要描述:
+ b5 a& M7 h3 o3 t, J9 J. ~0 K
( D/ y, T3 Y- ESDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
! G5 J5 C# L x9 X0 V4 y/ x详细说明:
1 Q9 I9 O: |2 t" Q5 AIslogin //判断登录的方法/ n, J9 R" v7 `8 d1 o' ]
6 m# Q! \6 d2 dsub islogin()+ u3 r. k6 S D& T7 R
' E( C9 c4 H; U) s, ?
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 3 R5 `# Q# r8 a- H2 b, d9 ^; d/ Y. ?& K
- X3 l7 w; h( e: ~
dim t0,t1,t2 : m) F& J2 d) x' M# I" t9 F9 \- K
" n' z$ {4 @; ?2 g* Ut0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
1 M0 ^, U6 a1 H3 q6 R
4 J1 D# V3 h3 }$ Nt1=sdcms.loadcookie("islogin")
u& c9 t% ~# h+ P" q3 n/ D
0 r* K' b2 l6 p$ [0 z/ Xt2=sdcms.loadcookie("loginkey"): S+ O1 m$ h! \! W; {% B% c/ A
; X; ]' `2 t8 S% p/ b# V0 }: Z$ Y9 L
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行6 ?+ e; o8 x* w ]4 Q& B7 z
& a h Z' t" G9 w( a0 r
//
0 [5 {5 t; n! j, o ' H6 H9 h3 _) p% R/ W8 E
sdcms.go "login.asp?act=out"
6 N8 d/ p- j5 \9 ` " P P$ M9 D% E5 u- y; w
exit sub7 N& n( e8 l! X* a
* P6 }4 a( E: r. A% h2 f) Velse
' }: \; O$ G% J6 }8 i6 g$ I
$ K/ t6 B1 m5 {1 p4 [$ U9 Xdim data X7 {9 q- F7 q3 l
7 T, g; R) o) R0 x+ E
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控! c8 X" F0 Q% j& l+ C1 W
o' P6 _7 g2 H m4 \0 N, oif ubound(data)<0 then4 C. [1 \: Q1 R* g: a/ b
$ a! c2 }$ L5 d& N/ u) [, {
sdcms.go "login.asp?act=out"+ M% A6 L& p( y: {7 p
; u3 f! M! _1 |4 l
exit sub
7 n0 I# z3 t+ I/ Z+ y
) j$ r* @( Z5 O6 L# Eelse. q6 a+ M a8 P, |1 z) Z
$ U! U& f- w# V, Y" l/ kif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
) ]) z* p$ v5 U; H1 M7 T3 u& b: y
+ i$ r- ?. ]$ O, Xsdcms.go "login.asp?act=out"
]1 Q* R7 E1 v; I: |3 w+ R
+ y% C" O. D& l" bexit sub
; P+ n: }- N4 H7 T7 x2 g, N/ b ! o, }. @7 u: D! h$ X5 z- E
else: w( U4 s) s; ~; }! v! U% `' j
2 F+ Y3 a! d5 d2 vadminid=data(0,0)* o9 D2 O" ^4 y; q, Z$ A
5 ?% V$ _% [7 E# l
adminname=data(1,0)9 R* _5 k8 ^! U% @2 U) O/ p6 J/ ]! ]
- l, ~- c# D, @$ D4 V
admin_page_lever=data(5,0)
|: v0 l$ e% C; G
' S! t* J) i7 M, [admin_cate_array=data(6,0)
8 H, j5 D$ f( g8 s. D 6 L) `) X) n7 C5 r& x y5 |
admin_cate_lever=data(7,0)
8 V, ?6 Z% H! K4 v8 d
9 p; K' n5 H% f/ o8 |if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=08 h& f8 f0 U- M; n) P
, v: Q0 R& t5 Z" L/ L0 w1 X9 S+ w; @$ W
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0+ }' T$ j# X3 x
2 t! v' ], M/ }: c( hif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0' p5 K! E' `1 I! t' {7 r+ j
% H$ d8 w3 k8 t- z6 C! J3 s7 Z
if clng(admingroupid)<>0 then$ Z3 ?4 p! m/ s$ b5 @: \! u
9 P. e5 K# f- \0 \2 ?$ P3 V' Cadmin_lever_where=" and menuid in("&admin_page_lever&")"
" Q" P& ^5 G, ^ S* Y/ b
3 n: K& p5 {& u' Z5 Bend if
4 b& I3 I+ m1 D 9 r3 n) U% S% q8 N
sdcms.setsession "adminid",adminid Y8 @4 P# t9 f) E1 W; V. h8 G
* k: P0 ~& c5 y7 N+ r/ H
sdcms.setsession "adminname",adminname
2 R$ j8 d; M6 V1 O& q& w
+ M% q* H m/ v. D9 l5 Nsdcms.setsession "admingroupid",data(4,0)- d4 \; c4 X' Z* q- B
/ O3 y& V5 j9 v" m* J6 u
end if
/ e0 A$ `- c3 A h( M" h
& o1 w: p, |7 A( ^. n5 F# Gend if
0 a; w1 T- }4 v$ J+ G3 Q8 y" l ' j7 p, B7 F* \0 f5 J! g
end if( E; n" ^2 ?0 r' y0 b4 f
2 b ]' q' V. Q9 R5 v2 f! W
else
1 E( h ^ w* X/ k* a J. F 9 a: c2 z" V+ T3 o7 o- h0 I7 _1 f' {/ w
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
0 b) p F3 p8 Z8 |1 L - a1 e' v" m1 {
if ubound(data)<0 then
, r6 W, L0 o. q4 d2 R" L9 H / S' C* L& b- r- ^: o& |1 h+ ?/ \
sdcms.go "login.asp?act=out"* C& @6 n/ Z2 v, i; \4 Z
\, S6 m$ E/ d0 i6 A$ x5 q2 I) O
exit sub4 a9 [1 i7 u( T f" O" d9 M
" J2 A/ v4 k1 H/ l2 C( X
else5 h* N+ ~/ y' \/ F7 a/ ^& P
) _6 Z; s7 Q+ Z: G' H. uadmin_page_lever=data(0,0)
6 o( Y: C/ L9 u: a6 `
8 ~ w7 H2 H3 j5 f& S; Hadmin_cate_array=data(1,0)
) L6 w& N* P7 G5 X1 E3 t; }% \( f - q8 V0 U% J5 u3 j' I
admin_cate_lever=data(2,0)( A0 m; s% ]) E$ h+ `& P5 l
/ e# s. t1 f: U0 `* T; x% `
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
' n. L5 A4 k( j4 [! L , m8 \# G i, i/ n( ^2 M
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0) `6 N3 L% j$ Y+ z. S
/ ?1 _# X3 h8 U; ~8 `
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
( G3 Z n# ?) K2 Z; p, E ' j( d5 U3 ^ v% u
if clng(admingroupid)<>0 then& }# C( }1 o+ ?* u" [! x& Z4 [
" W% C9 ]" ^8 B
admin_lever_where=" and menuid in("&admin_page_lever&")"
, Q" J$ a% Y, e K X 3 [; \% Z* z9 ?/ q k" h
end if" ^* @) r+ M2 g# H
{8 Q* o: i9 k, F* {6 ]/ L yend if
# j9 H0 u; K, T& H: N- V
9 m: i: j2 Z% Dend if
5 T% b6 I3 U6 H* h0 F7 w2 i
. L5 ?- `' y( ]/ ]$ y- Iend sub
p% c: o4 T( _+ }漏洞证明:2 S( k* T& N, G0 n; m
看看操作COOKIE的函数
' M% Q6 [' c4 W; A! f; l
7 D% W0 A r3 v j$ o, U4 `% opublic function loadcookie(t0)" z+ z5 [( r, B8 `! V' I5 M
5 {, G/ V3 f+ f( T& j, Zloadcookie=request.cookies(prefix&t0)
1 x( s6 T2 |# y+ t1 K' H + o. P7 m2 m) S- o1 I
end function- g9 @* Z; g) E8 K" O3 _3 Y( E/ a
% k ^1 V8 q/ M+ f% ?: rpublic sub setcookie(byval t0,byval t1)1 w1 z& r# y1 N) ^! u! w. G
3 k; v& | F! H( ?response.cookies(prefix&t0)=t1& _/ _* K# n8 v% K4 W
: ~' _1 w5 Q, l! ?$ o( _$ s
end sub) ?" i! \6 y1 v) o, Z& t/ r1 U) \
$ A8 W# y* g7 k4 k! n0 ]5 L) X
prefix
' F6 A4 `; o$ O6 P* d: F* _, F # k% c$ t; j) y6 y
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值5 E9 v9 x9 j1 |4 @3 t
9 v$ ^- E6 ^5 F U3 I9 n) ?: Vdim prefix% c0 A2 X5 q4 p4 l' E6 l1 T
3 M, C0 ], @3 _7 a" oprefix="1Jb8Ob"
8 g9 a. b6 b& s% C4 y/ L& r / C0 E/ b# G, h, b
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 2 E6 \7 `4 N0 X
" X, W, a4 D" @" v. \2 _6 t; }sub out, e' a6 d( {( |
- [. @# O: q- o2 T' s2 ~sdcms.setsession "adminid","", q3 _- {* e* ?6 V9 n0 d0 k9 \$ y
% r) o8 l h' T0 l8 J' B1 l
sdcms.setsession "adminname",""
) |- V% u+ I9 @8 S- N( w5 b
, X% f8 K; Y6 C! {, R8 R8 Esdcms.setsession "admingroupid",""
6 c) I- m3 ~) N* J) D
2 R; h% c8 j2 i0 a$ n# }: Tsdcms.setcookie "adminid",""
) e7 p/ t& K" ~" i! x# o $ w; [) M% V8 E$ s! g* D3 V% U8 v. m
sdcms.setcookie "loginkey",""2 O& f" e2 d9 w9 {9 P) b
1 h, m5 d0 r7 {# n- S) {8 H" Y9 bsdcms.setcookie "islogin",""- R2 f( f6 ~7 n. g( i3 P
) m' ?: A+ m! v# [0 G3 vsdcms.go "login.asp"# l. f! g/ k/ x2 m6 U. |
* {7 [# Q. ^6 Q/ ?% n
end sub
% b s2 n9 g' S6 Q% l1 r& b
4 c8 z# ~5 v6 H h, S$ z1 X- y @
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!* U e2 l" u6 Y
修复方案:
+ P# B: j' H3 ~ x* a3 H修改函数!
1 D8 d$ ^$ E% L8 h0 W# w |
发表于 2013-7-26 12:42:43
收藏
支持
反对