要描述:
) }: }$ N0 B$ C, ^' A r* u- X- F4 \) k; m
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
: O* l2 W, S" R9 U详细说明:
6 O& g% p0 |# ^5 g! G) r/ S1 CIslogin //判断登录的方法
' T" b/ Z- m5 g$ {; ]0 ?9 y4 |& @ 3 [4 H1 c" j# T9 ^3 ?
sub islogin()$ N, Q. _4 E3 k+ w, a* W
4 a3 t2 q. J9 cif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 2 d* A `7 B1 r+ R
6 S+ A" \6 D0 B1 ^0 }/ l+ O) edim t0,t1,t2
" u1 r) P+ b' p7 ?1 x6 D
; ?6 ~1 Q! C& Mt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie ! u) J% Y& P7 K" F8 Z( n: p
$ j7 O7 u; `9 m8 W1 E$ M3 F
t1=sdcms.loadcookie("islogin")
; C+ a! H x4 O+ ^; V) I& k5 B
* ~' o+ X6 }% K+ ?2 _t2=sdcms.loadcookie("loginkey")
# _8 |. V0 G! `
% J! T6 r) u0 ?! H0 @% F4 ]if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行* J6 V% E( j6 F$ G# }
% b. M7 ]! l. |/ q" a//
7 ?( V9 j# f( ` % M6 `" ]' P* I+ ]2 b4 ~/ @
sdcms.go "login.asp?act=out"$ O! c. w) w. g" J) i
) ]7 l; d; i4 G1 {exit sub
! |, u& c+ {% X- B' D3 E3 l
& \4 \* P* [% J L4 Z9 `else
6 I+ _" c# V4 u$ G* G* N % a& }" s* q& V9 \# O
dim data7 ^/ Q: o8 q% w& v: s n n: I: R
" k% o5 N' ? i* \0 `1 F
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控5 u: D# l/ ]0 j- H7 i
% I) e' ~* V o) M2 N/ Rif ubound(data)<0 then
7 I" V) m& \& |* \
( X& r0 i0 t c+ w% R' U- z$ Msdcms.go "login.asp?act=out"2 J l: j8 D& x* F4 t) ^& ~
K, e! M+ d# V1 X. u5 M
exit sub
% C4 d' E3 y' `- N8 ~ 8 o) K) k# B9 C+ i
else
* D5 H, f& y) u; X+ G
- A' q; Q5 ]4 a9 h& F4 B9 g4 r9 Kif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then8 R, `0 r" w6 @0 M0 i3 V
) n5 T P( A: O) q
sdcms.go "login.asp?act=out"
* ~# k, `+ h- j/ S0 `% Z @1 V' @% i" N) @0 y7 U
exit sub
. v: W. Y, t' H- ]; {* R7 J$ v8 X , `3 i K6 f7 b4 d
else& P+ O! g" r5 A: p
) k3 u: B4 T$ U1 ?) w' L6 K/ p U
adminid=data(0,0)
. g2 Q9 Y2 @+ o6 n6 c2 l
0 c9 P( \2 H9 j! r8 {adminname=data(1,0)7 D! N/ U6 p$ ^0 G. }5 b' R
3 a2 ^, ^/ H0 {4 B7 c5 \admin_page_lever=data(5,0)
# T, j, A5 c1 w% `
. y: t2 b I4 J. A% h: \2 q7 ladmin_cate_array=data(6,0)
' c- A: W4 z1 I ~ # e7 Y+ ~$ L& v2 P8 G; j3 D6 F
admin_cate_lever=data(7,0)9 i+ G. A* }( g4 f
4 e8 [# d% }9 Sif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0" R4 N1 o+ {$ |: K0 @5 s. L
# D0 I% h2 s. ~7 Y& ~" qif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 z; S8 E. a6 s6 W* O
+ i8 c9 H( ^# X% r9 S* ^/ C
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
' k* e* G, r% p& k
" h" ^# b4 F. }& g+ {! [# P- Uif clng(admingroupid)<>0 then! t* ~+ P7 _# q; D, H" C" x* t* F0 g) A7 Q
0 x% f8 T' I; uadmin_lever_where=" and menuid in("&admin_page_lever&")"
0 ]$ r$ Y. B4 |1 C 8 F; q; R% O) E) W Z8 R
end if( a6 O: ^7 C% X8 H9 C+ e/ I$ r! \8 }
- L% m6 s7 f) h( E+ H8 {sdcms.setsession "adminid",adminid" }; e+ l( d C0 J6 _. m3 b% X
1 w4 F5 I- S3 [) J8 A! P9 ~, [sdcms.setsession "adminname",adminname
+ V* o* V# l; F4 s
$ H/ R3 K# Q! v5 |sdcms.setsession "admingroupid",data(4,0)# c+ K. B8 g& f' @- t
" z7 m1 |5 f( v! F* m' I
end if
! r& Q& I. y) i, C- A " k: t' y( J c- L0 G+ {
end if' N3 ]6 k# h# F6 J7 r% n" ]
- R I) t9 s: |% R, n. oend if' f1 Z% g6 K+ p0 m: L
% C' o' U9 z8 F l# p$ {else
4 U' ]3 r, _- s! q5 t# T: a
3 J. G$ ^2 `% W% v" E) t+ J3 [9 \1 |data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
' A/ ^$ M# E1 z5 t
5 L4 F9 n4 Y ? {% pif ubound(data)<0 then
8 [5 i7 U) M" s- f
' O+ k) G- @4 T8 W0 X( |, Ysdcms.go "login.asp?act=out"
! j6 e) D5 b; b: W- r& C6 }4 ~
* W, _4 j& T# j9 Nexit sub+ g8 E: b! J& |1 v
: v) [4 @" V# {. r/ Y' t4 z
else
% O$ V! s R/ _6 c5 S - _' o' P2 C2 N5 y) i
admin_page_lever=data(0,0)
; n+ j) K4 D0 v& P+ } 0 P D9 c" S! j3 R
admin_cate_array=data(1,0)
- \! O; V- t; T- u% _9 @% P
; p0 v+ M z# _5 ]" nadmin_cate_lever=data(2,0)
4 s& L0 w6 n2 e& _$ ] & b0 O2 { ~1 {
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0( K6 J2 p0 _2 C ]. q1 Q3 G
4 s: S) D, }2 K& Lif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0, }6 r& A. }7 W0 l k+ O4 F: ^% x
0 l: Q K0 c3 X' O% |1 _
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
3 R3 v2 A E2 T) [7 ? 4 p+ ^2 P) x+ V! a& k
if clng(admingroupid)<>0 then3 @$ l4 j) i \4 @4 b, b
$ s, Z& h d5 R6 X& Aadmin_lever_where=" and menuid in("&admin_page_lever&")"
4 Q8 k8 d$ F7 Y' T" l( h6 J
0 {! [$ M8 t7 \$ d; r. |end if
" X7 e& o' Z3 y. D* Q, r3 j w5 H- w$ P s& {, n6 q
end if
( D+ T J6 M6 [
& t1 }* c% [6 ]$ Dend if5 K, p, o7 R* u& T& E) ~5 q) G0 m
& j" X" s) q; k2 I& [
end sub
8 _/ x! u( s- |. ]8 F, `7 T8 f. i漏洞证明:9 }; H8 K! q1 P9 H, a# e7 g- z! ]* J! J
看看操作COOKIE的函数
9 |6 Z9 B8 \0 c* t5 L
& M |% C8 b3 o. R1 o- a* A$ ]# F- ppublic function loadcookie(t0)
' K" U1 I) z6 G* A
0 A* m2 F. v( iloadcookie=request.cookies(prefix&t0)( H7 U# p+ d, b: w7 K2 I
( u1 l% p8 O/ s5 f1 w n! E+ B$ ?! ?end function2 B. m/ f/ C6 ~: p* E
* w# g+ i4 A" _0 e1 u/ ~
public sub setcookie(byval t0,byval t1)2 F) p( J1 U: t3 |6 m$ j
3 p5 h3 y. \( w/ iresponse.cookies(prefix&t0)=t1
$ l/ o; `! i& N: y 0 o* P" c( e9 E! D
end sub% s) m& S' m! s# B
5 ?$ n' Q# K- Y2 u6 O' K5 e
prefix/ A, W. }7 r; T( c8 I& `
4 d; h( L1 h6 R6 ~. i7 A8 n
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值5 ~& i( |3 H4 _4 W$ F6 N5 {3 j b
2 E' E3 L7 y+ m0 g5 u
dim prefix" P" Q' y! J( R% s; H
4 _( F$ K8 G1 v8 F( J" Jprefix="1Jb8Ob" z! n) p$ q1 @9 T# u' G
+ n1 v" `$ s$ h2 J# ^( j3 o7 H'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 1 O! X9 Z* j6 d2 z7 m" n6 f
3 m5 S; D1 ?& Y2 i3 L8 ^
sub out' o) G$ U$ s7 b
4 Z& e0 p$ M3 _7 Rsdcms.setsession "adminid",""
5 ?# ^9 s% q2 }, n$ m
; R3 e4 ?: S! `9 ]; n* s$ Q( Bsdcms.setsession "adminname",""
' m3 u0 s5 B3 H( A* r$ ^% m
$ }; k' j: _3 ]6 ^/ m$ w& d8 esdcms.setsession "admingroupid",""# W" f* q! N8 X6 @* w) N
, s1 Y5 ^, p# T1 ~* c s
sdcms.setcookie "adminid",""0 q9 W4 u, V- p, M' O) F; ~
6 z" |- j$ j/ }* f. [+ i" Z/ v
sdcms.setcookie "loginkey",""
" B! G5 Q* E* e: O7 }' J$ k! @
$ u! k+ a1 _# A7 g. Y# Esdcms.setcookie "islogin",""
' _7 W9 S5 v; ]9 d+ m
; M: P( Y: x6 _$ Zsdcms.go "login.asp"
1 A6 C6 d4 l9 d: R# E8 E
' _( C) R% q+ ?3 U: m1 Y% d5 vend sub5 N% C1 H5 U( t! a: `# B K
, W6 r* E/ d8 |( e& |
0 U1 \2 |6 |) m2 A3 p
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!6 R4 G; H( x, e9 \
修复方案:
' k0 d# A( I9 m2 J) f修改函数!1 m( G$ `% |; v3 ~( w2 w
|
发表于 2013-7-26 12:42:43
收藏
支持
反对