要描述:4 O- L2 j, m" ]( I2 H$ P
+ K, y) n" v8 FSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试) `2 {" Q: e S. D0 T
详细说明:0 c. a0 l* V) w0 D* y
Islogin //判断登录的方法
; k% ?2 L9 n6 S8 [ , u7 E+ d/ p! S5 o" ~
sub islogin()
d2 V0 Y p. o% }1 d+ t( l ! @ O" Z; O3 T, t3 h
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
; g' C" @+ ^- Q2 z9 @ : G+ x/ D$ C1 z4 a
dim t0,t1,t2
* j6 g+ {2 b" Q; A1 r8 Y % i/ O9 K Q' N @/ G" A
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
+ q3 s6 t! H% T+ ] 9 C0 s/ D) e' n1 W& T W& l
t1=sdcms.loadcookie("islogin")
. ^# J5 F* _6 X" h; c 4 b6 E1 k, P8 u/ I# w
t2=sdcms.loadcookie("loginkey")
) H+ a" B) N# l# p
% A; T) N0 l5 ~2 i6 M2 k# g r4 `" aif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
% o$ O4 [" A! a1 x5 e5 E( Q 1 T* G& c2 G' ?' u) n
//
* k" }$ j# ~+ x9 `0 [( X4 k* t 9 v+ {" k/ t6 q# D7 o1 H+ g
sdcms.go "login.asp?act=out"1 k0 E1 t/ ^; @7 K5 j4 V3 N/ W
4 ^4 u9 X& C' C5 u3 Pexit sub3 I- n* v* |4 Y* x' N- P
8 i# F# i7 T3 Y7 J$ P1 g5 r
else6 J: p m! {% w0 f, F. @6 i. L* ^
) ]$ g5 ]. d7 v% K- qdim data
" F* J% `: ]+ j8 k2 J, b / ]* V" y) X) l9 [3 a( e% v' x) o; J7 ?
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
. d: }2 I) s! ` Z ) {3 `* \0 |% J5 ]
if ubound(data)<0 then
1 Q( g2 o+ h- [" Z) } - v, S, V. r: u- M+ h: x: j
sdcms.go "login.asp?act=out"
+ j0 C( n* \9 s7 W+ q( ~ 1 N, M5 ~- N; W d3 b: @
exit sub6 ~7 G% G1 ]) X
7 M5 n* b) }3 A) Q# c
else
( v$ x2 G2 Q: S2 R; U p
# T) T9 ^- F0 ?3 M! Qif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then& N/ {& L! l, P1 q( `
5 V: }( H2 X* s; H8 C2 F
sdcms.go "login.asp?act=out"
$ X- v/ o2 e! ^; v0 J* Y
9 m9 g6 j) X, {4 V: h( s. y, Gexit sub
% Z$ E F0 o6 w+ B0 ~ 9 i! _% v8 \$ k$ y7 ~6 ^$ x
else9 Q/ i) r. B! k6 x
7 p' ~+ N' [' q4 P' t% Cadminid=data(0,0)
- i* I& j A2 a) Y* ` , v3 N" W; V- \! i; h1 e, B! s
adminname=data(1,0)
# _; l5 [+ {! I' ^& f5 [
; }" z! G/ A8 k+ i; Y% ]9 Radmin_page_lever=data(5,0)3 ~9 q3 _" X, j0 \2 s- c
# E& v1 y9 Z* h
admin_cate_array=data(6,0)
* `+ Q& v8 V3 d4 F- H) ]$ B 3 O% S* |$ f7 @8 Z
admin_cate_lever=data(7,0), X S! R, O9 r/ c7 m+ ~% Q$ c
& m, ]8 R6 N) y2 A# w. A) xif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0$ q% t- O9 v' J8 G
' o. U2 r2 W* J6 [: fif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
8 N# V. M. C! Z2 _7 I # V0 _+ h8 t6 ^, H2 O
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
Z: z1 K3 W& Z8 ? v& n 7 |1 A: b3 D4 ~7 \; c3 _
if clng(admingroupid)<>0 then
T3 k- U/ ]6 q' ~% @ 2 w7 z3 g! y% y) c3 W
admin_lever_where=" and menuid in("&admin_page_lever&")"% Y8 q( X+ m: u# z3 d0 a w5 z3 T
$ ?; ]) Y9 P7 r$ j4 A/ x
end if
) C8 e" n; j; K9 O$ ?
^* A7 K1 t- l$ A( \- Esdcms.setsession "adminid",adminid" ~, T, b& R' ^
% f2 {! ^: t5 s% y, l% lsdcms.setsession "adminname",adminname
/ z. x: Z' m t ; Y7 K$ w( b5 V, M: B
sdcms.setsession "admingroupid",data(4,0)
! D0 C- a/ h3 k9 w5 W
! u: P/ ~' Y; b- dend if0 q4 L6 s% Y: I/ y! | B U$ e
6 P& s" v3 |8 t+ W0 E q6 t! {
end if( ?$ t; m. m0 p' c+ K) i; }
* K6 ?3 V6 z# K0 P3 t( u2 f8 ^. K
end if3 K! W) W1 S0 q2 R; I
$ F3 C% M0 W0 b& Z/ Pelse
" V x, N' E+ }' H
. w# v. l5 J: {( e* j7 Udata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"",""), P3 ^. D; p/ \/ {+ b
4 v B2 Y* i" [* F! H& B" Qif ubound(data)<0 then
, N' E! K$ q' u: Q- ^. d; I . d8 `0 o, w5 Q/ |
sdcms.go "login.asp?act=out"
) {, \; K4 v" L1 E6 b# ]- @ 0 r# i% o# V! U+ h, |
exit sub( v0 w H: u: V! E
! t& L7 Q% }0 ?; Aelse$ j R: g8 Y* [4 a9 H# Z) [
1 B! h& g9 h( D, Wadmin_page_lever=data(0,0)
5 w$ k- W1 m% ` , n& k: g; e; B- V# p @
admin_cate_array=data(1,0)# O' T! i1 o8 G7 K- e6 _! E J, |8 r
/ w h' B. q: i4 \
admin_cate_lever=data(2,0)
+ k: ^7 ]( s) y6 o" b, ]' O
, [6 B7 |3 ~* Z7 v4 m" `% Tif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
7 S3 d+ P Z; Y/ g3 e6 ?" _) D2 W9 n
5 P* n3 D* n7 z+ {if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
4 q% [: r B- y
3 A5 ^% [% s+ {if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* c% @' z* a! t6 Z ' l0 r( ?1 Q5 J4 s
if clng(admingroupid)<>0 then$ R8 e2 f8 K- O; x2 |5 u& E2 U* B1 b
- B2 @( D& I2 n0 d/ B
admin_lever_where=" and menuid in("&admin_page_lever&")"
; j* t H( k* D. _ Y 5 a. C0 q5 g. ~! _5 C) P( a
end if
, Q2 Q; s% C& u% P) Y
$ c$ j0 r( G. B; u; W/ v( o; |end if
K7 k) m. z+ ^
6 |+ s* T$ @% T) Iend if
9 J' R- |& @4 c9 P ; T2 c6 @ C% f6 u/ z$ O
end sub4 o8 M9 \: \7 m; g& e
漏洞证明:
" K8 \ ?; r1 A/ N$ _2 [看看操作COOKIE的函数# p: m# Y* N+ T) ]" R5 u
1 b6 s; w; N# r5 p
public function loadcookie(t0)
( x5 E, T7 M2 s5 u) u! C0 B , M* H9 y9 j& Z4 |# z# Q+ e- B% R
loadcookie=request.cookies(prefix&t0)9 H. V: ?* v! W; h8 r& [! R
6 j1 p/ S0 X0 W: F
end function: {3 u* F* ]. y+ e8 h) G1 ^6 {
6 J# o0 k6 l* W3 e+ ipublic sub setcookie(byval t0,byval t1)% h0 z) x: s+ y4 S) w
! ^* B( N6 }) p! G& z8 i' iresponse.cookies(prefix&t0)=t1, w1 Q9 {6 {( S$ G4 X; r# z
x# S4 h" x( x: u: Y+ xend sub
+ s6 b3 X' x# r5 O) N$ x# [7 s& Q
/ R' e: T {" _: _1 C$ d/ ]prefix
, J- }* b& x$ A# v
( G0 C. m: [' N! C8 C! ~'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值+ @& C1 H# i& K; m& x* }. M
$ a& ~& d; J8 ~: D6 p7 }( m
dim prefix* t( I* R* R* A. e+ `! Q. D
7 |( R( i7 `" P% o
prefix="1Jb8Ob"# q' n: m& q( E: ?
* L( h. x S( X/ d7 ^% I/ J0 W, ['这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 ' [: q) D9 m1 V* P- v
8 H# M, o' w2 K1 e
sub out
0 I1 q+ L6 `9 ^ + b. V0 a6 M( ^: b
sdcms.setsession "adminid",""/ y6 I/ H7 o2 M5 {5 R$ T% [1 ^' n7 H
# P" J( r8 B" u( ^* c4 |sdcms.setsession "adminname",""8 W3 h5 n6 O% S* V' `& z# y
3 O8 G9 M1 H1 B6 z0 D
sdcms.setsession "admingroupid",""
' S5 {6 I0 k- q7 b0 q2 @ ; J ?4 P+ q' B/ |/ M3 Q$ P
sdcms.setcookie "adminid",""! H9 r1 |7 n8 ~6 i; m" P, ^
3 a) o( l& P! |! d, ]" N
sdcms.setcookie "loginkey",""' S+ k9 w4 x/ O+ v: a
2 @4 ~! ^: Z# V* r/ S9 q
sdcms.setcookie "islogin",""$ d/ s. \" y p# C
8 v! e# ], a! j) W4 esdcms.go "login.asp"6 W& Q/ k% Q+ r( V% Q; i. [. d/ D W
# t; ?7 |+ p* K# Send sub. \1 ?9 S7 e4 j' V8 u
* W8 u7 ~; k7 G" \
2 T: m, T; D, d0 F( ]利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!5 w( \. H3 Q- `2 H- g0 S
修复方案:
1 d# w2 D+ J: y. r7 K修改函数!2 X- K; g& s" |0 f
|
发表于 2013-7-26 12:42:43
收藏
支持
反对