要描述:
: v3 Z% J* u) b7 H! y7 m* `
" E6 L- N y& ]% E* P8 ISDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
) e7 B) K: [$ B: z5 Q6 o( m详细说明:2 G! J+ V' s* ~; C P$ L
Islogin //判断登录的方法+ L! f& z& ]0 {0 p
; P+ ^8 x# Y7 j* nsub islogin()
6 I; E5 D# R# G. `4 |5 B1 K - r5 x8 R {0 A* V: R9 v
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
- O& i% z* K. E& |! d0 R
4 }, W' g* Z! sdim t0,t1,t2 ' X" a9 E; f s3 D' ]6 Q1 R* A
; P+ G/ p* c) Q5 ?8 x! O" E
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
% M/ @) ]5 N. E7 n 4 B" K2 J" z4 j
t1=sdcms.loadcookie("islogin")( k& {. [: s6 X! F( D1 O
6 _* r$ i( ?' S. M0 K/ nt2=sdcms.loadcookie("loginkey")
7 E4 A% [7 R7 y: d& U3 S # Q. a+ k1 ]1 w1 @: _1 s
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
5 [! j0 Y! R9 H) W. ?( W. z1 g
' |/ m' l+ v# w//
1 y' ~- N$ {$ I) L, b( q
# L) U' {* P" S0 {' u Ksdcms.go "login.asp?act=out". {0 q) m5 ~/ [; k1 S
; W0 I4 b) i! `8 Yexit sub
* k C8 b+ V, v# S; N2 Z / @' m8 v7 D3 q2 w
else x L2 A1 l1 y& E! z
: [6 g; y/ J* i7 u1 ~# ?6 d
dim data
/ c! z) o$ q( w1 o9 i# L+ e " j. [1 e2 u7 P! m
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
$ \6 R. l3 o" g' U2 P7 M' h Y
: ? {, }5 u, d2 J6 xif ubound(data)<0 then
/ s/ J z% w, } % W; n& [; m( Y, M% }
sdcms.go "login.asp?act=out"4 U) _: \6 D. D6 {1 q6 ~7 |3 G' g
* T0 s1 n. C U
exit sub: p6 Y% s5 K0 N
5 E. H% O: B% Belse$ u4 ~; ^$ S: b' o& X! \
' o( L; C; ~6 q7 R0 [$ E V
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
( D# f, S% M0 d$ y
: h3 b: ]& S& osdcms.go "login.asp?act=out", i! `& F' m( H5 j
! W. L; r* J) n8 f6 h; z" f! u
exit sub; o" }: J3 L0 R# g# h
1 v. U1 Q7 p' p: g5 ]. melse+ T' k$ h! {2 Z
3 d o9 m6 `0 x& ]adminid=data(0,0)3 n0 B1 {& Z& r4 F: y' ~. K$ `
( a- U# k6 g* |adminname=data(1,0)8 }" V4 e9 q0 [. B8 K
' s3 Z/ A9 Z# B A% i! G3 U# E2 g) m
admin_page_lever=data(5,0)
. s) r7 U/ N- y6 Y: e" V+ d. n: f 5 F N/ |0 u# Z
admin_cate_array=data(6,0)
0 g2 ^0 y3 P: G& N
3 o( G/ j* i: {- Hadmin_cate_lever=data(7,0)
6 Q2 r8 G6 w6 r) p) D. P+ ` * ~ p7 R& |# T; ?# z+ K. Q4 W
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% V7 G1 B( T+ l- Y0 ? G
3 H. Q: ^7 z5 b' R x5 g W$ ?if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 H9 @8 J" F% w& O i. `
" i2 P) P9 N0 s! Q, k% F
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
0 c3 g" @1 y) P5 n # R6 Y& }* K1 d$ s
if clng(admingroupid)<>0 then! {$ [3 ~$ D7 G8 l( P, g8 {4 k
+ T$ }8 j% X$ R% sadmin_lever_where=" and menuid in("&admin_page_lever&")"4 i V0 z. }) k, c5 y
# q# \4 @% M# w1 zend if
% Q- J0 w: m G& z' E1 c$ b8 d
: f' d' Q' f1 D+ d, {# ~sdcms.setsession "adminid",adminid) [2 d/ N2 y2 n2 Z
$ o. [- J2 G( Bsdcms.setsession "adminname",adminname5 ]" F# {9 U' ]& B* w
! }7 @! ^( X8 y
sdcms.setsession "admingroupid",data(4,0)
+ `/ I9 j5 {0 f. ] ' K3 {5 j. W: T
end if% b2 R& X, p' j# y1 `/ E
7 D4 |2 t K- R* rend if
( x5 n* a. {6 n( p# K
+ y6 U/ w% R9 gend if
) b! ?% I+ u3 G
/ ^( E' ?, o$ B! N- y# w, z4 celse5 O9 |$ G2 l9 `! l
! A. r% r, z( p
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
; S* [& m- G6 Q; s- n( G$ y! Y' T
* V$ }( S3 w0 }8 E! mif ubound(data)<0 then; W0 i, j5 o6 Y& Q9 z8 Z$ a
) V+ ~& @2 v" Z/ t6 h
sdcms.go "login.asp?act=out"( w$ U( P: q5 S
8 y3 o5 j( y- s6 @; ]exit sub: w k! r( K3 n4 h# p
; {+ p6 t U: I6 }# e
else
) J, `6 e+ _7 z1 x/ Q, g2 M) U/ k6 O " C. [* a* O. p. v3 A
admin_page_lever=data(0,0)
6 j+ {. Y, ?" v9 v - K" l0 b. q9 H9 Y9 H' ?9 B
admin_cate_array=data(1,0)) T4 q- Z1 [) Y. r4 G0 }7 Y0 X
% Z* I0 L$ U& M9 J; T6 j0 u9 ]admin_cate_lever=data(2,0)
, Z! d6 z# G+ h! e @6 |7 U" z, ~ 4 Q+ I& p/ v6 I/ E' Q$ \: o; S. m
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
& u3 u( c+ N4 `* S, | : `& H$ a1 i, Z7 U' k
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=01 P3 m6 R5 h9 j! r) }: v
9 Y) l: f, G3 L3 z1 \if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0( O& n9 z0 h z
8 ^9 D' Z, k% S/ v" B L; G7 ]
if clng(admingroupid)<>0 then
5 D0 e% X. e1 E3 U6 j6 |4 Z
6 ]6 L6 ^, O0 x' w9 padmin_lever_where=" and menuid in("&admin_page_lever&")"
* L5 Q. G U& Y- t! u/ R4 b; Z
/ \0 D5 Y+ s+ n' K/ x/ J. e9 l1 s! Jend if
0 Z1 R* L( N7 b- D* p - ^9 \. O Z8 S3 E: l( D# D0 _3 O
end if
* \ K" ^) M& } ^7 o
5 j0 ]9 S0 `9 j$ P: v+ Lend if- b$ ?4 M% Z6 h! \5 y
! U% R9 b) ]3 v1 {! ]end sub
/ i: u$ p. h' I2 u6 v7 r# U1 T漏洞证明:# u! H/ p) N' k* ?
看看操作COOKIE的函数: F. u. d9 D5 T. V% ^8 w/ V. Y
) y0 z0 @, I3 @public function loadcookie(t0)) A9 n$ k: k: Q" i
5 S: L' C* I. ?$ R
loadcookie=request.cookies(prefix&t0)2 e& F6 Y7 c& R9 E6 _, G
, ^& F3 s5 g5 I& L) c
end function
% `2 N0 s, S: D8 N0 ~
% `. [8 J6 t+ {/ q2 C' rpublic sub setcookie(byval t0,byval t1)2 o5 z2 T$ D) S! R- u2 S: L
# s* n/ z. h4 X- d( f4 x
response.cookies(prefix&t0)=t1$ }) d$ s* u& ]- H
2 V7 ?) C ]3 K: ^7 b- h. ^% xend sub3 g7 r3 l! i8 n' b9 h
% [4 P! ?' u0 W- a; H. E3 i% q
prefix0 _) V7 Q T1 M
9 _9 ]8 h! K% F$ P
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值2 I# ?: D+ Y U
7 l; [' N% B4 S% _" rdim prefix% ]& K9 r9 ` F/ h$ ]$ |3 @
; ?$ U" @4 F. k- X3 E: N* X) P) {prefix="1Jb8Ob"
( L S% w7 j, I0 g. S ; z7 m6 J3 J. e4 Y; P
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 8 ? a- `) a* M+ k+ ?/ E8 z
; o J& e5 y, D: \- ksub out
( u8 U, i- y" ^0 W " I* V$ O5 C# Z {. q
sdcms.setsession "adminid",""% F/ s9 a- W2 K" r
k. e3 u# c/ d) n, X
sdcms.setsession "adminname","") r: {! N1 ]+ ?. ?1 h! x
1 l5 ^# n. _* Z/ k: T1 z
sdcms.setsession "admingroupid",""
* Q# y2 F% t; R* I9 R8 G
6 F3 h' C" O, ^: I1 Y+ Asdcms.setcookie "adminid",""
3 G' }" I! a8 p# I4 c! t
# O( G+ L$ R% R; ksdcms.setcookie "loginkey",""2 j* P: K: _. _
; t0 O( N ~7 r5 @1 j
sdcms.setcookie "islogin","") N/ s) w0 z0 G* P
" u& |) s* R+ X" j* c: S \+ V
sdcms.go "login.asp"
; S% R' D7 U9 Q J( a. j- ?1 V9 g
end sub
) _* k W: E" U7 b 8 A4 t) o$ ^7 ~8 k
, F1 E a6 U( y6 y- m% }
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
; H$ }5 b' p# s/ H8 m2 x3 O3 p4 J修复方案:
! a" N# t: y% s+ V修改函数!
2 }) z: _& J: @' y& \5 ~ |
发表于 2013-7-26 12:42:43
收藏
支持
反对