要描述:' u/ t$ f' ]0 G, Y6 ^3 J {+ _
5 |' s3 e7 U) g1 j9 a
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试) A( j$ ~3 I" X/ [1 O/ U
详细说明:
9 M6 Q5 F7 H% W, U" CIslogin //判断登录的方法
6 _& Y8 C- @7 f9 u' b- v' o( q0 B* q4 J , h8 C% b4 C9 x$ z
sub islogin()
B3 F! f W% f / h {1 Q9 ^ F2 i& p2 v$ ?9 I9 l
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then % P+ m6 ]& i5 F$ c0 F# ?
3 j& N; a% M* c( U0 ndim t0,t1,t2
6 d; F; Q$ l) l" \
6 @* l5 ]( k$ C3 Y$ mt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 3 H. l" e Q$ ^6 A$ Y/ p
& v6 w8 A' @- at1=sdcms.loadcookie("islogin")
9 o' m A! X5 w. i- R8 o , `' |' j& _2 {1 s+ P/ W) u+ M2 F
t2=sdcms.loadcookie("loginkey"). _/ e9 H! G' T2 i5 Y4 u' T+ h
. X4 V- [) N# M8 ?
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
2 y1 O2 r! W4 k- ]1 D: i# Q; p0 j: U
* r) W4 r" u$ Y& k//4 W8 _8 m# Z4 x5 _3 N. E0 }( v
7 `: s4 k6 _8 L
sdcms.go "login.asp?act=out"9 \9 X' A* `! q' |1 {, b
0 B% m; K5 n% W4 u+ g! r/ @exit sub
# j/ v$ I' M. O7 O j
4 _2 O/ Z9 i* felse7 D! D: f& {: s8 i* b0 [
4 y% E; K8 V/ c9 Z3 [+ d8 o
dim data
- ^1 G8 i9 a( H/ a( c. C
2 y5 V0 w% a4 D6 V- p* ldata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
@7 c7 p( o- K1 r( \: U& M0 z( y( J
; B$ u; S3 m" e9 E# mif ubound(data)<0 then& K! u1 \# W$ n. m: m) F$ ~
) W: [- r1 h1 \ a7 Wsdcms.go "login.asp?act=out") P6 B% D$ J U& \
: D5 r0 Y3 b& O T. x+ `
exit sub
5 z+ @2 ?% `/ T+ R- | , {( I2 ^& g9 e3 s2 _
else
; g9 D g* S5 O5 o0 R 3 L- @5 W" @0 L) d( u; Y1 |
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
0 @2 R- l5 N: W# ^2 D 8 h2 }. \. L( T U& R' T+ A
sdcms.go "login.asp?act=out"
! ]$ w& a2 N8 r1 g$ y 1 C+ x" ]' @! m1 g$ Z, @+ \, [+ S
exit sub
4 e+ y1 M" H7 v4 G& ` ( D! E8 K8 y; f' U) e3 R- u! d
else
0 m) m0 `5 H9 o& b+ n6 w! w7 B
) `$ F8 a) D( q% xadminid=data(0,0)/ ]0 G" G( a3 Y- p% w& u0 [
( x+ V9 X/ j. Y- O9 wadminname=data(1,0)
7 P9 i6 x6 K1 G' \6 n( |, R
2 B: t& y% q+ ladmin_page_lever=data(5,0)! f- ~7 H, ^7 n/ Y
( q" g, S: z- C8 T) Q$ n. x( c
admin_cate_array=data(6,0)' @$ k N4 G, [# n: Y! f
L& ]5 m5 g# A8 N v
admin_cate_lever=data(7,0) _! ?1 a3 u$ V# S' X. Z
( d; ?: G, I; A
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0, ^" E" F2 P- C% u
- @' z" ?3 ? s0 B- Y
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
4 a( |* ?( y, y/ U' l2 F' s; E
0 X) l0 k. t {8 V/ ?- Vif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
4 p( b5 `5 E( A2 j' b$ M ) b+ w& k+ g. g+ F5 M8 w& i
if clng(admingroupid)<>0 then0 t9 `* p# v4 n* l! C
, X0 C& x; y! u c# E1 @! [. u, J- Kadmin_lever_where=" and menuid in("&admin_page_lever&")"+ U( ?. {8 N$ Y; f) j* u- C9 |) a
7 x3 s1 C1 R u; \0 |end if
; m) J2 J5 P* W' d( k. Y1 T % I2 a. S8 v9 S7 m
sdcms.setsession "adminid",adminid3 @# X. ^9 G ^
% |1 W W# y E+ a$ j
sdcms.setsession "adminname",adminname
) S- A- _ q6 @: Y6 x9 I1 w8 w$ G$ S 1 K: I/ q( V6 x8 |4 l
sdcms.setsession "admingroupid",data(4,0)' b( t/ `# j/ W. i
3 H: Q0 {; i1 F, |2 i0 S( T$ V, e
end if
, y6 W: c: \2 {9 j8 f
/ P3 G- Q0 n+ ^: a3 pend if
C6 g( V N' h# C) [
5 b. m' e1 W3 L5 J3 bend if
# L0 A7 H4 L) v8 T % I8 H! }' @( O/ F
else
* O2 n9 q' [( ^# M8 @- `
6 {' ~- S- f; M' Ldata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
, a6 X: P- @2 _) N
# o1 K2 @. h- Wif ubound(data)<0 then( A6 F6 W& `4 b
8 i; G5 m- M3 K6 z0 Gsdcms.go "login.asp?act=out"
" ?4 R" a' H) Y% [% C% ~. g 5 W' E! v% g* k/ s$ h ~
exit sub
8 b, B/ a' E- o! Q$ e" h- Y
. }% i" c5 o6 Delse1 s* D2 c6 M* r& O
: [: p _# l7 ?admin_page_lever=data(0,0)
1 X1 v2 z# W0 R# v6 E 7 j) V" g, V: K1 `9 j3 p6 v6 ^! u; v" s
admin_cate_array=data(1,0)2 C9 [# Q# z# G. v2 e# J4 e% o
: V( B& G! G6 T0 g5 ? ?, xadmin_cate_lever=data(2,0)! M& v, Y6 y7 ~
( c; N P! A6 m) M6 J+ k# [
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=06 e' y/ Z: h4 m' \/ z- |$ ^/ e
$ S! Z9 Q8 Y# z4 R$ c0 B3 h8 H7 Kif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=04 D# U+ C0 k. M0 m- q. B
8 z B% T, M! |' Z) T, W. wif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
4 W- H' ]0 W4 I, b0 [ ' i; R) n( T0 z1 N% ~7 i/ y% _: l
if clng(admingroupid)<>0 then% V. Z N4 n; }2 D, N; n
4 d: W6 G, X) H& n# j. U
admin_lever_where=" and menuid in("&admin_page_lever&")"
: |: h6 P* i: l 3 ]" I3 P, S* L* n& }/ f7 W- E
end if
. ?; l& @' I* f, g8 A$ R3 b$ ?1 Z* s
% X5 s8 ~0 m& @+ Qend if* y3 D. o0 Q# E) R. Z6 Z5 y
- q q7 T' V: J1 Q; W% }
end if
9 o+ d1 H( A; O0 c- L8 a g+ }
% o5 ~3 Z9 Q' s0 M. y1 u: ]+ E& `7 Bend sub
" y) o" p5 \2 s% l漏洞证明:
3 \( o+ I, i1 Z* b( Z4 u" @* I看看操作COOKIE的函数/ l2 y5 Y6 p; \
' c# q* |) x, s' g$ G
public function loadcookie(t0)! F* [1 |& Q5 {7 v! f7 J
- {! N0 Z7 I# R& R M# Y$ p ]
loadcookie=request.cookies(prefix&t0)
2 h; T* c. ]2 R , [* I2 E; X9 P- V6 ^0 G1 p/ ~# Y5 v
end function
. A7 b; M1 B: ~; V2 f
. Y2 D( `2 e5 f* R! Gpublic sub setcookie(byval t0,byval t1)
! `4 h+ L% h9 I2 W' ~) j( f
6 }* h- S; ?1 K# B- c0 lresponse.cookies(prefix&t0)=t1
5 U) N0 }+ x( C) i/ M8 Z ' l& }0 P! i: ? R5 V% S6 E* @4 X
end sub5 j: d% x, h5 l, M7 Z3 y
# p& T8 c( N% V0 kprefix7 z! H6 t" a& |& Q4 L r
- U- _' |) g* ?'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值) b& r6 u T8 S! P8 b; j
# \# u& j1 ?0 q. {dim prefix& X. ]9 a0 b4 a2 d# m; T8 j4 v. P2 S
+ l3 f- k b7 u( a6 S' K6 z4 _7 W
prefix="1Jb8Ob"" R. A! ?3 ^! R, x
: x+ \4 l% Q, z ?9 u5 ~'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
) c, g0 e5 t/ @
, L) _, u5 ~9 M! Y2 _sub out+ N* q6 G5 I N" P# N, V/ y
$ t) u' j) U3 g
sdcms.setsession "adminid",""/ h( K3 d* S4 s9 B, \+ z9 {
* d8 P# |9 |% i3 B* P! n
sdcms.setsession "adminname","") U/ R5 `+ F) J* W$ R7 Q& |$ [
' |+ `! Z, e0 u( c2 h$ z
sdcms.setsession "admingroupid",""
8 V# m o; a, w' C+ g) d
" v; \) S8 w+ _* o& q+ q. P0 Ssdcms.setcookie "adminid",""5 |* l0 N$ C" A. n M
6 G; I1 M1 p E% E6 Q/ hsdcms.setcookie "loginkey",""
+ N' @) e1 E2 f1 ]" A ) E+ B' M: U2 {4 Q7 o
sdcms.setcookie "islogin",""
% @% f5 N7 [) F+ Y- u " _: D6 M3 r9 T3 G- M' O, u* m
sdcms.go "login.asp"
, T! A5 b9 A5 n! h, v+ W* l
- V+ L: T$ X( C0 Xend sub) i. m1 L* d4 V
0 i D2 W4 c# M6 Y# r+ j
5 C( u& v7 i& O/ k7 {: P利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
7 ]2 N/ i% r- W1 T8 W% X) [% H4 _修复方案:: ?% q( U/ Q: L; s
修改函数!
" V. y9 G7 L: [( [ |
发表于 2013-7-26 12:42:43
收藏
支持
反对