要描述:. O ^6 o! M2 ~* R
& j* ~0 k0 u7 u" l) z& M lSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试) D' Z0 |: u3 @
详细说明:
4 f8 W0 d' K: t7 E6 V$ B* _Islogin //判断登录的方法/ ^3 L+ \! f$ \ D0 n& x2 f
( A9 q7 F. @, }/ vsub islogin()
$ }0 F0 p; {5 ?2 S* B M- S$ S p' q$ w) B, a
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then & `! E6 o+ H6 D/ n g
, |3 ?' B" p/ }& W+ w' q o/ wdim t0,t1,t2 . D" `$ g& C# v! j- U; |% a
! p. B" }0 F1 U1 J1 t, y, E/ jt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
! \' ?, P$ O6 S8 r3 M$ s h" h. @
/ @: `& X1 t7 V1 j% C$ Et1=sdcms.loadcookie("islogin")3 n6 M$ p2 s e; ` m3 j- N
5 q* ^$ \, o" P: v0 Wt2=sdcms.loadcookie("loginkey")
; A. t% B1 |, N. @; A; B* }
# a0 Y3 n' k& s1 P; Z$ Tif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行; U+ M1 @& Y; T" S5 N
7 N" C/ Y+ f l//4 g& K; P, a3 E* [
: X2 w8 E/ Y2 ]: ^) G2 z: ^( ?sdcms.go "login.asp?act=out"# q5 r& k/ A/ E* B* o; M/ E% ?
3 A$ F! I4 Z( s* @0 D' I$ H+ l. \exit sub# E& d& L. s0 z; y' t! G/ N
/ C! g/ ]' V/ P- u! k) j
else6 ~2 r, B' O* R2 ^+ X6 [5 G5 j7 W& _8 m
) Q; A3 F; a% [1 Q- g
dim data+ _/ q+ ]% L9 _' t" x6 T0 s
! Z6 O) K- H. E8 N) { i0 A- m1 ^
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控4 m+ v& z' F0 U
) K+ j: {- H" iif ubound(data)<0 then
! t3 c, ]( ?" x' T! G( {
( ~3 p5 ^& m5 D2 [8 C& ssdcms.go "login.asp?act=out"; P$ @7 N4 q4 A! ]8 w9 o4 W
. L* l- F, n; [& S+ k" b; Vexit sub1 e- E/ ]2 C! x6 R' c# d
# }/ V/ I; A% c' yelse0 B6 h$ ~2 O9 K& b/ _5 C
: q$ v. p9 ] Aif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
5 w$ l" m8 ~# w) |
$ K+ {- U: n1 X5 n- Z5 S9 }$ D# L/ Esdcms.go "login.asp?act=out"& o1 _% L- I0 S! u5 [. {
1 J+ f: y' b7 d9 p& n
exit sub6 e8 s" W/ z4 n# R* {. P
# w t' j5 F p& K- M, j' eelse8 R# x$ S, M( _3 h2 [
% I( i" q6 ?6 {- t( Q6 yadminid=data(0,0)/ [& b& {, `3 O# s6 C' \
* X K5 A! k+ w6 s, u) C8 W) [9 M
adminname=data(1,0)+ P/ V b7 Q& I! f0 P" y+ @
3 x" u5 i* D' b2 Y' g! ^) f; ^5 u- H
admin_page_lever=data(5,0)$ e* y: p+ T Z0 H' J; V
( A# @& [9 x$ c/ Q
admin_cate_array=data(6,0)6 o+ c+ o+ \! i; B, m
+ p; S7 j- W! W5 j5 E- o
admin_cate_lever=data(7,0)
) [ |2 K x5 n2 P& F
* Q' o% W S) L1 R6 D, dif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
( F' m+ ]6 @- @ v) Y3 r
1 |) _" w3 B" W: d Vif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
' X2 _ g) ~4 M: r
8 F9 Z6 V3 v+ W4 C5 Oif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=07 ^0 i, _3 X' b- v
$ f( c+ s: K) E' @6 a4 a( o9 N
if clng(admingroupid)<>0 then) n, h7 j$ n& D$ l0 X$ H. O8 B
# U8 l6 W. O3 N, @9 s1 M; s4 i
admin_lever_where=" and menuid in("&admin_page_lever&")"
( R& q7 a! Y& u8 o! p$ E
/ V9 a" F& U+ R8 }- Q5 Pend if
8 z; L8 t( F2 a" A& i- D9 N- Y
# D; _9 b- G/ R: ^; E' a- v" Y7 B/ gsdcms.setsession "adminid",adminid E8 |9 v# u- B* A/ n
7 n; s- w7 C0 {. vsdcms.setsession "adminname",adminname
) }8 Q: }9 A; g- T/ Y
0 p( c. ^. z. ~$ Z) x2 Zsdcms.setsession "admingroupid",data(4,0)
+ K: e0 R1 f6 }' j4 v8 b( L/ _
" J# r2 x1 J; x send if
G2 y+ X* {2 N8 t# X: o ! e* C s7 _7 e( p' p! b
end if( |; B S3 p8 ]$ ?$ y2 [, o
- x* y4 g0 o- R+ ^4 m9 N
end if
# Z6 l) n! r9 }- x+ T
; ?7 K! Q/ u, E. l) a2 _8 welse" N* X! [* r1 l* c+ v" m
$ c4 @/ h+ p) Y5 E* X3 e- wdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
2 E1 ^0 k6 U A$ ]7 x/ L " z5 X; c7 _- m8 A j
if ubound(data)<0 then
, x$ ]) K6 G/ c# r8 H, s* @
' P* Q$ Q2 I9 g. u! Y- psdcms.go "login.asp?act=out"$ m2 A& U! [8 I8 }8 W& n5 f
, ~4 P- H: S9 c) z( iexit sub
0 K/ C9 u7 D* `1 _
" n) ?- e [. k9 felse
. y1 O7 {7 h! f2 n. |+ ]' c ; g- v5 C8 u5 [+ G
admin_page_lever=data(0,0)
" p, V5 _% V. A( h1 ~ o9 D% p ; P+ E; J4 p8 G
admin_cate_array=data(1,0). @& B& G4 L& c3 a" k% ~
{3 {! g: [+ e! e- q' ]admin_cate_lever=data(2,0)
# H2 o- h7 J, f9 h9 o % w$ S# O4 r. D, |3 s
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0) @/ A; s; \8 v3 G+ S) d. T+ f5 B
" E$ }* u4 P% a: L6 G3 B5 k; T
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
' P4 J1 o& s6 C7 i8 \ ) ^/ R) G; `$ s2 L6 u' C3 S
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
1 T, t& p8 u( i1 w# _/ U: I
% V0 T7 Y; z" |if clng(admingroupid)<>0 then
2 ^- M ~( B* @: G2 ^, B3 R . j7 E1 Z# z& S! f% _+ W) g
admin_lever_where=" and menuid in("&admin_page_lever&")"5 F! A9 {3 g5 u- L8 C8 S
. x5 A7 m+ l% ]( Z$ R8 ]$ A3 {, N
end if
# v# t: v& I% I, H 0 M! j& R, ^) @9 P* |/ T, C2 ]
end if" N& h% A6 l" [# A
! E' s7 A6 `. k+ ~0 c! M* _
end if" V- x2 ]/ q: t
. a& C6 Y& @2 m* l2 @
end sub
l# z8 \: K& c# x3 |! F2 u1 k' s+ F8 r+ q漏洞证明:3 @2 Y% I' _8 ~; h6 A2 P- A: M, o
看看操作COOKIE的函数
\. |. t, E7 h/ ? 7 K, q' h: w( |
public function loadcookie(t0)# L3 B. j0 s/ w N- V
$ Z7 g# [% \7 k# @2 V# a: F. o
loadcookie=request.cookies(prefix&t0)
V8 g+ I- D1 @! I* Q# K0 q, W2 z* P ; D$ q0 f2 D+ s9 n) g. `2 y4 t1 G
end function
8 ]1 o6 X4 u3 b8 d' W' A3 N
) b' _( K, S" g6 N) S. Hpublic sub setcookie(byval t0,byval t1)% U7 u; P* x) A; l0 ~ p
- E) {$ S% u( J/ ]- G/ R; C. ?- A5 `response.cookies(prefix&t0)=t1
`3 ~ f( Z0 w ~7 Z- z
% j0 o* Y) P: ^end sub8 b, N' K+ T4 W
& C4 B4 b8 h9 v' \' T/ p# vprefix- {, R, |" ^, j0 y0 V7 F8 j- J1 k
5 o& E: }% I5 s
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值+ `6 z" ?/ R* T# w8 p( c4 C
( }' h/ K& l3 G1 o
dim prefix; ~2 t9 S2 p! F! \5 i9 l
% ~3 J/ D* F& \ ]- Y. f% ]: i
prefix="1Jb8Ob") D! e2 A0 V6 p4 E
1 B- O4 B# q: q5 e. l
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
1 f1 p& {8 r7 y/ V, o3 C4 r
5 h2 x5 s3 ?; |0 k( {1 q% Osub out6 A6 q3 C) D. p }! @. o
2 D- g$ a! B2 g0 t) |4 _' @
sdcms.setsession "adminid",""( `& B' c% y' @
+ L' X4 w! f2 B' a
sdcms.setsession "adminname",""
3 b/ F& W5 c5 D( D1 c, a4 w b+ V6 w+ ]
5 q5 y& h$ t7 Q- }, e5 tsdcms.setsession "admingroupid",""0 p1 q% K2 n g6 [$ U; O: F: M
: d' i2 U, ]# k8 O7 ]& usdcms.setcookie "adminid",""
) O5 F6 G) Y/ ?* F0 } * M4 I% S' h2 A% N
sdcms.setcookie "loginkey",""
' z3 |" m- U/ d( |3 x: C 1 U( ^2 F7 G/ K) D/ f7 D. A3 i8 G
sdcms.setcookie "islogin",""0 s$ x! H0 ]1 \/ R# g
( m& T6 f- c) B5 F" W; W% M! l
sdcms.go "login.asp"
- `8 R0 h2 l% ~% [
Y% D, r" o4 A Y K* tend sub; N9 y. Z+ Z2 {) _: Y& h' s; u
$ }7 Q' H8 s$ u; M
- s' ^# O2 ~) Q
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!/ \- F7 a6 {/ u0 O y) U
修复方案:
* O8 t A, ^- R9 Z, o& d2 Y* ^5 e修改函数!% ]* x- g* C) [$ Z8 R5 V6 V- E
|
发表于 2013-7-26 12:42:43
收藏
分享
支持
反对