要描述: I: @) G' e: u$ ]! g# w
4 l/ e6 n, h, d7 c4 }1 N
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
+ t9 f$ Y# N( K- @6 J* A# u, d. f详细说明:' M2 s* ]4 n0 l8 a
Islogin //判断登录的方法+ u. f0 W% ^. A3 }" u! P8 I; t
) V' B. |3 F- T& R/ R( f/ xsub islogin()8 {/ X# O" M9 L
3 j7 L7 f& x: N) \9 i2 W
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then % B% Q6 u0 C! E
' D# o. o! L' Z, s3 a0 Y
dim t0,t1,t2
n) V* C o1 \
1 U2 n( e7 x' O* L4 F2 _" tt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie , P/ p" q. X& M! V" y" n
4 J2 e9 ^3 m% [7 ~
t1=sdcms.loadcookie("islogin")6 n) O2 e9 G* G" p, e" a
3 ]5 T' h, {6 {: ^# e) E# M( z
t2=sdcms.loadcookie("loginkey"); E. b+ P. O5 w
1 C0 N# a# Z1 L6 P; a% [
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行/ C, q0 Y! `2 S- ^) X
% P, D# @* j" s2 Y N9 L//
7 `. ]) j) l/ M' E2 ~ |( r. {* _
# j2 L" I" A/ w+ @sdcms.go "login.asp?act=out"8 u- i9 Z* v3 d
2 [4 S: V! @( Y5 m
exit sub
( T k3 G7 p& A6 c2 i4 J7 } H5 V9 b & Z/ l2 l5 h" p4 V/ M! t1 h
else
$ _: x/ N1 G9 z$ m ! j$ p- H# I ^7 s
dim data7 w4 M+ R; Z. \1 D! G& m9 B
5 h0 Q3 l0 m9 ]( H" f3 E$ p
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
2 u: q9 ` {, K0 K+ v- Z6 z- t + X0 u, W# d7 a. Y/ I' p( n
if ubound(data)<0 then
$ |/ s& f1 O' {
( y& ]* Z& ^4 H Z+ a: Psdcms.go "login.asp?act=out"8 y2 P* w" K, K2 H9 i( ]# S% S5 i
1 i' u! S$ c1 Y' P; _8 a
exit sub" Z4 p- K. U7 C
+ y' Q+ P7 U) b" [' j. y1 {
else/ e( o% d6 i+ W" {: t6 Z' z2 R8 ~
0 C+ ?- c& c0 _/ g$ [2 t& R
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
$ @* F6 \+ ~ A# B1 t
3 [3 v9 x" `! K$ s+ N( L4 Tsdcms.go "login.asp?act=out"
: k1 V2 Y3 i6 U% U% g 3 h! n! j8 u$ a) i3 o, ~- W
exit sub
# k w% Y8 l0 G
% _. v7 j: t1 L/ V/ l2 j5 telse( B3 {" v- }" U) P3 `8 [ {
2 t! c# A9 m0 Y+ E
adminid=data(0,0)
# f8 M0 ^1 I+ U; O 8 |) K! \" u% h- A+ e9 k" E- d5 r
adminname=data(1,0)7 g1 J; R- G) B- B6 z H# n
' c, b0 {* ]6 Y& l& b% padmin_page_lever=data(5,0)) M0 I% \* s S$ _( ?( x1 i8 \+ u
( m9 B5 _7 K: m2 c& m1 J% X3 Y. wadmin_cate_array=data(6,0)# K# \9 z* k8 B1 e9 n
( Y& `$ Y2 n, D% Q( \admin_cate_lever=data(7,0)
, h7 S$ a! X$ Z$ i# B4 E3 Z6 v3 V
0 T) Z# D) Q9 ^9 a- D- Pif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0" {- F5 y: U0 w5 G% [) |
% |$ a! G' m# n W$ {if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ t" E% F6 G+ Z4 |* m/ @8 z
7 P# D- e7 M( g! X, p2 Hif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0, L2 u7 C9 P0 o+ j* T" Z
; C: j. g& {" N. d( x0 ?( D
if clng(admingroupid)<>0 then
& w; T2 e+ r+ s5 L/ V
; `$ M" |$ M- s& e0 L0 ]0 [admin_lever_where=" and menuid in("&admin_page_lever&")"
0 a& A/ K8 U5 p' i 4 k$ X" [3 ~) ~% Y
end if
$ P) r3 F0 }% j8 t* C $ I; \1 s" v* R, D2 G! ?
sdcms.setsession "adminid",adminid/ V0 X0 ?" m6 h9 X
4 Y0 u- Y0 T# `1 \) Tsdcms.setsession "adminname",adminname
+ h" \1 p, P4 |9 o4 ]+ b
, n! m* V' b# ~8 tsdcms.setsession "admingroupid",data(4,0)
, l7 l8 a# ^. \3 L , q/ A# e7 P, c6 V: G& ?
end if
~8 K' X- k' ]5 P
4 S; I. Q% v1 u* j* gend if
4 H/ j$ {* D3 j' O/ g) H
' K5 n, O. _/ n, c, r% send if7 B! A4 k* T5 f8 q1 i
6 B9 i, s/ q0 ]
else
) R6 G+ p) {2 Z. k/ Z- O0 j1 o
; Z+ B6 o9 W6 g idata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
2 i. Y$ b9 H: @8 Y2 C' U 4 R f6 H' v) @. n, t
if ubound(data)<0 then; F+ j6 I* o6 Z6 O
2 y2 n. |& S: csdcms.go "login.asp?act=out"
: H1 v8 ^# D/ r' H% \5 o
4 Z% w" w% y: \# R; Vexit sub$ ^, v% V; r, P" t# X
0 J" r4 I7 }- X5 F5 w* {% b, ielse
6 r% \/ T# [2 e- d) D3 H6 f1 u- y + y6 ?/ N! @, p9 _
admin_page_lever=data(0,0)
( D9 U& u- a; Q6 A
9 B2 F8 N b" ?; ~, a" ?5 kadmin_cate_array=data(1,0)
' z. W- q2 R# z% ]* o9 ?3 F
: @/ e# i6 @5 V5 n9 ladmin_cate_lever=data(2,0)* b+ |$ L3 k) i+ v5 V5 H
0 W6 e" e( c9 w# U# ~if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=02 S1 W( K- a8 t I% O8 r
9 q8 ~: @( C0 ]2 p2 uif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
# ]% G4 J' U6 \0 o0 r ( `* {! N- _, w* M# H# X' P
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0! s% o l/ M* f
* _- T x4 |; w4 ]. `
if clng(admingroupid)<>0 then* ?" s* F! w" H0 q0 i8 f
/ @2 m9 \* X/ k b/ D
admin_lever_where=" and menuid in("&admin_page_lever&")"$ ?* l4 N9 L5 |! d
4 B7 a8 F' Q: C- _end if
( b1 ]' t& {9 P, f; }
8 {( u- g2 f: b; Bend if) d2 U! j4 g3 A4 Z2 K8 [; x
: w+ ^& k0 E+ p/ I0 R) M$ h
end if
5 ], y9 {' a: n& [) h3 `2 H$ O
. k; u' k( f& V$ G# K* vend sub
* X, ~0 y( V8 M. P# m+ P漏洞证明:; y3 Y/ {* r& Z8 Y0 ]
看看操作COOKIE的函数( Q' X! L. M3 M/ F4 T
3 k% D ~; p$ Z6 T( _
public function loadcookie(t0)9 [: J! F, r' @5 V. {1 f
. T3 b6 _" w1 Z/ E2 ]2 t
loadcookie=request.cookies(prefix&t0)7 k0 Z- }3 Q# }0 Z A1 n q2 b- b4 ~
' W: }- G8 t' c- v1 h& {5 t& L- [2 e: R
end function- a- ~( s; T( W; [9 E) E( @
* O! f* M" v* Y% o( \4 apublic sub setcookie(byval t0,byval t1)
+ Y( Z2 A! b4 f- Q% R4 e8 c
+ O6 P' a3 x7 X! i8 u }5 eresponse.cookies(prefix&t0)=t1
$ K" y2 p/ c8 K ?. } 5 M; S5 y- M7 i. U4 I; h9 E
end sub
; H$ d: a0 E( ~* Y! {# V ( [' v% J5 A9 k, N' d7 S% F( @* w- V
prefix
2 n5 l. K0 d6 d
A% i: N! J6 S2 S" P& F+ _'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
L' P. h% w$ u 5 k7 K0 p+ ]- W6 j1 ~
dim prefix
b! h \% l: G7 O7 g1 K6 c
$ l2 _/ O0 C; M/ }/ R8 `) J Yprefix="1Jb8Ob"1 Q% w0 J$ J) l' E) H: K
9 i9 w' c/ o4 g+ J. h4 k
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
& N7 A) W0 }! k$ X& N4 A
5 B5 b% S6 U L/ f0 l! N- Ksub out' K5 T' F$ m& d
, |' p" R! {& J/ a. Y3 d
sdcms.setsession "adminid",""1 z' N. l! A# t, s
8 [: l- M7 T: k+ c M5 l8 l
sdcms.setsession "adminname",""# q" Y! W* C8 w- X1 @
+ ?6 d% T1 A1 D; @5 @5 ssdcms.setsession "admingroupid","" g3 G! j3 a* }3 c3 w1 ]
4 F; R8 m3 ~3 k6 b( u8 ~: ysdcms.setcookie "adminid",""
8 v2 A* d) I: t% ]& {. x" N
. A$ v' |! d5 f/ ~% d7 p- {9 G3 ?sdcms.setcookie "loginkey",""
7 p/ |+ q5 V1 G; J/ G
. B3 D' p6 c- S7 E+ H B; nsdcms.setcookie "islogin",""# ^& V! E( b/ z* ]8 |
4 L, @0 u+ v' F& @+ Hsdcms.go "login.asp"
# d' d [7 u% r R; P5 J+ w$ Q$ u 6 B1 E. }+ {8 @" c3 e
end sub3 B0 |, U' `2 Q. [- p
( j5 g/ j& J9 _# O1 m2 n 7 e9 j7 F$ E) T+ O
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
# M7 z! G) L- j& |1 w8 g修复方案:
# S7 c, Z$ `3 b3 v" L6 R修改函数!% }/ C* I7 \, Z R5 s# a% g! n
|
发表于 2013-7-26 12:42:43
收藏
支持
反对