要描述: W0 R/ G; L8 l7 C9 w0 Q
/ E- T- j- E, @' g: `5 r
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试- q# o% E, q. O7 E5 p
详细说明:
" I0 j& c5 o; Y# N* AIslogin //判断登录的方法
/ Z) T/ e' E' u0 J9 U- I
+ E+ Z1 k) l. y$ {4 ?) n" g' v0 R! [sub islogin()
4 Z' T9 c2 J* W) @5 f0 h+ Q " w, [, }' r, V4 ^* _5 L$ `
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
% ^" `1 k1 f% d4 U# `
% h* J0 t- c: k7 S/ l; n6 udim t0,t1,t2
5 k3 r& Y3 x1 y% u 9 v' T4 m) E/ }3 b" }+ o2 I$ p7 X; A
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
! H% O; o6 B. }8 Y, `3 q! O
! u( c F7 p4 }1 z6 V1 L+ L* Jt1=sdcms.loadcookie("islogin")! t6 H" g3 T6 F/ W$ r6 n$ W. e
/ r) ?: w3 k7 o* ]0 U4 y
t2=sdcms.loadcookie("loginkey"). O6 e( \7 [' h! z9 V8 l# u
3 f6 ^7 ]( c3 R0 M$ jif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行% S, v% d2 H* R" I! C
* B: u) B( d6 c$ o4 Y1 U& D
//
/ q( m/ i0 M* n8 d4 T+ p) f / h9 ^; k+ O3 J8 I% O
sdcms.go "login.asp?act=out"
* j% J2 H: {8 U$ l" c9 p: D
* k2 H2 o2 N4 W/ {1 g% P6 ?exit sub, D2 F) k4 m5 d, a4 G/ Q' D
/ X5 F& E% l6 e! h
else
" f4 O- @% ^+ P3 V1 C0 K1 y
5 t* W# {. X6 T) ^dim data
p) R$ R. p }) K8 J0 b4 Y
& h3 A+ M7 z6 F6 Bdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
; W; S+ e1 N+ \! m. a' x4 K$ P
0 p$ M. {4 M2 Jif ubound(data)<0 then. V! z2 S: I6 f3 l
, y4 Z8 h! {9 X& W( J2 x' G0 E( V
sdcms.go "login.asp?act=out"+ ]6 m7 n) L4 E
4 [3 q Y5 A% Pexit sub
6 T( G* f4 T: v: v% [ - |% J! x# R9 n4 c/ J0 ~* n* `
else$ i! w( s5 f' f6 R3 M
e; S" o4 ]& p2 C {if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
3 u {) t Q3 S7 x$ [
6 s* O3 o x+ H) q' ysdcms.go "login.asp?act=out"
- t! Z4 _! K+ e 6 |8 Q6 B: W: i0 j, c
exit sub
; m5 Y. G( v4 {$ P3 K
5 U w( m, M+ b3 Z0 r9 o, B8 Aelse& E- ?. ~8 O+ l( U1 E
# z2 Q# k* V% l/ E2 l$ K Jadminid=data(0,0)5 T: v+ Q$ `/ ]% H
2 C# {" r2 [! \# e0 d" n
adminname=data(1,0)' s6 z/ @4 t. U8 u9 v- |; ~
9 L0 i i" W. o u. }
admin_page_lever=data(5,0)
4 O; Y7 N5 ]1 i : V/ U" G) W5 k+ ?; t; ]5 m8 B
admin_cate_array=data(6,0)
) _7 S( A6 r: t' h4 y6 [0 C
, ?. K6 O2 }3 h# C9 C1 X$ |admin_cate_lever=data(7,0)( |$ a& Z! A4 ^+ C0 z5 `' x5 t
4 }& x, E+ B2 D) L; G$ o
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
5 D% e) s7 U- O' c$ G
3 W% B0 i- J ?2 `7 L( ~0 rif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
5 I% q! _0 D. Y2 U5 _$ X& T 9 C: x @, u* S4 \! v. U' \' b
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
4 I5 y: c( {0 H0 y
8 n! q! V! ^( A) ?7 vif clng(admingroupid)<>0 then
, O6 X0 o$ T) m1 ]! r
2 `( `3 q* q; {8 o8 l- Uadmin_lever_where=" and menuid in("&admin_page_lever&")"% H& M+ k+ f: ?- p
* m6 ]. H$ a" b9 f% W5 S! L& a0 vend if
; z" l6 D; x; C: ~& K& D7 o+ l $ G0 j! @! U9 o5 I- h
sdcms.setsession "adminid",adminid ^" Y; x9 b2 Z4 }
( ]- e( d& {' _6 W
sdcms.setsession "adminname",adminname) a# c3 s, o% i/ \ ^
7 U# k- @& a# D8 Fsdcms.setsession "admingroupid",data(4,0)
& j) F8 Q- O+ p, H' G) k! }& n0 | # T% ~* c1 P+ m$ I& T T
end if
& e+ x( w* s) `/ Z ?9 ?
/ N6 d" o- o; @8 a: ~% m- u" cend if
% Q2 I0 j, X% u' A: r
$ G/ c: R4 r2 yend if8 V/ M" w# J- M+ Y+ p
5 D1 }. Y" Q& q( p% w
else
( \# m" G6 b( E. n' u
+ p+ L/ N' @+ q/ j" j( Idata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","") m3 l b% q8 \. ?* E, R `% b( n$ A
+ O- m* Y3 i- n5 e; i3 Lif ubound(data)<0 then/ S, d5 H* `2 `" I @
' }# B2 i+ q2 S# C; F' p: Wsdcms.go "login.asp?act=out"# H. l1 S" x; k% b
; ]% u/ v; ?; h2 c4 F& i" K" X
exit sub# f( ]( T* z7 P6 Y" C
1 @, N& G+ @- G/ \, q/ }else
+ X# b6 o9 d0 U) t 0 a" b! }" i( j
admin_page_lever=data(0,0)' a4 C5 w7 L* W" U2 m* h" E9 w
2 K8 Q. M4 G( W0 q5 w$ Z
admin_cate_array=data(1,0)
+ j" D7 L+ S" Z. O4 b
4 j( E$ ?; j/ J7 d- R" Uadmin_cate_lever=data(2,0)2 ]: z5 c5 e7 R3 C
$ L \/ h( W" Y( w: v
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ m+ b h+ n: g$ E
/ ^& v. b* m" Lif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
/ a/ Q( y$ ~' a: l' v
% `# z* a6 ~$ Q. I8 Bif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0* y% j- R4 @2 I. p9 X" C
( t% p9 F# V! P7 T6 x) _0 vif clng(admingroupid)<>0 then
: x& L4 _8 t0 F1 l$ e 0 j. O$ r8 R) s1 u# G$ _8 w
admin_lever_where=" and menuid in("&admin_page_lever&")"
8 F" I3 A: P5 \& J) Z* o
* Q5 s( a) ^1 G. F4 U* x5 C6 D3 ?2 oend if' x! V/ P& k/ f! |
& z+ p, o& _1 A( \* r3 M( O {end if
: p) x4 r; d. l4 W
: o6 v3 x7 @; ?. F% Y Wend if
3 c; R$ P8 v& c/ U* X) ` ; ]5 M1 ?; x3 k1 T
end sub; @. T# T) p+ D5 b+ _7 ~. t
漏洞证明:
) P n' i$ C, ~) g3 [看看操作COOKIE的函数! G0 U' L9 B8 g/ K* Y
( }2 t a1 m" E- p+ h" ~public function loadcookie(t0)6 E* [1 M" ]4 }; _* h
3 j) U/ a( k* _/ z8 n/ W% uloadcookie=request.cookies(prefix&t0)
+ |( Q8 v4 _5 A, J& [- m1 n! w
" q: M. j) ^/ Eend function2 y0 a' {* `7 d3 J
. A+ i4 }0 P/ N4 kpublic sub setcookie(byval t0,byval t1)
, W I! U+ _' v$ g& D' X3 {; B6 j1 {
( }! b' }% Q" j* Iresponse.cookies(prefix&t0)=t1
" W4 C$ \" E7 S) Z
: g: T) x( A2 y# F1 u6 t! b0 Zend sub
( c, Y5 j" {( R9 Z + _& j- f1 Y0 ^* W! t
prefix
# o4 k; r. ~( Q
* p! c+ R- s7 q2 h- A$ Z'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
3 A# p) m: J: k R
3 }& M2 z$ K3 g8 D3 Sdim prefix- Y( L' U2 k* w3 r4 b9 C0 d+ u
. b; _" ~% y# O4 P1 O# k7 K! Z; Yprefix="1Jb8Ob"" D+ q4 o. I1 ^( O
6 w: w5 ^( R0 x1 b# d! D
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
; P2 i |7 X! L; o% ^ : ]' V1 Y/ |/ n' A. N
sub out! N* a7 ^! Z; x) c/ l
3 Q/ K L! g! l$ b+ K; Xsdcms.setsession "adminid",""
" S, N& [. b* G# P; u
$ b# e! G4 M2 |sdcms.setsession "adminname",""
8 \& b5 c; p1 U$ H) ^2 z
" \9 h% k* I3 J/ @0 Ysdcms.setsession "admingroupid",""! U. W) D' E6 I$ X& ^. @# ]
' |$ m' B7 K7 \! ?, V9 wsdcms.setcookie "adminid",""1 X6 }: x2 E" Q0 W5 ^' |
$ \+ D" ?8 T4 l2 jsdcms.setcookie "loginkey",""7 P: f2 @9 n' J# \' I
0 K0 F* I6 b" _! u D ~sdcms.setcookie "islogin",""; x. T! W6 h. L, j* q
7 [4 X' n# g- ~" G: |$ `sdcms.go "login.asp"4 O/ v5 k6 V7 G+ E l$ e) A
! F, R! E/ C0 h# i2 \8 X. K
end sub3 G& q. x( T- R8 y
4 i$ I# Z$ m# q/ h1 |: E
4 L; c- q: f0 @* @( f) O- y利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!+ o& x% }# R, r4 H& |" j: _6 w
修复方案:
0 n- @0 D, X2 _" ?' M修改函数!) R" Z/ i1 e Y' {
|
发表于 2013-7-26 12:42:43
收藏
支持
反对