Summary:

SDCMS admin backend bypass, direct entry without credentials. Tested on version 2.0 beta2; other versions not tested.

Details:

islogin is the sub that decides whether the visitor is logged in:
sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        ' no admin session yet: fall back to the three login cookies
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie is shown below
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' This check is the problem: sdcms.strlen(t2)<>50 is the only requirement placed on
        ' loginkey, so any value that is exactly 50 characters long passes and execution continues.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' looks the admin up by the ID taken from the cookie, which the attacker controls
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' instr() returns 0 when the substring is absent and a positive position otherwise,
                ' never a negative number, so the "<0" branch is unreachable: decrypt(t1,t2) is never
                ' actually verified and only the islock column is checked
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    ' the forged cookies are now promoted to a real admin session
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        ' session already present: only reload the group permissions
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:

Look at the functions that read and write the cookies:
public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub

Every cookie name is prefixed with the configured prefix:

' variable prefix; if this program is installed more than once under one hosting
' space, configure a different value for each install
dim prefix
prefix="1Jb8Ob"

' this value is easy to obtain: visit admin/login.asp?act=out and the prefixed
' cookie names appear in the Set-Cookie response

sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
Exploitation: set the cookie prefix+loginkey to any 50-character value and prefix+islogin to anything, then iterate prefix+adminid (the default admin is 1) and open the admin backend. You are logged in as that admin.

Fix:

Rewrite the function so that loginkey is actually verified against the account rather than only checked for length.
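To make the flaw concrete, the following Python model reproduces the cookie branch of islogin() next to a hardened replacement. This is an added example, not SDCMS code: the sample admin row, the server secret, the helper names (vb_instr, vb_getint, vulnerable_islogin, issue_loginkey, hardened_islogin) and the token format are assumptions made for the example. It also demonstrates a second weakness the report's own comments do not call out: VBScript InStr() returns 0 when the substring is absent and a positive position otherwise, so `instr(...)<0` can never be true and the contents of loginkey and islogin are never verified at all.

```python
import hashlib
import hmac
import time

# Constructed sample of the sd_admin row the sub loads: adminid -> (adminname, adminpass, islock).
# islock is 1 here because the original sub redirects to login.asp?act=out when data(3,0)=0.
ADMIN_ROWS = {
    1: ("admin", "e10adc3949ba59abbe56e057f20f883e", 1),
}


def vb_instr(haystack: str, needle: str) -> int:
    """VBScript InStr(): 1-based position of needle in haystack, 0 when absent,
    and the start position (1) when needle is empty. It is never negative."""
    if needle == "":
        return 1
    pos = haystack.find(needle)
    return 0 if pos < 0 else pos + 1


def vb_getint(value, default=0) -> int:
    """sdcms.getint(): parse an integer, falling back to the default."""
    try:
        return int(str(value).strip())
    except ValueError:
        return default


def vulnerable_islogin(cookies: dict, decrypt=lambda islogin, loginkey: "") -> bool:
    """Port of the original cookie branch. True means the request is accepted as an
    admin session, False means it would be redirected to login.asp?act=out.
    `decrypt` stands in for sdcms.decrypt; its output is irrelevant because the
    instr() comparison below can never be negative. sdcms.strlen is modelled as len()."""
    t0 = vb_getint(cookies.get("adminid", ""), 0)
    t1 = cookies.get("islogin", "")
    t2 = cookies.get("loginkey", "")
    # str(t0) is never empty after getint, so only a non-empty islogin and a
    # 50-character loginkey are actually enforced here.
    if len(str(t0)) == 0 or len(t1) == 0 or len(t2) != 50:
        return False
    row = ADMIN_ROWS.get(t0)  # adminid=<t0>: attacker picks the account
    if row is None:
        return False
    adminname, adminpass, islock = row
    if vb_instr(adminname + adminpass, decrypt(t1, t2)) < 0 or islock == 0:
        return False  # unreachable via the instr() half; only islock matters
    return True


# Hardened replacement: the cookie carries adminid.expiry.mac, where the MAC binds
# the admin id, the expiry and the current password hash under a server-side secret.
SERVER_SECRET = b"example-server-secret-rotate-me"  # assumption: loaded from server config
TOKEN_TTL = 3600


def issue_loginkey(adminid: int, adminpass_hash: str, now: int = None) -> str:
    """Issue a loginkey cookie value for an admin who has just authenticated."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_TTL
    msg = f"{adminid}.{expiry}.{adminpass_hash}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{adminid}.{expiry}.{mac}"


def hardened_islogin(cookies: dict, now: int = None) -> bool:
    """Accept only a loginkey whose MAC verifies for the account it names,
    that has not expired, and whose account is not locked."""
    now = int(time.time()) if now is None else now
    parts = cookies.get("loginkey", "").split(".")
    if len(parts) != 3:
        return False
    adminid = vb_getint(parts[0], -1)
    expiry = vb_getint(parts[1], 0)
    row = ADMIN_ROWS.get(adminid)
    if row is None or expiry < now:
        return False
    adminname, adminpass, islock = row
    if islock == 0:
        return False
    msg = f"{adminid}.{expiry}.{adminpass}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # constant-time comparison; a password change invalidates old tokens automatically
    return hmac.compare_digest(expected, parts[2])
```

With the model, `vulnerable_islogin({"adminid": "1", "islogin": "x", "loginkey": "A" * 50})` returns True whatever `decrypt` produces, which is exactly the forged-cookie login described above; `hardened_islogin` rejects the same cookies because nothing in them carries a valid MAC.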