SDCMS后台绕过直接进入漏洞

admin

要描述：

SDCMS后台绕过直接进入：测试版本2.0 beta2 其他版本未测试
$ D% O& b- r/ y6 ~, c& d- n* L1 m; K详细说明：
4 T" V: v% }6 r* H0 y; R7 lIslogin //判断登录的方法
3 M" A% q; x& s* f
sub islogin()
: T0 Z0 E  _5 s8 O8 M
/ v8 Q4 A! L( C% y  c/ @2 r3 Lif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then

5 t9 C5 g8 _$ H( `5 _& r$ \9 xdim t0,t1,t2
1 p# N+ j1 l0 B/ s0 t
9 A4 _! i: r# U, |% y' \% h( Mt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
/ h$ l& W% b" Q
t1=sdcms.loadcookie("islogin")

t2=sdcms.loadcookie("loginkey")
" N2 K) e, B1 j- q
% b# a0 `0 Q6 cif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行

) h' ^% G0 ]3 v3 ^//
% A9 y  \. L$ k+ h1 Y
' b8 ?( r, k- `+ \; ksdcms.go "login.asp?act=out"

- d& K3 E- d) t! B5 wexit sub
8 N5 w9 s7 J* ~, k: y. p- M6 @
else

dim data

data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控

if ubound(data)<0 then

4 u  m% J# O2 A3 a" d+ b! i( asdcms.go "login.asp?act=out"
! t2 j  Y. k  S- e( ]$ X, l
exit sub

else
5 e3 V( N& q7 |9 ?) |8 W
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then

3 b# u' A2 i' {# `* H, C6 Ssdcms.go "login.asp?act=out"

exit sub

  w" |+ O+ K' nelse

+ w5 o. Y7 K5 X" G$ A0 J- z+ a0 v) W- ^adminid=data(0,0)
! |: ^$ U! G1 C  W- R0 e. c3 A
adminname=data(1,0)
" I) \. k5 R4 ^+ h% i# D
admin_page_lever=data(5,0)
  y/ X9 B$ G. s; H
admin_cate_array=data(6,0)

admin_cate_lever=data(7,0)

if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
' f! R* v4 ]3 \. h7 L/ V& D9 J: [
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
' u) O( N$ S8 J; k7 \' v
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
' R* |/ M8 @2 g! [
5 |. F. ]! I5 x) W, q/ J7 e: Cif clng(admingroupid)<>0 then
& s$ g4 F9 o8 S* p
8 [9 N5 ~  Q' ]3 V8 ~admin_lever_where=" and menuid in("&admin_page_lever&")"

$ I$ V: M; s8 R; Dend if
$ z7 k) J4 o- W+ P
+ c" m$ P, ]/ G, j" r6 [4 Msdcms.setsession "adminid",adminid
% y# V( s; M3 r8 w
0 f- x" H/ A# ?" Q. vsdcms.setsession "adminname",adminname

% r2 b5 X% p; rsdcms.setsession "admingroupid",data(4,0)

# Z& Q4 X4 z+ d. [  Y4 }end if
  w& o' q- \& D" D" H5 c  {- P
" T1 V, }8 o$ `6 qend if
0 _5 c: v: p' y5 e& `0 H2 r0 ^9 f9 d
- ^' [8 N* a4 m$ s. ?: Rend if
0 p- a2 f3 b' a+ T% k  ^
else

3 j5 t9 r% x9 T' @* ^  ~+ M+ Vdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")

if ubound(data)<0 then

+ o8 ?  V( L5 _2 a5 ~sdcms.go "login.asp?act=out"
& S7 v: X) G3 c9 n. z, s
exit sub

$ e$ ^" R4 z: E  k9 Eelse
$ E( y+ c! ~0 y( }8 e7 x
admin_page_lever=data(0,0)
9 y) }. M6 w  V4 x+ z# J# t) L7 M1 D
admin_cate_array=data(1,0)

admin_cate_lever=data(2,0)

if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
* f( l' j% ^8 A. P0 I' e6 q5 u
3 i0 G& I  H7 F* y0 q/ |3 [0 gif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0

/ s3 ~7 v. {& r) }$ yif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0

if clng(admingroupid)<>0 then
% Q: Q# P; d2 u1 W
admin_lever_where=" and menuid in("&admin_page_lever&")"

3 m3 l' x4 T; s" T1 F# mend if
% D/ s! \. g! J! H; c
  a2 l0 K% a; O: a+ Wend if

end if

end sub
, X" x5 C7 L, A; W1 b* N8 Z漏洞证明：
4 t$ p: \, G: q4 t5 u9 [  ?看看操作COOKIE的函数

public function loadcookie(t0)

loadcookie=request.cookies(prefix&t0)
7 f8 k% E$ A# o2 z8 L/ B* Y% O$ D
# ~3 {& p9 G* ]" k  [end function

public sub setcookie(byval t0,byval t1)

: K$ e$ T! X! U# T3 m& aresponse.cookies(prefix&t0)=t1
" _! c. X0 l+ y* E% G
end sub
) ~+ B" f, ]1 ]' `
prefix
, |/ [, g9 n& [6 O9 Y1 m
'变量前缀，如一个空间下多次使用本程序的话，请每个程序配置不同的值
6 d6 Z4 l. i3 J& _. z. q1 x0 G! n
dim prefix

* D( n/ {6 {* L9 ~  G+ \prefix="1Jb8Ob"

'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
5 L; h2 @6 g4 G3 u
sub out

sdcms.setsession "adminid",""

# M3 ?2 \/ q3 g" \/ n* ]% N) X  l2 Hsdcms.setsession "adminname",""

sdcms.setsession "admingroupid",""

- r' _4 ~* y% T  v) @, R+ d( tsdcms.setcookie "adminid",""
0 i3 j* E  W# {' p. }7 ^" t$ w) N
4 K3 F% l5 L- R0 s! nsdcms.setcookie "loginkey",""
: v  F, B3 I" b. _- b' Z
& h- n- V1 J& M; v$ Z# U  ^' Bsdcms.setcookie "islogin",""

) h, J) r' s2 u/ p" P' Wsdcms.go "login.asp"

end sub
; d9 L0 k# Y/ X( D
' }1 V5 X- t2 t6 O" Y' ]" [
利用方法：设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台，就可以了！
. N& @2 |# \: h2 G) O8 j修复方案：
; D7 K) R. O- _& ^, _5 j% l( w/ G# R+ J修改函数！
  v! t+ s$ F$ q! p! g, I& `