要描述:
/ F3 Y' f s6 `( i7 Q" H: A: M
/ C9 _! E7 ]1 r5 CSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试; k+ ?! o! b2 _( i7 ^0 V) x5 m! A) T
详细说明:
$ E+ }; N$ y. a& |Islogin //判断登录的方法" s( r( g' Y+ ^- e
( Z: _" z; d+ A6 s5 Ksub islogin()
. f; x, v4 x5 f: E; ?$ V
; q/ N$ i4 B2 t C" H# [if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then $ [, ? }( Y9 Y" M
$ q. r, z) C" {5 ~dim t0,t1,t2
; R/ C0 c- s; Z9 n
* Q j# N2 P6 f+ Rt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
& |, |1 T$ d! i6 J + T; l/ ~4 w! K0 K$ ~1 U
t1=sdcms.loadcookie("islogin")
( A4 K' C8 m* ]; b& H, `3 {5 G # P, U; `# J6 |- q
t2=sdcms.loadcookie("loginkey")2 c/ H- j% x+ d, O7 x
. v7 {8 n; j# Tif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
& a" B+ o% P5 V1 H5 {
" D4 ?6 w) _6 {4 l2 c: M' b//* r% h2 O1 ^) B( \) \4 e
9 P( s) n; C: T5 b
sdcms.go "login.asp?act=out"7 H3 \" j0 V/ D7 s
3 S9 N8 P$ O3 o' x+ f
exit sub
6 O" z2 K3 \ X
6 c0 P" q7 m/ \+ z9 R/ t [else
, ?; Y2 I- y' _* `/ `1 i " p, G9 |$ `' {+ W D3 L) G8 e
dim data
) m, b2 y/ d9 [
i! ~+ h+ Q4 {( t. d7 k. rdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
$ L; q! o9 \9 V% l5 d3 O6 J! v . [' k( q8 Z, u
if ubound(data)<0 then
: ]: K- z; n ~+ _
# M0 }$ \; G+ ]! \! A/ {+ Rsdcms.go "login.asp?act=out", T0 f$ L2 {# v& y$ a
V, Y+ D$ P7 M4 O: `% v
exit sub
2 _6 |1 O/ j' y2 J2 M7 Z7 d 8 K0 E) x: ^6 j& g% c
else
0 j. r$ c2 m$ i
* A+ T3 w: W) S; V) p! dif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then, B" C! y# U! _. F* t, Q
5 ]: a$ m. m, p) ~ p' Osdcms.go "login.asp?act=out"/ C7 B. K- w% b+ k+ y; p; s2 f" \
9 `8 }+ C: f/ N$ C, T- s T
exit sub
2 V8 ]6 A, E% ^8 m/ Y( U/ Z0 S
/ x( ~# J! y6 _- r) ^else
( X+ b5 V* d0 E9 H! @; N6 z) W 7 N4 G( t& @% `. H" ^; R
adminid=data(0,0)
- \! C, y8 n5 H# U" k' g # P: j1 i' ]4 t6 F0 F: P
adminname=data(1,0)
; ^3 M3 u( |/ I1 E* K 1 Q4 |8 `4 o- V u
admin_page_lever=data(5,0)9 ~, s' o7 m( M/ J0 j5 z
4 {5 a5 D/ l4 `
admin_cate_array=data(6,0)$ D" Q m+ F% j- p" A" X: y' |
' V+ {5 ~% Q$ R; y; V! i3 }( h6 Oadmin_cate_lever=data(7,0)4 z1 x/ z. T3 @7 Z+ |
# i3 [. }+ j$ }4 ]6 T+ D# Y$ \if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ {5 f" E7 I* y
7 g9 @& q$ V* Y% Z" Cif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0( ^5 ^- @1 \- c: z; G0 F4 @/ Y# ?
! Y; K Z2 l6 H0 \ X- K1 e1 B
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=04 ^7 H5 R% X G5 v- a9 D9 i' v
& y5 w3 k q# n+ G. {$ P( Hif clng(admingroupid)<>0 then
, ~5 Q R2 M8 T
: t" l* K8 i9 j& qadmin_lever_where=" and menuid in("&admin_page_lever&")"; L- e: S& {# Y4 o; A
# n; j- |2 D( `4 nend if) `5 M$ e# K* ~' i0 G
) i: f* c/ A, O& |# R- X* a! a. ]
sdcms.setsession "adminid",adminid$ M% P3 j/ R1 n4 {6 h
) _' n/ F$ o4 |! ]8 u- k
sdcms.setsession "adminname",adminname( e$ q# u8 d1 |8 ^8 b1 @8 k6 }
1 g b9 S1 [* K/ v, a3 O: Esdcms.setsession "admingroupid",data(4,0)
; C8 S4 y4 T0 e3 p& A . q/ _7 |7 u" u8 L. c- J4 U& b0 t
end if
- h$ Q3 L$ i! t' S/ d' F& _: z0 T( {6 { ' d$ C/ n3 C6 `: |2 p y; h
end if+ W& b; f" F/ B2 w0 R; L
4 J9 d- \; y ^, w8 ]2 Zend if! v1 l8 S" Q- M+ O1 e, S" t
5 U# v# o/ _/ U2 lelse- d( X& K& t! l* s0 z$ N
6 W& b, D3 Y/ k, U* [data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")6 O0 Y7 F' D# h o
+ g+ \! e+ r6 ~3 t0 I
if ubound(data)<0 then; t# ?% Q$ j/ e0 }; m7 j3 L, s6 t( O
: p4 e! [1 C O0 x2 N
sdcms.go "login.asp?act=out"
% b4 j# }9 z! h2 H " E+ u) K9 L2 ^4 ^$ {9 f
exit sub
0 ?8 x, |& Q: o1 f9 k& Q " O* N/ @! x. k, C4 t1 N2 w( d
else9 \6 J& d! g4 b
% ~2 i3 }; `$ |7 N2 aadmin_page_lever=data(0,0)
( J6 N4 F7 k0 f9 U4 S 3 E* ?, e: I- g; l* Z, Y
admin_cate_array=data(1,0)# i5 n$ B! d% t% c- Y. R
- \$ I+ s! D5 ], W
admin_cate_lever=data(2,0)
7 D$ u4 |9 t8 _( s. _9 L' M* V
0 o& J7 u; b0 L( U$ Mif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
0 @( a0 F7 E* c7 M
4 K; n% f. @# u4 Rif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ ?6 ~# k' I. D1 q, \# g
5 l5 t1 e% ?9 E6 D- Iif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
) A2 j1 C! i( W G3 J& @, y ; x: t& x/ F) Q, c% p
if clng(admingroupid)<>0 then0 i2 Z: P7 w- ?* r2 |4 q) F: m' N1 n
: i4 N" z% J' \( K1 d% nadmin_lever_where=" and menuid in("&admin_page_lever&")"' d3 ^8 z$ w) B4 z; I
9 q7 ^$ W& v9 F4 c- |! e+ s& iend if
/ h; e7 N/ E/ K& U& N" w! X
( v' i, l" L/ k {end if
& }- ~" A5 K0 s6 V
9 X; q8 \3 N3 eend if
/ V# W( c9 I' i$ ~: }# K3 M$ _" H ' G! ~3 u8 t+ J7 [
end sub
, Y4 i, j! Z$ `; |' i8 V, A漏洞证明:, W( C8 |, ]: X5 \ _/ f
看看操作COOKIE的函数
7 X( E& M# C, @6 j& O $ Y! d& x7 e4 V7 P$ |
public function loadcookie(t0)
* g- g+ a3 d/ ]
2 u2 x8 {9 e" u7 P) Oloadcookie=request.cookies(prefix&t0)
- I1 P6 W( A6 _( z s
# l" U2 _0 |, h2 c" w8 ~end function
$ z$ f; W8 P/ w5 n& s
% Q' f* D% h1 D) U; [& c9 ?public sub setcookie(byval t0,byval t1)9 ~5 I2 V. U! M% R
4 D. _/ |5 m* C, @# _+ tresponse.cookies(prefix&t0)=t1
1 O0 m& x: o' J* q * H* l. U# W, b/ g- U
end sub
4 J5 e6 W- d6 U! C( Z% d8 K 2 T4 W3 Y& [) R, ~ Z9 t/ s
prefix
5 V. t4 S# W7 Y7 @4 h9 B ( e% p8 ~0 c) [* R9 S2 h, Z
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
$ t0 o! k, a8 l+ U/ W! q( W6 y& q
2 x, e" `# B2 b" D, mdim prefix+ a4 u4 b m* W9 h! [. A& ]* U
- O3 @% k) K9 d& ~7 U Eprefix="1Jb8Ob"( _, \$ ^" T2 {
l/ M/ N; A, W, ]) V' d, g! b
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 % p) U9 j5 b, @ D
4 a, H' q2 o5 P; ksub out0 K/ p$ B7 M# @/ [. \
p& ]- C7 V; k% O% {sdcms.setsession "adminid",""
+ v2 J3 J% c" `' Z% h0 U- r+ k/ ~ / C& ]2 A# V# c+ e: Q0 \( E
sdcms.setsession "adminname",""
- o2 K3 m9 ?) b V! T6 P; N ; m% b& w( X( ] s3 a$ L+ e% R
sdcms.setsession "admingroupid",""/ i o4 U6 u5 D, P% l) u
% `& j( _* F. ~! N
sdcms.setcookie "adminid",""
" B' w5 U7 n! g) e6 W , {1 l3 L. o: `2 A1 ~. S+ ]* q
sdcms.setcookie "loginkey",""% s6 n9 D- I K- U/ i0 L+ ~5 t
6 T2 s% E6 H8 I- Q' p& T' J
sdcms.setcookie "islogin",""5 W9 G$ t, W* n, {+ Q3 h
0 W$ @/ O' o' }5 usdcms.go "login.asp"+ u1 I% t) D2 R
, p+ J' r O( p, l6 s& n2 X) O
end sub5 c1 G& p; `- Y: Q$ j: ?
( g) E$ I7 n1 {( _4 F
( R: e# g) e- U, Q/ c' F( Q利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
. g1 l; |+ N! o# Z; b, Y" i修复方案:& Y/ p. f K: B4 ]3 \" O
修改函数!( h% e% g" {0 C; O' X3 x
|
发表于 2013-7-26 12:42:43
收藏
支持
反对