要描述:% y+ ?( X3 ~% S- t* s$ V) c, |3 ]
Q6 ~0 G9 b6 _0 |! x) M0 G+ @5 cSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
0 i4 a: z3 q6 v! h2 [0 [详细说明:
1 ]) B: j* R0 S+ E# F, r- EIslogin //判断登录的方法
) t# z3 I1 @( F7 t0 m* h / r* | ~ `+ t/ A; H/ u; R3 \+ U j
sub islogin()
. r9 q* z3 E. ^0 a7 C $ s' A! v+ j, }. ~% p, W/ ~' h1 I- y
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
2 Y ?/ [" [* D) {) J- v
) h* ]; @) L4 x% H1 b% `) vdim t0,t1,t2
3 T' {: C9 j/ }: @2 R7 T
2 |# x3 _8 r! P9 P" zt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
2 W5 B' E5 x. D- T) }4 R% O
' ^6 Q) }/ b: _' i( h' m+ qt1=sdcms.loadcookie("islogin")
6 \* b' f' k9 e& g* D$ q/ V; l ; r* R7 e. ^5 H; A/ r
t2=sdcms.loadcookie("loginkey")2 m- G5 M5 Q1 O! D# T7 ~6 y
6 H% d: x5 a. w4 k+ k6 }* f P* Xif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
' T- ?9 T9 l, b) l9 U 8 h4 v! J- J! p- Y3 x- u5 W8 e
//$ G! J. N. G/ p d1 P6 l3 U# {
+ r& w- ?; D9 e: O) ssdcms.go "login.asp?act=out"2 j! {% F0 @' s' m
2 M5 y7 S# D/ ?8 b: l2 iexit sub
" W( n7 |( | T$ g/ d( e ! K, F/ {' @* L
else0 X* A' k. h: b, ]& T
/ r( C3 ], V* hdim data6 Q. i: U( B9 R$ S% V3 n8 }
& q& \9 E1 S( N: Y$ c1 e0 X ]data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控 n; t! [+ K7 p3 B0 d
9 U" o4 e( W8 d7 {* t$ N$ e
if ubound(data)<0 then* b6 o* a5 F! M+ i* j
1 a3 t, N9 v+ a3 p) v" B1 w
sdcms.go "login.asp?act=out"
+ }: O! v0 Q: L w3 ]
- Z7 |1 Y- m' U/ ^0 z2 o+ ]exit sub- p; j4 z5 r% ?) s5 w- e5 n
* A$ y/ T4 C7 s. qelse
% R2 x8 M; U9 D
3 G" |5 m4 {+ ]! ]6 Y( {if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then) o3 K. G+ M' v; L8 m& M
- I3 V( ~7 \, }/ j/ o2 X4 x
sdcms.go "login.asp?act=out"
* A6 f. q; [* K2 @$ ~ # v' _ D4 S$ |. `2 e& j
exit sub9 ]2 O% L0 {7 l; v, Y
3 r1 Q! N- n5 C; p
else
g% U/ a. h5 _ 6 ]) L7 a! K; w+ E1 v) T
adminid=data(0,0)
4 S* B8 s' }- g: z 7 ^% U9 Z1 R7 }" x* {( U
adminname=data(1,0)' l/ P. d1 F- R
1 V4 u7 o! a8 |9 _
admin_page_lever=data(5,0)+ t9 e. z( R" l: }$ b* B% V3 n# i
5 ~' }& p2 z; D) k" g: I+ |admin_cate_array=data(6,0)( K/ s3 h' i7 n
! ^; E `) P0 m) ?: j; Iadmin_cate_lever=data(7,0)
6 n- w* w7 @% M5 {. E 3 h% Y! |* C4 E6 i% d# h$ k
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ i3 I3 x2 V8 A+ Q" K& B. m; P
1 I8 K1 b6 L; Q& x/ ~8 M* Q5 |
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
L, M* T7 E# D/ j ' z$ k( `+ K# U0 W* e4 u
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
# y9 Z2 Y- i/ ?. [8 ]
) Z5 `" l$ ~( T, m) a8 Bif clng(admingroupid)<>0 then
0 o) u2 W! U3 K; ^. B/ U
7 s/ K- j* D$ ? [. X! e& O4 B4 ~admin_lever_where=" and menuid in("&admin_page_lever&")"/ R( i/ O1 b7 _
L* B9 K2 j# k; O; V( pend if# u6 r% a0 k% X2 b6 U# e6 B
: N8 K% v7 `8 [; U$ h$ gsdcms.setsession "adminid",adminid
9 n7 {8 e6 \" f: A
8 d# ?3 O. a* @4 Csdcms.setsession "adminname",adminname
3 W# j, [! K/ u l- }: ~/ m- C$ i7 k
sdcms.setsession "admingroupid",data(4,0)1 O- W" G8 y2 j, a) t9 N9 _
3 U8 j+ U- I# e/ N
end if
! J q/ M1 S, M& c
" s5 Q r' h" {# X+ x7 qend if. I' Q) X9 {% @4 H* Z6 v: K0 [# I& E
$ W7 C: u+ E, q/ h+ n
end if5 w o+ H( f: `
$ N7 o9 f9 y- |5 ~" u+ q1 o
else
' {% L+ t% y8 z1 ^% a) `' }+ D : B7 m- b' a3 ~: ~( v! z6 Q0 b" o
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
" ?/ A+ K% X( n4 X* } \
( Z5 W4 P5 c2 e/ Lif ubound(data)<0 then& ~0 o1 S+ |8 Z7 Q1 |6 x
6 p Z8 c c6 w1 N. C: vsdcms.go "login.asp?act=out"9 K0 y8 x4 D0 A5 ~2 w
$ V$ N: u! u% Z5 p! g! M) ?+ texit sub
9 \0 r2 Q0 Y/ P! E1 E J0 E1 u+ n) W( e
else
- @- h3 b0 \/ ~0 c/ y 9 M# m* J& z+ F' x# U, |
admin_page_lever=data(0,0)
) K6 B7 A h( e1 `% Z9 `0 i5 ?
I! I3 |. A# B# i6 m5 ~4 ]admin_cate_array=data(1,0)
# R2 y' t- m- p3 o
, x1 y) A! z1 G4 t# |/ [" qadmin_cate_lever=data(2,0)- V* h9 {% G7 x" D q: [! x
9 `( i& E; k, aif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
1 U& H* O# f/ z/ E4 G; `5 D6 H - L0 \ \% L, u" j
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
* q0 E# r3 i! {6 E& @$ X8 i% V$ ~ q* }( g1 i* |
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
; G( F+ v6 I4 l$ L
. g5 y3 s' j }+ y3 a: d: nif clng(admingroupid)<>0 then
" o4 N0 L4 [( j& }, p 2 r0 ^. s2 M: |* B$ n
admin_lever_where=" and menuid in("&admin_page_lever&")"
$ K* i u3 v9 S5 s `! i" [; W
; N, w) u$ k& uend if
! M, `& @) s7 z3 q6 g1 D U" z" ~ + p" C. h) F1 ]) a4 w. i
end if r5 [6 r7 O E% S" D8 U! u3 y
* v9 S t) s u I" o2 send if; g7 a7 f4 m" a3 e
! U/ M4 H/ q1 W d; @2 f
end sub
1 w" Q3 }6 g' c( B, l9 R% s/ o! h1 P漏洞证明:
1 s0 i1 {, W& p看看操作COOKIE的函数+ I5 W, d7 v1 P) U8 J6 f6 _3 k
/ d7 `5 @' m/ s2 Lpublic function loadcookie(t0)
0 f2 l0 V8 W- U7 {/ \. Y# H
) `$ v* ]# e: q) L! N6 R6 D! c/ Jloadcookie=request.cookies(prefix&t0)
) ?+ t ?2 i8 u' x
3 L) _ ], P- n6 i& @end function
; q) k9 L6 \) S ! [+ \" t, E. A# e8 a
public sub setcookie(byval t0,byval t1)! ~( ?/ f7 _1 U+ O/ R, Y/ Y
, g9 Q G- K- D v hresponse.cookies(prefix&t0)=t1
/ \4 j* s8 A) C0 q 5 q; b2 k+ O% c9 i
end sub1 k1 |" z1 I5 V) j" a% y
- ^! g. n U! k- Sprefix2 h$ p, Y4 ~. `8 I
_- l9 E$ S/ L/ b- ]5 o'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
; U* D0 F" @# a3 G' Z$ b6 @6 l5 f
+ O% ]2 q; X- Ndim prefix' d, i$ h9 `! h
* j( X) N: E$ w0 |3 i0 Kprefix="1Jb8Ob"
& d' ^3 d1 m* c! [ ) G7 @ }+ ?" L& s6 T% t# j' Z
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
9 w) H+ L1 v6 M7 d. \ 5 G! B% b$ k9 I. c" L O
sub out2 d$ f. U8 ?+ E
7 c `6 C2 h$ }; ~0 k6 J1 H
sdcms.setsession "adminid",""
/ m- }6 e8 a/ _. n5 b 0 A( l/ w6 L2 P! F& X
sdcms.setsession "adminname",""
9 w& j& v8 Y. ? ! J" e8 M2 l: C9 X7 B# c- d- N7 _
sdcms.setsession "admingroupid",""
9 c ~2 ~ \8 p6 Y/ U* \6 }. b . W3 ]) V' ?! T, `
sdcms.setcookie "adminid",""7 [0 n6 i" k3 v" h
8 k) F* j; T+ Z- {
sdcms.setcookie "loginkey",""
4 S3 o8 c4 z4 m
8 d# [+ [9 c |sdcms.setcookie "islogin",""5 f2 f* N7 _4 p' ?/ {
& A" E9 j2 G! y. X/ o \) `$ Q
sdcms.go "login.asp"
& r) K5 {" b4 ?- P# S# y' v9 _* s$ z ! ^- w. _" h! C6 {' T/ v5 h! ?5 W
end sub A# h2 I) H* h8 V f9 j8 ]& I
) a- u q5 _5 | L4 n4 a" c _
3 E8 [) ^. l# S9 C x; Q2 U7 c+ q利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
* x1 o0 q) T$ u7 M" z' ^修复方案:
: _" I p/ N* ^修改函数!9 M+ F' Y9 i5 [& o/ o+ B
|
发表于 2013-7-26 12:42:43
收藏
支持
反对