标题: SDCMS后台绕过直接进入漏洞 作者: admin 时间: 2013-7-26 12:42 简要描述: SDCMS后台绕过直接进入:测试版本 2.0 beta2,其他版本未测试。根本原因在 islogin() 的 cookie 校验:loginkey 只检查长度是否为 50,而后面的 instr(...)<0 判断在 VBScript 中永远不成立(InStr 未找到时返回 0,不会返回负数),因此只要伪造 adminid cookie 为任意未锁定管理员的 ID,再配上任意 islogin 值和 50 个字符的 loginkey,即可直接以该管理员身份进入后台。
详细说明: islogin //判断登录的方法
sub islogin()
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then ( L! V/ L. j0 Q* v! n) r! B 1 x( X @9 B1 y6 ~- p* ]- }
dim t0,t1,t2 # W' ]0 l* R' \# v ( h3 k6 }% o( {$ H, T, Jt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie + j( b m: y+ q4 \ q3 V. Z/ L- u
4 p" K: z& D$ o+ Ot1=sdcms.loadcookie("islogin"), T! J5 C& b$ D
) k* t# e2 i4 L
t2=sdcms.loadcookie("loginkey")5 R7 b; w z+ B
6 k+ B. n2 r! l1 I( @/ |if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行 ; R6 b2 B" t1 m4 N $ G' q0 v0 M8 z! T
// + X! V: }; M: i1 r1 X/ L' l o - g% F7 x: ?7 Y1 csdcms.go "login.asp?act=out"* ~1 z2 `, R- u" y, V: k0 E
; H& f/ R5 ~( V" i8 l
exit sub ( [/ j2 i) h' V! `7 f 9 Y6 y6 h/ P" a$ M' o5 J1 W6 Zelse ( Y0 P" K D- b- u% d: Q" u. _9 K N ' v/ W( V" Q; P( |+ z+ y+ y& |dim data3 j H+ j9 n7 o. F% X$ d
) R5 h* Z8 s% \9 Y# x( T
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控( r0 a. ?% ~9 H! o
- n5 h- V5 G m( u0 O5 L8 [
if ubound(data)<0 then ' Y$ ?: e. C6 t- n ` $ z% u' t' U" {* o2 F/ hsdcms.go "login.asp?act=out" ! |) b( { h* t v; E6 f3 b% @ 3 ]8 I) Z- K2 b# z/ t4 z" f, K, kexit sub( t; b9 W, `! P4 W0 m) M9 k0 @) s
D+ m1 A( F7 ]* V7 i! E0 a( zelse% o: Z* m. J# I2 }! V
& N o0 q0 Q7 k; f2 e3 e& z
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then : u6 T; j, _9 C! T" [) v # {) V0 F8 g! @+ y9 [* I% @6 w$ Z
sdcms.go "login.asp?act=out" J1 K, Z6 b( u& L( Q: \ " Y2 Y( o# G" ?! v' Dexit sub u) k3 j% c. L4 S$ ~ E
' l, b+ R1 k3 b% V% u- o" R3 a" L
else8 V2 d% L0 {4 O* y) O5 T) M
4 V+ l( Q3 h# Kadminid=data(0,0) 4 p* v% y( y- A/ p. ` / {/ D# ]; W: k5 e. H
adminname=data(1,0) ; A# F) r3 B) [2 B 4 A+ `1 u: K. p( D0 U; ladmin_page_lever=data(5,0) . J5 t$ F ^ U 6 S2 ]- H& |* Q4 _ H
admin_cate_array=data(6,0) 8 c y3 R! I, D3 S- w ~( B # P. _# q7 E; `' P1 C& t" ?admin_cate_lever=data(7,0) : {$ B$ N; [8 M5 |% H& v4 r ! e* \5 b" {% W9 n$ wif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 n' Z' M& e. K- k! Z
' R; m" D9 ]. y& [
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=02 T) }$ E4 b+ _7 L4 n
* K$ W3 u ?# F$ J9 y) d4 j0 t
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=02 T$ Z$ D5 _7 C
# B0 S7 V' c7 Yif clng(admingroupid)<>0 then 9 R/ T5 p* y: @1 z ~/ X R . F) _' `; M. H* I% H
admin_lever_where=" and menuid in("&admin_page_lever&")"5 i+ ?1 d+ N3 Z2 ?
0 j( G* o5 G3 ], p$ \
end if ( a; c, g- A8 r U 0 d, R/ i# a$ L# u
sdcms.setsession "adminid",adminid) p) v! o; ~, L' s/ d
9 U% r, _$ e& a# Z- L+ R9 j, M
sdcms.setsession "adminname",adminname 6 z' {: B* K5 N# K" O6 {1 U8 Q : {' |+ B/ t% w. P; e$ r6 |
sdcms.setsession "admingroupid",data(4,0)4 P% X; y5 M9 p# j% Z
8 V$ b. b1 S$ K' Z+ ~2 J1 B6 m5 ?
end if 0 y8 R8 \- B2 k: H: U. j$ z' j3 O1 h 6 E7 e. B) L; E3 T, R/ E
end if . J& z5 Z/ i, E1 Z5 u 2 H& p! B) [' {4 G( M6 J2 h! s
end if) h) b) Q4 n8 O) ~0 {& C
" m, s. K) Y: ?1 c1 A# Yelse . d) U# f9 u& G+ _7 O ' g1 O6 @- [7 ?# L, _
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")3 Z. X, M7 L, Q* w+ ]" S
; o9 o6 k7 k8 a7 y5 c. L" j8 zif ubound(data)<0 then 1 j6 U- N |: o: g # o' [7 k2 b( t0 ^4 K% D2 Psdcms.go "login.asp?act=out"& h. a6 z; e2 u" `9 {% W