要描述:2 ~( o+ r0 k6 Z6 C6 Q4 g
}: |+ K6 y, q7 w* j" z; e/ F8 Z3 hSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试5 g% ? j, k) y: W
详细说明:
1 B2 `" T. f8 U2 V; TIslogin //判断登录的方法
, D- H5 e; {, L4 t 6 ?! i1 c; [4 ?0 l
sub islogin()
" @+ J" ~1 n9 m X# b, ]9 [
& [9 m# o$ N( h& qif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then ! v- P. p3 B3 H* L7 ~3 a/ m. n3 o
( M8 K8 Y; l( t$ ydim t0,t1,t2 b: x8 |8 g5 d; q! ?4 s, A4 z1 V
3 s: X0 E! l9 ~4 F% e! ^
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie . t- D8 |* O8 A$ x7 C, ~( v
+ [ ?# @$ T+ \- T
t1=sdcms.loadcookie("islogin")
6 g2 a1 V+ ~) _2 D2 \- @2 j2 @& j - p4 b' x8 F" N+ ^; Q+ N( H
t2=sdcms.loadcookie("loginkey")2 k2 S7 ?( _. u% `7 i, |6 [. N
2 l, D# |8 {) P W9 ]& B3 V
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行2 t: y, M) R* G w( U0 {- g! u
: }" x3 E- Q) A7 q//8 \5 l& O9 x, P" \
+ Q' ]0 o* U+ [& ~8 F) d
sdcms.go "login.asp?act=out") S' o, S+ D, U/ D
( n+ z) O) |2 V; o" h* A3 ?exit sub
" j/ ]& s3 h. I5 Z# ` ) B) k' s+ q8 b" c
else6 F/ y2 n7 C3 _- [$ j- Z9 o
1 W% o7 f% h0 d8 h9 s
dim data) E- `3 G/ u8 a/ i# `, \
! X& `6 w; _6 ]! c! E4 I+ E
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控* i7 V3 o; u: |% s1 ~( k
9 i* \8 k; p! ^- Y' R
if ubound(data)<0 then! v2 U( T- S6 z. D3 @6 s2 |
|5 K* G( `$ e6 X- Y
sdcms.go "login.asp?act=out") D' d$ D4 p2 Q
2 w3 r1 M% g( _+ Z9 r) }2 J, V
exit sub) S% L0 w; @& A. `- Y$ B1 S2 J
* n5 y1 }% P& c0 S& o0 t7 Delse
' y1 ?! ?# c6 k 5 R/ V9 @/ H0 X3 A
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then# j9 b! D9 P1 n9 A* X
0 j& k, x% @7 z/ z0 t2 ?2 ?sdcms.go "login.asp?act=out"$ R' J- x% L- b/ H
8 r- e+ W+ L' z# B- r0 W1 ^
exit sub4 I* {- \8 t4 M$ F. z
9 _1 Y9 {; j$ B9 \" D/ ~
else. v9 x, @3 E7 B& N- t' J
* J/ C2 K. @2 ]1 r1 P/ ~/ I6 f3 Wadminid=data(0,0)- Q& K# B F% @4 j& R- [' Y' Q- r- p
2 R5 K$ f1 }. v$ Xadminname=data(1,0)
! }4 F% ]4 n5 ^+ |9 u4 S! O 2 R( s- ?8 O! x! E, f& l$ U- t+ [
admin_page_lever=data(5,0)
6 {& q0 O& D- w* i
' u; U$ d, _5 O6 a L. j5 Hadmin_cate_array=data(6,0)2 }, c$ c1 w3 f/ w8 U3 r5 H
& F3 C7 N9 H% R( J* a6 R; K3 d
admin_cate_lever=data(7,0)
N7 V& o" B4 g! L8 E
* i9 a2 W# V3 |( h- k, D! Xif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 g4 O) y1 q& v- C$ v9 |
( h) S4 @2 j$ v6 n7 z4 Uif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0% e* B" c# c: M# o- }3 g/ N$ Q0 A
. R- w# a9 P7 U& X) {
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
' |4 E- K' `6 C) p" W% r3 Z; x& S
% S7 E1 o7 m% w5 _( @if clng(admingroupid)<>0 then1 O' n6 L [/ x2 [
! p: k) o5 y' F0 C! O! x. G' F* j# }admin_lever_where=" and menuid in("&admin_page_lever&")"/ _0 K! }. X7 j& ]
8 [8 ~# U2 f7 i/ [: Gend if
& @9 ?) d" ]- C# O
l4 ?( t. N" Q6 I- H$ U' {( A- Xsdcms.setsession "adminid",adminid
, O, G8 M% j( ?, j+ u# |0 b, z
1 b5 t6 Y% d4 [sdcms.setsession "adminname",adminname+ p+ K3 T8 G; o% B
# V0 a% H- E4 Fsdcms.setsession "admingroupid",data(4,0)
$ J/ k& Z% V0 O9 s9 Q. m: z1 m/ n
+ x$ p3 c5 k6 X8 i! cend if
4 a3 c/ L+ Q: h/ g! F
& E+ V M. e( r0 o7 `end if M' Y, v& V5 U" E1 `
$ m9 c+ Q! `* Y3 t
end if& D. Y/ E5 ~/ \5 k1 b
' J' R' w- Z+ l. b/ p
else Q" x9 }- |: z# I' ~2 h# O
, |4 c- Y7 m3 s6 e' i: ?data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")) P, b, f6 i, G2 i4 d
2 k" g2 o# I" f5 L/ ?4 M: x. U# N- vif ubound(data)<0 then2 `2 {$ T( w# l& X. Z+ Z8 s
4 C6 N: L( p) M! B- Usdcms.go "login.asp?act=out"
1 T9 D, z! p. @& }+ `8 W0 I & t% M2 r. y7 i
exit sub
/ a! o( J x( j: l8 Q. S
/ E' q7 ?6 u: k6 f' ]9 ^. Pelse
- i. P `- M2 G8 x9 i + [2 j9 j1 ]- h$ x$ A A
admin_page_lever=data(0,0)2 U$ z7 Z! [: h5 p
1 Q. }0 R1 r; X- H! o k& p
admin_cate_array=data(1,0)
{5 \2 g0 Q: q . f- W( P1 D0 p: j+ x
admin_cate_lever=data(2,0)
: h1 j- ~( k; y. f! P7 k 6 W& _# [4 O' f! L
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0( N# e! r" ^! L8 ~
8 W; a2 I, e5 ]2 `if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
' ~9 n. s3 U& u7 z1 o* b 5 y6 A3 g1 Y; l* w
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0, t# l/ f1 g, X( `
) o! z/ l3 n) @; k0 G# D+ w. L/ M
if clng(admingroupid)<>0 then, |, J$ u1 o% ~ I1 Y" G
8 g1 f% ^8 a& ~+ @' n
admin_lever_where=" and menuid in("&admin_page_lever&")"
- \) ]" J+ A% S; ^0 L
! o/ T. g7 N# T4 e& xend if
) [# `. d) J" e. o 2 z6 J6 `0 p; p' F P
end if
7 Y* k7 W6 l! ^5 Q+ i+ u$ T
9 Z; R) f- o. g. i. z5 Qend if
]8 f) v# P$ T3 n( k. W0 z* c ! @( V8 K5 w) _& D2 B, ]+ H9 A
end sub* m: I4 V- p0 N4 I7 v
漏洞证明:
# H6 d3 g( d+ y看看操作COOKIE的函数
2 {. d Y! y1 R, V/ j$ z1 C
* a5 N% P& Z- H5 S) Kpublic function loadcookie(t0)& T9 s+ E2 g7 C) K0 o- _& i) M
& B* X1 M0 c5 P$ D; N
loadcookie=request.cookies(prefix&t0)
1 @1 a- ?3 U7 [8 x6 p% u
0 M2 @9 M7 a1 O! aend function# N/ m. d8 L$ }, Y
% v6 Q! y5 W% c' L$ Y3 i! j* R$ ~
public sub setcookie(byval t0,byval t1)
- ~! c5 E6 m; ~, t7 L& [! A# y
3 P, W* q7 L2 \7 R Hresponse.cookies(prefix&t0)=t1% n% @2 A: T+ \9 ^/ k5 _
3 @2 S! A0 r& j2 |5 Iend sub
' X, f9 `6 G9 l1 } - x5 S, M# a4 ?; }& p
prefix9 b+ E" n) V x& e3 p$ x
! C* ]) X- o5 }# x0 C1 a
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值" C q1 ?5 }: A: N- L
: ? i7 t% d/ ~" ], _dim prefix
/ t9 F! a' J* b
' }, m& p B# g% R1 v! cprefix="1Jb8Ob"/ U& ]3 y6 w+ F9 P+ y( J: p
4 T( n+ l( X& ]2 k! K Z& A'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
$ ~7 \0 ?1 Z" W* e2 m1 I 3 D* M! r3 |; B7 i- {
sub out" b" `3 y1 e6 w( ?' T! W
F" ]. s1 E3 x' A* }2 X, g" osdcms.setsession "adminid",""
% y+ G5 _5 ~$ |8 a0 n3 q
- S* c$ i7 w3 I2 w/ y9 Y; Lsdcms.setsession "adminname",""
2 S8 @. h" S+ z; f9 k8 D
+ U" t' z* [5 J5 Nsdcms.setsession "admingroupid","") H) ]3 z( o( D- O: p2 p& B" v2 K
x6 B$ |# U. L' J# Msdcms.setcookie "adminid",""
/ n: l9 s7 S' `4 }6 z" ~
1 s3 [" d) U8 j2 i1 `3 Jsdcms.setcookie "loginkey",""
+ N! ?/ y- Z s7 u- K/ ~* p
) `4 [; E% I0 q. P8 osdcms.setcookie "islogin",""
4 k4 n- r# o- O0 k
# y1 Z/ m y, j+ d) [sdcms.go "login.asp"+ ~, L2 C7 K0 i1 B; B: p
+ _& Z1 I/ b" [; x# L& s: C
end sub# t5 }; g. C: r7 ~% N }6 ^7 y
4 X) R0 d4 B, p4 }+ {4 S 6 _/ f) L) y' k5 }. x
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
% d* u6 A& C. W修复方案:
" A: Q t* r) R, ?! `1 v5 f修改函数!$ `& \5 Y C+ j* X
|
发表于 2013-7-26 12:42:43
收藏
支持
反对