要描述:" X3 S3 G' L" B9 s7 L2 X" g- }) \7 i
) v, `# B+ _& M$ p. `SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试# j. n# w- q" p$ e. m
详细说明:/ Y/ B4 D8 c! c4 V- N7 p- B
Islogin //判断登录的方法( V4 m) \! s6 J$ D: Y m
# \- T6 \6 a1 v/ K S
sub islogin()) O8 q. A' k& u \+ ?
* Y% |; D7 l) B4 t" J
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then + V, L* k6 v! W# a6 L% w+ N2 p
" `' |+ @$ e2 `1 A% u: }4 l2 P/ Q
dim t0,t1,t2 ) l4 r, w/ r0 \- [. g8 o2 ]& [. v
% V* _* Z- A. H9 w5 @% h, tt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
2 U; t, e5 j. J6 ?5 X/ p
" b9 v) _& v0 S L$ w. Tt1=sdcms.loadcookie("islogin")
: ~/ |/ ~# S2 G# B - U" \/ f' p/ p1 x8 n
t2=sdcms.loadcookie("loginkey"). [. i5 R9 {+ o& ]* f
H, u% b$ F9 b0 H; x" t1 fif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
* h B6 T9 u* M* ~) } + \( W# b) _9 ^
//' H* ?8 R( B& W' ~4 { F. H3 G
3 h/ y4 t5 ^' \8 msdcms.go "login.asp?act=out"
1 @0 E8 f4 ^' p3 V S( M% I
! }1 ]! q" _6 R& i7 G0 Bexit sub
& s& ~9 R, K& N, Y- \ # d8 {1 l7 L# U* W( v
else( N9 k' j1 `- X( S/ g
; ]! R# U( \& b1 ?" l4 p: ^( m' y2 Ndim data/ X" D- Q4 I! u
" M' g, x2 ?5 U; [4 tdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
0 j4 n# C+ B; ^# q% h
# l2 B$ R$ C" m; dif ubound(data)<0 then
2 N, r) ^3 C- J$ \
& Y8 D- s* X5 y. v( a3 [7 ^sdcms.go "login.asp?act=out"% P5 W. m0 B p! T! G6 @
/ w/ B" y5 m- E: l, ^6 b9 J8 s! K$ }
exit sub1 z; n% W' s! w# ?
6 M, V# E0 O2 E+ g5 \
else
, q- }2 I, K% @$ p+ P
* D6 V. k$ x0 d8 ~if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then8 V, |5 L4 d/ Z9 P
6 W9 C' g: ]6 W# S0 l5 J6 ^. isdcms.go "login.asp?act=out"$ f8 P# D$ M* ?& W3 L
5 L& b% o9 V: i, T; [( |
exit sub! @: M, k+ W9 F) i4 f( `4 h; D
( C9 T5 k# x4 H. [5 A6 u# Lelse
/ D4 m7 X: n1 }" L
( e6 S7 |) S4 S. e) vadminid=data(0,0)
( Z; i# c2 D* a0 h0 F3 w" B0 x
2 a( m |* u& s% o- Gadminname=data(1,0)
- u/ k L- x- u* V$ r* D p$ Z3 @
D2 {9 M- J% A6 I' y8 Q/ W; f5 Ladmin_page_lever=data(5,0)
+ d f6 Y: I( ~
% {1 n$ b/ Q2 I8 Wadmin_cate_array=data(6,0)8 V! N6 r9 b9 ~" h- R
z: S0 U4 C3 j- jadmin_cate_lever=data(7,0)
- [* m2 R$ d! L; x
& A, _4 |" G& Y6 hif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
2 j% i, G$ v' F # x, N) n9 |9 J ?
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0" P. v. [; T2 Z$ R7 X: H
1 e' ]' `1 _: D0 ]# C6 x) M
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
/ m# d5 J$ g' n4 ?2 j7 O! n: F 9 t" |. }" Y* u [% W/ \% |% Y
if clng(admingroupid)<>0 then
! O: q- Z. D; l: V9 |
- x1 U0 a& T! E1 h" v. radmin_lever_where=" and menuid in("&admin_page_lever&")"
& n/ r5 t( E. G$ B$ R% [# R4 j , r! h5 x8 K. b* M% q l; R/ v
end if6 a9 |' N( K" X; W, N6 ^
|! a4 }7 ]' esdcms.setsession "adminid",adminid7 v [- Z! A) [# `
2 b+ Q# U5 _0 |7 ?5 ^& X2 Q
sdcms.setsession "adminname",adminname6 ] ^; D; d& n8 T; b8 f
; N3 Y, q5 S0 p9 p/ M3 _
sdcms.setsession "admingroupid",data(4,0)8 {+ l9 { P% Z" P$ s8 a* n
9 _% o6 W9 f4 T* T! e' a4 fend if
% [% p/ g" O% b7 Y" c+ A7 Q
# z& i; U3 E0 Q+ d, f' l( }end if6 b& Z; N0 T6 A& u+ p9 R5 W( ^. }# R
* ~; e6 E7 @7 j* c
end if
& L+ k' R4 R& U4 f7 M' ^# |( k
/ h9 t S# y. @8 a) T. D5 Lelse
/ J, k* P. g& E( ]
2 R/ x- i! m7 Z/ l) `: r6 ]data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
1 B# U: g( f, e * F. |6 N% E& v) P. [
if ubound(data)<0 then
7 o J5 y3 m0 a/ {
( E& W9 P# ^/ n3 l' k/ c0 }& Rsdcms.go "login.asp?act=out"
- _4 l1 D: d( N9 | 7 m7 C& Z6 s# Y% n9 ?, q' [4 p; m
exit sub
. v% o& c) h: ?4 y/ n/ \: V+ j' R - V3 T$ z- b% `/ V' [
else
; _+ h4 _- u$ r& x
6 t1 o; V8 S1 b, V& f3 @6 Nadmin_page_lever=data(0,0)
# Z: E, k/ P5 J1 `, c2 T# l* e
8 [, B3 z- j: Z% N- I. W/ Dadmin_cate_array=data(1,0): i' O* Z4 B$ [
/ o$ f& j; n6 B) Y" V: jadmin_cate_lever=data(2,0)
+ I; x+ G y1 n; ?, c
6 D! K6 F9 V' W; h4 @if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=04 k$ e$ _6 F$ O& x
! M. y# g9 _5 t- y' w. o
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ v4 h/ ~5 a2 f6 V5 i: x4 @ ' n4 Q' j' v/ q$ C. N
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0- [4 C; I$ |" r9 i4 f
* T' O. E. o5 w6 k" D1 s
if clng(admingroupid)<>0 then' H- T) _+ D1 M+ i* ^
7 n1 j+ D* b5 L+ }admin_lever_where=" and menuid in("&admin_page_lever&")"
7 F! ?5 c! X' m; U+ r3 O- I 9 F6 ?& Y5 p' a- g, ?: J; D
end if
% T7 G& D- A: E9 Y' J4 I5 t W0 \ 4 o' F3 P, t6 n: d2 l% |
end if
, J: b6 d9 L! P0 G _ z9 d# S9 s: Y) n- `- `9 B* p
end if
% ?2 P* [3 x: L6 W( C , G* j V9 P6 p5 y
end sub
. Z" U- y5 C; Z3 t; S漏洞证明:
% [% s6 S' l' ]4 G看看操作COOKIE的函数; ~, a0 o0 Q) ^. {# T! ?9 I/ f
- A& f1 L/ ]1 b# @" Xpublic function loadcookie(t0)6 \* m8 r2 E+ S2 d
* E7 F4 D: j, w- cloadcookie=request.cookies(prefix&t0)6 P' s0 {4 {, ~
8 W0 r" o4 z; {. C: r
end function
1 e2 z; y& X6 ^# q* G" ?6 x& M. v7 h
* C9 }) J0 Y s0 h1 r' ypublic sub setcookie(byval t0,byval t1)- ^6 w5 K T9 G U/ B7 ~; q6 H
7 U1 J* u7 ?$ ^8 w9 g, p- D
response.cookies(prefix&t0)=t1- N) k I4 |/ H, ~% p) u9 [! m
( j, v' T1 B: B. c; a7 K
end sub
" s4 F z4 W [% [) E6 s( F! a2 O
6 \0 C5 m3 I$ G/ Uprefix
0 y, p) A) _# ~0 M, n3 s7 P
( v* q# A! M0 ?2 L6 e'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
6 A8 x: B' w2 \ 0 |/ g+ D/ T$ J
dim prefix
7 |0 i2 V/ f% ]6 G; K: l; g( i2 N5 x
% w* H* C3 N3 w0 x f" Iprefix="1Jb8Ob"
2 `! I. | K. Z# v L! j& I/ s
; H! H$ A6 Y; Y'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
* X0 u! b- _; W# N9 W# f H . l, [+ L0 {, ]7 h2 k( \& d
sub out
6 ?- e% u! K V# E/ S' g 6 b& G, P2 |& r* { K
sdcms.setsession "adminid",""( y" Q$ v3 x8 z: {
( H: @( M$ {8 R, K8 T0 psdcms.setsession "adminname","": d; C9 E; Q! n
9 k" f$ Y8 q1 A5 ssdcms.setsession "admingroupid",""; c4 Z: V) {( X5 O8 D6 W
- S0 o a8 b1 e, I+ S0 Ysdcms.setcookie "adminid","". c! a+ p) q( B- n& ~3 \
, f4 m; b. R! N: Asdcms.setcookie "loginkey",""; y9 I% S/ n: n" P6 M9 {" ?
3 t- s& p2 N; ]( Y" \sdcms.setcookie "islogin",""5 s9 x2 Q- \& i2 g/ w1 f! t
/ p4 b4 @6 H9 usdcms.go "login.asp"
4 P: V9 \. @; K6 `8 V- C : T! _3 f% p# I. N4 Q9 K
end sub
7 V9 m! I7 k; k" T; J* M / Z! a$ Q1 i; P6 N4 G" {6 G6 U
$ n, ?, v) x$ c9 c5 u& t+ h8 q3 C) v
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了! T: C1 |! u, r9 Z' @
修复方案:; B( Z7 o( t6 U1 x+ \1 e1 o5 t$ v
修改函数!" r5 s5 x$ g, G$ \4 |& I3 i- P
|
发表于 2013-7-26 12:42:43
收藏
支持
反对