif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then; b. `9 |. W8 Y) R q. G. m7 k2 X
( @- Z3 d8 \& p, r6 o+ s6 v! `2 `sdcms.go "login.asp?act=out"% n9 U! Z5 m- b: ]: R) c( S' a, S- \3 W
$ j6 y; z, ?( H% Aexit sub4 K: H0 C, _# }- Y8 f
0 I( \ l4 a9 P- Y8 M. x/ l
else
! M1 S* {* d0 P" D! V9 E$ s
5 M4 \" u, T* |* N$ o7 {5 Wadminid=data(0,0)* I& C, y, [( j" [' \9 n) P$ H
0 @& m: m: p( _1 j0 x* g: ]0 |
adminname=data(1,0). y" a7 G7 T' a: y K$ b
" M& Z# J7 i5 wadmin_page_lever=data(5,0)
$ s& s; k+ w3 I1 ?0 t' _5 g0 U+ A0 t 6 v7 {* k2 U+ U6 W3 f
admin_cate_array=data(6,0)
. v1 c# G# p9 s3 I2 v
?# g' j" |/ l% p/ S" tadmin_cate_lever=data(7,0)7 H$ {6 W! `7 B2 }1 g4 R
# E6 s* D& c8 z3 pif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
; C9 h! X' [9 ~7 f! h7 h: v 0 h+ \5 e# z" }1 I
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
" U( I/ U6 X# {: O6 k1 G2 T # b: H. I0 h& D# G
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* q. ^: K8 j' w& Z" z' \ * D8 z5 X5 g% W. a" v4 h
if clng(admingroupid)<>0 then& s7 \$ m3 I. n3 @9 p- H/ Y3 r
* O3 a" E* M; @- E+ e" c
admin_lever_where=" and menuid in("&admin_page_lever&")"
. V7 B6 s) B+ q) i0 [- g2 t
& w% g3 c( E2 r0 i% M2 ]1 Eend if
! @& t" U7 z$ ?& Q9 h+ R+ }* O3 }
' Z7 R) h; r% K" gsdcms.setsession "adminid",adminid: J+ O2 M# z; @& n$ g
% q g/ T' ~4 B+ u& Usdcms.setsession "adminname",adminname, S. X& ~# X; ]' u
( w- E, m. r9 F2 h7 {8 l
sdcms.setsession "admingroupid",data(4,0)
2 J( i6 T+ U- [# M* u5 h$ f- u ! E7 y& d9 F# _
end if) }# H/ p- W% z1 J
' t3 o0 ~: |/ r, {
end if
9 n1 f7 v& U( g8 e
0 G0 S& i4 }: A6 t* C2 Oend if' v3 g/ G8 W& U, |# r
- P% v9 _) A3 ]0 i9 N
else+ s* k; P- c! S m
* x m y6 H* d6 x4 f1 X! k: ~
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")/ b" v9 E& R) F. c
8 o. M! B/ F( _1 V% J1 g
if ubound(data)<0 then& C% ]5 B- K; I8 T
: k4 N% [4 J$ T* c3 t8 I5 h0 asdcms.go "login.asp?act=out"1 e7 b. a4 I C- b) q z
) `0 C3 s" a1 A( h+ z: I5 pexit sub* x1 D9 u# g# J
. G* p+ z) C c/ K: m' Q* `else0 A# U1 `( o! q3 `2 m
- A$ z) ~$ [; V1 R2 @6 Padmin_page_lever=data(0,0)
! ^- A2 F# D9 ~7 L6 N" E! o * }7 }" ]; }9 i
admin_cate_array=data(1,0)0 F0 w& i9 w$ y% H6 x& }6 t
/ ]# o' q. J3 D7 jadmin_cate_lever=data(2,0)& M7 E9 E. x/ y% j
! ^, M; l/ N" o
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0$ B/ z* c, M# e4 Y+ x7 h, G
3 ^+ Y7 l9 R. g9 @; E/ _if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=08 Z- G$ k8 Z- u4 J7 w; s( \
$ Q' B& C. {+ g7 m3 D0 B: {
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0/ b( \3 D7 m# F) z! m
2 L* a) e9 y0 I& S: i1 F! ~if clng(admingroupid)<>0 then
* ]: ?0 `, {) D5 C1 \' | ; O' z! @) R6 D
admin_lever_where=" and menuid in("&admin_page_lever&")"
. a; g/ d4 r2 Q0 ], p
4 H! }9 q. y4 ^ | N9 p: Qend if
b, l8 U8 l' Z8 r* c , c; w8 R n# u3 f+ Y- A9 w5 m
end if, a, T E# W8 p' p' R! S
+ ]! E( G8 @3 `2 d4 P; B2 Rend if# _2 X3 g9 J. T2 e" w; O W3 e6 N
. |$ J( R0 C& O( J5 x+ ~- P
end sub
: T0 k0 G. ]! m1 n3 W* i漏洞证明:
' T% [3 A6 I" X. S5 ^* e看看操作COOKIE的函数
% `: I8 D3 r% h. Q1 B8 T1 X M 2 x. u2 K5 I0 q- T @0 X
public function loadcookie(t0)% u8 H$ t* i% |9 n; R0 p
! e5 z* s0 S- p* ~
loadcookie=request.cookies(prefix&t0)
: F. u- x% c) J" U- q3 j- _! i# W4 q
! Y) O1 ?# d! k" }4 Vend function7 } ?( A6 K* r3 \
4 x7 q+ @4 _4 \2 ^7 q
public sub setcookie(byval t0,byval t1)% f8 w& G8 \: |3 N1 b1 c) f7 ^
+ r- h( G% b0 Nresponse.cookies(prefix&t0)=t13 s$ [. B" L+ q9 v: } |
# p1 e0 o5 K2 O' l9 m% _
end sub
9 L/ r5 ?0 }1 r4 O& ?* ?. l
( a( M9 E1 x; @& Y: Aprefix
$ R9 o3 j( g5 ]& r; S5 T; y5 p
# a% z6 v* ^( D7 a7 Y7 V7 S4 T+ V% Y* Q5 Q7 j'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
9 }. @4 W0 E# v0 L. n$ y + v9 Y6 Y7 y6 l! s6 O& ~
dim prefix4 p- l& K* H$ c6 k
% M( Z1 H1 h$ O3 T N+ |4 o6 R# {prefix="1Jb8Ob"
7 K* E x" F& x. z5 Q& Z, Y& e , P0 A3 J7 {- f% ^4 @
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
6 Y8 [7 Z) C9 u. e) Y " ]9 ^; }' X5 A0 L' j
sub out
3 d" U$ J- q' Q
/ H: l- g- `9 `8 Y, C1 h) Msdcms.setsession "adminid",""
U$ c% j# ?: |6 p 5 D. Q9 J- v# g: _/ V. Q
sdcms.setsession "adminname",""
6 I* ]* J; Q1 i7 w' ^; D# X ) W' [, Z) c; s" E' [, s% Y
sdcms.setsession "admingroupid",""4 U' B5 {$ c4 F
1 |1 N4 D- D$ |, tsdcms.setcookie "adminid",""2 H, |, M/ ^$ Q* ~. Z. J3 q9 N
; Y0 c* X/ D( i4 y3 ]sdcms.setcookie "loginkey",""
/ t9 M+ U: a$ Z7 ^
5 r3 C/ O3 c' |3 H& k( W) {sdcms.setcookie "islogin",""( c5 k& |# v5 W0 U$ H8 T% K" c6 A
+ {8 U, V, }( ]3 O' ^' qsdcms.go "login.asp"' E* H1 Z* H R. H, E
6 w* W! r5 x* b! i$ G
end sub
+ ?- L; i, `. j9 r3 c( d# f
3 f! V- M3 `) E, l3 O6 n( Y, p2 j4 ~ " d2 m' U4 y; ^5 ~
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
% ]7 _; o/ j0 H9 O修复方案:
' t* k" H- L6 r* {. b" G8 Z修改函数!$ r: j( N4 s7 h5 h
|