SDCMS 后台绕过直接进入：测试版本 2.0 beta2，其他版本未测试。详细说明：islogin 是后台用来判断登录状态的方法，代码如下：
sub islogin()
    ' Admin back-end login check. If the session already carries adminid and
    ' adminname, only the group permission fields are reloaded; otherwise the
    ' caller is re-authenticated from three request cookies (adminid, islogin,
    ' loginkey). Every failure path redirects to login.asp?act=out and leaves
    ' the sub.
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        ' All three inputs come straight from request cookies (see loadcookie),
        ' so each value is client-controlled.
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' Reporter's note: this check is very weak. loginkey (t2) only has to be
        ' exactly 50 characters long for execution to continue; its content is
        ' not examined here at all.
        ' NOTE(review): getint(...,0) appears to default t0 to 0, in which case
        ' strlen(t0) is 1 and the first clause can never fail either — confirm
        ' against getint.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' Reporter's note: the admin row is looked up by the cookie-supplied
            ' id, so the client chooses which admin account to become.
            ' (t0 has been through getint, so what is concatenated is an integer,
            ' not raw cookie text.)
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' NOTE(review): this is the only place the cookie token is
                ' compared with anything, and the comparison is dead code:
                ' VBScript InStr returns 0 when the substring is not found (and
                ' Null when an argument is Null), never a negative value, so
                ' "<0" is never true. The only rejection left is data(3,0)=0
                ' (the islock column). Together with the cookie-chosen adminid
                ' above, a client sending adminid=<id>, any non-empty islogin and
                ' a 50-character loginkey is logged in as that admin. A real
                ' check would be instr(...)=0 with explicit Null handling, and
                ' the token itself should be validated, not just its length.
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    ' Empty permission fields are normalised to 0.
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    ' Non-zero groups get a menu filter built from pagelever.
                    ' NOTE(review): admingroupid is read here before the session
                    ' value is written below; what clng() sees at this point
                    ' depends on code outside this listing.
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        ' Session already authenticated: only refresh the group permission
        ' fields for the session's adminid.
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            ' Empty permission fields are normalised to 0, as in the cookie branch.
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
漏洞证明：先看操作 COOKIE 的函数。
' Returns the request cookie named prefix & t0.
' This is a plain lookup: nothing here signs, decrypts or validates the
' value, so whatever islogin() receives from it is client-controlled.
public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function
5 j- U3 }$ U" l+ I8 }
' Writes the response cookie named prefix & t0 with value t1.
' Only the value is set; nothing visible here adds HttpOnly, Secure, path
' or expiry attributes to the cookie.
public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub
prefix（cookie 名称前缀）：
' Variable prefix: if this program is installed more than once under one
' hosting space, configure a different value for each installation.
' NOTE(review): prefix is a namespace for session/cookie names, not a secret.
' It is part of every cookie name sent to the client, so it adds no
' protection to the checks in islogin().
dim prefix
' Reporter's note: this value can be obtained simply by visiting
' admin/login.asp?act=out and reading the cookie names it sets.
prefix="1Jb8Ob"
' Logout: clears the three admin session keys and blanks the three login
' cookies, then redirects to login.asp.
' Because setcookie emits the prefixed cookie names, the Set-Cookie headers
' produced here disclose prefix to any client — which is how the reporter
' recovered it.
sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub