要描述:8 I2 g* T# k. f& s# N: t
8 _& @) Q3 S+ e9 E: {, c- V
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
0 V% t4 H8 ?6 G/ Q1 P9 w1 q. a详细说明:/ ?4 V7 u0 |/ A9 ]: j' l
Islogin //判断登录的方法
- X( l. d% Q1 n2 X [$ k 8 f$ O9 O P5 d, F
sub islogin()3 |* B5 y/ e/ J4 \& S
$ O1 @( L! b& V: ]( k1 M5 Q, mif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
, H! F+ X6 ]4 L+ O6 W, {: T+ ]) m9 q
) ^" y% ]7 k L4 O/ q) _6 F8 mdim t0,t1,t2
+ F) ?' A& a5 O- g8 C: X ( d2 D/ G- |. e7 k* z* \/ G. F
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 5 k! ]. a) @1 M5 Q
+ H6 }) H5 W6 F2 _t1=sdcms.loadcookie("islogin")6 F8 y& T; g$ X; r( b
/ N8 ~4 U0 K, D$ d! F. Gt2=sdcms.loadcookie("loginkey")
8 s5 g3 ]' C: } 5 ~. Q, N0 n& b
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
! C. w# ]; x$ T0 h) f p2 f, \
+ T [( n. @3 W7 a) G* \- b: z//
2 l6 r8 ^% b9 k. ~( A8 q* f3 c
5 J. t3 k; D* X1 ]sdcms.go "login.asp?act=out"
6 n7 t+ b/ L$ k: K
6 }; b, n4 v8 s, N8 ?$ Z- z4 U! M9 x6 [exit sub
, l: B8 |3 ~5 x y' `
- ] S+ ^7 E& k6 F7 I. aelse, y0 z7 z! m1 [
& g" z0 m$ h. z
dim data
; e. {) R) a, x. R% C
/ U% V/ |$ K: c" L3 L Vdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控 E8 x) |/ j6 m
. M+ S6 m( J- Q3 V. A8 {3 S/ Y
if ubound(data)<0 then
7 ?( {* R8 b% n
) A W- Q% X( F; fsdcms.go "login.asp?act=out"
; E3 w, c& ^4 x: r9 W
" [0 P7 e, m9 l, d0 A* Iexit sub* {- }6 h3 a$ _) c# d
' m* o3 H7 B6 p' @* m: @& O6 Z3 velse2 N4 a0 X# O# c' z) {% E1 h; A* L1 d
7 v6 R0 |+ z1 Q3 l, [
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
/ E$ Y8 v: M6 S* k/ e2 { 1 G& H5 k1 Z/ x0 _9 F
sdcms.go "login.asp?act=out"0 w, R( i& M. V8 x3 G9 d9 e" x* U
1 Z+ v8 y5 k& k, E. R! Lexit sub/ u0 a; ^' ^! {& r. }7 v) T
; R- Z% O5 |$ Z# h% a9 \' ^else& Z1 V& Y6 H7 X
1 |% t4 L e* F& h& madminid=data(0,0)
# z* a) s2 F6 e, A8 ^' P ( L5 W$ z0 S9 R* j& F
adminname=data(1,0)
8 Q w8 N/ p! R- o7 i
0 `6 }3 m' `( qadmin_page_lever=data(5,0)
& n5 E" l3 q% C: A8 x/ u1 H
/ n, p, ^# R# Oadmin_cate_array=data(6,0)0 S. d+ R; C5 R7 k" V
( A% S! a: c! ]9 j2 i
admin_cate_lever=data(7,0)
6 z2 S: c2 j; c 1 f4 a+ f5 P+ Q! Q0 ^' E
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
6 u1 B0 m9 Z Z7 s
& ]0 Y0 M* k7 ?. nif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0. l' U6 ]+ o% A# A# v9 p, ?
6 B4 _3 \( g4 `3 g( B3 R; l$ sif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
% y) t3 T- P, z2 w, }. k
5 e v8 ]3 S/ H+ rif clng(admingroupid)<>0 then
( f- d8 ~- B! I& Q1 f. r5 F: i: L
. C# e/ s+ }* s g! A& oadmin_lever_where=" and menuid in("&admin_page_lever&")"5 S* s+ P7 b8 m3 S# @
2 L6 ]3 [- T; x2 t( r6 I- A$ E
end if$ S7 C' `) ?9 A( c5 ~
! e: e0 v0 N/ M( Xsdcms.setsession "adminid",adminid
* x3 e( r+ P8 x4 F" J; y7 q- o # ]" }5 O% J: I) P; I
sdcms.setsession "adminname",adminname
3 t; G8 U7 w. c/ i
0 [/ y7 K% f+ Esdcms.setsession "admingroupid",data(4,0)0 Q8 v; @# H& `
- A0 z/ j: ~+ {2 {- C2 I9 H
end if
- E1 B$ T K* _) F: q
7 \* d7 T O$ p0 f8 R& W0 v% u# Vend if
* j- B5 t, k7 s4 z4 J5 w
; w) Z* `$ W7 s. j [end if
* d3 V3 c! F3 x) t5 f0 Z, H# u5 G
1 r) l7 K; F: ~2 G9 h0 Relse
2 Z9 c0 d. n/ Q/ q; Q
* g0 w; \* I; k) G% l3 edata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
. L; T( ~% [" v& d7 V
% @+ }2 H9 r6 ]- [+ g$ b [2 ~if ubound(data)<0 then
8 |# R3 W+ @# ]& b2 M
. G1 ^1 q0 Y0 ^* Hsdcms.go "login.asp?act=out"
1 g/ n5 A6 X& G
; h8 Y! I4 u# _. p P$ T; gexit sub8 F7 y( x1 n" G1 N% h, H1 X9 L
) y1 _& _4 O2 u& a" H
else! h2 }& X4 l9 l p9 a( s
5 t3 N- z7 `+ h, A% W/ W3 x2 U
admin_page_lever=data(0,0)
: t- @7 X% g, s8 j* e! _8 ~
5 z! p! n( [7 U/ `admin_cate_array=data(1,0)
5 d" k) D7 }9 u# w4 q) Y ; C5 D' v7 e6 j3 y" H
admin_cate_lever=data(2,0)* p) u" P* B, W( @* G. O
& q" o8 d: m/ W# Z# ]; M
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=02 X' V) p% f' h2 I
3 f" r/ _* Y; Z7 x
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=04 l+ x7 c2 F. S, G
! [. Z% d) x5 gif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0+ l$ A" }- a! p$ ?- p9 N
! v: R W4 b/ i q8 L9 q3 B+ `# nif clng(admingroupid)<>0 then
. q6 `* M1 r! I. D- U
; d9 d5 F1 R% ^2 [5 Z. Zadmin_lever_where=" and menuid in("&admin_page_lever&")"; Z0 A- t, Z! b
1 d& c7 ~: K7 _. e/ Iend if
3 z, A+ n. A0 x0 f
3 i ^- r" H3 a5 [/ xend if
3 E- X2 E3 S, U m1 D6 F8 h6 N
6 j' S' w; {, ]: [; Xend if
8 b J8 i; t6 p% t( \ ! m) G# n& @3 [/ R
end sub
& G$ o* ? a+ p* A漏洞证明:
7 S1 J/ I+ q/ N$ ~1 {4 B/ t4 ]8 x看看操作COOKIE的函数 z# I$ t, J* s W( ~) H0 E8 T
- f u6 J1 S. o, L* @0 l. [
public function loadcookie(t0)
# o- \" a$ ?2 n" o1 m! `8 c $ d. ~) W/ c* s! G
loadcookie=request.cookies(prefix&t0)
9 E1 p! b5 y7 S7 O: n; H4 }0 U. v
! c2 b9 O( E* N( U5 `# _# l7 L9 j3 ]end function4 M X; `5 m6 c- i! v- ^
% D. ?& j3 Y# F6 ]5 L; h/ f* o4 bpublic sub setcookie(byval t0,byval t1)+ c# P4 C' Q) E$ q# t G, {5 U
) k' Z0 E% I" d' L {response.cookies(prefix&t0)=t13 ] `2 B! R' n6 J! B( n3 A
5 ~6 E- T# R; x+ B( S
end sub
, ~8 H7 C6 P3 v1 Z$ ^. m. x f X
4 c6 W, x! V) g3 X# s$ v: Iprefix! F0 V$ v0 v# ?9 _
% f2 @; U% C, l+ s' q'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
" W. |' |6 {2 v( O, Q3 d
5 e2 ?6 L' r3 L2 f( i( sdim prefix
2 U3 A) C9 }9 v- b
7 h T! u; z, k; B, Nprefix="1Jb8Ob"+ v3 e1 Y" i7 K O7 o
+ a7 M2 d; @' j# J8 P0 c'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 2 h% O0 C- Q3 ?3 a, v
' [& m1 t* }7 W; g
sub out
3 v! ^" m8 r; Y G8 D2 ]
) B/ |9 u7 c" n. M: msdcms.setsession "adminid",""
' h' U9 _. l0 L! B
]0 [* o3 b! d! \0 f. U& H6 Zsdcms.setsession "adminname",""6 O/ M7 x9 U# R8 z0 g" W
. Z' }) A4 b4 [: ^/ a k
sdcms.setsession "admingroupid",""- p, P1 ?- S( v' O N: _
" U; Q; H; {' c' }sdcms.setcookie "adminid",""( {6 q* P0 F& Z; m- I$ a0 D2 D% h
: A5 E6 f. Z. n4 Y5 _7 b9 O1 hsdcms.setcookie "loginkey",""
2 o+ c5 \. s. o9 A
- \$ X5 i9 C# e5 W a5 {+ Q" U; }+ Csdcms.setcookie "islogin",""
& G9 g, R6 C6 Z' N4 N
% Y" t+ q4 t* ~, U4 F7 L; Usdcms.go "login.asp"
* \ y' s1 B3 F' s" c* r, k ) N3 | Y% H, F6 Q3 w
end sub
& h9 D% n7 e1 g1 a x0 q
+ Z' X5 `! u# u ~% i5 u
* C; S' r) d2 ~" h利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
) u6 y" I( R, Z" o- P: S3 z6 @修复方案:8 i2 h5 R" `, o" @
修改函数!+ J: G) Y, J6 Z* v( y# G7 q6 p- k
|