; A5 i4 m$ J, W4 b# C* _sub islogin()/ w1 J/ B' y1 `0 x! L& P' L
6 M! w, G, z' l
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 9 x' C: n! C% [. Q; `' j 4 R! }% s) e" h4 F6 P3 {
dim t0,t1,t2 5 r6 k A! C6 f$ K7 k8 @ & ]) O4 ]2 m4 U2 T
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie # j1 X- r; I& d
0 n0 r* A S" m' |# {
t1=sdcms.loadcookie("islogin") " X5 h' V! t) B$ k% x0 w / c% K$ w7 y! l# A
t2=sdcms.loadcookie("loginkey")- I( Q4 {( U' ~8 S
; h' R V }9 W. \5 F X
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行! J" O2 Z) P1 W; H
I1 f. Y& g, f8 b# v* p* M. i// 2 G. r$ S) g: F& T # U# [4 u# W2 ?' r4 M! w+ h
sdcms.go "login.asp?act=out"& o5 s8 s: @- R" ]
/ n" V2 X) Q1 n: N
exit sub& s+ {) Z- e( r9 Z3 ^7 ~9 Y
6 F+ L0 I: J h( a) o# felse: d8 R3 b% {6 q) W% u& u
. I( n4 \# V7 Q9 T+ e
dim data $ B0 V+ P. w* M2 R2 U& C7 K$ _( c8 l . ]- q2 S5 A# }3 t% G, b9 N
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控 V _9 o7 I4 {* Y . h* m! u; q" P; j9 d) kif ubound(data)<0 then , w7 i9 P6 P# Y/ Q; x. x4 V 7 @4 F% F" ]& n; H" t$ t! ^sdcms.go "login.asp?act=out"! P& Z' |2 R& \5 k7 n; G
) v* o7 T2 m- {8 N* U5 f8 W5 d+ f/ N
exit sub " x2 r1 r5 h0 E; C# K + S+ _# Y5 W8 [' |' t4 x+ Gelse2 L5 s) U9 ~2 |8 T7 U- u
6 a# Q0 r- Y. w" ?& ]if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then . C% ^- e' j! ]/ X0 z- e0 ~% _; W 3 j1 C' |( w: o" K1 r
sdcms.go "login.asp?act=out" ^1 e, I/ [( h ! b! B2 k( h# z# m; ?exit sub - I4 ^6 L& P4 D" s / p( ^0 `1 N1 belse ( G+ N' g; x+ v/ S6 ^ , p8 Q3 A4 c' V5 W$ V( X7 f
adminid=data(0,0) ( T& E) o) b( q: N6 y/ E. j/ k . Y4 J0 g6 n: N! [3 m
adminname=data(1,0)2 f) t s0 z7 _# e7 q
# I' F7 v) L( C2 Z9 G2 U
admin_page_lever=data(5,0)/ b. G* v+ F! \# Y; ?9 W
' v$ X5 a% {# Wadmin_cate_array=data(6,0)' y. w8 w2 p2 i3 W" Z- o5 V4 E
" V$ I9 b1 o1 B; o5 @+ Tadmin_cate_lever=data(7,0) * A. ~. K% O, q" R$ O 9 w6 ?; m h; L2 W4 S$ B
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0: _, K4 @4 e1 A! {2 w
4 v M7 L" G% i) n' j" r
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0% l; k& M3 Q/ ?# Q7 N. Y* [" X( b
9 y$ h+ f `& \1 m- Q
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=02 B$ O; F! C6 {( M, N3 `: n
/ q W `& D# u* E4 t
if clng(admingroupid)<>0 then : U1 U d' O+ Q8 H/ H - l$ f8 }) p4 R$ v( N4 d: a8 ?
admin_lever_where=" and menuid in("&admin_page_lever&")" 1 l- v3 q% N8 r& c+ q, b" D; W" r" B$ J . _+ c, s' J1 T& L5 P0 z7 D! `9 O
end if 1 N$ H( I: @( y) D* `0 F ! S/ Q1 y8 F! x' A! R+ Z3 e; Msdcms.setsession "adminid",adminid - \* g" f7 f6 ^- f k0 q v/ i2 ~* E& U2 S9 r) r' c! N- Osdcms.setsession "adminname",adminname8 S- o% W/ o$ A/ f0 U
9 m3 l7 _. V, Q1 a
sdcms.setsession "admingroupid",data(4,0)! }/ x4 B! Y: m0 \" s
* m. s+ y0 D5 w& `
end if0 O7 p4 {& `( J
- D. d& @$ O/ rend if/ n4 [0 K' A; |' L. c. \
9 l8 z) P# V9 J( N
end if1 I+ n8 w/ l! T5 i3 u7 A
6 W9 S/ d8 X. h) y$ y+ I
else # |6 n' k) S! |$ X3 ^ 7 |* s' U+ |, [
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")- i$ W6 d! |0 c0 i
1 Z, {- J g' K+ D9 kif ubound(data)<0 then ' O3 _1 _' G( D. j 9 V) [" y/ q W. Q F6 b; J
sdcms.go "login.asp?act=out"2 J3 h6 {& Z9 q- l2 u) q2 v
0 B8 D4 e8 c/ L0 {
exit sub 7 J' ^9 b" h# N6 V1 Q 1 r* n S4 E! K- A8 Q( T t0 }else$ T3 c( b4 Q3 X4 O2 `0 p8 Y- \& a
0 |; m% _6 |/ o: Z6 |- x7 Uadmin_page_lever=data(0,0)$ d7 j4 ^9 j' S X* a. Y8 t
5 |6 a, m. Q" }3 B% `admin_cate_lever=data(2,0) 9 ]2 z) R6 {4 i 4 V' ]$ w) ^( Mif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=07 n8 v. C8 V3 n
- I( K ?0 v' @( g
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 + X4 j. T% H- e" X/ i ; ^' U: v8 d9 I9 R6 P, m9 eif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0+ S" Q o9 N3 W1 X @) Y& n$ Z
9 ]/ S/ [! k l7 mif clng(admingroupid)<>0 then6 Y1 B3 w% l2 @2 X+ h
) a1 H9 S) m8 L% F+ h5 I, J
admin_lever_where=" and menuid in("&admin_page_lever&")"4 F$ Q4 j, F7 }8 q4 @; U, A
0 d9 s+ N8 t B7 q- {
end if% K g( C+ d# H" M
7 O2 u6 m8 t8 Q, |end if' W; j$ d w) u9 l# Q" M& u+ X
' P2 ?, C. d9 [9 p X
end if* a2 E5 [: V1 C+ S
6 U3 p6 Y: x% E Wend sub 2 e8 f8 X% E' {1 f' Q% }. s! [漏洞证明: ; t7 i/ X- q. T4 d: j/ O; M看看操作COOKIE的函数 7 j, c0 Y' t3 ]* ~1 t' @0 q0 h; P + U. b) G+ t W* C: `: e: ]$ d
public function loadcookie(t0) ) _3 @; G6 S% ?$ V+ B) K3 J / c9 Z0 }5 r8 W( m
loadcookie=request.cookies(prefix&t0)1 O# S$ A( x/ T0 Y# j2 o5 c% }
9 w5 `" ?9 \( ?% F* d
end function" s/ t, P) X" A, Y& Z' e
X& Y6 ?4 G/ K
public sub setcookie(byval t0,byval t1) , z2 {# w6 }. K 2 Q: O# \, }3 }" j+ c2 r- s
response.cookies(prefix&t0)=t1: Q, n Q6 p! ~! f
5 k$ T* K) f4 Z( N! K& _3 {end sub; N3 O+ V9 B& x
1 i# e6 o; b" [$ x- Yprefix 8 V4 W9 j. v! u5 u1 ~ 3 D- e2 x# L. c* n'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值" E$ f% w$ s# E$ H' [) Q
( n. P. t8 c0 l7 Y
dim prefix # r0 O) X5 a2 t' X: O9 f & B8 n$ c. y. \! @2 k( k
prefix="1Jb8Ob"$ r( x/ T! y4 H# p P/ C
5 y2 ^' Q9 f% U1 E' d x) f7 _'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 2 g* Z$ v! D' d9 p 5 F% M7 A1 ^7 C4 t! Ssub out; q7 J5 ?; F, t$ x# n
1 r m3 j" E8 g9 [6 T8 I- c
sdcms.setsession "adminid","" * z8 y, K! A2 o* P4 T ) S3 {8 [# V; c
sdcms.setsession "adminname",""# X. @0 N" z) u) U* S* O2 w3 k3 B
" N J3 ] t# a( n# s' u
sdcms.setsession "admingroupid","" - h' ]8 _& @- Z# J+ M9 O8 z0 J 6 P* u. P' x0 |: Z4 r) P- H' Hsdcms.setcookie "adminid",""6 Z$ A+ ?/ ?. u" C
# E- k' }4 b4 W' bsdcms.setcookie "loginkey",""+ J: J! g/ a: Z. m9 h1 V% q8 R
, _$ \# L1 Y3 ?3 p& @/ @7 e6 F8 esdcms.setcookie "islogin","" & | d0 j( Q f. z/ L: T1 C 8 U; J4 Y: F( [9 V: _* J( H% }sdcms.go "login.asp"! p+ \1 g: Q. Z1 N9 l( q) p
- q" y3 F b' e, j- f. i7 f+ d, ]
end sub. k p. f) x# z3 l" u0 I+ ^
2 Q' K5 l, h' l; ]$ L0 C
, A* B4 }9 d$ Z# D$ A0 \6 a' c
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!, R2 ]. {3 d+ U) m4 D
修复方案:* ~/ ?. v7 J3 z/ T7 O9 b
修改函数! |# j6 V' l/ M) I