要描述:
: j. i9 \2 y6 [# D7 f/ f2 h4 F- E F7 O+ \
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
1 I S' W; Q5 d, y; _, B5 I H5 @详细说明:& c+ Z) s+ y% P$ E+ _6 k) f! g: M; o5 d
Islogin //判断登录的方法0 ]! ]3 g1 R! |2 {" J: z
& y: M0 d# \! v" D4 [sub islogin()4 H; u1 v9 C5 [; J; |* y1 D# j
' X5 ~3 P3 [. g# h: U. |. l# P* d% l
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
; U, |+ r/ x$ @3 C 0 e& v4 X3 L0 I7 {: K7 i1 E8 `' p, M
dim t0,t1,t2
" b1 O+ e$ ?2 [$ S( D$ l " I+ l0 `3 G3 O* N- t0 D% {
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
% Q. O3 f& }& l+ l, `
4 ~$ g9 i4 z% B+ n5 m* lt1=sdcms.loadcookie("islogin")
5 h# w+ s/ @9 K8 O: @, k% E/ ?
) `* r; R; k" F) `/ J5 tt2=sdcms.loadcookie("loginkey")
! `; ~& ?- D, n - z q6 @ o; s W& l
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行7 ^8 S! F; P9 O0 K2 T- l) |; L
2 s# I. l0 o) Z7 z u, C4 e//
/ W7 I d2 J7 M: O1 W n $ Y. K [9 j0 p' o; {
sdcms.go "login.asp?act=out"8 ~: h/ @5 [% @- Q f0 \5 _( z0 j
9 J7 T3 _9 S" v5 ?exit sub
0 w' J; i0 z! L9 G, `
; l) _$ U0 P3 j" q% w4 Aelse
) L* {; f# v( G" G# v& q X6 x4 I
1 d% n) ]1 a1 x9 ?dim data
6 |" u" V3 S% }4 I
: e4 w4 g' l$ Tdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
) \' y& m0 E; I* S
$ M) }' e9 ~8 Z I& Xif ubound(data)<0 then
, o0 Z; s0 q% r ; `5 E% g: |& m0 {9 \, n" h
sdcms.go "login.asp?act=out"
$ ?6 _8 h, |+ j2 P; n F
|, I% _1 x) fexit sub
2 k e$ r* ~4 u ; v# r1 h% R" {1 b# n: \& C" x0 W1 E
else
$ ^+ r+ ]6 ~$ v$ A
* z) ~5 m# x9 f: F+ u3 Fif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then& ^& E( x u3 x1 x7 x
1 P9 E* ~5 C; E$ Q# h L; jsdcms.go "login.asp?act=out"' ]8 @; [+ h3 `- {1 f# z
% L9 z& W$ K6 o pexit sub. L+ E) v. L- B* L! o% F4 f5 F
/ E! Z7 D; j5 |% ^6 lelse
" A: N$ r3 S$ E2 c" E ' E x$ `( W5 J8 [2 J
adminid=data(0,0)$ Z0 J( `! Q6 g i2 n4 K
4 p/ {6 l. C& B* B8 @adminname=data(1,0)
0 v& \; a' {3 i; g: e1 @% b
0 m- E" y+ E. j. X% ]admin_page_lever=data(5,0)# z1 H6 X+ s+ T& w$ G
k; \0 u( K8 N2 @admin_cate_array=data(6,0)2 m5 g$ c7 s! C' ~
9 c7 V+ v9 ^) L7 e, q4 j5 E
admin_cate_lever=data(7,0)5 \5 i" _7 l( `: i* Y
1 g- B h/ p3 T/ j& p% t9 Z8 G, [if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
0 ^ m7 E/ G# j) d3 N& h ' ], Z+ a6 M1 Y( y' j; T3 R
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, q3 f: p/ j/ K( r% W1 M8 k
/ n2 J( C. G& R' a3 T, Nif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
0 D8 e. b* B5 A2 o* ^1 N( z
7 @1 ?7 [" e, A( c" }* d! z' p2 nif clng(admingroupid)<>0 then
$ n, m9 c' A& \
6 \' r- Q) d. X+ n# k- s& Iadmin_lever_where=" and menuid in("&admin_page_lever&")", V" ~9 c) {4 e" z! A5 [
, F0 v( K! G; _% s$ Z% [( B
end if
/ c9 x7 N1 r' n' ~
& D5 Q6 ?, K. X6 M. U) Z6 _* psdcms.setsession "adminid",adminid S7 V4 f) x' B% |
$ i0 s% k4 x( v# J( D* I5 i4 o# Q
sdcms.setsession "adminname",adminname
3 a7 ~, X! S0 e' b4 q. V8 @; j $ z( J$ w5 u5 T6 M) L2 E9 _- B
sdcms.setsession "admingroupid",data(4,0); J' l% _7 F, j6 [! ~
3 |: r0 f2 b. m7 w- {$ ^end if
9 I t. h& y8 J! T " P& N" e* j3 p7 [: t0 q
end if$ b! A5 K8 y/ _ M0 ]2 e
; i: s( {8 X' ?4 H! G) y5 [# ~
end if
* P( k' g2 a7 X5 O% n% A
6 e) o7 X8 |. s! Q& melse/ J1 L( U! c8 y2 L
p" b& m& }. m9 s2 b; N" Xdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
$ X0 N9 l. t8 v# }3 A5 M2 a( r
x& k9 p7 G; U; N/ Uif ubound(data)<0 then
! M& o, a4 s, H0 X4 ~3 h" a 0 S9 W% }& B3 V! _4 N
sdcms.go "login.asp?act=out"
8 K+ q5 T! `2 @7 ? : O# l) w9 i5 u2 [6 K! `
exit sub
8 K* C7 {3 `) ]2 P/ U7 y
: X# C6 g3 b" A+ X8 uelse
# K/ M2 g) ?2 r4 x# ^" i$ G# p 5 |3 F/ a' I, `" ~9 E
admin_page_lever=data(0,0)
! {7 A- n1 Y- |: a3 S5 g) {3 F0 G
# Y# p0 l& _4 U6 Z8 v, E6 ?admin_cate_array=data(1,0)* J1 @# ?5 D4 ]/ N: P3 R* x
$ A; y" w+ i) u" \. J. U
admin_cate_lever=data(2,0)% u- E+ W8 U3 N: }; ?
- g9 o$ P* J: Q7 P5 ~" l* D
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
6 D$ O& C: z; S6 C
& ], r- E# b" ]+ l& B0 E4 M/ f0 pif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
+ a" s3 ~% M: i$ [ 6 q$ _, b2 ]9 h$ d
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0! r d# k/ a: D' G
& o* u1 L7 {5 Z0 d1 J& d& M" g+ C
if clng(admingroupid)<>0 then$ h& q$ _# J. h j
9 Y5 `; |: c9 G7 G2 Q8 h, {" dadmin_lever_where=" and menuid in("&admin_page_lever&")"
& H) `6 E7 m: w; x0 s2 c - c( W3 X6 J6 y) w3 s" k* s8 d& P
end if. Y, E7 J/ `0 z3 M3 y; _7 j
2 D* W! j7 r- ^5 ?% A; aend if
/ A* Y3 V$ z5 @/ l. @) Y
! d/ n9 c3 |5 Eend if! p& Z3 s& D! W! S/ U9 b
8 v* n/ [: n! p5 k4 c2 \! Zend sub
1 }& e* y& J; }漏洞证明:6 c9 ]; R3 i: s
看看操作COOKIE的函数
* i- H& D$ \! c' i) _# T& ~
% Y: F3 H! p8 N8 V4 _public function loadcookie(t0)
, W Z# G; h: M% R6 O 3 G) i' E. L \% G9 R8 M
loadcookie=request.cookies(prefix&t0)9 M% y$ z( u; u( k) G
4 x1 U/ p4 V# I. ^
end function% Q& K8 R* X# @7 g' T
8 T* m( k- L: d
public sub setcookie(byval t0,byval t1)" d- E( \, U: p# |$ b$ _
/ g/ @+ g4 K0 k9 }
response.cookies(prefix&t0)=t1
' {/ }* H8 F0 |0 S- b+ L2 _ ( { }$ c; h2 y ?
end sub" h" w2 E" i/ Z: S* G# L) p5 n
$ f e7 {# M3 j" v0 I( P. f2 Eprefix
+ V0 b" v2 ^& ] z& k
0 O/ r r9 P- J1 } ?0 x'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值& S* L) S+ `6 c' U
& s, m9 n4 Y8 w ^dim prefix0 C6 P% ^( f: s5 { @( n
- F) y5 }% Y& ^" G" E! }$ c0 Y' ^' D
prefix="1Jb8Ob", ]6 ?0 A3 A5 T l/ G$ m# p
% M7 U0 b: ~ C- H# q4 _
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 7 j2 ^* \# i3 i* w
& Z3 R- A3 `% h2 T4 S# T" ~; Bsub out! R8 G! ?4 D1 q( Q9 h1 s
# Q( m7 ^( n0 z, y, ~. csdcms.setsession "adminid",""
* K: u7 [ j. W0 _# x7 H, e0 s
, `. ^3 w; A: s; O" D5 J9 n x( K$ Ssdcms.setsession "adminname",""
D: O. D1 \7 T6 ]- n+ X5 E 0 p( F0 x& s* x, n
sdcms.setsession "admingroupid",""
4 |( S K& w9 }5 z* ~8 a% k" y
8 z$ f; g9 K8 ?& vsdcms.setcookie "adminid",""
& F( n2 d# i1 p6 {- I/ ~
3 d% {' Z. _4 R* o% Tsdcms.setcookie "loginkey",""$ H2 A! J7 z; |' K: E
" `+ t7 }$ A8 }8 u' _sdcms.setcookie "islogin",""; T5 C( v# U3 a) I! L# ]
* ?1 E$ E6 }2 U& Q; |& Z; rsdcms.go "login.asp"; I2 ^# V. d; r7 [! w
! N+ `$ T8 e3 W4 \: S& A
end sub; R: y+ A! l- z) J; P% a
- z, u+ t1 `$ ]# f/ ]4 W$ v
1 z$ U- I$ \- ]* H5 F% a6 O% m
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
3 r' `5 P( |3 p+ Q! [) o1 ~修复方案:
3 i6 t3 p4 a% N3 v" U, ?( x. w0 @2 ~修改函数!5 J+ q* q/ c1 `; g- f
|
发表于 2013-7-26 12:42:43
收藏
支持
反对