要描述:1 O! G: ^/ {- d3 ^3 Y
; ~; O5 D9 d; a. R6 {9 t# F" K$ @1 pSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试1 Q7 j% D- K# h% H0 n6 W# ^. |+ L
详细说明:
. y8 ?5 l# f3 u& R7 JIslogin //判断登录的方法
% r, r" _7 J: }& h( q1 B
) a- J2 B: j+ M: E& p- csub islogin()
/ l. G/ _3 a) _8 w 4 r$ ~+ i6 `& f3 b) M. L
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then ; V& r( e! n$ T& k |( O8 l
: X2 ~3 X% R' \$ X$ N `8 c. t! t
dim t0,t1,t2 6 l# Z' \7 o: ?9 J; E: U
: i7 G' k K; @: n. g$ Qt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
: B0 B! m/ j2 o9 w
_7 f/ x/ t; b( H4 y$ ^t1=sdcms.loadcookie("islogin")
7 ]2 Q; e* z( E; m- I' V1 g V& |5 y, K9 c8 ^: ]2 a
t2=sdcms.loadcookie("loginkey")' Z7 h! n5 X/ ~1 h; h7 T8 t
/ ?) [+ }+ L$ \! p4 B. c nif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
% }4 ]7 {2 f8 Y% ?$ r
2 ~. p- S) Z! I' |5 ~3 m: [//' h$ ]! t( K; f; r
5 ?3 b' c ~+ y* O9 |
sdcms.go "login.asp?act=out"" _7 [4 I+ m1 J- G* A
2 C# u: M8 G6 c/ C5 C; V. {
exit sub! h4 N4 v2 p4 V; g. ]
/ m. {& k& ^+ Y3 E2 Q# pelse: W/ O' M0 W+ s2 g7 u( r9 t, ^
6 H. z2 V' v: {! i. W5 E0 zdim data2 E* q1 p9 g- w9 c/ |" c7 A( G4 T
) l0 Q1 _: i& u w2 T% `0 Q
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
4 X! R: ~! f- W
2 v* w! [3 a3 w& U tif ubound(data)<0 then+ O1 f1 c( _/ G1 U! X9 U7 n
% ~$ H2 x2 i) X* ^* g3 csdcms.go "login.asp?act=out"
$ P% g$ H' M9 H- h
. S- E( u, G0 S0 L3 k3 V3 R0 b4 p* yexit sub" m* W8 w9 A3 |! `
" E: r4 K- X. P% c7 _$ aelse! y+ H r& ~, Z( V, X
p# y' \( k/ t& l7 M7 m V; ^if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
$ S4 e* R' B4 D. G. p ) q. h6 K1 T g) G
sdcms.go "login.asp?act=out"
4 F$ R& K- t) n" ^9 U ; h8 n6 W' n2 `9 E
exit sub6 X6 q. \$ I! q R, l
2 B8 x8 L$ U0 P$ H) gelse
* \ E5 ]& m s * n# ~2 u9 Z6 T: L/ W5 d
adminid=data(0,0)
; K% R x) ~& M% {" u( s0 f' e% E# G
5 V0 x0 j: j# m& [. g1 @7 \# t0 Z+ oadminname=data(1,0). j& M; j: Y' G4 q7 L- \* f
' n; M% g6 h4 R
admin_page_lever=data(5,0)
( P3 P2 e* \8 y$ g
! l6 x. q, P; t/ \admin_cate_array=data(6,0)% T2 u( W4 u0 J* U- p7 j6 l
" E1 @, H3 ?( d: B+ S& Eadmin_cate_lever=data(7,0)4 Y$ w2 {+ d% { y
# Q$ W/ L) o& q zif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=07 b l: P/ S- @% N" X6 c' I; T
0 s$ Q0 }9 |7 W) eif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
; u2 U/ W, `2 }* _ L4 j
, h; h0 @2 X# |if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
$ u$ ]! i) R2 x$ c8 j" B ' |" G% Q1 c1 q* C% R8 T
if clng(admingroupid)<>0 then
9 g2 ^! C( X' g0 R' U
% |9 L+ \7 ~( x7 Dadmin_lever_where=" and menuid in("&admin_page_lever&")"
: B7 G2 y$ o% z/ A3 u% L1 V
2 T6 i" e/ r, @end if
; A+ f. B7 `2 ^ ) t2 g. \8 S |. Z4 \: T& @& }
sdcms.setsession "adminid",adminid
3 z0 H( t* D. C! s8 I4 @4 L9 ? 0 ~2 N, z) h) a
sdcms.setsession "adminname",adminname
( s. `7 G" f3 M) N" F/ G5 N7 A% Y
0 d6 Q! `! J/ M' i# Z5 P$ S+ X5 ]; Lsdcms.setsession "admingroupid",data(4,0): V: U0 Q! q1 t
) q2 ?9 h8 c$ D7 L4 f0 K6 V
end if
/ m6 n: C4 \* b; m3 T* a 1 q7 X- e$ x( N5 C( C G1 O# b
end if
5 M# l( m& P3 f8 L 5 w# O; B, ^- @: t2 [, L4 h) M
end if0 O! G: J: c8 f" M
( O Y% m1 l W( I% G' Z
else1 L9 K9 t7 K5 H1 I- [9 R6 U$ ?, @
2 W( N6 ]( K. F- K! H7 Adata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
5 Z4 T% T! ^9 o9 y . U o$ D$ f, I1 H2 m3 H( }. W% a
if ubound(data)<0 then; q# U. b4 g6 {: y
1 P R2 w( s- c/ g# C; b& d5 n; Bsdcms.go "login.asp?act=out"
/ Z! ?; v+ I3 w- v, D1 v+ b- G & m! ?, u: P9 f: `; |
exit sub9 F) t2 v6 ]/ s. D. m/ E! c
% p) g: T& I x0 M: i
else
2 X# m: a7 ^: Z5 N, P1 ~ B+ a
5 y, J$ K' u8 U- Y/ e$ Gadmin_page_lever=data(0,0)7 l6 f5 o( q- }1 U8 j2 V
" y6 [ a; }2 Qadmin_cate_array=data(1,0)1 Z8 e6 ], Q. l) E, @- `
3 @ s/ H; B$ n. O% Aadmin_cate_lever=data(2,0)7 n3 L; S- Z& D6 w4 V: ^
: G7 ?. A/ T( Wif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
$ F( J/ l5 ] q% x$ ?% o6 F* A
2 C, o. Z+ P- s6 M. ~) V% f) }if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=07 T0 _* M3 S( q
+ C% D# X/ Y( |. ~$ v7 ^8 `
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
/ q8 y5 D1 u+ T& E. r9 Q - H) [! N& G5 V. d$ I- D
if clng(admingroupid)<>0 then
9 V, [$ ^ r. s3 v 1 W! O! I; d' m7 A
admin_lever_where=" and menuid in("&admin_page_lever&")"& N& h( W' ]7 l2 t2 [
8 m8 j/ s7 w! S3 ?3 c7 c
end if/ L A1 X/ `+ b1 ]" I! Q
& `. Z( N0 V% j0 M- o9 g
end if* b8 j* X6 U. z: j5 c8 ]
6 C; ?8 I& ?. |: t( g. G
end if
' s9 {- W. i( B0 @2 C: ]# x7 E
& I: ?+ n2 f- @ Kend sub
4 [3 ]* V% F8 A! g漏洞证明:
: g. D& `0 R- b2 {- w" d看看操作COOKIE的函数
& ^( F( H) @% I / N6 m# [1 u+ {2 V& `' F- l. V
public function loadcookie(t0)8 f# n7 A# H Q
3 L9 x9 E' t- n
loadcookie=request.cookies(prefix&t0)
, R+ _' C9 @/ H- C- J
" Z$ V' B M7 i! Uend function ]8 |$ ]! j; }
( ~+ g* q$ U3 {3 K- C8 Lpublic sub setcookie(byval t0,byval t1)$ s) C* e* n# ]: m6 \: S
9 K0 T6 Q6 `$ x( B4 ?
response.cookies(prefix&t0)=t1
4 ]) I' ~5 a. u. E8 J7 r
1 z) Q4 v" @9 b! y1 j. z' M8 G, Yend sub
7 \ t& E' s' j- R: I! a q! Z: a( X , D% K9 S/ a! }/ D
prefix* M; V( ?% J0 M$ x7 m. q
% V" a& q4 a* J3 n'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
# B# y h+ F) ?. K" c1 @( ?
8 k# L# I& y! Tdim prefix: t2 c) U! u* A% ]* y0 D
; R4 X: l! o w/ k4 O1 tprefix="1Jb8Ob"
& ~# |/ v' j& R; L$ p 5 }0 a% X8 P7 L% \
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
* D! F2 N9 f! _$ j! h3 |) w
5 C* L- b9 S5 [9 X8 t' o# |3 Xsub out+ y. X& T1 F. h* Y z: S
7 C p' ^& i; g% f" a, {1 r
sdcms.setsession "adminid",""
9 h: Q$ z( @& c& X1 G b2 j1 V
4 {3 t# v* m4 c2 J2 xsdcms.setsession "adminname",""4 Y! @, Y8 L. K4 n1 k0 ~
1 j: G/ ]! }2 c/ V# a% Asdcms.setsession "admingroupid",""/ m4 g: _$ L" S5 W* i
7 U/ q6 u: F1 ~
sdcms.setcookie "adminid",""
# J- K& Z" @9 c/ Q" N4 z" [& L
' D% {9 {/ }2 T: l- H' a( Hsdcms.setcookie "loginkey",""
2 J# ^+ e, g* L3 n" k, F1 b& x " v0 f7 f X- L8 L# t4 R9 ~
sdcms.setcookie "islogin",""
% w! W. x1 D r2 ?
% G. K9 l( E$ W& |' O8 d* x3 @sdcms.go "login.asp" J+ @6 [9 h- `6 x
. [3 Z# S- n+ {+ d
end sub
6 w, _% c$ n. d( J ) p0 [9 X1 B% g
* f0 j6 m7 d$ \" F利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
/ u/ w: J% K2 \) L- ^0 O" r8 R: X修复方案:
% b- g* c9 e4 y ]* P% M4 v1 [修改函数!8 g3 O4 H% Z F2 f& Y
|
发表于 2013-7-26 12:42:43
收藏
支持
反对