要描述:
* I4 v6 g8 A! `# f9 L, z
3 C+ v+ |5 G* `; { W: mSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试! s: {0 I, Y& K" q
详细说明:2 X4 m, R9 }6 L
Islogin //判断登录的方法- J4 D% ?" [0 q. d8 ?9 {/ Z7 f
9 U2 U# D; T" q$ Z+ f( u
sub islogin()
+ ~& B; l4 |2 k
; j) s2 `( `/ u( _: L, tif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
% T1 O% h; A k6 d5 L& n ( F; c# T( R+ S1 g8 R) j
dim t0,t1,t2
2 c, _- T) L$ G) Q* x; X0 V9 q; Q3 C( P
" v3 `* M3 t6 T: X4 W: A( ]t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie ; A/ `0 o! y7 `( D
% `+ y0 s& b C5 D
t1=sdcms.loadcookie("islogin")
, n# H- I5 H" j: h5 {4 H) ? 3 \- `3 ]) C6 H/ }
t2=sdcms.loadcookie("loginkey")) D+ Q% r. r# i8 ?5 \
' g9 @1 [7 u* {& `if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行5 D* D% @8 p$ k F- P
" b" k* b; d8 E//
- ?) a! M! S" Y' \+ m4 Y3 g% A 6 D8 z Y$ |8 j, O9 C1 M0 ]& l$ q
sdcms.go "login.asp?act=out"& L7 \& \& f: _. m! E8 i
1 U8 j& B/ F; }& } D# Z
exit sub/ |5 s) B: t+ v/ F: v
( ]' s! r H8 y3 |2 ?! \8 _
else
9 m$ H X; H$ l* ?
/ c2 ^) i: r4 Z# _dim data
7 k* V- W. E- F) y; T7 Y# \9 ? p! | 7 O5 C; D; B5 k! d' Z4 P
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控0 \- F( j# ^, ^, |
3 V+ J# S& s; G
if ubound(data)<0 then0 t6 K% m/ f5 @8 ?7 u) P5 X& K) X
" S+ Y a7 f4 B9 c# ]4 x; l, q, z# Isdcms.go "login.asp?act=out", w8 \+ e9 f s9 J! P
3 p1 p( X( F7 ~
exit sub, s" i8 h+ C4 }7 C
" k. X) t1 \% B: V) y. Selse
8 e8 |( A; u" M1 k* G 0 {) d% G! f, G# i
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then8 `; ~( p! R2 i3 ]! M% u
) J% F* X4 L) l9 d8 J. {) r/ dsdcms.go "login.asp?act=out"4 o' o4 P% t7 t9 s! `3 I& n
" C. }. _( x1 e$ `5 d' c% W4 e% H
exit sub
! d7 L0 k% ^" S; m2 d
; |4 \1 W% [& R7 M( k, |1 [else
# E9 A7 Z' O7 z* B0 u/ H) K
" M. b- F4 ~$ Y4 h6 f! j; Vadminid=data(0,0)
0 }5 P3 s1 v$ {8 L9 P! c
. p: _) f# m1 p0 k, G1 t" h3 ~adminname=data(1,0)& x) ^6 U, M# F$ o3 S
; d. [* I5 {, [0 w" zadmin_page_lever=data(5,0)* V, t. ~5 a1 H r5 \6 G
3 \, c o5 d9 Q! ~ Y' i' f
admin_cate_array=data(6,0)4 s/ a" A$ U: @( e
3 h6 g8 Z: h. H Iadmin_cate_lever=data(7,0)
% w) ]% k q& g" q1 s+ k6 r, @* h
, s* O6 r, R8 U! D# }0 L; Hif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=00 T5 j9 S a9 O. F& ]" n
5 l9 @8 `7 I9 e- `if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=06 b$ G" U; ?/ P% Z; b
" E e3 l2 e4 g* r6 U3 P6 l0 e/ I7 ?$ Dif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0* s. B% T+ O+ P) Z! ^/ ?/ O
* c' R7 u% p2 K* T; oif clng(admingroupid)<>0 then
: x; [: e9 j1 V, ~8 e6 T2 x
6 s! p& m( a% \: q2 Uadmin_lever_where=" and menuid in("&admin_page_lever&")"
; |% S. T4 h, ^ " [0 Q6 C/ T! J
end if, a% t: R' x+ ]2 r" ]
% J% c) V7 d" n4 `+ v+ t) a! K
sdcms.setsession "adminid",adminid
; E+ P% g7 E5 ] ' s+ ?% W1 R# `
sdcms.setsession "adminname",adminname
5 t! k: l3 `% U# W( W$ ^7 g ' U6 w% H" m! l& I6 k8 V$ n8 o, ?5 i
sdcms.setsession "admingroupid",data(4,0): J6 w* [9 e+ C' D/ r9 A* ~
1 m; W0 x% v: |0 E
end if
" u" J, P4 _8 h
Y5 J) z2 i% P6 W1 X( Y5 Nend if
, G( Y; F3 ^9 j6 F i
+ T& `3 \! h2 Z( a" E$ Pend if; V+ q8 _; N& S' Q$ I0 U- @
/ u8 K( b/ m, s* Ielse' T8 ~- Q% q% \4 s4 b" L
' o3 E* e% u+ q; X m
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")8 N7 w4 _+ I7 a
4 w/ H' @/ r7 ^5 P. I- A& m8 S
if ubound(data)<0 then
! P. R# M' U% b! N
& q; m; }: |1 M" O: I, o! }sdcms.go "login.asp?act=out"
~0 U! f Y1 V1 y9 e
8 | m3 J% r: C5 Oexit sub9 y+ s* [8 I2 N3 l' }
; ?' u4 |$ ~5 h4 V- b2 Pelse
6 d, _1 n) I! g: z7 B+ F & g K$ Q: c3 F9 @4 I5 D
admin_page_lever=data(0,0); E! c( J) m" F) V2 O
. ~* M3 v! x4 ^( uadmin_cate_array=data(1,0)
1 h0 w! M; O: ^# a2 p X e7 P& a, X, q) k U8 p" {: `
admin_cate_lever=data(2,0)& M1 t* Q* q) [( v0 C4 c* L# W
" o @: U" y7 ~) n" Iif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
9 ~# m6 ]" p) z0 y& c 4 E2 Z* w9 n- J+ t( F
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0* T3 A& }; b5 G2 d
/ d% i1 w% X% t/ d" Aif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
. ]! Q* r% D8 |3 H # S2 {, V" {& h# W( L" Z @
if clng(admingroupid)<>0 then/ J/ h. B+ o6 |5 N1 [. ]+ d) d
/ d0 W% G3 {, J# c! Y# ?% R7 k% E
admin_lever_where=" and menuid in("&admin_page_lever&")"
, W* d5 h: J7 C4 J1 M. c h1 `% O B % Z" p3 e$ `; X* T/ i
end if
- q$ C* l9 {8 P) b7 m$ h + a) w, [6 B, E) n% D
end if
' b. E- e7 b6 u / Q" \4 J, X# n+ L% x& W
end if
* C+ D* F0 r" O , E* s2 o1 ]0 U0 ?" M
end sub6 s4 K0 T0 J1 d
漏洞证明:
: J: D- D$ S5 V" d; G9 r# ~3 X$ m看看操作COOKIE的函数
# e( Z. U2 p, }' `2 F6 q% ? , i# M% k/ `. ?4 I
public function loadcookie(t0)0 O8 A/ \" G& J$ j+ L
; O3 P4 m0 t a1 x! S7 R
loadcookie=request.cookies(prefix&t0), J; o$ N7 b. |
9 L: `9 d# l; d0 u4 X2 x. bend function
! ^1 f/ I6 c- Y! A
^2 W( Q0 K% S, M, Y- u% @public sub setcookie(byval t0,byval t1)) x! h' p$ H( a C) r O% q
) m' H+ I2 L; T" I6 n8 N g6 _response.cookies(prefix&t0)=t1# C% p6 Y1 Y; g* C$ {
& r' e9 y) q4 Z9 \1 y; u2 K3 Nend sub" p$ F: @( `2 D& v
5 d% ^$ N. l$ m! R, `prefix
4 A8 `" G0 r% q6 J( U & C ]3 H" y0 Q( o; ?
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
. E7 M' g9 h9 X% e 8 E9 q7 p; ~8 c7 p
dim prefix. M4 G! g$ Z$ |; w/ M6 ^: i" Q
: }3 ^, J% ]1 `. `4 u# I. @( p
prefix="1Jb8Ob"0 M( n+ v. ~. h. e# t) W
) s) Q# `' ]% X# o; |'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 : [. m6 k) J# \, _: C X
' P a; M+ S) ?8 x$ b- fsub out
3 w0 e+ w" Z% C+ C% B( g ! R8 K/ A& R3 v: ]
sdcms.setsession "adminid",""
( r D% N3 g/ E! d+ D; Y" ^9 w . z: ^/ j* q6 e& z, V4 U
sdcms.setsession "adminname",""- o: h5 N0 W' x. v' C+ j6 O
- H2 r' X( y" Xsdcms.setsession "admingroupid",""9 v1 ` ^6 b- M
) r2 Y! q5 f8 A) B" J; ]6 |$ asdcms.setcookie "adminid",""; ^0 r ?. f7 N) W1 j
( O$ d5 _7 a# h- v' Z1 H6 J. f: K6 g
sdcms.setcookie "loginkey",""
+ j( s7 u( z' E1 }$ v( l . g% u( b0 o% R; n, ~8 \* h. p
sdcms.setcookie "islogin",""
0 D B6 @: o9 c/ }, u
# c' \1 ]) ~1 W- u5 jsdcms.go "login.asp"$ w8 u. B0 d- w$ L$ T" G6 i
?/ w+ W: k- p3 c! u- q8 S4 D6 jend sub
. d& y3 b* V! v0 U' J& H7 J ; m4 G5 o+ j" N0 ~0 [
7 \9 _6 @ Y$ x
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
6 ]- y) T( u; C1 C% r修复方案:$ X1 x+ @: S1 O& S
修改函数!4 _ C$ m. N/ V8 c$ F, Y, p
|
发表于 2013-7-26 12:42:43
收藏
支持
反对