要描述:
9 f+ H0 U. i$ o7 n e
6 R2 ~1 }# q) S3 R0 s$ }* ~ LSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试 e+ T$ G' I4 c6 b3 f) D/ `0 f
详细说明:6 a& S2 F- M4 j
Islogin //判断登录的方法
# f+ [. j! w. Z2 c; W0 S7 V % H6 `5 k% \/ q% v9 ~
sub islogin()+ c0 f6 j' b# j, J7 _( ~( r6 r+ D
$ B1 ^: y. h2 @, Qif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 3 }0 n1 Y6 B9 M2 h5 O; m
6 j5 f6 G# D P- M+ ^
dim t0,t1,t2 & N) D6 g6 a0 N9 Z# A( l5 z
* @, _! V% t" n: P3 Y2 E# R+ Et0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
3 ^6 z! f/ { [$ J
9 A6 s% w. c; r" ?* a8 r1 St1=sdcms.loadcookie("islogin")
7 j, W; Q+ w' d5 Y" w/ @1 K
# L$ g% H7 j# z* dt2=sdcms.loadcookie("loginkey")8 V n' d: z W) r8 Z9 a% w
3 T2 F2 m: k' A1 \$ B. y: }if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
; ~9 F* f8 @/ d6 h! S
3 X4 q0 S! i: ~: {. h//9 q6 Q2 W4 w6 f% a' Q4 e7 z" v" n
' U& e9 f) ^! m1 A. k' K% V! }8 ^sdcms.go "login.asp?act=out"
5 D! p9 O4 x' ?2 A0 \ ' \5 N p6 H0 b( A1 v0 E5 u
exit sub7 ~9 j* s( z3 S- s
! c3 p* k) ~( ?9 C' nelse0 l6 e8 a! N- [) i3 `- C! M8 f* Q
* M' Y3 `+ [5 \
dim data+ X& F1 W/ w) d, A; a. {
$ V0 u8 d' I9 D. j9 a8 ` U- ]+ Idata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控3 V! s9 w* ?" F7 F3 x4 V5 b! D
: h# W5 q5 P5 ?# v, V
if ubound(data)<0 then# w2 @" P/ c x/ S
! Q R0 p8 A/ b. f5 P# ~- Lsdcms.go "login.asp?act=out"5 a( p6 l) ~/ f1 n0 P$ f
6 ^9 G6 ^8 G& A" j
exit sub
. o" R/ M* C! {% k
2 V- j" U, T. |3 k3 {8 K# ^else ? C/ C* {9 E6 t
N/ {, I* `0 ]$ j; N" d. [
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then; h9 |# s' G/ h& t f
) x1 S* P$ H/ h- ?0 g
sdcms.go "login.asp?act=out"
2 S! O2 Y" H9 U
0 u, e$ b* J1 W0 I, Dexit sub
! O% t. [0 ]4 E0 V/ @+ u, W 9 V5 T- J7 a8 y4 B# f- @
else, e( m8 e4 y' J
k' N& ?2 X! Z; `6 `1 _adminid=data(0,0)
v" ]: a m: z4 f3 p7 ^
6 d7 }, `4 E6 g. l/ E+ Nadminname=data(1,0)4 T2 _0 T1 ^& k
2 Z7 e9 r" L' l: p s1 x8 Jadmin_page_lever=data(5,0)
" _, Z4 P& ^- w+ d" w: _) v* i / Q% B8 O) V& G: w+ e6 U# w
admin_cate_array=data(6,0); u7 S9 S6 V2 W3 Z Z/ N: h- z9 ?
0 a# N" F2 ]. |* P
admin_cate_lever=data(7,0)( u, W* A: E4 a0 J$ i
2 s' ~" y7 e9 ]8 h
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
6 e' e# o2 ?5 o3 X3 ^ & ^2 l: I- k6 m& W7 w+ ^- Q A
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0! k( @% O1 C. c2 D
; G) E# H; L1 Cif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0( U9 P2 B) w+ a! K# c' U
4 y/ z! C( ^8 I6 Q& m& b7 d$ Y" A9 rif clng(admingroupid)<>0 then! C2 J* q" r- l( h0 G/ W1 F( }! N
4 n4 H9 U0 p, K
admin_lever_where=" and menuid in("&admin_page_lever&")"! g K* ?8 [, r6 ^( m; N/ z
3 @9 J" [" L9 B/ D6 Kend if
) C7 o) z' X% C7 P/ I7 |- B ! A# y3 _ }* q8 `% @
sdcms.setsession "adminid",adminid* i* f: R2 J3 p" Q. [8 R) |
4 G' r2 x- I3 g6 B- f! s6 k- R& Csdcms.setsession "adminname",adminname
& ^" Y8 l0 m5 k( @: r2 e% u4 A
$ z+ M4 _( i9 H- u1 ]7 |+ r0 @( [sdcms.setsession "admingroupid",data(4,0)
7 T4 D5 ]8 ~( J1 F 5 J9 ?9 F6 m) F9 P E
end if+ `6 I! }6 O" H# @- }
) m0 R1 }% V3 o7 o
end if
1 @ j8 {* j! A5 S% s2 ?
% S1 X U6 f) t: p1 nend if4 {$ q/ y8 A4 N& D `9 {1 G
+ @& c' l e. a" V" P) F G& A9 S9 welse
0 U& L6 L( C% U
$ m5 u+ K% B* b( y1 I7 wdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
+ _5 A& Q! G1 v& L6 y3 Z& Y
4 l$ J8 ]. R& wif ubound(data)<0 then. n% o9 N$ s. t9 e+ F% S
6 @2 h7 S) S+ c' Osdcms.go "login.asp?act=out"& c! r8 c' k$ V: O
' ~0 I/ L$ k0 V4 Wexit sub3 {) w6 z; z$ v, d, v7 d
; e. _* ?, L! S
else$ G3 v. @- }0 c
/ u- r" J I6 K1 o" d7 I0 oadmin_page_lever=data(0,0)9 ]) ?1 G* j. m
2 A9 ^! g3 i7 V: O7 eadmin_cate_array=data(1,0)
. @& \* ? s5 t$ W
- L2 \ K$ H& J( Q7 G5 eadmin_cate_lever=data(2,0)
7 e* H& l# z- }' a+ D3 s " i- V/ H/ I( B0 Z8 p; Z4 y
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
1 i6 a4 I' \5 j2 A , r3 K2 l/ ^6 C% K2 ?
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
- w+ \% h( T9 q; y3 I0 x 3 D5 ]# @5 r5 l. D. n# }
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0% Z; z; C3 x B2 k. W
4 J+ @0 M+ V8 V1 fif clng(admingroupid)<>0 then! b- Z. l; D8 y6 ]: S. B
0 ~: U/ ^. W P2 d0 e; s0 Aadmin_lever_where=" and menuid in("&admin_page_lever&")"# L% t7 R9 F' M% c# M' o% q
4 Q; F& z5 d& A% D2 _& T& ^. Oend if4 f3 j& c i5 ?& }; Y
+ x2 P1 m9 C* O2 |; s5 o# f. ~end if
4 R( q0 f6 o. \8 J 7 X1 L8 [2 N. [4 O
end if
. j) m$ G6 X8 V+ `
$ z7 \$ F+ j! G F% O' p7 C& Lend sub
5 a7 G" g9 x5 O2 V# H: j漏洞证明:$ T2 V! s* k' U9 ]% v/ x
看看操作COOKIE的函数
+ l6 v; q' U9 A2 q6 |6 I- z; s
5 k4 a; B3 ]1 R& ^* ?$ V0 M$ ]! Cpublic function loadcookie(t0)
4 }. m+ Y1 l8 T o/ m- J5 N* h4 D% p 9 ]$ T, y* c2 K2 A- r, ?
loadcookie=request.cookies(prefix&t0)
; p( }# s: C8 O4 c6 R; i ' R# x. V5 {- `3 e
end function( X8 d3 `4 {4 Q5 l( o
6 Z: D2 P4 V6 g- `5 q
public sub setcookie(byval t0,byval t1)
! N, E" v2 r$ v5 i& N* G 8 O$ F- E$ \9 k8 m
response.cookies(prefix&t0)=t1
% |% b2 r/ b8 b/ j6 }" A5 J
2 b8 F/ R9 x$ z1 Pend sub' K0 `, [3 w+ L
, B/ Q; K: N0 b8 N% l2 i
prefix/ C8 p+ ~7 a) _ g
. o) ~$ p& l+ W* p'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
6 L' |/ p0 H8 y& S8 B* F# Z+ Y 2 F* b& D7 U' A+ [/ ~6 _) C1 ^4 s
dim prefix
" D) p, [4 x+ {7 l. n1 g" |) H) } 3 Q7 ^7 m& F- g" P6 H
prefix="1Jb8Ob"
, \- C* e) }8 C/ B8 y
# v& h( ?. x0 K'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 * E( s) ^" K& v3 V# z& j
! [, V% w+ l" L: Q$ x# i2 L w
sub out. q% `) R& M4 G
* ]6 k% Y- ]- P: o+ U9 l' osdcms.setsession "adminid",""
0 K5 y$ h9 O1 p2 i/ ` 1 R; h- j: V, X! S$ `
sdcms.setsession "adminname",""1 S# W$ S' L+ z: `1 ?8 s' Y* \
. V. f q N1 E2 Z
sdcms.setsession "admingroupid",""
* l2 J% j$ i) s3 y
/ t4 y9 d; C3 T$ L( w/ o6 d. D% p" fsdcms.setcookie "adminid",""
& S: U3 z, v& z, J+ g! g) F3 b ; q" f# [! |; K: J3 I, {! w
sdcms.setcookie "loginkey","") L9 e- H/ G* G: A
& f! J& K3 ]8 V( K5 R1 B5 dsdcms.setcookie "islogin",""
5 t! q. P/ P2 F( b: z, H + `( U, @/ |, z3 r% |
sdcms.go "login.asp"4 l/ `4 a& ]8 |) S3 u
3 a/ c+ r! f1 c8 h y& X6 A
end sub) d; a; m+ b/ Q6 C2 }, {, E2 C' r
$ [: P* l k% A% N4 U }
1 W% h9 D+ {5 n% E' o1 z' q* {: S利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了! [% j- b4 A" q
修复方案:* b# |& W5 ~& l
修改函数!9 L# h; y1 H0 K+ k2 ^' X
|
发表于 2013-7-26 12:42:43
收藏
分享
支持
反对