SDCMS后台绕过直接进入漏洞

admin

要描述：

SDCMS后台绕过直接进入：测试版本2.0 beta2 其他版本未测试
详细说明：
: b/ n2 b# }4 I$ W  ^) q/ oIslogin //判断登录的方法

sub islogin()
6 m( Z5 |0 J( F3 E9 V* @3 q; b
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
$ W" J# K/ G$ `' H+ e: }1 o
0 U8 o, h4 m" n# H+ F/ Kdim t0,t1,t2

8 }! {. c7 j9 d" Vt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie

& a- [) T5 b1 r- c  B/ I3 [t1=sdcms.loadcookie("islogin")

. O5 u  ?/ F- F% L& ft2=sdcms.loadcookie("loginkey")
1 a9 W% a' Q% g# M6 ]
- ^( u7 J/ z: f6 u! bif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
' \6 [! `$ A" \- y& c# ^  [
//
) f5 t5 m1 F1 Q+ d2 {6 b% [  G& c2 S
& K" P: e% Q$ \5 |- M! msdcms.go "login.asp?act=out"
! D0 u' H* Q% J2 Q  w# _
exit sub

else

dim data
: t* C: G6 }6 w; ?' \
; D0 }% k+ S/ L: |& Jdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
; y' F  S) x& P% |0 P, ]
if ubound(data)<0 then
* v' q) V2 E/ |$ I  f$ y/ c3 I
sdcms.go "login.asp?act=out"
. B, \: O' _1 N& t
0 J7 w0 l2 l3 }: yexit sub
  f  c4 S$ S5 C9 s- ^, s/ O3 c8 i4 E
! H. W$ q& J" Zelse
& L' a# {8 S. s
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
& A, v. |$ Q+ M& ]) y
sdcms.go "login.asp?act=out"

  e# h6 Z; c" H* Cexit sub

else
7 u6 R" D$ z) R: y; G5 E
adminid=data(0,0)

adminname=data(1,0)

admin_page_lever=data(5,0)
& L1 S4 b+ s4 D0 e( N2 n" @  P
1 L1 g7 a7 Z( d5 d; Qadmin_cate_array=data(6,0)
0 w& K! @, x0 D
+ P' T4 Z0 W* U+ H9 Xadmin_cate_lever=data(7,0)
! f& |1 i8 B  v; p
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
: D) a6 ^9 ^% v3 S
( P2 r: Q2 L- w! I/ W. Tif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
" u* W: t& L. ^
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
  t" [5 [8 I. y3 {2 C% R, p
2 M0 V0 O3 w- J- J$ aif clng(admingroupid)<>0 then

! R" m% W- G5 u! Q3 tadmin_lever_where=" and menuid in("&admin_page_lever&")"

end if
9 V3 k) Q6 a9 q4 L
2 p' f/ A- M+ D/ Q1 Asdcms.setsession "adminid",adminid
, V$ m& b3 P+ Q( _
5 G6 Y# P1 E& U6 B- a, i" vsdcms.setsession "adminname",adminname
6 p9 H: L9 I1 f+ U
sdcms.setsession "admingroupid",data(4,0)
1 _( D9 g) }6 |5 A7 |
end if

end if

end if

+ b! ^  j% B, v! b+ _* b: i/ melse
3 @! v! X0 U4 l5 A3 ?) j
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")

. \' f" e! n$ {* Eif ubound(data)<0 then

sdcms.go "login.asp?act=out"
! l9 e/ O& `7 s* d4 K
6 F# E# i* [; P4 |exit sub
) l; U1 I9 n) ^7 C: T7 e( M, D
else

- O, _2 F9 H2 A7 Q! R7 |! u% c& Aadmin_page_lever=data(0,0)
* H4 p: O1 Z5 @
( B, l0 x" n  i8 U5 c) s  radmin_cate_array=data(1,0)
; |9 R' D, K6 J6 k+ |" ]; _) w
0 ^% m* v' ], V( U( zadmin_cate_lever=data(2,0)

1 _, q. b  o4 b1 R3 ]if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0

if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
! }$ A) U% l8 {; @5 f3 u7 l& B
$ L: u3 h7 r+ H) _" |if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
4 X' ^9 m& M( r  G4 i& _( F' U6 G# P
  c4 S& D+ N) I' ]) w9 M( ^if clng(admingroupid)<>0 then

7 v; Z; l2 U0 ^2 ]3 }( c( E; X! g) ]2 Jadmin_lever_where=" and menuid in("&admin_page_lever&")"

3 p+ C3 z* V1 Oend if
/ f* d6 r- k8 \" E
end if

; N# A5 B2 S1 ^# X7 L( Uend if
+ `) M( Z  I# c8 l, f
+ b6 k* X0 R! g+ F  gend sub
漏洞证明：
看看操作COOKIE的函数

public function loadcookie(t0)
' ^, H6 x, i$ s* C* T  |. j' I
loadcookie=request.cookies(prefix&t0)
; D0 Y; z% u8 R
- h9 A- g9 F9 ^1 Yend function
5 e2 u5 P0 m. q6 _
public sub setcookie(byval t0,byval t1)

2 K/ [( i8 y! p/ _3 l+ F" s: M2 e* Vresponse.cookies(prefix&t0)=t1
' T$ i$ q! S$ p7 X5 T
end sub

) j" W% b1 T$ r" Nprefix

7 }( H- m7 d' G! q* }6 W'变量前缀，如一个空间下多次使用本程序的话，请每个程序配置不同的值

dim prefix

prefix="1Jb8Ob"
5 F5 ?# E  G' Q) [4 O& t5 p- v
1 b! i7 h$ G! x' [8 J( v2 g4 X$ q% P  T'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
5 x# j/ H, M$ b5 `5 Y
sub out

: M! a% m8 o: y2 U# d$ R3 Y- S% msdcms.setsession "adminid",""
5 O0 m: W- y5 e) b+ A. Y# [/ e, X
/ W* O3 J& a- s* Q3 l  I" vsdcms.setsession "adminname",""
6 s+ r" l; x( x* b" B5 p$ N. m
sdcms.setsession "admingroupid",""
" p: A! e' d! r+ l
sdcms.setcookie "adminid",""

3 E5 W9 P5 c) Q$ r" O' |sdcms.setcookie "loginkey",""

0 _" ?3 D( g/ Rsdcms.setcookie "islogin",""

4 ?6 z5 S6 [/ Y  b% V$ F' jsdcms.go "login.asp"

end sub

9 L  U7 T- t, a7 e$ m
利用方法：设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台，就可以了！
修复方案：
/ Y  H8 J# H4 i" ~2 q  `修改函数！
% D  {- T( B7 Y$ D- ?. k