要描述:: Z0 G1 n8 H9 r$ b% C+ b6 Y
+ H; ?: Q: H1 x) U* q- w$ [SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
5 x5 C! a, L0 @6 ~9 `/ q详细说明:
* L( Y% _/ L' [6 i tIslogin //判断登录的方法
3 q4 Q0 ?7 w8 s9 i, A) x , g" Z! t0 W% J x
sub islogin()
# L" {) n; a0 V
; ~8 r8 k4 o! b: k1 {/ T% \* X8 nif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 9 J, Z$ s5 t# b. v+ D) d* [
! \/ I5 B+ J J2 ~, qdim t0,t1,t2
# q" C# J' K8 E) x # Q5 ?# C1 i" e, E4 W
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie , H& @4 I ]) j: Q) ?
* O( k$ t' Q4 S6 a; M3 w; W
t1=sdcms.loadcookie("islogin")' \( d* l/ i9 _
+ P/ `, W+ i5 C( b
t2=sdcms.loadcookie("loginkey")
( E# t4 ~3 Z3 k- n7 K! R B! Y5 H# @, [) r+ F( y' X
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
1 F' `5 w* L$ d . S& D v6 x9 Q( T/ H) ]0 d
//
% m8 e* W' y: S4 l: F 2 f# ~* t9 U# ]
sdcms.go "login.asp?act=out"
8 ~2 w8 O! |' t" {4 u 1 O9 q! \; `* g6 P$ \8 |
exit sub: A; V0 R. C" i* g
- f, l5 s) N3 E0 |$ b
else( m7 z" r! o3 C7 }! s' u: D
7 n- f% V8 R7 L& j
dim data
7 ]* m! o7 \# X+ n8 r , M0 L7 E1 T4 r1 o5 W, i4 W
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控' ]2 j3 _" s5 v
; ~' n8 A+ w4 [. J
if ubound(data)<0 then
, f& C) e0 x% d' u
5 P& F j- j; q3 j! `! C' `+ L: Ksdcms.go "login.asp?act=out"' @. V, h! `7 E# ~! |
) X* A1 F% K2 y8 e5 g. S0 Pexit sub
- i0 c' D2 p' @! \$ [9 W # o5 z5 S9 _. S# g
else
3 K+ O1 F, Q9 w+ ^' S7 q( {$ _2 \ - ]* }% l7 ]: T: v& N
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then& ^5 C* t/ Z* \. ]
4 |& X; J2 M% Z# C9 B
sdcms.go "login.asp?act=out"
6 {+ r) S( c' X 5 [$ i) `% z4 ~1 q) {# X/ S
exit sub
; I' u# G4 a7 v- V' d+ E
2 I$ O9 n9 I2 {' P5 Y( a2 ]else7 J, L* g; p a$ S
( m' b' S9 W. D8 E5 Ladminid=data(0,0)/ e* c$ s4 @: z; ~0 D9 R8 A
/ b- N; ?* p0 r3 `* o# @6 Eadminname=data(1,0); F6 Z; J/ ? F3 f' h
6 g, u& b. o: o1 G [3 ]- madmin_page_lever=data(5,0)* R" T$ ^, l4 h" X! d
, [' I0 H! K8 q1 E! B
admin_cate_array=data(6,0)
- j) d! H6 k3 l% K! l( m : F5 Z0 I9 ^! k" y. |
admin_cate_lever=data(7,0)
6 c' Q! G- T$ Y, f0 v9 p8 i/ @
2 `8 J# J0 O- E {( pif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
4 S7 Y; M5 {/ v. }) a2 b4 I
+ z' i' G' a/ u- D# A5 vif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
, Z7 @0 k! z4 O8 E2 H- F* G
! n: r8 R! E4 x8 Sif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
6 u9 P; Q7 u% x; H y & S) r: T& \ \
if clng(admingroupid)<>0 then; ~9 d& b: p' t' t6 {4 V/ e- b. n
+ ^" @# }* x9 _ f4 c6 Xadmin_lever_where=" and menuid in("&admin_page_lever&")"
X8 ^9 d% t' k$ h- N7 V7 e 5 y2 n! u, G# E; |
end if0 b t3 }9 i1 Y2 ^, K
; Y; s3 b) V" r6 Y. V/ }3 Osdcms.setsession "adminid",adminid
7 N, t8 @ w8 y9 w7 c ( H) m: [- N) G
sdcms.setsession "adminname",adminname L9 P6 H' G( V7 t; ?" w4 W0 t
% b/ ~7 [, [3 Z8 t, ^
sdcms.setsession "admingroupid",data(4,0)9 C* c% V' ]/ x2 i2 Z
6 g( |9 y! w$ ^" A0 M! ~end if
4 t8 n2 d, ?+ x9 s/ \
7 l' M: h: V; U9 Vend if
) K) Q7 U4 _6 z6 G
; K: K8 M6 m! v8 y" Hend if( B7 I: k( m: Z8 b& }! R0 ~
9 I6 ]8 I, g7 L" J7 e/ {else: a4 N% }0 |8 G& L
8 t Z' Q% Q/ E1 t4 edata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
6 M2 ~+ ^' }) o
! U2 ^# Q; O o* a) {$ Q0 Cif ubound(data)<0 then
- j( y( H" I3 i$ a
$ r& i, d7 e- U1 qsdcms.go "login.asp?act=out"2 [. f9 ]# U4 m* |# u) W+ X* P9 `
+ t8 o" Q3 [$ w! w7 Q5 q# Q
exit sub7 k) v# P; Z; t' R- e
: D! `+ |' x5 Z9 A- kelse
% r. t, Q0 B6 ~& x' A
7 e$ B* x! L' } x0 \/ sadmin_page_lever=data(0,0)
y, k/ w2 ]: k/ U
$ o3 u- v: Q; {8 badmin_cate_array=data(1,0)
; n& l3 V6 P/ t8 S5 a. ?3 E1 u1 J , R$ M1 Q4 M2 B) L- J: z
admin_cate_lever=data(2,0)
# ~9 _' P1 J" R, b) @
, R) R1 W5 B; N2 R) k, E- `if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
- t4 c& L: R5 h2 V
' b5 C$ W* {5 H1 zif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
l+ c' W# @3 o" ]3 T/ _4 I / N' }* x7 S; r# @
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* I% D# L2 \& q8 [- t
4 b/ `; S$ b6 ~2 M; }; Lif clng(admingroupid)<>0 then. M) ]" R/ x7 i( _- g1 c3 _) s! U
4 P U4 y6 [' P4 a fadmin_lever_where=" and menuid in("&admin_page_lever&")"5 ~/ }6 r$ u2 p7 {
z2 v# p/ `8 F8 ?; l( W
end if
5 t4 ^! }7 |' g4 H% i3 j- v
- N. A& ~7 B7 D% yend if
) \) |- v7 L6 E4 t% C" ?$ @$ s* R' o; g
, A2 O; R. ], l k$ s8 xend if9 z4 Y- `+ U4 @
7 T7 R! I I9 ~- ~% E/ c( Y0 C
end sub
% U1 s, I' m% h/ a漏洞证明:0 R% ?$ A$ c9 d9 C5 U/ v( ^
看看操作COOKIE的函数
: ^" L Z; q. K* L# w; Y4 u$ {( j
# i& P4 t( }: \public function loadcookie(t0)
( M( O; \3 R! a I) x0 P " }' J8 Y) g. L; @
loadcookie=request.cookies(prefix&t0)1 o7 t3 P" e$ F$ k/ x" {
1 @2 e- s; c/ t7 u; G2 vend function" p. X! b) ^, O. ?
- X/ a8 \, Y. O' p* Wpublic sub setcookie(byval t0,byval t1)
5 P0 N, `8 R( I; g0 t 0 Y6 m7 a) |7 J- H( H
response.cookies(prefix&t0)=t1' M0 x# f' n# F/ \& e4 Z( X
$ X5 j! y) J6 f2 A0 A
end sub* w0 e1 D- s7 U& n3 _* n3 g a* X
5 m J6 I7 {) U$ N' z& kprefix
9 q K) }- s4 ]8 L2 D, h. ] : r, e( u/ ^' S9 O4 O5 B3 J
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值% K' v2 t e& ]+ `0 k7 L
d) B2 f5 i1 ndim prefix
& \. y: w0 ]' Z0 A" J9 b6 @* _ I " ~: l$ ]( k9 [/ B* f
prefix="1Jb8Ob"
; J' d1 Q! w# Q, T
: D3 q$ f/ V6 ~2 P7 n1 U* T'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 # p! [& I# T; f# L) w1 H1 x
4 M# }; |* q* A- o$ xsub out
4 Z" H" O2 B, Q- Q5 \, t: E2 w- @ z4 @: F: r8 J- R, ^3 D& }8 M
sdcms.setsession "adminid","") u* n9 Y( V1 V/ K; b
1 b& z5 ?' i N8 J4 W* ]+ s
sdcms.setsession "adminname",""; I( U$ n3 _8 q2 R% Z$ G
- n1 n$ S+ c# q% u2 C1 T7 ~0 b
sdcms.setsession "admingroupid",""' A8 T1 z2 K( e% i* C1 _% p# o
( F' f* I& N. j( }" s$ |0 C" Hsdcms.setcookie "adminid",""5 n& F: U% F, ^; ^# t8 D' y0 F
0 Y/ k0 L2 m6 X8 x, qsdcms.setcookie "loginkey",""& B- P1 `7 I( p, v0 [! }: i1 K& N
0 f& v! b: y( C: ]9 Bsdcms.setcookie "islogin",""
* V1 B* q+ d' n- v! Q3 p
" x) g0 Q/ z. X/ s) ksdcms.go "login.asp"/ D- _% w( B* g( z: A
2 K1 k' n7 a' w: L8 H/ Q9 A. gend sub9 e, V( F% u, m1 N2 K
G5 [. b% r8 b, P' i8 V0 L+ O' u
4 ]: S( M3 ^0 a w利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
$ ?% N" v- M; G& m8 a修复方案:
5 H" `: d: w( R3 r1 S! y% ~1 c修改函数!! e, a# \3 J2 x% I0 B0 _/ ?- f
|
发表于 2013-7-26 12:42:43
收藏
分享
支持
反对