要描述:
) Z7 P+ a* q1 I; s' h2 Z% L8 y
: m% D7 q" P: R4 o% q6 s/ k3 I5 ?SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
. f5 | K$ _8 ?0 f) w详细说明:: T7 O7 O- f4 R; S& O# F
Islogin //判断登录的方法; S2 C& O9 T6 ~7 Q
, g# Z w- t& x# k3 H; G& m/ N
sub islogin()% `$ x5 ]8 v& k
k' i* x1 B7 [if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then ) q! e( s* B6 s8 Y. K/ S1 I3 b
) ]% D h m# i! r8 L. u
dim t0,t1,t2 8 E2 u# c( n4 q& s3 ~) Q( J/ p
+ L9 X9 C3 I7 g7 q$ Mt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 7 e" S$ @- {: c$ V: A" G
* l3 s# I, y! }' f+ f
t1=sdcms.loadcookie("islogin")2 b/ D0 R* O. _& p
' K3 w6 \% ?; e4 Q4 i' ]3 s+ v2 C5 l
t2=sdcms.loadcookie("loginkey")
; D% v" W& ?3 U$ D2 u. |) \8 \3 V% K ' g( \0 d9 J/ T
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行! ]. y# @' f8 A
, D |, |- u2 ~, h* C$ g) M6 n9 T//
6 i0 K: g& w! K- _
4 t, l; |0 x' H6 L' ?0 wsdcms.go "login.asp?act=out"
. l0 R- [& C5 \: O" p+ k, i3 V
: ^- q) e4 s/ w2 ?1 b/ Bexit sub- |5 z6 C/ v8 e# D; |
% o% E9 D6 G" t) K; |4 i! N/ a$ Y
else
0 v3 v. D. f- x- z5 j! a0 Y . G4 D& J# g5 j" m% ]5 i1 w# }3 {/ j
dim data
+ r( i0 U5 B" z7 h: {6 z$ |) {) z ! H7 V6 o6 x/ Y- B! X n
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
4 x: b* p' m1 q' P. ]- m- ?3 |2 p 2 |) h3 ^5 e. _
if ubound(data)<0 then
( b( Q% \2 `4 `
' \) Z! _1 Y" X! n1 ^1 r7 p' T3 k# csdcms.go "login.asp?act=out"
$ c3 j! f' G% w$ s# u/ A 9 ^3 P* v e8 ?
exit sub M! Y; G9 u$ J( X2 r
2 h; j& F1 s( R: N+ I( eelse; V! o2 ^) a! G# _
4 R: I* d! @% C% s) [- tif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
- \6 O7 {% V4 `4 k( I
3 I2 ]' P( r* \; L$ x1 @sdcms.go "login.asp?act=out"8 Q4 J; |: U Z7 O- X
; j' y, h. C9 i0 l3 texit sub a: F8 \: u K4 v* a; e
: _+ a. k- u9 K, B4 i
else
: ]9 J6 W0 y% s9 D; U, q # u5 k% a( j6 I& i/ T# a
adminid=data(0,0)3 q: D& D* N. S; ]! v7 |3 Y
3 Z# b! ^4 U: D+ m3 `% Z
adminname=data(1,0)9 f; ^/ M/ u, Y- m& Z' U8 B) F7 P
& p" ~% s- l3 t
admin_page_lever=data(5,0)- |6 T n1 b" P
7 {9 K1 Y! x/ L7 badmin_cate_array=data(6,0)
4 C" {+ w1 D- q6 Q% Y( k. z$ M; O
1 x, q. M1 g* } Hadmin_cate_lever=data(7,0). v( ^+ g- r. c3 t$ C2 i- C5 k' P8 _9 C
0 n- ]6 _6 s& w3 C; W
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=04 A5 d+ c, B; c! ?5 K' k% b( Y
7 \3 r2 L: I5 Z2 L2 q/ F" Bif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0$ u' A$ c2 u+ l* ^1 E' u9 b
0 j& \9 Q& E' F/ ~
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0; T9 D9 @2 a5 N# d
2 C F6 Y) x# q6 d- J+ ?, d9 M" {
if clng(admingroupid)<>0 then
& z% G" H$ b5 W8 k: i . ]3 H Y" V+ W& c V3 O- Y
admin_lever_where=" and menuid in("&admin_page_lever&")"
! O* Q) r. V: z$ j! G* ^, ^* t ' l/ g+ W# ?; ^+ k5 J7 N; G
end if1 j! X* p& ?0 Y+ U& D
! m4 F0 [" v8 f* r, d
sdcms.setsession "adminid",adminid: B& s B) K0 X8 b
( \: R+ @0 O2 b% z
sdcms.setsession "adminname",adminname+ P* Z; ~5 y2 ]7 a6 ]
+ a3 i2 H7 a* b. Ssdcms.setsession "admingroupid",data(4,0)/ E s q: I( l1 ?1 ~7 G
, _6 }9 _" ^$ L: ?; mend if
0 y4 a6 \2 a$ C# J: I$ a
/ c; J3 P9 l% Y8 V* P$ \end if
! |6 n9 O7 `! ~: Y+ J! @ 6 q+ ~# O6 ~- e0 I4 c6 X
end if$ L+ V# m. P* ]8 q+ ^
! U: G0 w, K- O" L; _
else
a' s; q' l) i! n- v8 L; ~% G# B - H+ z* f/ l/ b* N0 F7 R
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")/ ?3 W! S# \% r6 ]. w" V
* F( O$ k7 ^% v$ u$ N- m8 k6 N m {
if ubound(data)<0 then
! ~0 U8 c8 R; u: U8 h% ` ' Z7 t+ \' r( d1 W3 H# d s
sdcms.go "login.asp?act=out"- G: b7 x6 t$ J+ N g U
+ x1 I+ r: L- n# x) {. s
exit sub
! Y$ X; `8 [0 W. m0 p7 k$ T
; U% @$ `, A) {. X( B/ I# h! e% Welse
+ X) J7 f* Z1 P/ a! |& \
/ V4 ^2 v; x4 j2 badmin_page_lever=data(0,0)
4 |) G) s# y: [3 ^ Q+ D * z: ]+ Y3 A* q/ k, _2 X; V; j
admin_cate_array=data(1,0)
4 o: W0 [7 b0 A/ [( F. M
3 d# P8 }5 f* g* Y" radmin_cate_lever=data(2,0)! r6 ?& J; ^+ ^9 z: p7 U8 K+ _
: ^% w7 _) D8 ~) W! R( C
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
! I7 X( J/ B( d/ G9 _2 m
' d7 h0 [2 A7 S. ^5 v7 qif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
9 j, l# }2 f% s0 _2 E # P, t5 o8 T H. C: w c/ O- w
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
8 Z% N; N& ^: p; X
4 b* s' H* u) y$ P8 S$ w" U- nif clng(admingroupid)<>0 then/ W# N3 d8 g, i5 r( s$ @
W8 A8 B8 o7 ]. A0 m0 }, S1 ]" W# Badmin_lever_where=" and menuid in("&admin_page_lever&")"9 t6 h; a7 @8 f8 V% B" \
9 z5 m8 s0 |* B3 ]
end if/ n. _- ]0 q/ W- D; b# b
5 g) Z3 M% d/ A% s. ]end if
7 ]7 T% @& ]6 Q4 k( G 6 `, A% }, E( b: j4 j
end if: c6 f" X, p/ O/ z' p. \# h8 Y9 K
1 M+ k, W) S+ L( S& B; W
end sub3 Z- P5 z6 ~9 \$ h! ~& ~
漏洞证明:
( q1 i4 q2 i: [看看操作COOKIE的函数
% Z7 E5 e9 `4 Q5 X/ Z [
J" J: F0 R( ? [6 Wpublic function loadcookie(t0)
# {) d) f0 ~. C! c
4 b: ~5 e; ~- `. {5 ~; B4 B5 rloadcookie=request.cookies(prefix&t0)
1 ]* p- S) u* F. U6 K& k. | - m1 [2 e& o0 Q/ }
end function
8 r6 g& d! E7 X" d) h
# s& K2 C# ?# A1 b+ [7 zpublic sub setcookie(byval t0,byval t1)
/ p/ Z" @/ q; F* Y2 Y5 l& e" X 7 o6 m8 H% |' i9 f, Q3 v3 X# x
response.cookies(prefix&t0)=t1
, m4 c% U/ |; Q5 y" z2 \ $ E% f5 M. w4 N4 T' q- z* z Y
end sub
& I! _, h( q. k8 u4 L ! \ n. P4 d# l! A: F' v/ g7 H
prefix# ]: y" m) U3 T, N
4 o$ d! h: @8 @0 H5 |4 {'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
3 }* t5 t1 G& |% B0 ]1 ?: A ; N/ a0 q4 V" X* E; Q, z) D
dim prefix3 J1 ?( ]5 G# A, K4 ~
{3 P" ^, F! b
prefix="1Jb8Ob"" r; n$ i7 Q5 o! T8 l
5 c$ R* ^" Y" _9 {& a& t7 G0 e: ?'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 0 I0 h& j, E% G$ L: Q5 \$ J% S
, t: F W% W; I* B: _, osub out
* a# e! d8 _. M * q8 |5 H/ ]/ C) d( E
sdcms.setsession "adminid",""+ O+ J+ U( S8 d9 k1 S+ n
7 C" `- v2 x! L* j
sdcms.setsession "adminname",""1 e1 M H' w3 [" C7 T2 e) v
0 P: z9 [% [. k" D) Lsdcms.setsession "admingroupid",""
, Z) f# l7 P/ E- j 4 H, b S p( Q
sdcms.setcookie "adminid",""
7 P' W( ^5 \+ Z/ n% f 2 b* c; I; _: `
sdcms.setcookie "loginkey",""
4 c7 p9 q) ]* V* y; o 1 c7 B3 `. ?1 z
sdcms.setcookie "islogin",""
% n( v; w; F- s9 | 5 P- X+ c$ T' Q, ^' l
sdcms.go "login.asp"; h& Z& n$ t/ g# x
m6 S+ j* \ wend sub
7 t& g1 S/ y. A, \1 k: ?% z " ]' v% |# {& E
" |/ f& I* e7 G9 }! J
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
* ?7 J# e1 ] j: d- F* w/ v修复方案:
& u9 n0 C2 [5 @ g( g7 N5 s* w修改函数!' u! F& m7 Q7 S5 ~: Z* u ?2 k/ O2 x
|
发表于 2013-7-26 12:42:43
收藏
支持
反对