要描述:& i# G. J7 o u; L
) X) t! e7 c+ N( J# [0 Z4 R9 y8 y
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
7 o5 A0 n$ N) q$ A" t详细说明:3 E9 ~2 y$ R+ J: p8 a4 S4 `; Z* O: c
Islogin //判断登录的方法
: L- W! q% ]" J% y8 d
( W6 g- T- ]1 l9 jsub islogin()5 D' b0 t# r" C6 Z9 v3 _% Q4 f9 ~
/ M. p1 K3 q7 q: H ^! r) t
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
. j' K. g( c' `$ w0 [ . | m4 D" P& D# h8 G
dim t0,t1,t2
M. Z. V$ \* J- ` 7 O+ o& p. w) G* o/ O
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
2 Y* f4 Z! {8 A* S7 e 5 {' N- s; G3 W: p I6 o# W* `, T: h
t1=sdcms.loadcookie("islogin")7 x0 ?! K8 ^2 X. X+ p7 `# t
" \; |* \/ }. ~+ D4 S& l
t2=sdcms.loadcookie("loginkey")( O- W$ h8 T2 I7 e3 N) t5 O* E
" _) T T. C9 G$ f- Cif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
- D: O2 I+ r6 D7 `% W + }5 ^$ \ P* f1 e4 h9 u
//
7 o' f# p. p, U9 n+ b( r- } f# b) b0 V+ u
sdcms.go "login.asp?act=out": [0 i, n; l( Z3 C1 F. K
* H9 S+ j% L9 A3 yexit sub
7 M3 O6 J7 N0 u; q. y( E9 Y 3 o8 d+ o7 k0 k S6 J2 D
else
4 A+ |/ r- Q4 [7 U+ x8 q: { & w, z3 E, M$ {- l+ f- y
dim data; P6 G: _& k- F3 v7 U
6 w" B/ m' H" Adata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
+ ` k( q4 g+ Y/ a/ R5 E" ^
7 W9 L. ^; Q& t* z/ Kif ubound(data)<0 then
# I$ b8 C2 J3 E$ `$ P
9 o0 D8 N. R( t- y2 x3 O3 \# ssdcms.go "login.asp?act=out". I( e) W9 k, ~4 H# g- Y- k& F6 @
' Y9 T: o5 ] m7 y7 U, k' F" }3 B8 V) }
exit sub
+ _7 W1 L5 F# e6 | 0 S6 D6 k2 g0 ?
else3 G0 }9 [( A& H
9 g! U8 {: c6 |' J
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then; B1 v! _" A; J9 _9 D8 m
& N3 d9 s( z# K
sdcms.go "login.asp?act=out"4 M( g# \6 K( i/ h
8 M" y l7 C8 m7 h- I/ `4 _
exit sub( k" ^! [, C8 C; I# P$ ~
% q+ K; { N' U# O
else
) O# G( |9 ?6 E. W( h; ? 4 M4 Z: |8 P( K( Q
adminid=data(0,0)
' v' r( r q @- F8 o" J ) j7 b& w4 B. y: S0 P7 [: v
adminname=data(1,0)
/ ] o) |; V! E. r3 O3 B ! N | \; [# l# t9 I* n& j
admin_page_lever=data(5,0)% o5 c6 [, h2 c# w) Q2 L
+ r) R, Q' F i$ l/ w: _" \* Fadmin_cate_array=data(6,0)
" t/ P- N* l' b5 h; s) L
$ I9 R: q$ R! \5 a" b3 cadmin_cate_lever=data(7,0)
$ K3 h) g" u y9 o8 Z# R$ O + i4 q- Z8 s6 Z# M
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
9 Y$ J, S! ~1 N8 n
5 ^: H( y" T2 Y% rif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
5 N- D- i% m- h2 n2 a/ b
7 B9 z& \* J$ V! [- x {2 m/ y3 Xif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
, `2 f( B5 c6 U6 {4 g & A/ c0 L! T" Z1 V* d
if clng(admingroupid)<>0 then7 c+ f6 C7 m% O9 J" Y
' c% b2 j+ T! j$ p3 O' y/ H: \4 Kadmin_lever_where=" and menuid in("&admin_page_lever&")"& S3 j! q8 s O. i7 ^+ `
; N3 A' z$ o5 x7 T3 A" e
end if
6 N A6 t/ A9 l4 N5 V% e9 z 9 b# x2 x- J, F" w
sdcms.setsession "adminid",adminid
, K/ r5 o; i' U9 b% U: I* K2 }
, \7 p3 X5 u2 e) b' N# zsdcms.setsession "adminname",adminname1 @4 H/ j( O0 l5 A
% b/ f- t5 M: h8 d
sdcms.setsession "admingroupid",data(4,0)9 ]5 p2 M1 a9 G- `6 ]2 c& X
, F! Y/ @& I/ ~0 Send if0 @# p' L; t9 C) H7 Z
0 Z. b# q1 n) h$ x
end if
% x l6 ~7 a7 ], K+ D1 b" | : N. Q3 ?+ {1 D4 _" \2 c5 c+ j
end if+ ?) o" c8 o: i4 r
; B+ o1 L. X- m2 G. felse
5 U' E) R B9 y! t2 c j ; [+ A! `4 H3 q. J+ z0 _4 H
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
9 X+ p/ q1 z& I5 j# z5 g3 b ! l/ k' w- h& A( U9 h& ]( F
if ubound(data)<0 then* J/ V: J9 I. D R4 e
/ e( L: N: d; L- G! X* isdcms.go "login.asp?act=out"
0 m5 g4 Y& y& C" r* S ( Q# R1 K8 a! M! ^
exit sub% i% S* }8 k u' m7 F1 I8 `
. p3 C: m3 f1 U: |: T
else, r( w# s: D! l3 ~' d' i1 M
2 T$ L8 |& S. j+ n& z+ |/ \
admin_page_lever=data(0,0)/ k7 b# _9 w. t; H9 ^
0 d {: j" W8 W" G- jadmin_cate_array=data(1,0)! f7 E+ w* K7 ]; S8 q3 [% c$ ~
. O0 w; \( k& L; R3 `admin_cate_lever=data(2,0)
% C# p0 e; V& a 9 x7 P7 F# b7 k" l2 w& V2 C. q5 S
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% B6 s; a9 t% J* s2 K9 z
9 v1 u* ~, A+ g' P0 Uif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0* ^" y. R- R. j+ n+ Y8 T2 `+ e
# b2 }' e) O' o
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
9 H1 }6 C* J$ g% V, V ; L* o4 n( f8 {$ k- ?( y' E) b
if clng(admingroupid)<>0 then
% A. b1 q# o; X% q& } k : e$ `0 V7 w" U/ l1 s& `( g- l
admin_lever_where=" and menuid in("&admin_page_lever&")") T! \, W5 Q" o& R9 @1 b
( o9 q( M Y) i* ]* zend if
: W9 A L% L V9 a$ b$ e
1 t, a6 }5 m8 j5 s% ~end if, W6 D1 _5 s' |/ t. L, c5 M
3 Q; D8 a6 H0 w4 _3 C
end if- w Y% {2 | E3 e
% c, e$ M- d0 W" Bend sub/ E8 K3 S) C* C
漏洞证明:/ ?3 ]4 U$ y2 V" q- [9 ^
看看操作COOKIE的函数
0 z9 g6 s8 w) S/ H 2 ]% N1 T S& ~; q
public function loadcookie(t0)
( M# m/ K% f0 F5 S. O1 w+ m; `2 f7 F 0 ^! S; [, s; t
loadcookie=request.cookies(prefix&t0)
2 k. {- ?. Y" b6 Z2 f0 M! N6 K5 z - _" V- S+ F) z3 I) B2 o% z
end function
9 l- K- ^, {& A) d" r! n
) c1 F9 K5 I0 t2 e% O5 Ppublic sub setcookie(byval t0,byval t1)
7 R6 m8 ^+ W9 q, A2 g. u
% ^+ H5 D3 w: B, v+ nresponse.cookies(prefix&t0)=t1" E2 h1 C# v/ e' o
a0 _2 t/ d# H. }end sub c. L: G4 q7 H- A5 }
" h# o* h+ W# [) b3 L) z9 @
prefix+ t4 P& M& }/ M0 ?4 y/ L, J
5 Y! e+ R1 z2 d9 n$ F, g
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值! A- F# q; l9 W0 X$ W/ e
3 \- X& t% z! }7 u$ M& j
dim prefix
( h6 g. d% c& M0 i. ~
! @5 ?1 v: W) y5 Q& L0 _prefix="1Jb8Ob"
; {5 E9 M! {: F4 t8 C5 r0 u " M/ W- F4 Q7 p$ K% g) b" p* g0 Y
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 * @7 e! `6 R6 m5 [* W4 o
6 U( q* v) L: u) `' d$ ~+ S
sub out* }: k7 H+ h# _( b" B0 N
9 U* O& ~3 u# N6 s" K1 P
sdcms.setsession "adminid",""! `! K7 I- i( v X. \
% G' j) w- }1 S2 j
sdcms.setsession "adminname",""/ n V2 l1 z8 x) q' ?5 J
( p: R0 U" o7 q0 |# j1 E) Qsdcms.setsession "admingroupid",""
0 p! V1 L& c3 T+ c
9 r( n, f9 z- n, ~: J5 Z+ m' X) D, asdcms.setcookie "adminid",""
1 H7 D' j, s: O! a) N# W: e
5 K/ S% v& K/ S7 z+ }5 ^3 g0 Asdcms.setcookie "loginkey",""
. H: F A6 N" [9 Z
1 w, g+ R* N3 d1 e6 _sdcms.setcookie "islogin",""
( {3 ]9 F* O/ m4 B5 g# T4 E/ z" b% v
4 o6 Z$ p2 O# ^" h; r( ]7 Y9 U$ dsdcms.go "login.asp"+ g/ o$ B, A" F. Q, T3 ^
! Q. N* a( g% ^) C% P' K1 Cend sub
2 s+ Y! }2 E. D! P * R. H* V* ?) y5 D3 h( R
L$ A; `: Z/ K8 k利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
: o* o" ~8 U6 H: I' ]! G" u修复方案:
% i9 Z" ~2 J- n2 U5 c: L/ t2 P修改函数!
; y8 f. N# c L: X5 H |
发表于 2013-7-26 12:42:43
收藏
支持
反对