要描述:, Q4 t% A* |5 S8 Q7 l! Y
0 ]0 u; v+ V/ R- E8 O# h5 PSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试/ G1 M3 k" N' j$ T, L
详细说明:! l. ?( [5 w" Z+ L3 C/ }( U3 a
Islogin //判断登录的方法$ Y- P/ a$ K6 x1 w
5 q$ w+ w+ H* z2 f
sub islogin()/ ~/ x5 B; W! P
' f$ ]5 f: z, }( o, [; I+ |
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
5 r& |! W. h- n5 S9 {
5 E4 \; @# u6 W0 ]1 Ndim t0,t1,t2 3 Y0 @! u( i4 h# }, J
7 l, m) j8 J, r+ k, g5 H
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
9 E+ H5 W% z9 ^) p% l/ [- M2 ^& N
% `$ m) J3 d) T5 W' W8 It1=sdcms.loadcookie("islogin")
. g$ e9 p5 w9 t) q8 \; U
* B# O# S' S4 `; B6 j6 z) Qt2=sdcms.loadcookie("loginkey")
3 z) Q. c- L- B 5 F% |% j3 x) t, ~' B6 j2 a
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行: a7 c, p5 i! R3 I0 W
9 u, B, d* ]( R5 J1 a5 G5 {//8 X5 r5 e+ O; \! |! f
/ E7 {4 o, e0 M3 D7 G9 U3 V
sdcms.go "login.asp?act=out"
; o# W! F6 `4 ~& J. e
2 S Z V" E4 n* V* I: Kexit sub
' U% J9 f3 n2 \. S : I; z9 |0 H, l9 u
else
1 h# Y& c6 P& ], l8 M( S" ~ ( V3 U; z% b* @. X3 W; g: I7 y
dim data
6 }/ ^: b, d- d' b( I6 U" t & I! _& I' i" ~* J& E) x U
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控9 B( P# S6 O3 h- ~: m
1 c6 C8 Q0 ~! f3 k7 s; A8 h; Q
if ubound(data)<0 then& z" n6 q! `7 T$ [) W, B' p
$ I9 j* o1 q% I D! D
sdcms.go "login.asp?act=out": g( F, l. y. c5 p. ?# {
- T" @0 O6 \$ m; B% C3 \# Z
exit sub+ v$ h3 D7 Y8 X: b5 ?# |1 m0 Z
* [) {2 F5 J; T2 t0 V- G8 nelse" f9 {$ F7 T& l$ O4 z. x9 G7 k
& }0 \8 Y e% _$ m U. eif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then/ f3 P, p9 i; {4 {) Z, A8 c$ T
0 G: ]5 |% I* e# h. V% R' E5 b! x3 ?+ z
sdcms.go "login.asp?act=out"
* O, ~. n; ]* t4 g/ i + h5 e7 X& ]9 P3 `" r) b- [; {9 k
exit sub
: S8 ?9 G B" j" a4 d/ T
4 P. @3 O3 Z# S5 \else& C h$ Z( s. I. f7 ]2 d, Z8 }6 C
: q. a% T- A* \$ j9 q$ J3 P6 }8 c+ d6 W# oadminid=data(0,0)
% n9 z1 [6 |0 ?# t" L& o' L5 x 7 f, g: ~+ e, r; u
adminname=data(1,0). q5 I/ g* c% n8 L. R' L9 ?
9 Y& X n3 \0 I7 x; r+ O; ^admin_page_lever=data(5,0)% m" a k1 W" _
' x, i2 X# t" }8 U# h3 K6 g, h8 Z$ Gadmin_cate_array=data(6,0)
4 p0 d) \0 {( ^6 } " ^7 E! } o1 m2 b
admin_cate_lever=data(7,0)
* P/ p# m8 W3 r: O
( T9 o f: I" h, O7 jif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% A7 f# v k( v0 h- K Q
& \) i$ K4 J6 U& aif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ m7 `( O4 y) ]- C1 X 0 b0 F* Y$ w9 M- r% ~
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0' s4 u# i! u8 h/ K( z! f
. \ H- V! m' T( g3 Yif clng(admingroupid)<>0 then
0 z- f# f- v5 p v/ J/ j % U* K' ~# Z1 K j' q
admin_lever_where=" and menuid in("&admin_page_lever&")"
! K Z0 }( e2 v3 j5 {: P& o 6 z8 J1 \3 h; Y- A! s8 w+ }" S
end if
: V7 j/ \! l9 J3 ]- s
2 i: M7 l% G/ i/ xsdcms.setsession "adminid",adminid& y2 s- j, M: K( }
: }- D! Q- {! M2 t' y, Isdcms.setsession "adminname",adminname
% B; O. |& `/ }/ E( d. ]3 @
7 z4 [' a$ ^* B: c4 W- ^sdcms.setsession "admingroupid",data(4,0)3 h6 W. B' C" _, S$ K: `
, @ e. d; s$ `3 ?8 wend if0 w5 ?& P0 @: t: g2 n6 M& h
1 G8 i1 U5 @; C' s
end if
% q- Z$ m; o1 r$ K3 K! ~ ) h& o w+ I$ I ~! W5 l- L' `! b
end if6 {" n4 i: O0 n8 s4 A
; s* J. Q4 f' K
else- S. Z9 c2 l/ r/ g8 o* l/ i6 F2 `
" t5 F9 i) h0 h1 R* P& q! Y
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
w8 y$ V$ o! }; B& { " I: `. a3 A9 U" R" ~( l
if ubound(data)<0 then4 m- Z# o7 j4 K4 k/ ~. ]
4 I+ |1 n) W& k" ?4 j m2 {. Esdcms.go "login.asp?act=out"
4 H6 h% _2 n' g+ e , T! z# O+ b6 \" _/ s
exit sub( S* q8 d0 D) e* p# X# _. l
$ c, K+ ~6 I k# }
else/ H6 w1 g7 x6 Y9 \5 N
5 Z- ]9 D' y. E2 g
admin_page_lever=data(0,0)2 O3 c( K, U! r7 L3 S- S# y. F' v
5 @# \& a4 N0 y6 Radmin_cate_array=data(1,0)
2 b4 b7 g& ?4 I1 y$ y# ~9 h7 B# y5 E
" R. [" G. l: T& R. x" P6 l% vadmin_cate_lever=data(2,0)* j$ ]! I k/ @; T- w- ?
) {/ o6 z9 u, C- y; jif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=00 b) [' C7 v: c7 |; \6 ]' _/ \
s; B/ c; G) R( @3 D0 ]5 D
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
# P4 B! q1 ~8 C. [( V0 Z
7 R, J# w0 B2 J. Bif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
6 ]9 ]1 ]1 C! }# B7 n( p* M2 ~ ( w: ^ g$ N6 W1 B2 Y
if clng(admingroupid)<>0 then
6 S8 r1 G# q; u. | % n/ g& L8 _ s
admin_lever_where=" and menuid in("&admin_page_lever&")"6 N6 S( n3 I8 [3 L1 P. n. Y1 @
9 i% R9 s) L& O8 p. l) G2 ?end if
) f7 U! B2 u) k8 m+ H
! R7 Q3 ^! w; {3 H+ }& Nend if
4 Q& u3 h, U9 A7 h* @. N& m* g
: T" g7 h) E7 Q2 i6 [0 N9 H" Zend if
' }, w6 P: E9 `; L: J - o0 B3 z1 J& |8 _: u
end sub
( W$ I9 {8 r$ Z% b漏洞证明:
( o& I8 p/ v( t- B1 J, [8 i9 S看看操作COOKIE的函数/ N6 L8 `; Q# ]
# h8 X' n3 S! Z- K4 i
public function loadcookie(t0)! z: K4 e4 l1 p
- ^! X( \" o6 ^; c/ C
loadcookie=request.cookies(prefix&t0)% ?: K. p% t: ~
9 H! b/ b2 _9 tend function
: s" I+ X! E& W7 r6 N: p5 D ! ^! e5 ~. E* C) C7 C# n9 F7 q- _( ^
public sub setcookie(byval t0,byval t1)+ ^! \- w8 g+ T3 |
: Q3 |& s9 l: Z8 g
response.cookies(prefix&t0)=t16 O7 M K4 M6 M9 p; d1 K& F
: m& a- S9 Z# K1 H6 N5 p: Vend sub# b; {8 A/ e& \; O3 r$ S9 ~+ P
/ _5 N4 i# ?! j
prefix
7 h/ O$ D# _( h8 ?1 G1 U1 g - _. b& Z+ Y% C/ _# @9 o
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
+ m. P8 N- D3 }: Y3 t
: d/ H4 H4 i8 m2 S4 ^dim prefix4 B t6 Z+ ~4 Y, I q1 ~' g
2 Q2 b3 X% m! q. y: o6 ]
prefix="1Jb8Ob"( d, X' i7 S- B5 h7 Y6 H
9 N! f! f8 A/ z7 {! ^'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
* v$ K4 H }. p- \) B+ `
* S; b$ h- m5 k- M2 Y6 Usub out0 q# Z$ d9 f; D2 @0 n
& g4 ?: p; B9 a7 T, Hsdcms.setsession "adminid",""% z- |5 h# g+ P& h0 q
1 V; A- O$ o/ q, csdcms.setsession "adminname",""4 F; H8 r. h, z
6 W- g* _5 i0 |( }" Vsdcms.setsession "admingroupid",""! g' H! j' p1 p' g/ G& k* d
7 y0 l) X- Z) r7 f5 U/ E1 l# Nsdcms.setcookie "adminid",""
3 v$ C; B& I: {% i. ^ 3 g1 f! G* h; W$ g
sdcms.setcookie "loginkey",""0 j8 L7 V. U3 j
4 c' y+ e& f$ V+ S% V/ m
sdcms.setcookie "islogin",""5 H0 s7 ~7 D+ u# K" T# V
+ h$ A8 x2 M3 q7 h" hsdcms.go "login.asp"1 N I7 a% Q: D6 T- n
: e3 N5 D" \2 N& ?! iend sub, c2 z* F+ B- ~" i' N; c! c
+ ]* A8 J/ P: w1 P0 j# U; L
$ v# n, A6 j V0 r
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!8 G% Q' @ ~% X: i; v+ R* _
修复方案:
, O8 W( h, ~5 I5 h, q( Q! }修改函数!% S5 {$ K1 t$ K( `3 |$ R5 K8 R) e
|
发表于 2013-7-26 12:42:43
收藏
支持
反对