要描述:
C1 V9 x2 [, t; Z4 v) y/ O& r
* @, A3 t, P) t9 n8 ASDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
3 p* c1 Q+ V2 R3 \5 v' |详细说明:) h2 L! L/ y# {# [
Islogin //判断登录的方法
4 m2 ~: K2 @, Z+ R9 e' A- B # T8 y! n+ r9 G1 E/ Y& Y
sub islogin()9 B# J5 U0 K" R# d9 n7 t, f. `
3 h2 U: w7 }0 e4 r5 `+ A; _
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
* h& c" v# p0 `& z, T- P! x1 U% J
" R- R7 C4 q% ]) Y% G% e0 Pdim t0,t1,t2
, h4 E. ^, v( Q1 L: F 9 o% |7 d* ~7 J
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
/ N/ o4 S) C; S% p& w ; F. m# R. l$ T
t1=sdcms.loadcookie("islogin")
) ]# ?8 V( x: s# b7 I 1 R3 I( n, {( B) _1 n
t2=sdcms.loadcookie("loginkey")
# D/ W6 T) ^+ T ' @3 i# a/ m2 l
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
0 d/ ~5 D2 ~ W7 R& E2 _1 d 0 [+ k' q9 d8 z7 ]4 R2 U
//
z3 u n2 _+ b# ?( I' R& h& m8 ~. E
& W, c0 \0 t+ O/ s" ~6 u8 Rsdcms.go "login.asp?act=out"
a- j5 O$ C5 \( k4 S! x; ~" ? , R) ~+ j: f6 R, X( T2 u8 V
exit sub5 b+ f0 Q5 {# D9 i
: k% V) m( L$ `) A
else
# d, Y5 K7 O. _9 z! f2 j 1 a1 r2 F* a8 R8 ? E" r/ o3 ^7 u
dim data7 v1 v, o' o5 D" `; @3 u
+ o' m4 `# }, r4 i% U* U& l1 Wdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控8 u# N4 x. G( p0 f, o* d1 I h
. ~8 b2 Q1 V s/ w% D
if ubound(data)<0 then
_5 C+ p, S0 a ) {. i1 _ Z4 [1 k6 m* l7 P
sdcms.go "login.asp?act=out"
5 U n8 R" J5 B5 c |6 Y# X+ j/ z ]0 P7 f2 u
exit sub
b- T, g* e* k; o& w# |% e 7 T+ f' p" ]0 ]/ W
else' h7 O& L( F4 G. _" Z& B1 [" h
; ~& v5 k( f3 {! o* |+ }9 L
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
0 N) F$ i- r8 z8 W" x ' ?% \# Y# w0 |
sdcms.go "login.asp?act=out"+ E- M. C# j5 i8 b% W4 E1 [( v
' L+ y) T7 k# _9 ^/ s* @/ O5 ^exit sub, C7 p) h& w$ m/ u* n" a+ P
; e7 Z$ K% Q% Z# y4 P7 X
else
/ X, Y/ H- I2 j/ d " Q2 ?/ ^+ `, O
adminid=data(0,0)
7 y H- n) u- H2 E7 a+ g f4 E5 B
; l6 A) L1 Y$ m$ _adminname=data(1,0)0 V1 \3 }* ~+ h1 ]1 n! |
0 }2 ~5 y7 u9 E- J" U( e" _
admin_page_lever=data(5,0)
2 _& g6 [+ T1 P 3 n. j. \: ~2 z( E, p
admin_cate_array=data(6,0)+ y! ~3 Y Q5 f# K
" w& n M x+ O* z: f/ ~admin_cate_lever=data(7,0)1 w; s$ p5 i1 C3 B1 `
. ]1 w* s) H! z' F" W7 L
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
) ^* ?. @ `8 R
7 y, Z' n X) s+ C8 ?1 jif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
9 h/ c) v' A, D* a ' u' B' X7 Q* z# N* b
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=04 k+ _% p! l0 S* j0 B; a$ I- F4 E. x
% ^' L& {& d7 E3 W0 f& ~& A2 r/ P0 Oif clng(admingroupid)<>0 then+ _* x# u) Q' Y9 s
' Q% ]$ c" w9 r
admin_lever_where=" and menuid in("&admin_page_lever&")". ~& P; g B. z* ?
( e: R# b* l4 O0 j( U3 v
end if% {. K% U' R2 ~0 @
- ~+ ?, |* P& |: u: C* V3 P7 z" gsdcms.setsession "adminid",adminid/ ?( o$ ~# F ^' W. c
0 ?# ~3 f' t6 g1 q5 asdcms.setsession "adminname",adminname. F+ q! W; y; k6 z
7 L9 J. ~1 B osdcms.setsession "admingroupid",data(4,0)# V! r5 W! q$ h4 \
{, [+ C- Y5 G" {8 q! |, q) ~
end if
2 k& K4 }; L1 Z2 W & s+ o# e2 f! `1 d
end if
& r* l n# S- q% |# f. V & o2 Y! M9 v" B* P9 ]+ a* z
end if
1 C1 ]9 e4 k9 E: Y 5 t( G0 N v V! t, v2 s1 j4 J
else
0 r w' g. |, _7 m! P1 w
5 A! B/ E1 `4 J6 adata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
$ x4 W% g' |$ Z. M * ]# L7 x7 _/ ` ]& |
if ubound(data)<0 then
9 K2 B0 n. U: h: t6 d
, L \7 c9 o0 b0 Lsdcms.go "login.asp?act=out"+ s- B9 A: e# m! N: G ~
+ c" t9 ]" S5 e- e3 Q& M6 f _. v% [
exit sub/ F, ^$ N/ G: d
; P: X- ?3 }' E4 G
else* D) G$ Q$ f \6 B
* ~: U! t9 r5 ^! N, F- X# C. yadmin_page_lever=data(0,0)9 J& W6 V# ]; L
1 i3 b% G0 A6 ~+ h7 l* R2 Uadmin_cate_array=data(1,0)4 P& i# i# b5 W, v& Z
5 x& Y) t: _8 d+ W7 t7 eadmin_cate_lever=data(2,0)
9 ?/ y" j7 V1 p' b# Y5 D+ q * `& k( N- ?2 i+ t& t- ~ q7 c0 L
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
; c( G" f% _6 @* n1 S( P6 I
C& |: C/ G, { Qif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
) k9 D& c' e% H# f s3 ~+ B
6 D$ N; B$ p _) A4 r$ Hif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=01 V+ k2 F1 z; E1 m, _' y
: m; A; k' c- ]8 T+ N
if clng(admingroupid)<>0 then
2 p' _4 Z- B( ?) _$ i* [
9 {* P5 F9 c' v: ]# V; W, R5 Fadmin_lever_where=" and menuid in("&admin_page_lever&")"* k% K* o& I% b8 s+ u$ |& K
t5 @* f: z; O2 t7 x( K
end if! S8 ]- k( Y+ c: y: `
/ K/ l {3 A* M, r! X; s( q
end if! `* D" P( D9 v Z
/ g6 F0 W. F4 P0 n3 T' E# p$ b
end if) ^4 C# \, J# v: ]
$ \! H; u9 [- oend sub& m, h$ m/ t( K" X N
漏洞证明:
$ f. ?' M' z" D# C看看操作COOKIE的函数( j6 w7 Y# Q. _2 ^+ _/ c" @: I8 D
% A2 D9 O3 [. F- \* o% N
public function loadcookie(t0)5 B% l) g! Y A4 c! j
( X; w2 O! ]- v5 d1 Z. l8 P! O
loadcookie=request.cookies(prefix&t0)
( _) D; O. P& w$ e5 R7 c1 B/ M 5 T0 }3 ~: K3 t. p
end function @9 `) H% Z5 s3 a; i. Q7 [
( z; o( S, `" M# \) W
public sub setcookie(byval t0,byval t1). T& s: U* [+ T' ^# A0 H
. b# d8 {" s$ Y+ i
response.cookies(prefix&t0)=t13 \" T; t$ `! V9 Q0 W `1 r
, L. h% \, P: x* `$ ]' lend sub; }5 }! H% F/ C! O& F
8 I% g' V+ m Q/ t. e* U- v( wprefix- j7 i2 g7 }- Q' B7 C0 `$ e
+ ^" D% W5 r0 ?# H6 c/ x'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
! x; D9 I! j, |# J5 ^1 X. C# a
5 a2 F3 G0 _/ Odim prefix& K* Q4 a4 i( s5 S3 v/ l8 o+ b5 C
% i4 P9 @& R5 Z0 |& k+ [: l1 L
prefix="1Jb8Ob"
0 M4 Z+ L' P! a. o, K" Z
" b+ R7 }: h% u3 h0 p$ y5 \'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
3 N( g' @- v0 I( f+ I7 } ! h( Q7 s# i0 m( P
sub out
# D# }, i! j3 r! G- g( J; M8 M7 |
7 b* L8 b: A1 e. c3 Jsdcms.setsession "adminid",""' G" h; C8 {0 g
. e/ m7 s6 |4 S' |sdcms.setsession "adminname",""
+ p0 u1 `8 I l5 M " o- c# m+ A# D; I
sdcms.setsession "admingroupid",""
0 q* n% P0 z$ B# K6 t # w% j/ J7 j" J8 ?
sdcms.setcookie "adminid",""
: n5 a# U) `+ n; j: Y" [" z. ?
0 }, s ~& k9 X. W6 ]$ @+ G9 fsdcms.setcookie "loginkey",""
9 l5 D4 P1 T! v) l7 I: W
+ d I/ z; I7 n; h# H0 H9 s/ Wsdcms.setcookie "islogin",""
4 l% k( }1 O- s' N & B8 f4 y1 {) z3 D" }
sdcms.go "login.asp" x/ O) G; E$ n
$ I r% Y8 [' j' R: d8 b7 Nend sub
( V2 z" }" Y# L, q5 A / d+ Z3 B2 E1 k7 `
/ C }) S1 y8 `, I! y2 j( y1 `: K* E利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
. _/ r* a/ R$ ]% q* f修复方案:
; N* o, e+ b2 }. T/ ]" S修改函数!
7 X+ b6 w$ e" |+ O2 x |
发表于 2013-7-26 12:42:43
收藏
支持
反对