要描述:4 p5 X9 J; L- [1 G) U
6 v! c" p) ^; z6 W: WSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
: e i5 Q( }- R- g, }6 k! c( ~4 o" P5 T详细说明:
& K1 _$ R0 P3 m1 m+ r$ pIslogin //判断登录的方法- t, n6 X' v' W5 H2 G
6 M+ D8 a6 ^: @2 w4 ?9 @
sub islogin()
1 C( z! S5 w' C, T* C$ e
& W, D& M& T8 u f+ J/ F2 Eif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
1 ~. z* d/ F) n8 T, o: p & E( O' @0 i" N% @4 A8 V
dim t0,t1,t2
) V6 z+ d+ E% N! b4 G' D) _
l" _. m* |, Yt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 6 n7 k: G7 [3 u2 }+ \4 l4 ?
' a# p- y+ p, Tt1=sdcms.loadcookie("islogin")
1 ]9 G. e; @' ^: ?9 N $ g! b& ^* Z0 O
t2=sdcms.loadcookie("loginkey"): N/ Z: u% x0 G( j3 ~3 y: w# ~* X
3 Y1 Y$ q" g! R" z }if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行7 P# g- {* B5 [$ E
2 O. F9 S' X4 X4 \
//
2 G8 T! P, f J( Q
4 v, A: g. @( `sdcms.go "login.asp?act=out"$ m3 @/ ~. p& b9 o
8 ~2 n7 P8 c Y+ x" K% m" t' {
exit sub
" w: U# V; q7 W; v: Z7 U
: L, V& L- Q1 D$ f- K% ^else3 ?3 P$ H S: l) L9 P
5 s1 T7 d$ a% ]% tdim data. |/ V2 A, d$ d% j0 k/ g2 M8 W( R5 r
4 h _! h! F {data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
& y; J. \4 G+ h9 M& Q+ P
9 S* ?) A6 u; D, cif ubound(data)<0 then% y. Z4 b! j, U& Y0 a
* W; U4 N" Y8 f6 s& t' j5 V6 P' Xsdcms.go "login.asp?act=out"
8 _* f* e9 \# c. ?9 O# Z
H$ f& Y+ L1 ~# Gexit sub2 }' q3 v- W. h
8 O% F# s; a' h: z% Delse
, `" P% _9 u& r, w5 z4 \, p9 \# L ; t g+ Z( J3 i
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then7 Y9 s( _8 e) S1 x$ F( a
8 q& h" o# S# p# K! D& ^
sdcms.go "login.asp?act=out"
8 ]4 J/ P0 W5 F0 s( Z5 I 9 a5 E% B* j. F6 m2 s1 M
exit sub
3 m9 ^6 ^1 `) U8 b( O
; h9 g. V& b7 h4 B" @0 telse* B! m* {) j& i( p5 M* Q
! C1 H2 Q1 @% O8 {8 ]3 H3 Zadminid=data(0,0)
4 ]. N1 J4 }, Y' e. l 5 p6 E) v0 q0 Y
adminname=data(1,0)
' B) m4 q; r* h4 i 3 f$ l8 n) k& S% K+ N
admin_page_lever=data(5,0)+ z' M3 S/ I1 l# d, z, z1 \
1 F6 s4 N% Q- z4 w. uadmin_cate_array=data(6,0)& l o; Y' z5 m+ z! d- j- Y
, x) M$ u' K+ d% I3 N* P. W
admin_cate_lever=data(7,0)$ [; r+ N/ C; ^5 B$ [8 f
5 f' l: K* ?9 e% J1 q( O! Jif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0' c9 }; g; V3 [
: ]! V( v3 L# b& L4 [if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0; Q5 Z& t9 U# e! {2 U
" P) ? R( ]( |$ d! F, ^' vif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
% I3 B# f0 R% l% D" c ' H) Y: \% E* n& h
if clng(admingroupid)<>0 then- G9 |9 G1 ^& ^' e- y6 s: q
. S4 A! q2 f& Tadmin_lever_where=" and menuid in("&admin_page_lever&")"- A- |) ]+ a; c! r
4 ]; @9 v5 P: F. f* yend if4 A" I- N, h, Z6 @
1 u7 t! D; [" X# a, J5 Z6 Y7 [8 _sdcms.setsession "adminid",adminid
2 d) `) s# L: x, w
5 V5 B+ C, D! J+ ?+ d& p7 dsdcms.setsession "adminname",adminname
% S# d( e" m% f) [" Y, i' t + ]$ V( U( L" w& |
sdcms.setsession "admingroupid",data(4,0)
& O O1 K/ J2 s: `
4 v4 Z; Z, L' b$ z3 g9 Y! _end if3 K, n: H( v( v3 S% g; Y
7 ]7 t8 B9 ]% M& S) J3 ?end if
6 _- D- c8 h& G, K" M: q; W ! l1 a, ?8 j( h( s: b( \0 v
end if
. A& b5 a7 a* Y) _: E9 }: G% [ + a1 b8 q5 U! g
else# J2 u& q7 d1 ]% i) c
# u- G2 v% w7 P! O" E. {data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
! y, g) m+ I! t# {- i8 w2 G 3 q" k# g) p. u. U" Q" s
if ubound(data)<0 then
0 R' t4 V3 S3 W$ T" L& e C0 ?4 `9 q9 x; R/ E: f9 ^
sdcms.go "login.asp?act=out"
7 _8 I5 |% e+ n 6 i3 [) t& s' j7 E
exit sub
' ^) _) @1 w" K! A) u: f
, N' W$ q6 ?* B0 Lelse# r. s, X- @; Z- ~8 X* I$ k m0 ~
: ?: | C. H6 Iadmin_page_lever=data(0,0)9 r# o3 P# v- q4 `4 R
7 H4 l4 Y: o* Q( ^1 w! m; ]
admin_cate_array=data(1,0)0 j" F& R+ g1 F4 F! _/ M3 T* J
& r1 g4 N `6 @& n# h) qadmin_cate_lever=data(2,0), M+ r) V" C) L7 |8 ?$ {1 n
6 N6 v* x9 Z# S; }+ C0 r/ Mif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=01 K& D( X+ Q" ^' E8 Q8 r! n
$ [; z2 m* N6 g+ F% x: Z
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, ]9 f0 O q, O
0 j: H! c* n9 [5 W+ |* wif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
5 E8 O% X6 \( f' T% _: X9 c # @, f( A Q# X3 E$ U
if clng(admingroupid)<>0 then
" q `1 p% n7 x- s9 n
9 Y& ^( }* J$ O8 Fadmin_lever_where=" and menuid in("&admin_page_lever&")"
! X5 p, Q; k; A0 [+ I2 J/ x
% W7 L k. l" Q" k* M* Yend if
0 r, I! K* U5 `) W$ p % E5 s/ c5 i/ E# j0 U& S; T
end if% P4 J# i7 i" w
! U! v# R3 n$ a7 S
end if0 e- B9 E5 q. `# w: M
7 B: t7 G' i4 H; _6 I2 {0 k. f
end sub3 Z8 E. o$ D# L: P! U
漏洞证明:9 V1 i5 m- g* ]) E4 V" o: L
看看操作COOKIE的函数* \7 y; W- t" s3 ^
6 Y1 G4 U8 ^0 k/ U, c
public function loadcookie(t0)) g# b% [ i% d3 ^- B5 y
9 E5 b/ n; L0 }/ T5 h" W
loadcookie=request.cookies(prefix&t0)
- U( s5 T7 i3 W" W" @ ! g! S' a0 ?# y
end function
. S0 o w$ [* M3 u5 I' T" H" S
% Z& B( A2 N/ I' u9 F0 T5 Rpublic sub setcookie(byval t0,byval t1)) N/ l6 S! M% F0 g/ t& w) B
7 D9 B; d7 @6 b$ q' u
response.cookies(prefix&t0)=t1) o! q5 m: B2 f. D
8 F+ W6 }* \' S$ Q! ?1 [9 u4 w9 m
end sub+ e' p, S5 V8 _; X2 J( n
6 {/ E) |- Q8 Iprefix
# u3 l+ Z' W) t0 f. A2 D, t
6 H4 `% C# x7 D'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
* h, t1 U! {# }/ P* n
1 P z1 s, S$ P1 z idim prefix
! H/ ~/ v( _" H0 J i2 H# R2 H' f. a! G* z2 |
prefix="1Jb8Ob"
0 J `+ y7 _7 ]8 ^ 8 l0 t! @& H3 S' E+ z% b2 [
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
% O# l$ Z8 Y$ k, s/ d" a4 d A* f
9 d) `- k' G' Psub out
$ ^9 e8 H8 U' I1 x# [
, O3 n8 i! J- X, b csdcms.setsession "adminid",""
: b9 G! L8 O; j3 I3 R9 F3 r8 F; |0 U
3 o& u3 P% k) a0 d/ bsdcms.setsession "adminname",""
4 U5 v2 o9 T( s * x2 E5 l3 S4 k& L5 u4 ^* d
sdcms.setsession "admingroupid",""
5 k! K# _/ a1 }- z) F @ 0 @6 {. `! D; j4 |) s! q, b, V5 b
sdcms.setcookie "adminid",""
5 h8 n) H8 q+ \# V
; n* \) b6 [3 S8 f$ o/ A; Usdcms.setcookie "loginkey",""
" L3 e8 Q) D$ t$ B5 j7 b3 n
) O3 F" c+ }" b: Ssdcms.setcookie "islogin",""
% o- h: F6 O" k7 f+ T! P : U, ]2 o) M7 Q* u
sdcms.go "login.asp"
' j5 ~; y l7 U( p
* l/ B4 f) X) r8 fend sub/ Q) Y; X# l* ]5 ~- v; z$ U3 v$ i
' d! N) E5 G# X
9 E+ a7 d: C* V
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!1 l$ l4 C* z3 i6 o
修复方案:
' n6 J& l0 f4 b. |, k) E& c# L) D修改函数!6 D i/ [. J- i( i1 j6 c, ?
|
发表于 2013-7-26 12:42:43
收藏
支持
反对