要描述:
: j/ F/ u1 Q0 ~7 P
* x4 j& I# N4 x! C; b) _9 BSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
) A3 g- C, B3 N& [详细说明:
. |! `9 D/ V$ D- u0 ~; D! E' YIslogin //判断登录的方法
3 c5 y+ Z+ v1 b2 l
( j6 X: x2 Y% p3 D1 _7 ^/ q# i* Fsub islogin()
. p) r* J8 y2 Z4 Z # a# r, f5 [+ K) b5 c% R* k5 Z
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
5 F; k! K8 s9 z3 t X
" I$ u; n+ Q% V- c( i5 ?dim t0,t1,t2 3 C1 \( w4 H: j0 e! Z
& C7 L7 I6 V% y, w9 p3 B" p' y
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie - z! u* k7 s$ U& i: ^# i
% s1 U! I/ H3 N) V4 kt1=sdcms.loadcookie("islogin"). k1 y( G4 \# N3 ~& G
% }; T* s; ]/ `& y9 q! {
t2=sdcms.loadcookie("loginkey")8 v+ `& q2 ~9 g5 w# Z# q" o E
) O( R4 C* h! [6 R P0 I
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
/ E. Y/ V5 f `/ ?: F
5 S7 E7 u$ F! ]3 V O9 a9 s! A; m//- }/ f/ u3 j! F- R2 U* p
) M- ~1 \" L, _7 u; Tsdcms.go "login.asp?act=out"
. w: Y6 B3 }3 R# @& l + {( n; V" T8 i% n& v
exit sub2 `6 v* F( `7 Q) k+ \) e4 V
+ T. O2 P5 f0 y% |else
. n+ x9 v0 r# u$ f8 [1 n* x' z( n 6 p$ b9 X) @: |' D' ]; O( u0 v
dim data5 c& K7 s' \5 x
2 x& ~ c1 w3 I) z# h
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控- t+ z5 Z+ t! `: g; M: @, ? U; P
$ h2 M. E. y9 s' w) f9 S
if ubound(data)<0 then
3 m* E# E( T3 f- S# @% z% I( Q
7 t0 q: c3 B& N# Psdcms.go "login.asp?act=out"
. [; p9 o# u+ u+ b; l 1 T \2 u1 F9 _; b( I3 J
exit sub* J# V# ^. _% ]! @9 u- ?; i. O
! r' ^: l7 b& V3 }/ w! Nelse
+ k. l# m0 U* \ l T2 O : B2 ~+ I2 {& a, S7 Y) X7 n
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then" z& q0 y/ M4 L# z* H
; R3 B9 T4 {/ C/ J: L2 E4 @sdcms.go "login.asp?act=out"
) |. w! |: C- A% t
6 d: m H! [+ k7 y E5 O/ J% Gexit sub1 i5 H* B: n$ W- c* c( U
. R: o9 y. l% J4 t& G' Aelse g; @/ x( v/ g2 B
R0 ~) N6 z! c1 e: K, r
adminid=data(0,0)2 u5 v. R4 {* t, E: x: k
0 X! ] \1 R/ p4 iadminname=data(1,0)
1 ~ _4 v! L8 y% J, M 9 L9 G' V7 }' o- ^
admin_page_lever=data(5,0)) ~, Q5 L7 ]0 d+ b, t1 Q7 `6 J
- O% C4 ?* D4 p) S% H
admin_cate_array=data(6,0)
( A9 R b6 W8 }' n5 N) U! H ( k1 L6 d8 q6 A
admin_cate_lever=data(7,0)
* v0 \9 ^3 `* }: f . V: p- U9 m4 g6 K% B
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
: |. u+ {. q( n+ s# C/ E: o
6 Q+ X; j1 M4 D7 M, S9 t+ Z, uif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0% R+ v& R; L+ }1 M
/ w+ w" f! v% o; n; Yif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
" V# G" {4 o8 _
7 i: s/ {# j N9 Yif clng(admingroupid)<>0 then
& p( g# q4 t& c
P* z) q: `/ T+ a$ oadmin_lever_where=" and menuid in("&admin_page_lever&")"1 V0 `, ~6 U% p B+ |! B7 `
) Y- f0 L+ m$ N) @5 s6 }6 A9 F2 t' q
end if, C3 H' t2 F) b) y6 x
# l+ g% i- [2 H3 D i+ Q
sdcms.setsession "adminid",adminid) ?& W ]8 c$ O' @1 h$ O
% u- h) i: S, t2 F/ A
sdcms.setsession "adminname",adminname( f6 l3 c0 g7 G$ W) ]7 ?5 `3 {) `
7 }$ t' H% g4 _% g4 C* Z
sdcms.setsession "admingroupid",data(4,0)
) o# w1 Z. y) F% D- _5 c2 u1 F3 b0 b, { , I; h4 k2 e" G3 _( P5 D
end if2 m+ o+ V1 D! z G
8 J4 [! F+ I( z6 l7 T( k' S Eend if+ r9 H. v( u9 q% ]! \3 h+ d0 o
/ f1 y0 G; p( t7 k+ C* t, U4 p2 i' H+ ]end if5 y+ \: t& X. e, h: t
z. O; q, j- O: j8 N0 gelse5 O1 N4 B- t6 b$ P4 z8 l' i+ M$ n
2 T) A. ?! ~9 h* l% ~- Y3 Ldata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
Q5 T" `1 l( P. ]* t ' a% G$ }$ l: `& ~/ Q# E* e/ X# L3 M
if ubound(data)<0 then |) }# @2 |1 X( k# G% y6 T6 x$ X
: C y' P! l3 [% _3 }: `sdcms.go "login.asp?act=out"9 s( z/ |: S5 R
4 X5 t4 P! [$ r# W4 s2 H b
exit sub* Q- e, { f0 ]; Z7 V9 a4 S1 j
5 \7 v- {2 }2 ^. F( jelse& P8 {' [: n- s% N
; U4 R3 G! W5 J# v0 P4 {5 |admin_page_lever=data(0,0)
' x. T+ w9 c1 H& T- h$ U1 F. _ Q% S. j 7 r3 B3 M! u! z
admin_cate_array=data(1,0)3 ?6 t, p+ D3 L# H+ j# q
! ]: K% _5 h0 I* W$ E2 R: Tadmin_cate_lever=data(2,0)
" I3 F; K M; G" k3 G 6 D* O/ r+ [" M9 O; _
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
$ ]" J+ S- N+ @+ z9 S3 h( Y, q( J . Z7 {0 g8 d' Q0 f7 y
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
& v4 G: O' C' M
( x" v5 |8 ~3 P Nif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
0 G/ f7 j9 t, x, V 6 l* h- m$ g* j( g
if clng(admingroupid)<>0 then
4 B0 M8 g2 m( @% }* v1 H: y + a" a/ |$ H* o$ e
admin_lever_where=" and menuid in("&admin_page_lever&")"' d# M, G9 B+ [7 n8 `+ m
: m5 ?) K5 t* e5 N
end if' }& x! y% ], |! E7 o
& [3 V5 U0 T6 _; p
end if
# i* W2 Z& M2 r) M9 C
8 w' y1 ]; g3 y4 Zend if
' p% E$ B4 Q# A8 t. ^$ w. l$ z" k& C
6 t4 A+ W# G5 K! i: d0 mend sub
$ Z* \5 {7 x) Y4 N- F: x# M6 [: P! i漏洞证明: e' I1 D8 B+ G* c1 o1 }
看看操作COOKIE的函数. u4 y1 {* F% @! F$ c
. u- r5 J* p4 E+ N: [public function loadcookie(t0)
/ m, B, H+ n( d$ C1 |+ Z' Z
/ l) q& t" x3 Nloadcookie=request.cookies(prefix&t0)
: ~- ]8 s$ m( n) W% b
8 r; l+ e5 v. N6 G0 p5 w; c/ w; I' }. Vend function
2 T/ |" o& F9 P3 e 7 c( k- ?. r1 _. m7 x/ d* }( L
public sub setcookie(byval t0,byval t1)8 o, n. ]6 L" i. U+ S& C
7 [: S5 H5 _0 `& L6 Bresponse.cookies(prefix&t0)=t1
9 c: B1 [( W4 i) L) d' f: C & q! s8 l) N: E2 j. { w0 s
end sub5 ~8 G+ q4 `% r' W6 r1 J& C
2 { b' ?# g) S1 g- A* B6 H
prefix
0 F: U7 M& o8 M$ |+ a8 K* \ 6 d& H0 Y9 V1 n4 ]6 q7 P3 \
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值: D1 R# f* _5 a
& c b" v3 z+ a& jdim prefix1 e* e8 f4 e; t6 M i- ]
+ w2 z8 W. U7 ?0 j& J2 \0 g, ^prefix="1Jb8Ob"5 c/ L4 c0 `; Q! J' J, ^
3 U i/ q+ o8 b! X: \$ l$ _'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 3 x1 p4 s& c4 f. u: g6 r/ D9 I, O8 E' q
; b* D, ?& p5 H/ nsub out
- a- R& [& ^3 |4 a
" q5 k' A6 u2 o `. E4 S. M ?1 G Msdcms.setsession "adminid",""0 u" f0 y2 }( L: [
2 ]! e4 ]3 g" [sdcms.setsession "adminname","", @' U' u) b, P/ p
# t; e9 G+ ~ N- {+ ]8 Lsdcms.setsession "admingroupid",""- A& [7 J( B4 X
4 W# g/ } [/ E( k @) }sdcms.setcookie "adminid",""$ u8 c" @1 F- R1 r% ~
2 _5 |: f4 M& n, e
sdcms.setcookie "loginkey",""
2 F. t) h, ?) e' P
: u1 S- \# u6 H8 | ?5 ?sdcms.setcookie "islogin",""# z2 m* Q0 N5 n4 O- w
" }6 k& J: k. K- L# q+ Y6 J
sdcms.go "login.asp"4 x' T, ~1 w/ A4 _* Y' U' V0 W6 j
+ O3 Z) }8 l# S8 [5 Gend sub" e: P3 k/ ^2 v) }% i0 D, S
' d/ K. U1 t" F4 R. |
1 b* t4 Q; ]/ _& j) _4 T
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!; [, g8 c% t$ {
修复方案:
& D+ H9 a. b/ Q* B2 G8 I: a0 b修改函数!
7 a- O3 W/ c- H6 u9 b$ g" E1 @ |
发表于 2013-7-26 12:42:43
收藏
支持
反对