要描述:9 G6 H' ^5 T* s, F
R c! _/ q' t9 g" j1 R
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试% \* j$ @* ]. P6 i2 V6 o/ M
详细说明:
1 M1 s& M* u# _Islogin //判断登录的方法* w( Z* c* u7 H: L8 e
& ~3 u( N( u, Zsub islogin()
% [" Z% y- E- L5 `8 N: N 0 F+ o6 Z/ v& r+ ]! P/ I7 t1 ]
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 2 u1 R- U& U0 i9 _
9 c! {) N! j7 ?# R( f5 Cdim t0,t1,t2
3 n+ z2 C1 F! n4 r# Q5 J5 j
! A/ e& T: b# j1 p7 y2 ]! dt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie ; L; a8 f* i8 S$ C* _
! ]/ f j% H" P3 S9 zt1=sdcms.loadcookie("islogin")
- A0 t. y4 ?* b8 ?! c / D& S/ t& F1 y# I! p
t2=sdcms.loadcookie("loginkey")/ u; @/ f/ g$ v2 g+ b& o: g3 L
3 G) r3 x3 c( L1 G. Z) w2 n
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行2 P! u4 k; v% o9 j; {
$ |1 \# F- p3 m. }8 ]/ E. a" ]$ W% G
//
! W# J- Y7 t1 k; b' F1 V" I6 s
/ A" ?+ @ o3 P: t. Bsdcms.go "login.asp?act=out"1 u2 h2 y, ~, l3 @5 f7 u! [
% i! Y( q, F$ y5 T9 ^exit sub; N2 e9 a' ]2 M+ Q; E
1 R8 }9 [/ H$ q- j' [else" e5 C1 f0 Y, W
. M( F% h' t; \5 t' Q7 ^2 S6 z! {8 P2 Cdim data; M: z8 a% y7 ?3 [. a* n3 |" R
; ^: L& O/ ~0 h2 k$ ]data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控' s+ ]0 p) U1 S4 |& A6 G: {
0 m- {- G# @/ f& bif ubound(data)<0 then. V& z$ l8 F, s9 d
" s# P' o9 V- I; P: U7 g( s- O
sdcms.go "login.asp?act=out"1 C" s$ g% ^- A9 F" h( ]1 X
2 r# U/ z6 V4 ?% ^' X. S, rexit sub
( R; U7 c y7 Z- @0 _ 6 \: I* x; l* D6 L7 D/ U4 c
else. Y* m' G. g3 w( z; n$ X: U
3 {/ f2 J* F7 Bif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
2 n! n% ]6 D6 R1 u" E5 b8 K
+ d8 a3 u2 ]! W8 d2 ]! \1 p4 isdcms.go "login.asp?act=out"( L( \, b( z+ t* B3 ~( M* V4 {& r
- W; P% f4 s4 L4 O1 A9 _, B% ~
exit sub& j* [* c9 `3 |- v* s6 I
1 a, }, U5 @% x2 I) v0 N- J
else; D/ o- D9 }3 | D$ x! P7 M2 e. J) i. l
3 i) I1 @& B5 X6 J' }6 N; S: hadminid=data(0,0)9 x' r% t3 U) r* N$ K
3 O) @ i6 B, v+ f( ?9 N7 M
adminname=data(1,0)
6 n4 G5 B } D* u* U" } ; E7 ~: f+ }5 g8 z" d% n
admin_page_lever=data(5,0)
- C7 v& P" |) u/ K g0 w - @ U+ |4 S$ o/ p
admin_cate_array=data(6,0)
6 z* m# C. i& T5 o+ D
$ y# h+ }. D8 q! k sadmin_cate_lever=data(7,0)! K: n8 k3 f0 k% B8 p9 ]
( t, ]+ y. H) J& c# sif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0* c2 `$ J h4 x6 c5 ~
( i; t& q- O' P7 z3 u/ Z$ @if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=08 ~4 l; v0 W4 n+ K
" h0 y& @. ?5 |, y& I6 A
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0" ]2 W) l( U3 z2 W$ L
. V9 p% d7 N) {5 M' a
if clng(admingroupid)<>0 then% j2 j6 u8 E# ~7 J- r4 G5 A0 u
8 f4 S7 m. J* x5 ?5 y6 K+ H; q
admin_lever_where=" and menuid in("&admin_page_lever&")"
& M# e4 Q4 D* E( l* l & l% u5 S# j: v* H5 g
end if
# Z% ]. r/ W8 l2 Y8 F' ^ ) n3 r& @* v- t5 x1 c. k
sdcms.setsession "adminid",adminid
3 w ^, H2 F. \2 L' }) Q9 y) d % L! d- n1 y& W, d, U( f
sdcms.setsession "adminname",adminname
& H( d: A2 E' T8 }7 F
3 A# _+ }6 C9 c/ m6 k" Asdcms.setsession "admingroupid",data(4,0)
0 W( @0 P+ e7 u; _9 V' h% I- H
8 A& m9 x( J9 F- ~3 k* v* H/ dend if0 U E$ y- k; K- b' Z% w m/ y
- {5 N2 j# i; F: W1 z4 o5 j$ rend if+ w1 _1 |( g# i2 G( A
9 g: ?8 e8 A9 h; u) k
end if
' ] g0 R* w7 w ! `; z1 Q% B' }& V4 x" m `* d
else
9 V6 p: d) i$ k9 |$ G; R( a. B
" R. b3 H% ?1 F+ U. t: jdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
- Q8 E5 T/ l# L( \ M
# y4 k: j, h' j1 F6 t4 O \3 ~if ubound(data)<0 then
0 _) e1 _- }) U3 K# c % i9 e! ^: O8 X6 t
sdcms.go "login.asp?act=out"8 h7 e" g) H* d; j4 C8 c4 A: X
! r% H" `! [! Q2 u# N- ~8 b
exit sub6 Q2 f( @9 N8 S* } u
" E1 k j! y- ^( ~
else
" j( f9 C! n4 h {: C* e ! i* q9 S3 k- t ]( }3 d: Q/ e
admin_page_lever=data(0,0)
5 u3 Q8 C' d7 c+ v$ r$ T 4 M9 S/ E3 v4 p
admin_cate_array=data(1,0)6 z* J+ Y; u: L( o% s
+ o% b8 ]3 ^7 f! c( m4 X8 }* J3 [admin_cate_lever=data(2,0)
# j* M: |% D& y& N' t
- Z4 Y n ~- K/ C# E% Q& jif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
) n8 x& H: `4 A( h1 A3 q! E+ t3 X& K
4 N4 g' {$ u8 H; c3 @if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
0 H. B2 u I- a- Z
2 p7 D2 O) u8 S# \0 Zif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=07 |: c# k; P2 R6 n; j. I& Y( [
4 t. z) i, v" X: w& z3 d& i9 P& Eif clng(admingroupid)<>0 then, U& n- N9 C; @" k* K( h% C
7 n5 I, J m1 o! H* s0 i1 G
admin_lever_where=" and menuid in("&admin_page_lever&")"
$ J9 ]. o% R. M. `6 P7 |$ }% t
9 ~2 {( h, b" dend if/ d1 R. l5 h$ B2 \- e; s
& G8 ?- G/ [ y( C- E
end if
" }7 o; `6 M$ Q9 S7 ~+ Q5 I9 K9 U
7 p8 |5 [ H, i4 _end if
0 X) ~5 i8 ~+ G& P: I1 q. l & ~$ a. w3 F0 W4 D
end sub- C. L0 p/ D; U9 ]
漏洞证明:
) E0 e; u$ l! O9 u0 l. t看看操作COOKIE的函数
& @6 o8 g2 M6 R. f) |, r, M 6 Z' E- x0 ?7 }
public function loadcookie(t0)
; }* i4 }3 I5 A3 w- h& i. ?
, K* s8 l" [3 k6 Iloadcookie=request.cookies(prefix&t0)
/ d4 u9 H; {5 Q1 x% K & F% ~# O6 g' E' U2 }7 M# D3 B, H& E
end function
6 l* @4 U* P) Z$ H( f) m * T4 x/ A, f) f" E
public sub setcookie(byval t0,byval t1)
( c N& L2 s5 m: `/ V3 y% B
$ {" W ~2 y: s$ k8 F- B8 nresponse.cookies(prefix&t0)=t1
. H. p$ e( _- X% c9 h3 a2 X, \6 r
% \5 ?: H) N, o8 B7 X# K3 Aend sub
" A6 ~* G1 f6 i/ G& ^5 G $ M4 e% H) |: F3 M# Z1 c
prefix
( @4 Q! ^9 t) l- I7 Q. K % q: J6 V9 i Y
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值6 t8 D% ?! u; h; w- c: f
. ^5 T+ s( G( {3 K& p* s
dim prefix
# t, a% b! J" A, y
! H- r2 f. ^% D! G. Hprefix="1Jb8Ob": j+ T, P3 }4 B
& E# u3 {! w- I5 |8 f) G'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 7 T. I/ l( ]2 U1 N# _" ~ C
, O6 Q, |; |4 _5 r6 m2 v/ xsub out
, O! \) n6 A2 r8 u2 B; q) F/ X
( C9 c6 y. ^+ {: Csdcms.setsession "adminid",""0 c) M4 r0 {$ I8 j" R
& b, y7 w9 d* b) w( t9 \8 U
sdcms.setsession "adminname",""
+ s2 c& y4 r3 ^+ W. L
+ M# z# l1 L5 y2 x2 a0 fsdcms.setsession "admingroupid",""
& j7 [ q: k, g+ R; ]3 z: A
& [2 ^0 Y1 W1 c8 w psdcms.setcookie "adminid",""
2 d4 [9 j# j2 m0 v' G8 g$ d # ~3 q+ D* i" d, s& V9 F
sdcms.setcookie "loginkey",""' D3 _7 K5 ~% n! z. R: o2 [4 ~9 @
) X# V/ F( B1 D* ^# Z: s
sdcms.setcookie "islogin",""
f6 Z6 t+ s4 X
" P6 m4 l$ v' Q8 U; _8 xsdcms.go "login.asp"
* ]+ r# c! f6 {: `* j0 D
) t _# V/ m+ i* w% F* s8 cend sub! z5 j) S$ \- y$ W7 R
9 Z0 k5 E7 d! X
% [7 E* o2 Q9 b% Y( C. w0 N5 ^利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!" `+ h, s4 S. [. ?& v
修复方案:1 Q* V) e4 i& ^4 r8 a/ W$ r6 z6 M
修改函数!1 i+ N: I7 q5 I9 A
|
发表于 2013-7-26 12:42:43
收藏
支持
反对