要描述:
2 s* [7 L2 |# M; ?. |
3 ?- l/ e; m) z. K T+ o. Y% bSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
& x' d; v. w2 t% Y" }5 P2 ~( U0 ^2 j详细说明:: J6 ~% a9 }5 u* J) E+ c3 f8 x7 a
Islogin //判断登录的方法
( D* {# h1 L) A
% S2 B- h6 G1 X+ U' c1 qsub islogin()- Q; z1 J5 N' j& p* ^, J+ @( K
9 J! \& t |1 w( g3 Nif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then ( b/ ^4 Z! q$ d) r1 U
/ a/ d. `& A0 {8 u' ~1 tdim t0,t1,t2 2 r+ T \8 d* ~) [9 V5 M8 \7 z
/ t. s/ J' v7 W3 m, A
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
. [ W3 _8 m' l7 m: N# S ( U6 O+ _# X8 u9 Y! i1 I
t1=sdcms.loadcookie("islogin")
" h" p' C" y( Z/ X! c% }3 _& W& O
$ J6 \% {7 }( a& u* {, wt2=sdcms.loadcookie("loginkey")
" R! k' d6 r/ o5 c % w6 V+ |. {5 H
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行3 R& B; w, d. a( s* R! ?% g
' \% |& Z( k$ m0 D+ d//; |3 z% t0 k+ l6 m; n2 f$ D
4 |7 U0 A( W) E: _
sdcms.go "login.asp?act=out"2 m3 ] a9 z( O/ u R
0 a4 ]/ z4 H( i4 e6 Y
exit sub) j+ a2 R4 {5 a$ Z5 w4 i$ E5 |6 M
& c+ \+ ]5 R/ s5 [" Z6 [) w/ s
else
2 X. ~ G% s( j @% n( _ & {/ z2 U3 R( M' u
dim data
) X7 A2 K& f& h0 x+ K4 |( [
0 W" f) l0 |$ P$ O/ _- Xdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控+ c$ ^& u5 n! M$ N, e
5 f* g3 v( l% W8 V: X& S7 O! [ rif ubound(data)<0 then
. }' I" W, V1 [: K- ? [- K, k- d
4 U) K+ v/ n/ e& g7 Ksdcms.go "login.asp?act=out"
' m# ~+ f2 E) W+ V* R5 \ 6 Q9 `6 q; C8 M# a3 ^1 e
exit sub- K/ G( Q) ^" F+ `+ E
, E$ O! S9 P# _5 e8 q$ `else, _; Y+ A1 [# Z' y
+ n3 }2 Z8 \ a# Mif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
1 j$ A: p m8 E' I' s/ ^
N5 U* ]" d: Dsdcms.go "login.asp?act=out"
: V4 Z) V' E' A % r$ ^7 U' W# E- R- D
exit sub
$ S$ u2 Y- t2 b1 v
) `' I3 O8 }! @) Oelse
* M5 M5 j t) ^: ^( ?9 t5 v3 w4 [) R 7 y! B$ M0 a+ o- S6 O
adminid=data(0,0)+ Z# N9 {4 ^5 J g/ E
" P! z5 a. J; C8 b) M; r, \
adminname=data(1,0)
9 L( L: q" \& x Q 0 Z# g1 E, R/ m" _% j) z2 i
admin_page_lever=data(5,0)9 E0 w3 J+ I; m K2 Q! T1 g
7 |% J" j6 K/ D; j& \3 H4 O
admin_cate_array=data(6,0)
% m* o& E) R7 K' n8 L# W+ k2 i' n! P * n! E" }. H; h" l! y
admin_cate_lever=data(7,0)
6 _5 C" V! L! M1 A) F
2 `5 H* d$ d$ L" T% J9 A9 Yif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
! t7 m: l, b2 i3 y, u1 v p, V) r0 J
W- X! A1 a. x' J' x2 b! h* Vif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
6 v8 _- y! |) a
6 S- T5 R% H- R6 t0 @) Hif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
+ Y4 q) b2 L- w6 L } p6 n8 b
) P8 r; \3 J) _& kif clng(admingroupid)<>0 then# L' c* n7 E) [# L& C; M8 o3 C
* ]( W7 Y3 @% V$ Y9 Q& S; U+ Dadmin_lever_where=" and menuid in("&admin_page_lever&")"
' t& W: \6 y7 S- N5 U# K $ x& ~+ X6 O0 [) F x6 T* A* b
end if
+ i8 o0 T3 u/ d" |
; r$ D! ]- m' [# S \sdcms.setsession "adminid",adminid
! l8 ~$ _) k) W: z; S 3 ?) g- q3 ^2 g( k) ^9 Z- n
sdcms.setsession "adminname",adminname$ O( V( t' }; W5 M, H7 q6 S
- G3 ^: u4 d6 \, m) t: B4 _3 ^% |
sdcms.setsession "admingroupid",data(4,0)
& Y& x1 E2 D" s8 j1 p V- l4 o: T 3 i6 J. w' z) N/ M; Y
end if
4 U) n z6 [+ C0 F1 E' A
4 h A& w5 j* w0 U; tend if
9 _8 ~1 B7 c9 c2 B; a, B! h4 x$ s $ ^+ l2 _$ ~/ g
end if
# j$ n' D! K# F8 y# }9 F+ L 7 h3 o; z X* i- F" A5 Z
else
* Q9 f, Z5 C: a, t- ? ^
! w% z! Z( M8 S- n& S1 Z' |3 G7 G5 Ydata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")/ {+ w" a) g2 w0 c9 z, a4 d* I
) `* |( x# a7 n5 L7 V' Wif ubound(data)<0 then
- f- {# Q+ F/ y; w. K9 Y5 Y 7 t5 a7 h. A6 j
sdcms.go "login.asp?act=out"9 ^2 S! X- M! p2 p" C! X0 g# s
3 Y% C+ \$ B0 H- W; l+ ^
exit sub0 I' S6 h+ @( @
/ x5 k, _! a/ \' Jelse) |& E% a- O$ L6 K5 ]
+ @2 s4 I% r* Dadmin_page_lever=data(0,0)9 t- i9 x I9 {4 f
F% r4 ]7 S7 v! ], r5 Zadmin_cate_array=data(1,0)
. b6 ], R' W5 ?0 Q- D' C2 W. @
6 j0 s+ [! z, F7 W6 ]/ \+ Kadmin_cate_lever=data(2,0)
5 j/ c+ a. ^' [4 |+ R) E ; D- J# S, x- O+ C
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
" `3 b. a' s U
$ m0 r' k0 K# xif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
# G3 t4 u% [/ D2 G ' o2 M- k5 k2 N8 L
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0; \' q" b' P) y8 Y2 z8 @
, J2 G9 q0 U6 h2 s0 jif clng(admingroupid)<>0 then" d: g( D2 R* F8 {
w% s! U0 _9 a$ z
admin_lever_where=" and menuid in("&admin_page_lever&")"
0 [3 R- g3 X2 n7 W 2 d( F& p' P$ j7 o
end if
1 B6 [9 ^# \' Q8 _# H @* C . A# B' a8 P$ q* |/ _9 u
end if
3 x* t6 w+ T! J # l6 H1 \/ M. ?8 R* V
end if
, J. `7 r" t( t( k
4 l! ]9 |9 r o. Oend sub
' }% w' H, d9 h漏洞证明:
" y; M$ A I& d) |2 K# ~) G+ `( G5 V看看操作COOKIE的函数# Q. r6 Q2 y- Q: P) v/ U
7 Z+ r- m1 o2 N/ q" D5 \
public function loadcookie(t0)3 j5 Q7 B- T- C7 F9 [5 h
- B3 _+ W& ^/ j* E6 W& x
loadcookie=request.cookies(prefix&t0)
% R0 I# ?5 q7 I9 p8 ^; H& n% F/ e
- {; A. R; n) ]3 m! eend function
$ z b8 h: H+ O, \3 R0 J : F' F$ e1 I0 P& b% }
public sub setcookie(byval t0,byval t1)8 F2 C* `7 ?% _ Y( G% |6 t
9 @/ |. z2 W, a/ V8 R9 Presponse.cookies(prefix&t0)=t1
8 ^% c b! n9 {8 M& t5 l1 N5 x 2 I1 @ y1 E" i& f# p' j H0 Z8 z7 K
end sub, _+ d* a# c+ F. ]6 h
& W; Q- [( b5 q! G/ A8 Tprefix
% H2 T4 S1 ^5 q7 ^ # V/ u; C3 A$ _; K- P
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
/ h/ ~+ o( K9 M 5 q, i& W" r. `: F S0 g- Y
dim prefix
1 g! K" V" M) ~. C* d9 c
: b1 A' `! `/ R/ fprefix="1Jb8Ob"
5 d) W/ P. m2 k
. [0 F0 k& x7 I' {. b'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
& V( @; S0 m1 U: V
- g( Y, n: c- o2 y H: p' X/ bsub out
& x1 M/ k7 L% z Z" Z
' C/ i! r# ^1 Q6 r8 j/ j. D# ksdcms.setsession "adminid",""
# @8 c. J& B0 w
! H! k, j4 A g: F7 ?- ^sdcms.setsession "adminname","") f# ^$ n' I6 B* _! D: R
+ R' S5 X% t3 N/ A# c' L! f
sdcms.setsession "admingroupid",""
4 ^; c6 T! ?3 ]/ F( O
N3 b. [/ ^/ K6 Q7 N/ g# J7 R Isdcms.setcookie "adminid",""
2 R- i5 b, F' Z* x
. x) X0 y' O. N$ x: O& M: \sdcms.setcookie "loginkey",""* d @4 p: f3 m- M& Z
* [3 P% M. o( p; ?' X; P8 u: o
sdcms.setcookie "islogin",""- n2 H- A# u0 l& P
8 K) f3 H, A: m) X$ v6 I
sdcms.go "login.asp"% Z% R3 ~8 M( }! V: M4 T9 O
) ]& @3 T \2 S
end sub
8 p3 f+ P7 w4 M. w* u . q# O6 ~, l- \3 z; ]& J
/ d8 M, c( `1 ]利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!% A, G- y' l6 v- F
修复方案:
; w/ a. W9 U+ L- f; E4 Z- E修改函数!+ u2 M: Q5 R: I3 a* m7 z' a
|