
SDCMS后台绕过直接进入漏洞

发表于 2013-7-26 12:42:43
简要描述:

SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
详细说明:
Islogin //判断登录的方法

' islogin: gate for the admin back-end.
' When the module-level adminid/adminname are empty it tries to re-establish
' the admin identity from three client cookies (adminid, islogin, loginkey);
' otherwise it only reloads the group permission fields for the known adminid.
' Every failure path redirects to login.asp?act=out and exits.
' NOTE(review): adminid, adminname, admingroupid, admin_page_lever,
' admin_cate_array, admin_cate_lever and admin_lever_where are not declared
' here; presumably module-level variables populated from the session - confirm.
sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        ' All three values come straight from request cookies via loadcookie.
        ' getint coerces the id to a number (default 0), but the value itself is
        ' chosen by the client.
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' Author's note: this check is far too weak - the only requirement on
        ' loginkey (t2) is a length of exactly 50, and islogin (t1) merely has to
        ' be non-empty; anything meeting that falls through to the DB lookup.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Author's note: the admin row is selected by the cookie-supplied id (t0).
            ' Column order of the result: 0 adminid, 1 adminname, 2 adminpass,
            ' 3 islock, 4 groupid, 5 pagelever, 6 catearray, 7 catelever.
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' NOTE(review): VBScript InStr returns 0 when the needle is not
                ' found (Null if an operand is Null) and is never negative, so
                ' "<0" can never be true. The decrypt(t1,t2) comparison therefore
                ' never rejects a request; only data(3,0)=0 (the islock column)
                ' does. For the decrypted key to be checked at all this must be
                ' "=0", with a Null result handled explicitly.
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    ' Identity and permission fields are taken from the row
                    ' selected by the client-supplied id.
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    ' Empty permission fields are normalised to 0.
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    ' NOTE(review): admingroupid is read here before the
                    ' "admingroupid" session value is written below - confirm
                    ' where it is initialised on this path.
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    ' The session is now populated from the looked-up row.
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        ' Already identified: only reload the group permission fields.
        ' Column order of the result: 0 pagelever, 1 catearray, 2 catelever.
        ' NOTE(review): data is not declared (no dim) on this path; this only
        ' works without Option Explicit.
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            ' Empty permission fields are normalised to 0.
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
漏洞证明:
看看操作COOKIE的函数
' loadcookie: returns the raw value of the request cookie named prefix & t0.
' No validation or decoding happens here; callers such as islogin receive the
' client-supplied string unchanged.
public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function
. m7 H! r$ {2 y' t
' setcookie: writes the response cookie named prefix & t0 with value t1.
' Only name and value are set in the visible code; no other cookie attributes
' are applied here.
public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub
prefix
' Variable prefix: if this program is deployed more than once under the same
' hosting space, configure a different value for each deployment.
dim prefix
prefix="1Jb8Ob"
' Author's note: this value is not secret - it can be read from the cookie
' names sent back after visiting admin/login.asp?act=out (see sub out).

' out: logs the admin out. Clears the three session values and the three
' login cookies (written back as empty strings, so the prefixed cookie names
' are still sent to the client), then redirects to login.asp.
sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
修复方案:
修改 islogin 函数中的校验逻辑!