要描述:
0 K7 h2 z9 e5 }# m! G+ a& {
/ p! ]! J: L! ~3 ySDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试) m% [/ E9 o. V: [
详细说明:
- M1 z6 `7 e9 p; P3 k0 j% GIslogin //判断登录的方法
X, Y; m5 k7 f7 B! H 9 m& `. q1 v- T
sub islogin()
, J/ k! R5 ?7 C3 w. k7 G( O, C % z6 H' o4 t; C( z. o" r
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 6 G& ^/ t, E) P4 O
/ L ?2 f* H8 Q
dim t0,t1,t2
4 H$ H* O% D: C8 }- `/ ]
- P; e: }- r9 Q' h0 w; St0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
, W/ P- K; r) _8 p0 Y+ L
0 D# U) n5 L lt1=sdcms.loadcookie("islogin")3 {3 x+ p, c4 {! X: f
/ n/ W8 {' u3 l/ M* L# yt2=sdcms.loadcookie("loginkey")
1 f/ H) M: Q" I8 W4 e1 J4 | , n# l8 p3 m% c% f& _2 h
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
: l- R3 J/ B$ u/ G* G. L: D: j
% }" Q# o& F2 ^* |//
) m+ \7 i6 e! W& \5 U
+ a* L8 \, {9 F9 R) ] w3 Y8 Rsdcms.go "login.asp?act=out"# s( Y& _7 l/ b- F# t( ~" ~
. p" p n- ^6 s$ I
exit sub3 P2 l* e, `" u
* R% A/ W5 S7 o# }7 m4 C( x" I
else3 v7 [6 I. ?/ |; E6 o0 k1 z
# ?/ G9 [ c, `* A
dim data+ V0 `3 x% I( B. P
6 g) d5 N7 T2 f
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
2 S9 z4 |0 c3 I1 L% r) C . x' ^, e. Z0 F0 f5 W. r
if ubound(data)<0 then
' Q9 ~% D0 w( [5 X9 r & ]- K. V' H, h6 a. ?8 t
sdcms.go "login.asp?act=out". o& w2 A3 L2 N8 l+ h1 Q( r) l, h+ \% d' h
* C5 ^2 D* ~* c. yexit sub
O5 b2 [; W: y7 P5 C) ]! A 7 A, q! I) x& G k( ~
else
7 @' u6 A6 A8 I' U' G
+ f8 C# @1 y+ {, lif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then: ^ \' X& V8 R
( Y. V( n1 G) P9 u+ F& W D! Fsdcms.go "login.asp?act=out"- o% e" U V) a
, A- c; Z c } y, ?exit sub
; K& C6 M( N- S' t) O
% Y# `. T3 A5 J1 U2 X0 o. [$ G/ D# celse
D+ a# E% N; N6 p3 f! A
( @, t, r/ ^# }# p3 L, ]( g7 Zadminid=data(0,0)
/ z; l& F4 Z0 c0 y ^' w & G" z/ B3 D( Q3 Z8 |( H P
adminname=data(1,0)
4 n8 }2 H7 M2 v$ K, u8 W 4 Q; c- Q% d) G$ F1 F G; Z3 B e
admin_page_lever=data(5,0)( j( X" V& F1 v% @
, N' k3 w+ u/ ~( w; radmin_cate_array=data(6,0)" ]6 f" h# m1 P+ _# M: V
% g8 I& l& i3 L* Z5 }admin_cate_lever=data(7,0)( v' b; Y1 B5 I9 b2 ]5 O
0 |( p' e3 k3 y
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0- m4 c& T" V% j6 B6 y# b
% n8 U' ]. `8 ?" C J* o
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0( H" h% U* Y& H- o$ {
5 E+ J) \' d6 q* `8 l+ `3 O5 K
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
7 v; @2 w! s# s* H9 Z. y, H: M
; j0 m8 k+ i0 X8 u: a2 \9 G( xif clng(admingroupid)<>0 then
. ?( ]- }" n2 M8 h
; L, i# y- I" e2 _& Q7 cadmin_lever_where=" and menuid in("&admin_page_lever&")": x1 L) @; }- k7 N5 K3 `
$ Z. M v7 H$ F0 _) w Eend if+ x9 q. x5 m+ r0 H6 P
/ _9 Y: S/ }1 B8 V3 osdcms.setsession "adminid",adminid
7 E: ^( q) E# @ P5 r$ k+ }- k: ?
, b+ r& u( K7 O: R3 p1 \" Usdcms.setsession "adminname",adminname
; N' K! F* c1 O% L: ~
$ E, S# R+ u9 w _0 f# Y Xsdcms.setsession "admingroupid",data(4,0)' |+ u' I/ @3 z& y5 Y( T# K7 o: |
1 k( z' ?- _& e- D' w, y/ Cend if
1 w$ \7 ~9 Y; U1 Y$ T$ g# R0 V 7 u5 _% [0 s! X4 H9 t
end if
. ?7 J: `# H+ _- |& H : N. |+ A7 |: P" s7 ]. ?
end if6 _6 ~! ]8 @4 b; G- J. Y) b. J2 {
; f% {6 H; N9 a
else9 K0 [. _( T* q; r4 z4 Y3 B8 D
# ] t" f" e/ g' _data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
( S1 U5 M5 F4 `! x0 i! |0 p' z
5 N! E a7 p4 G+ ~$ Vif ubound(data)<0 then
% q3 T! s1 W+ h$ x
- V+ ]4 e; l* z& @8 }+ gsdcms.go "login.asp?act=out"% g9 j3 I* a/ M: l* g
: D% j" I6 @2 U* r; U, n9 I9 `
exit sub" k: N, m* a: }7 }4 V
7 r( a1 G$ Z* p$ V% Q3 p" K0 T
else
( X3 k# x' @; \2 b1 N . ?4 P- E0 n" F: R6 r6 d4 P
admin_page_lever=data(0,0)
: H' e9 d( ^/ M* [8 A( i! j
4 u! T* y( F' ~- X; f5 t9 ?* |admin_cate_array=data(1,0)
- a" S. ~+ Q' J! x5 L8 A& Y
. I. ^7 @% B! ?7 N$ ^admin_cate_lever=data(2,0)
1 m* D. s: h% b- h" i 9 C6 ^, e' R. `! _
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ z: @ y! S9 I# ^* D
, w$ @" j6 _) n. |9 ]
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
' Z/ m+ q% r- H- }
' U/ L' S9 I4 E0 Nif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=08 J5 |6 t. C7 f% N* M5 U: w6 A5 ^
6 H2 N; U, d0 f4 i$ b" D* s5 V/ Xif clng(admingroupid)<>0 then
" e; i; p0 T9 _- ?) a5 I : \& A: I* P: e" O; k$ N/ n+ B$ z9 `
admin_lever_where=" and menuid in("&admin_page_lever&")"+ \! Z' K6 W, V6 ~; w2 q [
1 Q# }5 ~- B$ K [' Z3 Oend if
' ^- K; R- L5 |0 S% t) A# x4 p* p 2 d) m4 \1 U' b1 q3 T _8 c
end if
5 `+ m" X; l1 B9 i
6 A( N; M. i5 Y" |6 ^end if
6 X7 y& y: j: \- P6 ?' ~
1 r i) q9 o/ w9 O& p) Hend sub: {3 K; a4 X$ L0 u' m
漏洞证明:* X7 G6 U9 Z( U* ~& m6 Z
看看操作COOKIE的函数
' y9 D2 r! z9 h) P
4 ^; L; V& o% P# vpublic function loadcookie(t0)
% \. R* V: P2 {/ E) H" V 6 D$ K: v1 s4 e3 O+ j0 e
loadcookie=request.cookies(prefix&t0)5 g) i# O; H" x& b& p2 J
, Z# W1 c. M/ Q
end function
) O) {) ^+ o( s' n; n* i+ d. y7 ` ' C+ ^& J' G% b* F. s/ N A: E v
public sub setcookie(byval t0,byval t1)
& c/ j# H' l, G- F% ?
" k. `1 `& s7 h/ k7 Vresponse.cookies(prefix&t0)=t1
: f# H/ k1 y! k6 ~. J( B0 e
1 u( @" N, H, e1 pend sub' A8 x; h4 d. b o
A' w: ]; i6 h% W# u& V: F) @( R
prefix
4 u# \9 N/ k) n& n ' Q% U' _6 f# a6 \1 E
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
8 M( @2 u8 s3 k0 l( G2 Y' V & W: X$ t& ?) y- v2 b Q
dim prefix
4 _* U( a g! g% v# R0 O2 ? 2 ?/ w8 |' }: M$ a* d
prefix="1Jb8Ob"
( K$ K( R+ T; G+ T& ]( |
8 @/ O b$ g7 e/ r9 b'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 8 y% Z* J0 z( q- o3 q+ r
8 X' |$ @$ D5 |& I$ L
sub out
! i1 V. s' R/ o+ j- R! f; E" Z& h
+ M5 W2 A' u F! E6 z3 gsdcms.setsession "adminid","" I4 D2 w- t, R8 z1 Q8 @$ f$ U' Q
0 ^% @/ {% @$ |% F7 w1 I6 M1 r
sdcms.setsession "adminname",""4 s9 d8 e0 N' F3 |, O: G. T+ j# ?# I9 `
) j% u/ F; G/ s f
sdcms.setsession "admingroupid",""
$ N2 S9 o; `& K' V c& Z; S
% z7 r( |, {6 I% h& I6 Tsdcms.setcookie "adminid","". ?( b$ T" g; }8 d
" u! O1 ]: f6 A" |+ N4 wsdcms.setcookie "loginkey","". G9 i5 z! H* W F7 }" N
% I! ?5 K0 _% F1 l5 esdcms.setcookie "islogin",""
* n: h& R0 x( ]% A9 t/ c
8 i K, T: S' @& q1 Rsdcms.go "login.asp"% @5 y( S$ {0 [9 D! ^9 d- C$ n: t
6 R! U d M; U" H, u/ ^
end sub* I; c% C6 U9 U3 N5 F4 v" B/ o3 s
- i- D! J$ u2 X3 b( _9 N9 A- {
% b7 _# c+ Y& @ ~利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
; @) v! [% _( e2 C0 H修复方案:% V5 a, l1 q" B) y3 Q8 f
修改函数!5 s: n, q4 ^' e
|