要描述:# V1 U' l9 s- u3 d7 K3 z$ G) O
4 `# O0 L! J) n' L( ^4 L8 d, O
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试2 a2 r6 w3 [7 _$ u. ^
详细说明:
+ f! ~3 c1 {0 W# RIslogin //判断登录的方法9 d2 b0 w9 j) f9 q+ |
' W5 N; x0 F- ~. P: Y0 Esub islogin()
* R2 ^0 A+ @/ y( { 6 [" E2 `' W1 e: N
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
0 c& Z9 m1 j9 E( L7 L! T% b+ ^4 V
. l, {- }; A* Q' |" X, G3 `+ \dim t0,t1,t2
/ J$ F1 p9 t/ A5 ^$ R . E* l- l* ?' m; x! j, k* O9 V
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
7 W: y& j/ j8 g6 p0 Z7 o
8 T+ {! O3 t; o( ~, ?t1=sdcms.loadcookie("islogin")8 K" E/ W/ ?7 t, V% m1 P
/ X& A* A _( R( B: K* B g
t2=sdcms.loadcookie("loginkey")8 K# Z# e8 H" U- V- [
9 \8 F* n" m x% D6 I7 u$ n, k
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
7 y! O9 D6 o/ d# t; e0 t7 i9 m & T/ d2 A& g* n
//
2 ^5 U3 `8 M' N; T7 x2 Q* x ' z% ^4 X2 f( W# p& J
sdcms.go "login.asp?act=out"
* J3 ~' q; |: l, J+ G" \8 T1 W
! h) S" M# B, i* G" Mexit sub3 p/ v' M7 ]9 F" y' X- L) j
3 k7 {1 m! H% {* [3 ^else
& [, K S: e" ~3 n 2 f. i/ ^/ a, t6 S0 y, b
dim data8 P# g% ?) u3 I" Q% {8 S# J
: [* T w) l- ~' M
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控5 P4 ^' W: m) H% }) \
- h4 U% s' W- j' Tif ubound(data)<0 then
/ ?6 W c u/ l1 B/ W
( j/ ]" r- W" ]( vsdcms.go "login.asp?act=out"' \; v8 {8 F7 o; ?' f2 C+ O
; t h* t/ s4 ?' ?exit sub
5 w" q! [6 \, ?8 v+ y
. A' @2 ]- K. i; E2 Kelse
7 h% X J; ^0 s
" w# ~6 V6 Q! m& aif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then" R7 n6 r# `" @
0 G0 ? w" A: d& Z3 ]& X$ isdcms.go "login.asp?act=out"
/ z4 `; w) `/ e6 w3 D1 f3 t; D 5 z5 F- ~# N" m O
exit sub
( e4 _" v+ F, O; g
/ I2 d2 D& s% l0 telse& L% _1 O( ~. {
! t+ N. ^" i, u1 t/ p* _& L) ~& _adminid=data(0,0)
3 C ^7 S2 g M
# K: F. v: e- Cadminname=data(1,0)/ Q$ [7 K" u& g& m; {" j& d7 |- P
3 N' x1 x9 k8 ~1 ^; B
admin_page_lever=data(5,0)
8 C5 E# _ G$ T, o' | : l2 ]) ?, l0 y# D) k. {6 C' ]
admin_cate_array=data(6,0)
4 L* ]- z* A" a
- U* w1 d* P% b& Z8 Q+ cadmin_cate_lever=data(7,0)
2 T- Z# n" h: F1 d* v5 E
& [" T: b1 y1 c! Xif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
% \4 A+ H. m( q' F9 \. b : T) Y$ w4 A2 q* S
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0- h$ \+ o$ Q; |
8 o: h* k' W# e& ^; |( X' N6 Hif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=06 _, X+ a) h# r) m1 q: j
9 J2 ?1 k4 F! S% w3 Z3 X3 Eif clng(admingroupid)<>0 then
" ~( a% Y4 u1 S# {9 o6 K8 G6 v; D7 v
) Y# g. k% m6 A& C: F; Hadmin_lever_where=" and menuid in("&admin_page_lever&")"
" Q5 ]6 R+ y- y' u( n& V" m
) }4 U( L5 @9 E1 Z2 \& j; ]9 ?- \end if
) F! ]' E; k4 y0 i
. C5 X2 e. u) h/ Y- @sdcms.setsession "adminid",adminid
, N7 H% t; j5 [8 @( v3 z* E. o" n
2 O6 N8 K; Q7 A% \" W3 jsdcms.setsession "adminname",adminname
" \/ p$ V" x7 Y) S 7 b- J* M8 ?9 [+ [) o1 _
sdcms.setsession "admingroupid",data(4,0)0 @' \0 l) c& `1 ]+ [( y7 w
' ?7 |% I; P U0 M4 ]% \
end if; F5 w3 h8 P# w- R- }' M2 | w
1 L! V4 U4 `0 c" E
end if& a, ?& W* P6 k0 R* F
5 R4 S# }, W0 K" i- ` Nend if
$ M( j J9 ~" @- g6 g 9 x! D; T* Q" k& o! \% U* t
else
0 a7 Q, s! o, ^1 [8 s& ^ / L- J! R8 Q) i" q
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
% X' g9 c, M7 s( l% w
5 L8 x( w6 v, T1 C+ tif ubound(data)<0 then% _4 q% {- U$ ]( {; n2 p( Z
5 I% ?! F9 g# A- S/ D. ?; m/ O2 l" msdcms.go "login.asp?act=out"
2 t2 o$ G7 m- n ?2 B1 d" ^ ; y/ E: x8 ~! l
exit sub6 U& F% X1 N- P# ?4 J+ t2 |; G
0 C! _% W% S$ _else
. Q3 |! [+ @( q1 I i5 E1 m6 C) F ( B8 q" w" a8 v
admin_page_lever=data(0,0)
4 y8 i: E' R0 h2 Q' J) L, ` + o, ~5 K1 K- @* ` e
admin_cate_array=data(1,0)
, H$ d+ d3 I5 O7 L {1 }5 Q8 _. t+ ^ * M4 B- k7 B# j$ E3 a
admin_cate_lever=data(2,0)
) K# a) f' n' h; b) @1 I 0 \# e V/ g @9 i; ^. h. @- J
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0' B4 w& d2 y/ j" Y, Z$ G: q
* y, q7 S% r2 q4 f9 Jif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=02 o1 I# N3 B& Z; l) r' l
0 @, r; ]! F- ?" n' J: Sif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0, w3 {8 q5 D4 h7 c$ c- r
" @ F7 ?6 L0 f. v: u9 y. C2 } @
if clng(admingroupid)<>0 then
5 {* m% k' }. k5 Z3 D s) } 9 X7 ?/ [9 p& {& G! p5 D
admin_lever_where=" and menuid in("&admin_page_lever&")") P$ F' Y% a+ P# ~0 J
6 j) V" K% z- _! p* Y, F( Gend if
; G2 O" y' V' x
! @7 q, C9 q# e- @' A6 Eend if" o" h0 C' i" {" a8 ~
1 h4 o f+ X/ D: K# K5 I& l! Xend if
; y0 d8 g4 y0 n( w7 k6 \ 1 r+ q& M+ `. _5 U; y% @
end sub' |2 J5 K" Q( D5 m$ a+ s/ k/ d U% r
漏洞证明:
3 o5 A* b( A- L# _( x, @看看操作COOKIE的函数
5 |0 C, S; _ m% q6 Q1 j+ v
5 J- [1 d* a% Apublic function loadcookie(t0)4 m! t9 |2 t: J5 m. t; a
4 Y# [4 \$ G' o4 X. o0 g* n! A
loadcookie=request.cookies(prefix&t0)0 s$ z7 A% J! H1 d6 @
$ P) c, T9 z- n0 Z( J! B0 mend function9 k- I- B6 v/ Z b
4 T& t3 O/ {: g
public sub setcookie(byval t0,byval t1)( O) [0 S& ?3 e" Q( I% N
: }8 l' u% l4 \2 hresponse.cookies(prefix&t0)=t1& g- W) |0 c F9 g
g" L2 z6 j# V; B! v
end sub2 M* Z) O7 b! J* Q ?+ A9 c
& b0 U) m- l* i
prefix
3 S8 H' }4 \- c, x& I2 J 6 @0 z( W# v) L% u3 w1 y# P
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值; M2 |6 B" { F) @0 R, W
0 I. F. L9 |; q. t2 K" B. @dim prefix, p) k0 r/ h2 h, K9 e7 u0 ]$ H* z
! ~. X2 M! o$ M. Q, y- K& K$ dprefix="1Jb8Ob"
% l1 u' {" c$ W0 o$ A; u 0 I1 D/ z( m# ?7 k( K- V
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 - [6 ~3 I, {5 y1 D# F0 ]
+ ]: y" F$ [3 @1 b) \5 S
sub out- p8 K* V# g# v V
/ M8 [+ u: b c% N7 L" S- b% Usdcms.setsession "adminid",""
! T! v' N4 E) k6 c4 B- ] 5 R2 r- M5 l! x5 i% v- `
sdcms.setsession "adminname",""+ @- C0 |; }7 H0 l7 A. S
4 l$ M' o0 L" ~. K, B& ^sdcms.setsession "admingroupid",""
7 c, ^; v X9 U, H/ B$ ]. j! v . ?1 r" }5 X5 t
sdcms.setcookie "adminid",""
; h( p7 Y$ C8 A9 T; i7 Q! T3 W & l& T6 S, A' o( s% L6 v; x+ x
sdcms.setcookie "loginkey",""
, P( W# s: }9 ?* `- n: @ ' P, r& g; z1 y: [4 R2 f3 L
sdcms.setcookie "islogin",""7 {9 Q7 X9 {& r7 H1 I2 U$ m
( d! n+ v* Z1 U' s$ g3 |/ \4 {8 ?
sdcms.go "login.asp"
: r6 E" Z1 o& W" X : f$ `, h% @ y2 P) X
end sub4 G, ]9 ]4 r: {+ E8 j! H7 i6 ]
4 S+ z* ?% v2 Z; b" w# p
# w+ n) P- ^* E2 e& w' a$ u) X利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!6 O3 M$ Y% q8 j) D5 t6 H
修复方案:
; O: U* f) ~$ i9 Y$ U) Q6 z修改函数!# b4 I$ _. g+ ~% P
|
发表于 2013-7-26 12:42:43
收藏
支持
反对