
SDCMS后台绕过直接进入漏洞

发表于 2013-7-26 12:42:43
简要描述:

SDCMS 后台绕过直接进入:测试版本 2.0 beta2,其他版本未测试。
详细说明:
islogin // 判断是否已登录的方法(后台每个页面都依赖它)

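' Admin login check.
' When the session has no adminid/adminname, the admin is authenticated from
' three client cookies (adminid, islogin, loginkey); otherwise only the
' permission fields are refreshed from the database.
' On every failure the browser is sent to login.asp?act=out and the sub exits.
' Writes the module-level variables adminid, adminname, admin_page_lever,
' admin_cate_array, admin_cate_lever and admin_lever_where, and on a cookie
' login also the session values adminid, adminname and admingroupid.
sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        ' No session yet: every value below comes from the client and is untrusted.
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' NOTE: this only checks that loginkey is 50 characters long; the
        ' content of the cookies is not verified until the instr() test below.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Look the admin up by the ID taken from the cookie (attacker-chosen,
            ' but passed through getint so only a number reaches the query).
            ' Columns: 0 adminid, 1 adminname, 2 adminpass, 3 islock, 4 groupid,
            ' 5 pagelever, 6 catearray, 7 catelever.
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                dim k
                k=sdcms.decrypt(t1,t2)
                ' FIX: InStr returns 0 (never a negative number) when the needle is
                ' absent, so the original "instr(...)<0" test could never be true and
                ' any 50-character loginkey was accepted. Test for 0 instead.
                ' InStr also returns the start position (1) for an empty needle and
                ' Null for a Null needle, so those are rejected explicitly.
                ' NOTE(review): this is still a substring match against name&passhash,
                ' so any substring of that string is accepted; a full equality against
                ' a server-derived token would be stronger. Left as-is because the
                ' decrypt contract is not visible here.
                ' islock=0 is treated as "not allowed" - presumably 1 means the account
                ' is enabled; confirm against the sd_admin schema.
                if isnull(k) or sdcms.strlen(k)=0 or instr(data(1,0)&data(2,0),k)=0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    ' NOTE(review): admingroupid is not assigned in this branch before
                    ' the test; clng("") raises a type mismatch unless On Error Resume
                    ' Next is active elsewhere - confirm.
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        ' Session already established: reload the group permission fields only.
        ' Columns: 0 pagelever, 1 catearray, 2 catelever.
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub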
漏洞证明:
看看操作 COOKIE 的函数:
' Returns the raw value of the request cookie named prefix & t0.
' The value comes straight from the client and is not checked here in any
' way; callers must validate it themselves.
public function loadcookie(t0)
    dim cookieName
    cookieName=prefix&t0
    loadcookie=request.cookies(cookieName)
end function

' Sets the response cookie named prefix & t0 to t1.
' Only the value is written; nothing here sets Path, Expires or HttpOnly.
' Because the prefix is part of the cookie name, any response that calls this
' (including logout) reveals the prefix to the client.
public sub setcookie(byval t0,byval t1)
    dim cookieName
    cookieName=prefix&t0
    response.cookies(cookieName)=t1
end sub
7 T  @; T. ?5 J5 E) a
prefix 的定义:
' Variable prefix. If this program is installed more than once under the same
' hosting space, give each installation a different value.
' This is a namespace separator, not a secret: loadcookie/setcookie use it in
' the cookie names, so every client can read it from the response headers.
dim prefix : prefix="1Jb8Ob"
" H- h9 q: r& T% }9 z6 g5 ~( D, w
这个值只要访问一下 admin/login.asp?act=out 便可得到:out 通过 setcookie 清空 cookie,响应的 Set-Cookie 头里 cookie 名就是 prefix 加上 adminid / loginkey / islogin。
1 ?" O2 Q0 p. ?1 f7 _! j& p & A  Q) i6 \4 Q. C. _+ f& X
' Logs the admin out: clears the session values and the cookies that islogin
' reads, then sends the browser back to login.asp.
' The cookies are cleared through setcookie, so the response names them with
' the prefix - any visitor requesting login.asp?act=out learns the prefix.
sub out
    dim k
    for each k in array("adminid","adminname","admingroupid")
        sdcms.setsession k,""
    next
    for each k in array("adminid","loginkey","islogin")
        sdcms.setcookie k,""
    next
    sdcms.go "login.asp"
end sub
( e5 y: }. i) H
* H0 {7 C) R& M9 T 6 b0 F0 |3 w* P' w# a
利用方法:设置 cookie prefix&loginkey 为任意 50 个字符、prefix&islogin 为任意非空值,然后循环尝试 prefix&adminid(默认管理员 ID 为 1),再访问后台即可。之所以任意 50 个字符就能通过,并不只是因为长度判断宽松:后面的 instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 这个判断永远不成立(VBScript 的 InStr 找不到时返回 0,而不是负数),解密结果实际上从未被校验。
修复方案:
修改 islogin 函数:把 instr(...)<0 改为 instr(...)=0,并拒绝解密结果为空或 Null 的情况;更稳妥的做法是把 loginkey 与服务端生成的令牌做完整相等比较,而不是在 adminname&adminpass 中做子串匹配。