要描述:5 [! j4 y: y6 g4 M# v6 U; p6 b0 F) |
v' G$ W" Q o2 O9 z7 k
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
2 R9 G' K# E" e8 R: A详细说明:
3 J. N' J1 k# [; ]% cIslogin //判断登录的方法/ n" h, P3 j4 j9 h5 M; Q3 E
- ^. g8 G, ^) V! m1 w* U/ a, vsub islogin()
* ?+ u) p) M* R2 ^
5 V6 s, X7 E/ S7 e6 a8 Fif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
2 Y# P8 ^" Z: L0 p ' F; M( _- k' r
dim t0,t1,t2 7 V9 L/ ? L" A
2 {' [* {. U6 N: ~5 Q% O
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
# u( W, ^+ e$ z0 F- ]0 R8 h
) e( P: ` d: D* o) ~; Ct1=sdcms.loadcookie("islogin")/ M; N, D) K! e6 T6 }2 h: R& F' c
+ l. l: G* e$ [! j/ R8 ?
t2=sdcms.loadcookie("loginkey")
% E3 q* p1 W) c l2 a1 X4 V0 W# W
! H" V/ t& c& e* j" gif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行. Q* y; t: G# o& ?3 W ~" T: L8 a
* l# l1 D' w! V. u5 g% h//
' I+ d6 z, W# h
4 L' ^9 _" `7 g( R" g5 rsdcms.go "login.asp?act=out"; P; G7 L+ M* f1 r4 w5 B' g: F
9 B. L- ] r; n' A; M" b- t m0 x. `3 Vexit sub
& m% H; ] S( V+ Y% ~ 2 F5 M. A7 O0 u% z. h) Y
else0 r2 r/ Y2 w3 S$ ~" ]
3 Q+ l) i- X0 h0 \/ L Z+ [) fdim data
; o! j, \. y7 {* d. O9 E, `5 \- k / O9 d( {" g g: k( L
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
+ r8 y2 ~8 |( h% a5 S0 P* B
9 `% b. `7 c, g i; Vif ubound(data)<0 then5 M1 n6 X; u" y, d
" u( v& H8 u: w3 c" Z- K
sdcms.go "login.asp?act=out"' L( T% S* k& | R( ]
9 D( S7 [/ _. c5 ?2 }! kexit sub" Z/ r% C. b! M' I
" a6 f/ I) j5 z3 X- Velse
5 O/ P% T. f- S & U0 Z- e0 v" ? o- {0 K" C* m
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
$ X- }( j7 G8 }& j" ]( P 3 s+ G% f& o8 q5 L$ J3 L, a. h
sdcms.go "login.asp?act=out"- t: [& S" w2 Z' @* N8 I) _
7 ^3 d8 G, a$ d6 K# M4 ]
exit sub5 x/ h/ y; J3 [1 m9 J2 o
8 ~1 U0 A9 x! M6 s. R( ]else$ q. p* B* y2 e( F) q
6 r) K8 @2 W- b$ M, f, S
adminid=data(0,0)
1 C# u9 n% ^8 \ ( t* ?* V3 \& x9 d& \& d
adminname=data(1,0)
i% d( `% e2 Y9 }
, n! |; j) i D* o. U+ b3 _admin_page_lever=data(5,0)" |6 W( m6 y: N6 O0 x' c
. c0 E4 U! Y2 n- U% s" L) e' Qadmin_cate_array=data(6,0)
& _0 Q1 N( z9 V7 l: y q
' K0 j. s4 k2 K" x6 K' q1 Uadmin_cate_lever=data(7,0)1 ^8 c/ @' n0 M( F, |8 I+ S
! N3 \) S1 E! Y" c! }+ w0 p
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0: V* R. ]% n0 [8 w) _$ A
+ @& ^ H! b& [3 Z3 {" q. @- |
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
" {; J I$ x0 P" P$ R# { 9 |+ V* _! J+ F' t/ J: \3 M- G
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0' y# ]; e5 z' M" l
( O. P9 [; I8 f, u/ E" e
if clng(admingroupid)<>0 then Q) t/ h( x" q
& d- B' ~# {, [1 F* I$ V
admin_lever_where=" and menuid in("&admin_page_lever&")"
) f# h$ M+ v+ w ' b4 I- Z F3 E- _: D. c3 P
end if
6 l& z) m1 _) w3 e# Q) k4 K& y% N
% m8 T& h% d) w- Ysdcms.setsession "adminid",adminid
+ E+ S q; q1 ?0 ?, H. b% P
( c q) U* e& ]% \" Fsdcms.setsession "adminname",adminname
. M& y- i0 I; J1 ]1 R
0 j; L, D: Z. ?; z* Ssdcms.setsession "admingroupid",data(4,0)
) B: X" \& a+ s9 L $ e. z2 Y8 |# h1 }& C: R* f
end if
w6 n+ C( c$ S1 X . X! J' v4 ]( q- T, p+ b
end if
+ T& F' e+ {2 ?! U 5 ?8 f0 p& {6 o, a' W
end if
4 d5 B% V. E. H , H! ]9 F4 O: [' i+ X" k
else
4 c d5 T, R; C " p6 M- W- I' i) ^* M7 h7 A
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")2 B, o8 P" I2 J; `) y( A d$ Z& i
2 W5 m9 X# G2 p$ L9 u7 W) zif ubound(data)<0 then5 n( S# B1 p: X& P$ r" T
5 Y% Z& Q6 h# u8 c2 |sdcms.go "login.asp?act=out"+ h+ L4 T! C9 u+ r9 U
, n! G# `1 p \3 O9 }
exit sub
/ Y. L; Y+ f% F( E
5 r' b+ A! F/ ]* {# Q. Felse) l( p+ i' O8 s8 j4 _" v
6 g0 G V% T j- j% badmin_page_lever=data(0,0)
$ k5 r1 J) s% t% O% g ! A# d0 V# K8 n
admin_cate_array=data(1,0)
d- j5 i5 M9 C+ z. |) e
0 V3 g3 z' s: p* S8 e8 Vadmin_cate_lever=data(2,0)
$ A9 j* |" X9 a# Q6 g2 p
9 `6 E F5 u! l0 E8 z) j) eif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
) r& E' {+ U9 X2 O( v& a ) i, i. E+ r$ ?
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
* D1 L4 h! @# f8 ?+ j6 @; X
{7 `8 u1 N( {if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0" m( ^% R- ?2 ^* T
2 _+ A5 S" t' B0 q
if clng(admingroupid)<>0 then, l; `7 l) @9 O# E: G
( e; w( d9 D$ q% |admin_lever_where=" and menuid in("&admin_page_lever&")"% P% |2 i0 ~) |8 T4 E. p6 n
, p0 J( F: }) n( x/ D3 l% Rend if
7 v- |6 u5 w; ^' k$ X# s/ ]
; l# A' O; X4 X* `" [0 g! ~end if+ Y7 C- B2 b8 K& ?( l
7 h ^/ o' F8 H
end if
, N8 I3 s" k1 j+ B2 w. H
$ c' L9 z% h/ ?* {2 @1 dend sub7 g! q- f8 U( X# t! X0 i
漏洞证明:7 `, ]: M& L- l) X
看看操作COOKIE的函数6 j' D) `5 y! d q! B
- q$ G+ }0 C0 x+ W: \7 g
public function loadcookie(t0)+ j9 q1 v9 w' B2 f8 q7 R9 x
2 I# T0 K' V& G# k, Nloadcookie=request.cookies(prefix&t0)3 @) T p1 Y4 J0 t
+ S" n& Y; ~/ W( E" \end function
8 z$ u+ u8 E+ O# B8 A 6 L8 e) }- m1 h0 J: `
public sub setcookie(byval t0,byval t1)$ M. }. @2 d. M
7 _2 T& u8 D0 t: R( U. l$ T
response.cookies(prefix&t0)=t1
7 d% T$ l$ M0 B+ o
% X' h8 G) P/ i2 _end sub
& i' h2 }9 H+ \. y) H
/ @2 i2 ?1 c) J U% Nprefix* f& f F! }$ j( Z
2 {4 ^/ Z1 l5 ^2 r6 \* v8 _'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值 v! S7 Z/ t7 F
, K+ N1 Z C9 Z& j
dim prefix, J" v& f! D4 Q8 a' p8 v/ h
; r3 E8 }& q- u3 D6 wprefix="1Jb8Ob"
+ L6 `' ?# [, I9 {9 u
( m. A. `4 J; o'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
`/ ]# [( r1 W* {& t$ |5 o$ ~/ F
' U0 U6 }$ U; U* U# K0 N5 u- Xsub out8 D7 a& c, a: C* I
4 Y3 i$ g% ]1 X+ w* F
sdcms.setsession "adminid",""
5 Y# l- m0 D. s7 \8 _ |
& r+ q! b& q8 x9 c+ Tsdcms.setsession "adminname",""
( |) s( }# f5 Q4 u) d
' U m, _8 W; W' N8 Q- g; H, bsdcms.setsession "admingroupid",""
6 J# G5 `/ d" u3 s$ J6 u1 _ 7 n7 w0 b3 _5 l* Y$ l$ Y
sdcms.setcookie "adminid","" `( {4 S& g8 v0 f& X# L# L$ B# V4 z
: h$ a& w3 Q& C) b0 [( b
sdcms.setcookie "loginkey",""/ u% z# _( }7 r' G7 {
* R$ [" C* w$ r. |
sdcms.setcookie "islogin",""5 i5 M% {) H4 t' `& V
8 }' z* i, ~( f, Y" z! @sdcms.go "login.asp"
3 C2 {0 d5 e& m8 D: D" Z3 s 6 O g+ S& f! s0 K \4 n2 Y
end sub0 U4 M' ?2 g" ?+ ?4 x/ u
7 N3 ^ b' @% b1 ?3 C$ K* i( d
; b6 F9 i& o4 Z- a$ x+ y) i) _利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!) Q- d: C0 ?# ?; l) x
修复方案:- D1 d$ o7 L7 Y1 r6 y% w
修改函数!
$ [/ }: x$ N; s |
发表于 2013-7-26 12:42:43
收藏
支持
反对