; D5 b& A- t( p3 Lif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 8 s$ u( A( F8 B. P : G0 k4 _- S! O$ P" hdim t0,t1,t2 2 z' n) |! I# g) H8 Q; \+ m# z5 t. B
% i7 \0 u9 m) a. V6 h- Tt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 9 i9 U& ^& V" Y 9 X* H2 Q' \; p; v
t1=sdcms.loadcookie("islogin") % c- s. i, K& r3 R1 v % K+ V* {4 s4 ?" at2=sdcms.loadcookie("loginkey")9 \8 b1 A( b. q; \( t
8 S% V$ _, T6 {) lif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行 8 H- o2 [; e% k5 j3 ~ , G2 n7 N" ]& t; g2 Z//. K) P" b' p) u
2 `' Z% f6 |+ G& d" Nsdcms.go "login.asp?act=out"" ~& A: w& k- B$ W) p* [4 @
0 L. j3 _" A. b$ Q; y' Y
exit sub4 R8 [% a% D3 c1 s# t9 { J
, m8 B6 U8 \6 W% g* d0 t9 m
else 1 P8 m! G# g0 w' c! m/ j' N% U ) L/ {( E7 T& l
dim data 6 X, Y5 ?; J/ E. ]8 \ X- @5 Z$ _ % r1 c: v* F, c0 V: I( o
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控( j! t! D5 p0 Q; G7 d/ {( B3 q
0 j& A% F/ E8 b" J, {8 D, g, }
if ubound(data)<0 then / e8 _- B* a6 q i, K4 o/ L* v 5 ` e" Y3 c1 z# W9 ?2 V# M
sdcms.go "login.asp?act=out" 4 r; k8 @- D( g5 u* W' k2 X7 k% Y - I6 g; [( O& d" [& D, U
exit sub' g2 ]8 h! F) }
: [+ B& b9 V U9 C$ k! |
else: l1 [# }% ^1 g1 ]
: E/ ~: b8 D6 A
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then+ r9 B T- Q7 |* {2 b
+ f: s" ~# ~* Q. q- G. P9 wsdcms.go "login.asp?act=out" 9 C1 U1 A& o% V 4 I$ [, B* ?/ \" Y' v9 Q) d, H! Y$ I1 J
exit sub q+ _4 S+ M U: ^9 j H
# d# W6 `' D2 `/ {; celse3 P& u9 o2 Z$ d
; B g: A- ], L8 qadminid=data(0,0) ; j" h) n. @# W, l 0 l" l1 C& [" O2 Cadminname=data(1,0)( E- h8 C5 V2 u
. |6 n3 D k, j6 E. z8 }* Tadmin_page_lever=data(5,0) % v' j; v# W3 y' m ! [ q# G3 o# g) qadmin_cate_array=data(6,0) ( C ^' [" y) H! z- t" Q5 G - F9 `# {% C! `& X( J
admin_cate_lever=data(7,0) . v- p: I) [) ?& ^0 N& L8 v " r8 d$ o# _: R: }3 d& `3 Bif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0, `! A+ p; s* s h, E' c+ ~* j. ]1 M
7 ~/ ^" U+ t5 {8 |if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 E) h: U6 W! V3 r% M4 L2 u% t 6 N& R9 z9 J; L' e6 Kif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0 N% l6 e: @, a, k+ S5 [8 B 5 H2 S# W) K: m. nif clng(admingroupid)<>0 then 1 g$ l$ ~1 d: p; [/ H0 \6 Y # h0 P! E" P; e' Nadmin_lever_where=" and menuid in("&admin_page_lever&")" & y! F# T; i2 d; O" h! u 3 r( Y9 W5 Q+ v
end if* }& o" }2 M- ]/ E
* J, C2 w `8 Vsdcms.setsession "adminid",adminid/ \" O4 O$ f8 m1 k
/ ~% A# W; O7 o0 q0 L% N) U3 p6 N* {
sdcms.setsession "adminname",adminname 0 G2 h3 M+ u& h& m 3 D& k/ A# F3 ]" p. z1 g, s2 ]. ^
sdcms.setsession "admingroupid",data(4,0) 3 G, r) P) A0 T3 d 5 e' t2 N2 F5 p S* x' ]0 gend if% G1 j. ~; J N+ y+ u
8 w% N! r: N, z
end if+ \. v, A/ o; W+ u- _
$ r7 t, ]2 G4 ^
end if! _3 Z3 `$ w* G- [0 E" n
) ]1 O' {) a( B! Helse 4 u3 f7 X! e4 ` 4 }) Y: }, k, ~, g
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")) n7 C, l- D1 {0 ?9 F' O
& C! R4 m9 e7 ~0 v+ W. ?6 m
if ubound(data)<0 then 1 |' d6 x; u8 R" g4 \" q- Q * F8 c8 d) J% u& \# ~sdcms.go "login.asp?act=out" ; E& @. L! I! x; w; V - Y8 J) B' c2 J- b3 D- bexit sub4 ]7 H- b: I3 A1 I- O
' h; J" w4 h2 r9 ?0 ^+ celse# E! c' R1 ^" |: P! j# b& R8 b
+ n+ M/ V0 E" i% B( K2 S% y: n" x4 }
admin_page_lever=data(0,0) ! f, ]$ b# h* z' Z) @& o2 f- @! N 5 M9 q, _1 N2 ]+ Y+ M
admin_cate_array=data(1,0) 3 w# o9 m( U8 h% f) r' h W ! x- o# u6 s! u% o5 |- ~admin_cate_lever=data(2,0) - c- Y$ u8 @# D; K9 b : t% b; I0 X, k( G) C) d, Kif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 8 E0 i ?7 G, ? T$ k1 ?4 Q6 P, E9 l: g5 J
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 : { g8 b5 Y/ e" c2 ^8 n e- q) ^" N: L8 U% Fif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0" D7 w; I6 C t3 @
5 E9 t+ O& ^' F; g6 j! g( q" c* o$ ]if clng(admingroupid)<>0 then 7 p1 ^3 v6 R+ f 9 d4 Y4 J& @1 h( B6 e
admin_lever_where=" and menuid in("&admin_page_lever&")" ! S8 V# _* ?# }* m. u7 K1 [ - s" E% S6 I2 }end if( r: @8 ~4 a. z( k" \- m
/ ?3 q6 V' |7 q2 F, L& w& Yend if ' R% E) R/ L& K. e* B . M& X. u% O6 e: J- @; c }end if 5 \9 y* Z$ G4 u6 P- `4 I% W E % h9 J2 N# C# T: |( s$ qend sub , x- @1 H }! s5 p' `+ B% `漏洞证明:- ]( k+ Z9 V8 `
看看操作 COOKIE 的函数:
& N/ \1 a: z; J8 y- ^% {: @
' Return the raw value of the request cookie named prefix & t0.
' The value is handed back exactly as the client sent it: nothing here decodes,
' validates or integrity-checks it, so every caller must treat the result as
' untrusted, attacker-controlled input.
public function loadcookie(t0)
    dim cookiename
    cookiename = prefix & t0
    loadcookie = request.cookies(cookiename)
end function
( Z/ I! Z+ K6 x
' Write t1 into the response cookie named prefix & t0.
' Only the cookie value is assigned; this helper sets no Expires, Path, Domain
' or Secure attribute, so the cookie carries whatever defaults the server applies.
public sub setcookie(byval t0,byval t1)
    dim cookiename
    cookiename = prefix & t0
    response.cookies(cookiename) = t1
end sub
prefix
; M7 f( k. l0 N+ P- ^
' Name prefix prepended to every cookie/session key by loadcookie/setcookie.
' If this program is installed more than once under the same hosting space,
' give each installation a different value so their cookies do not collide.
dim prefix : prefix = "1Jb8Ob"
- w9 ]4 x- R4 s& G7 _'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 ' c/ Y8 A6 N0 r2 W. C& y' w5 A: B . Q7 H4 g3 k2 Y, K! S* h
' Log the administrator out: blank the three admin session slots, blank the
' three login cookies (adminid, loginkey, islogin) and redirect to login.asp.
' The cookies are emptied, not expired, so they still exist on the client
' with an empty value after this runs.
sub out
    dim slot
    for each slot in array("adminid", "adminname", "admingroupid")
        sdcms.setsession slot, ""
    next
    for each slot in array("adminid", "loginkey", "islogin")
        sdcms.setcookie slot, ""
    next
    sdcms.go "login.asp"
end sub
4 J7 \9 z4 z( w 2 |5 R" U4 Q. L 1 T! i: C. s" R$ Z, _利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了! & x$ E% i6 W; D# D! N/ f修复方案: + \/ g7 A M8 M5 P: L3 h修改函数!0 k0 J) Z/ `4 x