要描述:
+ Y9 a8 O9 N& K
2 g5 K- m( ]1 A, ASDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试/ f R( D% S/ N- |+ _. Z
详细说明:. Y- v6 J( [; v
Islogin //判断登录的方法
7 A; N2 R2 Z) w+ f+ P+ A5 } 9 X6 I3 {6 S' }$ A( x
sub islogin()$ _3 W0 e; M9 S
2 A4 y# R$ l" d0 v2 Uif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 7 s5 @+ g4 P6 ~
& v- c0 Q& ]! q( [
dim t0,t1,t2
" @4 w' n$ Z4 r4 r8 n # |7 h( E; X4 z- s8 S
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 5 {7 M" x! u G
8 M* `: C3 @- B& F! v
t1=sdcms.loadcookie("islogin")
+ l: S/ l! s# Y0 M6 T/ E' L6 t( T
4 E# {6 B8 q7 F' `5 M1 K/ ot2=sdcms.loadcookie("loginkey")8 B9 U' q8 A2 f6 I6 v
' m" H0 s* `2 q4 Mif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行" P7 H: |- l& R' j
9 U, R1 X* O( i ?6 ?( U
//
. P- c6 x" C4 S6 r ; J+ l* Z3 O2 _% l. J& W
sdcms.go "login.asp?act=out"
9 y k% }* ~; u
7 @' m8 d1 ^6 @5 N/ p- @exit sub
. e$ N: ?# e7 e& k* K
& @, g+ p! J0 i eelse
J9 n# w4 d" O" b5 E+ s8 q- h " w: f1 T: c6 a- r- U
dim data
/ S4 l9 t. J. l2 x% z; C" }6 X
I( q4 K/ R) D5 L0 v6 C; d i6 qdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控! ^- d0 _0 W, T' g5 J8 m, o* ~! E
' X, `$ C# c' J8 s2 S0 m! bif ubound(data)<0 then
% F) J/ C4 K, T( @6 E
, }( ^0 m+ V$ A. E$ B5 `sdcms.go "login.asp?act=out"
7 u* Z$ K9 g- t( i
+ y( {% B% N2 G# lexit sub/ n2 i3 Z; Y+ C1 N8 \
" Y6 P, b. m; F9 D( W$ }else% q$ X2 H) g: g) p R* }) Z
5 U' `: B( A% n: Q
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then i/ D% o0 ]7 o. P5 x U
; A; d' {- x2 S, \0 V# f8 V% o& q. l
sdcms.go "login.asp?act=out"
$ t6 C+ k% e0 m5 W$ v4 |0 q+ l $ f: q+ y7 n& ^1 S
exit sub
# ]8 h7 F" b% d- j7 [0 }4 j
f7 B# @1 M: a% xelse3 E% }" \) y3 p+ u- H
; u5 H) h3 t/ radminid=data(0,0)
. X! s: n6 [2 e" x' T* i# t' p, j+ P; t 5 }+ o/ `, ~6 p# Q0 g
adminname=data(1,0). K) e; R8 P3 ]$ u* H# H
2 O% M, h2 n; R0 s4 d9 N, Z
admin_page_lever=data(5,0)
/ r9 S) N' o: l3 w! p7 o" z% O ; j2 x' z) E" O) u7 v
admin_cate_array=data(6,0)
1 M* g" F [% a. B) j, R$ h! B 6 M4 h+ }2 _" F3 K
admin_cate_lever=data(7,0) f' D) c( O" }# M ^! g
/ t+ [9 x5 z, A$ c/ Mif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=07 p& v7 F Z' E# W3 D8 e
4 g# F0 ?( Y5 k6 J& e$ @2 V. D7 o
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
) O9 u* k0 l9 x) ?2 e
, E8 p9 X# D& W- ?if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=08 O( |/ U# l2 h2 [% [
! b! D, f, ~3 R2 ?: Xif clng(admingroupid)<>0 then
: m' n6 ]# g2 h) s, O/ C, ^5 p/ D5 J
9 h/ Y- C+ Y0 }- v3 z* @8 |admin_lever_where=" and menuid in("&admin_page_lever&")"% }9 g. X/ b- f( l0 T
: Y' D7 k1 _+ \3 B+ _
end if( E& k0 n: s2 Z9 Q9 k& w. |
8 d1 h9 O! H/ |# q% Ysdcms.setsession "adminid",adminid
& G8 r& d/ ] n! }1 q' Z
- O P: r1 T2 M% Osdcms.setsession "adminname",adminname9 z& O9 d, v( i
* _- M. Q" Q4 r: v4 M# ?sdcms.setsession "admingroupid",data(4,0)
0 z" v. E. |0 @9 T) Z o% \ * k2 R5 ~2 E4 |6 p' n& b6 m6 L
end if# q6 l! N) \6 G+ K
8 M. Q* l) \9 Q" f% V" e- T$ t5 u& ?
end if
3 d0 D/ m# h8 f
. P7 k* \$ a! ?3 b3 k) n% }, k4 {end if* H" r/ ]1 Q9 h4 X2 }' E6 }
2 q8 m: L5 y- s: n7 I& L2 Kelse( @2 {* d5 @- j* O# o- ?! ?; {
4 u" [, r; q6 h4 w. \0 d4 B$ edata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
b. V. y, w, X0 H& x
# q9 \* q7 }7 H( t4 J0 |' W; Oif ubound(data)<0 then% W: C: F7 A' C) ~* |3 I
[1 q: Y/ S; j/ L4 K6 w/ W2 j
sdcms.go "login.asp?act=out"4 J' o3 T; `$ u8 _& S7 {$ K
, N! i, {$ ~$ G. O
exit sub R8 N. }7 V7 M, M2 I$ ]9 z$ z% |
% a& i: [8 u. m9 Q0 P1 {
else
6 _* F% W, `$ @! ]- {; {
* ?" \: H6 d4 ~ O7 c. m2 Iadmin_page_lever=data(0,0)5 }) O: D8 s S9 f9 k- {
8 |, A* t( C2 c8 Q9 ?
admin_cate_array=data(1,0)9 b) K7 j/ p% [+ S6 i+ X
/ v1 t V1 d p/ X! Q% h: D8 q: xadmin_cate_lever=data(2,0)8 ?7 k) s& A' |" Q& }
0 b% \$ j2 d8 ~3 C2 pif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0; K z+ ~; j( r p6 X, e% [
+ B# M# U! C I; i0 {2 U. [6 B
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
/ m9 R; S' ^9 \' ] / Y3 p* w+ l' N* r% _; K8 q& p
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
$ ?+ _. T W; H& b , i/ w& I ]2 z6 L
if clng(admingroupid)<>0 then
: P8 a- q( W, @ z! [5 F8 b! \ 4 h$ x3 T' U4 I" @ J
admin_lever_where=" and menuid in("&admin_page_lever&")"4 s0 f) n1 @. {: w4 X+ z& x
* Q8 Z7 b& F6 h
end if
. C, ]' V, P4 _2 V1 ] % s8 ]! L+ ?+ T8 i0 ^) a! |: M/ ]
end if
# R3 ~" N4 h7 @) e6 I 6 J# M3 N6 Y$ P' J% u
end if$ G5 z# `# o6 Q8 ~3 F+ l
- G7 N# L5 e& Q0 ]end sub4 o) S" h0 c' r; f9 M
漏洞证明:
# C) H3 B- O6 I& j看看操作COOKIE的函数3 e/ @! U4 n. x$ ^2 g2 q3 Y7 G
4 M g- H$ R# l* _( ~% m2 A
public function loadcookie(t0)
1 `$ n" j0 v' G6 T, r8 q3 s6 d ' W+ [8 {: V/ x- D, y
loadcookie=request.cookies(prefix&t0)3 M/ i( k% ~8 |4 y5 v5 e
$ ]2 H4 [6 ~1 S/ Q/ E' ^" s) B6 Yend function6 {- j& A; H+ H5 B. N
$ a+ |, e4 w5 v( e2 x6 }7 u& `
public sub setcookie(byval t0,byval t1)
; X( h: g( I, J6 a2 I5 w O' J( u$ u; w4 F6 Z/ e% I- O
response.cookies(prefix&t0)=t1
7 \$ O t, B" W' K/ j; @
5 J3 _2 O7 V6 j. e7 w% hend sub
9 s! B( a$ D* @* q0 e5 X5 R7 i * S) f2 d1 h: e+ f2 Z& F. F
prefix
- G. u, W- N7 X: A
$ x" ? M- i2 b" ], g- J7 J3 m z" U'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
. ~5 u# U- O' U# w, h7 ] y 6 C% K7 p8 }- G2 A0 V
dim prefix6 a+ ?; c* i* |, b' `6 E
# Z5 N0 v" t' z* S
prefix="1Jb8Ob"
* A7 g) C3 Q* ^1 D; O' { - L8 W' f7 m6 c8 c) x
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
& H1 K7 X( u a* \1 M4 [0 l" J
! @. u5 }, H: o6 O& `- V# nsub out
9 D L/ C! v) F" _; E4 ?
4 h% h/ Q5 W4 @( psdcms.setsession "adminid",""! z) A: `5 _/ H2 B3 C/ M( |& Z4 H" G
2 J# W1 ^+ Y- L; A; c- ?/ jsdcms.setsession "adminname",""
7 d8 t; N% I# h$ G5 g w 6 @* z0 _9 L3 l/ N
sdcms.setsession "admingroupid",""
0 x# f0 {% q& J8 w( a & D4 Z7 U: `4 N+ t6 Q* c8 m4 q+ V
sdcms.setcookie "adminid",""9 L9 x$ w5 n! g0 J. F. j
' b& [2 b6 ^! L
sdcms.setcookie "loginkey",""
0 ]3 v# I+ Q$ {- @& ^
0 _1 m& T [ `. D1 Vsdcms.setcookie "islogin",""
+ ?+ a8 {) g$ B z" l" m- Y # X- S3 l: V8 \$ a
sdcms.go "login.asp"
, l4 Q* E. D4 b; i) R 2 H. S0 Y! n+ ~7 e! J
end sub
4 l4 ~: V5 j, N/ N* x/ X+ F
0 G B. Q1 w1 L/ i ^) h 2 E- O' m6 ] M
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!7 n) v' \7 c" a' D4 k
修复方案:
z8 L6 o- e' U3 Z) V1 k修改函数!& T8 b# P. H8 J7 s' q9 [' d' T& l2 V
|
发表于 2013-7-26 12:42:43
收藏
支持
反对