要描述:7 L( C, k% M4 _0 o B( x
% b4 g- \ F9 }. V+ nSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
. I) C' q9 b8 D0 k5 N& G3 j详细说明:) N9 ?( H6 y+ F6 m2 D: X
Islogin //判断登录的方法5 |4 W' U: D8 r; q% g; `9 Q
7 Y- }; E% }) J, b% a; Y2 s1 |
sub islogin()$ r3 T6 r: P6 p
8 E, V: x0 G6 |6 Bif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
9 p {& L" a' j) \( N9 E5 f
- H9 P6 u& N! v V- edim t0,t1,t2
, O* }5 J8 f2 c
$ J$ l. {$ ?, t* Vt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
- ?0 m7 }8 B& Q
, j! d( m$ D8 A' K$ Lt1=sdcms.loadcookie("islogin"); X j' k5 K3 {
% @, L5 K7 P" p6 a) B
t2=sdcms.loadcookie("loginkey")
3 ]; b2 H5 u8 ?7 h% ^' H3 n
4 J6 t+ @2 K$ p8 E. q0 |8 `if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
" P( k5 e9 A* Q ' T7 X* \' g5 q9 z
//' U' r4 b2 B" J2 }% h- [
6 u; o% d/ A$ Q; U5 R" q, W9 y* ]
sdcms.go "login.asp?act=out" ~: ^" A2 g9 a1 q
2 j& {5 b/ y4 ^' A9 kexit sub! \" c" H" e9 M+ }9 i& E3 p
/ T, w) V* L5 o9 Q
else/ y, B; e& E; T5 M4 {( t
+ W! z) c6 U" b) {/ b0 Ydim data- _' i+ ~/ O4 B. U! L/ O' d
/ @( \: `# T& S+ n# i6 c* M
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控! K/ m. a3 Y u
6 [3 K1 ?7 w3 Q9 ?
if ubound(data)<0 then$ B5 c1 B4 z) ?
; j+ i& S0 J2 Isdcms.go "login.asp?act=out"
0 C u4 z8 T; U3 I$ H 1 J/ M! b" ?. R9 N7 ~5 K( d
exit sub# y" Z; A2 D( m2 `, E$ `
6 E% h+ Q7 x0 Z8 x+ S
else
, `6 G0 j R0 K$ [& ?/ p# K* u P 9 t$ U# s' b5 b/ u
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then1 }: [0 X& a6 F% L/ c, s# j4 Z4 I: T: M
5 S& H% V- s! n
sdcms.go "login.asp?act=out"
) y* l# |- }* r0 J' i( m ! g. A5 V& }% R' K. S
exit sub. F6 n. p% n( d
) Z" g, X+ n. i* }0 J/ p
else; Z( Q2 w/ F" C
: Q3 g( H9 w$ t$ r$ D5 y8 iadminid=data(0,0)# ~6 | Y g* {9 }% ~
V1 x8 A5 Z! p) U y
adminname=data(1,0); n# I$ j' d0 O6 `4 y' i
. H7 h4 o1 ~6 Uadmin_page_lever=data(5,0)5 I' q: R8 @, y6 E" k% ~9 |
7 m; G% w) e1 @7 S( Q$ Z7 d( u& z# b
admin_cate_array=data(6,0)
( n* V1 U) Z8 R4 D" f) N+ c( V6 M0 R# P # Z+ L& Q f( S- m. Q; a
admin_cate_lever=data(7,0)
1 u" m; H3 m* X' T1 A
9 W8 @8 |- b% H% Nif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
- Y! a" {1 Y9 h7 N! q* ~
g1 c" ]3 B( w& g2 H+ hif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=01 O0 z+ X+ r W8 B
5 W# p# j, }& v% O6 Y' t
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
/ R" W e' K7 I2 \9 W5 N
d+ H" @' i* v* Rif clng(admingroupid)<>0 then' ~" {. r- V9 w4 ~- M, l
4 l" U. R7 k3 L; Kadmin_lever_where=" and menuid in("&admin_page_lever&")"
8 [& e9 k0 e4 e7 X$ z6 a) c+ T+ W + x1 w# D1 P$ Q- A+ ~2 D
end if+ k3 n1 _& e- [- Y0 h2 V! z
* c4 [7 w( U! X( ?+ P7 O) y) O
sdcms.setsession "adminid",adminid) x/ k7 F$ ]/ {
, P9 @) l0 ^6 y; |" f
sdcms.setsession "adminname",adminname" B# i) O* d$ I/ K; T+ i- G8 g- n
- h/ C( _! f8 I" p3 o" s" j* R6 usdcms.setsession "admingroupid",data(4,0)
5 q; ?1 R3 G+ E$ y( z$ p
* y3 k7 M- Y! L" }2 g7 W* gend if
3 t& r \! e @: X5 D2 X ) w. u7 R, e }7 ?- N
end if
. ?2 n5 o- P# C& @8 o 5 _4 l S3 i6 S) @3 \& A1 O( R
end if
& r2 K/ c' a' `* J# |( q7 H+ Q
% | E1 H4 j$ d3 v2 l' E9 D: Qelse2 j* C8 w f% O
9 r# L' a! U Odata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
|. M' S1 o* }/ c, g2 q* h
- R! I0 w+ I& X- [. g( pif ubound(data)<0 then
& N2 w# H, j1 R* Q/ d1 w
% _) r' Z" y% K/ k: A) c9 v, U: Nsdcms.go "login.asp?act=out"% K* Q" \. [- W" h
( i u; [6 y! n3 |0 b' u
exit sub% [6 W6 K. M/ }
+ ^6 e! ]0 t! [
else
8 n7 f& o+ e# S( d! w
4 ~0 }9 v5 U! r" Y( [admin_page_lever=data(0,0)
6 \2 P. m$ l4 M) Q9 \8 N7 z , g/ U" b" {; K( y& Z9 K
admin_cate_array=data(1,0) }. V+ N2 _8 _/ ]; r" k9 v3 B
/ U/ _* q; }" l0 d7 r
admin_cate_lever=data(2,0)
: H# f: v# a8 s. S4 ?5 ?( [
1 }5 o0 F% V6 Y$ p6 Gif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
+ E5 Y, p) F: j! A( C& h8 l
$ \* v) X q0 m: W; Q/ k# Fif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0+ i9 J; _/ H* O' D) m9 t t$ u5 {
1 ~8 K0 ?* E W$ q6 I
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* q$ g* v& d0 k3 c, s* g& v 1 w% [* b% F4 o$ `& S
if clng(admingroupid)<>0 then
1 T: ~. ]# |" L# p5 a
$ e2 O y' c6 O: L+ N9 iadmin_lever_where=" and menuid in("&admin_page_lever&")"1 s7 f, o! J' t D
! F/ G2 o! K3 M! u9 X
end if
& l4 t) q% P; d Y6 M) F/ D 6 f. r, g' S1 F. s
end if
8 W8 V1 e% h* c1 [
' T( N2 \% B( {% ^3 J4 ~end if* ~ v2 b) I8 k E( g: D: M& f& x
! q- T+ T. b3 ?% fend sub. z v) U7 X1 G
漏洞证明:
. m2 t8 G+ Y6 |6 S看看操作COOKIE的函数
, N( ^- Q+ h# q ; x& v% R4 @2 G& w2 I
public function loadcookie(t0)
3 T2 u- v; A+ k; \5 K ) r1 c0 N v' G7 [, _4 P3 \2 Y3 T
loadcookie=request.cookies(prefix&t0)
7 e$ u7 f2 d T0 u3 y& l: I4 T8 \ ; J- R3 n3 c/ J8 g
end function
/ ]* a4 w( c' K 3 h3 h5 }% I6 G' b5 b+ K5 m
public sub setcookie(byval t0,byval t1)
! T5 ?% x( K* r; \9 v" q6 R0 [ 1 [9 _' |+ D, \# j; Q
response.cookies(prefix&t0)=t1
0 B6 y+ }" j2 y; _% _ : X$ d& P5 w# F0 Q. ^/ ^
end sub
/ E9 [% V$ B( H# f( L* u, \ ; R: {# N; P* `4 `; n
prefix
' d; ~- v' a7 }- p1 a8 W5 t 1 c1 l5 U' m0 \7 O4 q
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
1 C+ G$ n& A" C - f/ u( D; Q2 }* D3 Z( G" A y
dim prefix
) q- X* {2 @2 E" w7 Z; A H 9 X9 \! a- y: N, T1 H6 s! c8 j
prefix="1Jb8Ob"
! [% Y* V5 T! U: j6 w1 l; ]' B
' F/ }& c6 F6 ~. k& m'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 8 W7 ~. q5 X( w/ ^8 a
3 Z0 y# T+ o* s( w7 b* J, isub out, S, r4 h0 m C+ G
& N, D3 Q! n+ ?6 k
sdcms.setsession "adminid",""
0 t; f h/ [$ _4 j) p7 Z! s
8 z( ]5 K5 Z+ ~: V8 esdcms.setsession "adminname",""
& A, e+ d0 }7 m' K & U9 p$ s1 Z- e8 c/ N1 ?; U
sdcms.setsession "admingroupid",""# I) H- P7 W) z& E; B* \7 L' l
* f, z5 v. t% D* Esdcms.setcookie "adminid",""
" U1 B7 G: h- J$ I B5 W / f+ Y8 J9 N0 T8 j5 R
sdcms.setcookie "loginkey",""
3 j' F- K8 A3 G# O; _" R) P% j/ P ' D: a6 \& \- M8 z- h( B3 r
sdcms.setcookie "islogin",""! k" N6 ^/ E* J4 O# P% ]+ C
) D% O0 j* A; U' Tsdcms.go "login.asp"
9 k* j& W+ C6 O1 n6 |! |& m
7 P: T3 U; o/ J7 m+ Pend sub+ r' x# k. L' q+ P! V
3 |- L# M9 |& L; C* @( ~% c
; F" B* B1 @% W+ v L I* E利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!% g. U# R6 w5 |0 F6 \+ C
修复方案:
$ F1 r( v( e& L2 G/ r I修改函数!2 ^9 ^/ K6 K! I( O0 M
|
发表于 2013-7-26 12:42:43
收藏
支持
反对