要描述:
% h% V$ @$ e5 T
* @' a0 v& ~* bSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
9 s3 J3 ~+ X5 ]2 A; E2 u详细说明:
; z9 C: @% |5 jIslogin //判断登录的方法' N# [7 b: h- L+ d# W# u* y$ ^
/ y% p& V3 w" @2 Wsub islogin()
! M" X. ?" j$ H. @% z- j2 F, N
$ U I! F) \, @1 xif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then $ b u8 {, q+ }% H' q2 T
; V: ~5 v5 G, Gdim t0,t1,t2
: [ ^4 G. ~* H1 A" @
& Q$ U! Q: b" j$ O) Lt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie * S' n N/ g# G: L [3 r3 g
# t$ A4 E) s4 W- e$ C; L5 Tt1=sdcms.loadcookie("islogin"): t1 {8 O k+ ~% r- e4 ^1 J
0 a% p8 d/ n" h- i9 b0 q& b7 @t2=sdcms.loadcookie("loginkey")
0 Z* P5 k c* y
/ g$ x, U. e; o# B* l$ D+ p, Z( ^if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
, @8 ~9 J+ v4 L8 ]" m8 _' d0 z0 g
- Z. u( Y9 u# J/ [( p//( h( N5 G$ ?9 o: X7 f/ B
: s0 \7 q$ O5 e( n
sdcms.go "login.asp?act=out"- ^2 @7 i: M; g# q. u9 Q+ m
6 D5 I: q. |( q+ Z3 u2 e, fexit sub1 y f2 _$ \7 s) g, H
# ~% G! j9 H4 w, |' B
else. w3 N' g! T5 P( ~4 j
) p0 M6 ^ l6 i: V m! ]7 F9 {# t$ S
dim data
" g. Q: u/ f* G* Y
% ]3 o7 \" n, } @1 _' cdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
# c2 n. i( N# h; M8 A# Z9 H / x2 B: S+ z$ \8 r/ U
if ubound(data)<0 then+ Q- u+ [9 w1 q( a+ z8 |: t, {
$ l! J$ J# a. I+ |4 Isdcms.go "login.asp?act=out"
! E0 p0 J8 e3 a+ ^! N. ^, l
) A5 d# f3 O' Q( t- `! ]: y1 u4 mexit sub4 V. P& E1 z [ ]" l
" n9 Q; J' O$ o v4 ~else
1 ^: _, V# o" b! f 2 ]* p6 U# H- X, j
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then* _# w% ^1 i( p0 N& G$ y0 y
4 ]8 m& `& h/ {
sdcms.go "login.asp?act=out"8 T! ?2 y P; \5 p* {7 W# E
S" d" H6 G; |9 `( dexit sub, z) L8 W% y: o
0 G7 N. H2 z) ~: F9 ^5 L! P7 Qelse: o) H: q. s# R! J7 |$ }
2 Z- A6 j6 ^* a9 P" d
adminid=data(0,0)
& H4 a3 A7 d; j% I: O: b, { - L$ w3 F, X5 ^* i% ^% v
adminname=data(1,0)
% P3 ^0 H e6 H7 V, N& a
% v" {/ F% N2 s5 K t# x* Yadmin_page_lever=data(5,0)( v+ S, P4 H4 J) m! T, S2 p
& U/ s0 W9 i' g5 @+ Y$ X
admin_cate_array=data(6,0)
% R, \: y/ |: {( W/ _
, J" p# c5 D8 D3 L0 W0 wadmin_cate_lever=data(7,0)
7 Y$ c& u" q0 a& V7 u( H; V
, i; u0 ~/ F3 T$ Aif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
2 |9 ?7 l' j) ]: j2 {
- p- A6 ]0 Y# F8 b% t% f) ]( @, Kif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0% ]/ E7 ?$ ?$ B; W$ ?
1 s2 C0 {5 Z7 x& j5 T9 g. O5 tif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
r* G7 Y# [ n- j) q & |+ G3 ?( q* a* A' y
if clng(admingroupid)<>0 then/ R$ I- u& ?' D% A+ {% H+ u+ R
( i, ~. Q& k% H+ a( f; X. o
admin_lever_where=" and menuid in("&admin_page_lever&")"
# y5 A) J0 U; a 5 V; m+ I6 Q$ J+ h/ \: G
end if2 t$ [1 s: S9 }( y! j
3 _9 @2 P( {) e8 D
sdcms.setsession "adminid",adminid
" p9 @; R9 Q8 E |
+ t" K! P) ?& z1 s' N* g# jsdcms.setsession "adminname",adminname
2 @3 F9 Z Y! f9 l$ J; F, t9 t, g
' h2 i& l- t# G4 ?( dsdcms.setsession "admingroupid",data(4,0)% c/ r5 e4 _# s: i. Z6 i4 {5 o
- R) ~9 _- i2 s) w) ]; F. A
end if( z5 o' R8 R, P% [; |9 E3 h T* m
, U Q q# f) |+ w' bend if6 I* h, B2 K* A; y8 j
q( H6 ]- X5 v. fend if! F6 d2 q8 ^: e1 c0 ^* }: s
. u# ~$ u; C% f: h, E/ T4 M
else0 `: Q: E& r: s: g
U! J% s" q) N. T; e/ Pdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
' `8 d) n9 G6 K6 u3 @% }
5 w {3 [' b1 n0 t+ wif ubound(data)<0 then$ } A- y0 j4 P5 H4 C
' I0 i/ ~& V+ S( L3 M& r
sdcms.go "login.asp?act=out"
5 r& ?8 q# X( i* n
Z' V, q4 D) X. m( k/ b9 hexit sub
1 t! s% x0 ^' L; Y ; H3 [( f: P: F3 J- S+ g: s+ L
else5 a7 @& l; ]7 O* l, R
- G' z- B! ^8 |1 c% M5 o& `admin_page_lever=data(0,0)
3 m V1 {/ A6 b, e6 G7 Q3 j
& t0 C# j; _: s. ?8 x: xadmin_cate_array=data(1,0)8 b7 [4 C9 D3 Z0 ?8 T
) m1 d& k1 [; |4 A. i3 B. K T9 ]8 i
admin_cate_lever=data(2,0)
: T3 x7 _0 {% ~6 Y: i: [2 F1 v
% |. B# T5 E$ d" D& H. yif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0" e. t3 J+ ]& B' t+ H' H
. a" E) H4 L( j- w# [5 qif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=08 v6 R$ q* n# K; L" n$ y4 X' |
5 o3 A; `. ?2 @" a2 |- i1 N& i) fif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
( M% ?8 H, \3 A! s# T1 M( u" ^2 a3 y 0 W$ P8 k2 t+ t4 M) u- S, `
if clng(admingroupid)<>0 then+ G# ^( [; w* B' ]8 a) H2 }+ X: N
' l7 l( P: A a- k( a
admin_lever_where=" and menuid in("&admin_page_lever&")"0 ^; J: a, W" |8 B& k7 c
- ]& p, E3 u! u: m5 i$ S1 J' o
end if
1 _) V7 h4 A: h1 |% O" d
+ a. o1 U/ a$ f2 }end if
# S+ l6 W; l/ }
0 {) l8 W1 d2 i+ `2 xend if* t' L+ f0 w4 i
" A1 N" f( u! a+ Uend sub9 L3 v% {. a1 [( R2 g, J' c
漏洞证明:
$ u/ B4 ^6 e2 _) g- X: s8 Q0 ~& f看看操作COOKIE的函数
+ N2 p+ v# R- v" L+ `7 f1 {! y ( G9 k; m) p- B6 P2 ?/ ~
public function loadcookie(t0)$ ^5 K( ?. M v* W
0 e6 i; P: @, x# p9 sloadcookie=request.cookies(prefix&t0)
0 ]4 F9 o7 `6 J% ?. K0 S
0 y7 H7 t6 {0 U5 g& H! Aend function) a" R% @9 t# R$ {7 W& B
' y% d9 a: D1 rpublic sub setcookie(byval t0,byval t1)
) ?6 T8 D/ ?5 l8 n8 \" o% m
! p( r" _$ B. L8 m0 [3 ` vresponse.cookies(prefix&t0)=t1" p* f5 _+ x' y7 J2 T6 z
& k ^0 D q# l" D( j: c9 Vend sub! G. Z4 [7 ]9 k
1 d- ?, v3 w) y _
prefix5 R' z0 Q, J9 v1 R2 D
/ B, J7 @, K! U/ ^* T) `'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值2 H% p" x/ Z8 k+ R6 _
- a- l J' e% o, [ tdim prefix- U& |% Q8 w* Y7 A# D/ d* }
8 N3 j3 r% M0 I; x/ Sprefix="1Jb8Ob"
, N$ [6 s9 t1 R- i " O% N7 Q$ J; K# s
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
. ? | c; A. f+ S1 I! j- j- ] 3 W, J; s% \" _5 z
sub out
" P# @% s% N N! B! p5 F: { B2 R / P3 |/ a; l; @( h3 |% @
sdcms.setsession "adminid","". t; a0 H7 B/ `) l5 E' b& m/ n2 I, H
- ?3 ], e9 y" U1 x/ U
sdcms.setsession "adminname",""! L4 G) w; I: ^1 n( G
s' P" T6 F x- Isdcms.setsession "admingroupid","". i+ P7 h' c) q$ e' t( e
) `- m J0 J1 ^9 ]6 z& I- L
sdcms.setcookie "adminid",""6 \# k7 I. e- T2 s0 b5 t$ [* [
& _+ s4 K5 A8 t+ E
sdcms.setcookie "loginkey","") r3 I1 B& N ]/ Q- c6 A
% Q1 K+ `( d8 Nsdcms.setcookie "islogin",""
% n- W$ R0 F% l2 l* W5 X
6 v* d4 h) N0 e% [& wsdcms.go "login.asp"
: u" q/ P/ A& E6 p4 b+ q0 B
5 \) l" e* d' Y+ _ F8 @end sub. I" h2 N" P$ }' ^7 h) n
( x2 x- x: l& N& X
$ \2 g& }3 i# X8 w$ n利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
7 n# F0 @) P K" X- s2 |3 n修复方案:) }& z1 c1 n! `& n- S; P1 o/ t
修改函数!4 J, b6 U7 \, \6 r
|
发表于 2013-7-26 12:42:43
收藏
支持
反对