要描述:
9 e" z; T+ U" k7 [( c
3 A3 [' @! a) K: ESDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试/ ^" `: X8 P9 M& F2 R; J$ t+ D
详细说明:; H j8 o& ~2 n7 w
Islogin //判断登录的方法* g0 ^% s9 j: c/ b1 V1 p8 Z: L$ C
d1 p- p5 H* _- b8 J$ Y# X' Gsub islogin()
, Q' K& s1 u9 @/ x
7 d" E: z! P7 h* hif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 1 c* G1 S/ _2 E! |
7 w: R+ ]$ }( B2 Y" F
dim t0,t1,t2 4 t0 o+ ~2 W0 O: V# R
( u9 h4 L1 O3 T! _
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie / J% D4 p9 ^, a, o+ e
2 e9 d& d) r* g @0 mt1=sdcms.loadcookie("islogin")
1 e2 Z6 x; ?: a9 i
% o! @; c. w9 K6 I6 Q' J1 e: tt2=sdcms.loadcookie("loginkey")
! s3 a. a1 b1 z4 m ! K0 ]4 }( I s
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行, a0 a- e! H: j
' Z6 t- h* L5 e' G+ I7 i8 d% B
//
9 W, o% g, H2 b; o7 l) ?1 z
: j0 r( H8 m4 N" hsdcms.go "login.asp?act=out"
( l X+ H" t+ i0 L* w9 s * M! {) w( C4 h0 _( |( S+ H! P$ R Y
exit sub
2 r _4 c' o& g9 }% |: x. T( R ) f) S5 r+ Q/ h9 v. _. Z
else
' Q( V3 R/ p9 C# I
7 [6 F4 o- c0 b* k: u0 c! Ydim data
& b: r2 U. @2 s4 A) q4 E1 h: T" Y
, n F" Z# _8 [ e" @1 X. Vdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控2 a* Z; F" D8 T9 f
; O5 O" o' U5 `0 h. S) ^ x
if ubound(data)<0 then/ f% S k9 |/ c/ q6 p) r/ u8 N
9 d2 s5 w, W; }- K- q1 x) Wsdcms.go "login.asp?act=out"
$ N. @# g. M5 S3 b ; L; n8 P, T8 f8 l
exit sub5 {2 O- [2 R7 Q' @1 d1 e' m X4 H
+ i/ A, |7 S# D A* g# selse7 o8 l( Q: L5 l( l9 Z
- y; r+ [ ?' b `' o! tif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
# Y5 F5 T5 w; L. E5 A
. F* F% `1 o1 R* H+ x. Ysdcms.go "login.asp?act=out"# i6 T/ E6 L& W! d) {
6 s6 X5 d+ z& X3 @
exit sub& }7 N6 c) ~1 s
9 r, Z, j% T D' U5 J6 X+ [3 K2 \else
8 d( s* O- A2 Q2 i9 {- ] e ; B) L/ A. f' ^
adminid=data(0,0)5 d4 Z: ?% M1 i/ X S
8 A1 P/ m/ s$ A9 l$ L
adminname=data(1,0)
/ _5 x6 S: W7 M+ j' K( x
( d( M. s) V( Tadmin_page_lever=data(5,0)
. W% K7 e, j. ~' e( f
& d1 o: f! ~+ B$ O0 n; Eadmin_cate_array=data(6,0)7 c8 v" B: b Y$ I3 ^
- i8 w, Q' z& l D: d
admin_cate_lever=data(7,0): Z3 K) |9 d( H5 i$ Z
+ }$ c% l$ D+ p- t& P
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0. I) g5 x" z) d0 M2 A9 p
: H* r( I, {$ p4 H9 M4 rif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
$ c. L9 j' g: h8 A I3 ~! C
[- D3 b$ z3 I: v C h+ mif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
2 J% J+ z1 l* r4 I) B( ?: K ' t% k/ y) X2 _. {" o1 l
if clng(admingroupid)<>0 then
" v5 J1 ?! x" [8 i+ G+ S ; |( g" j% T. A; n# D# u
admin_lever_where=" and menuid in("&admin_page_lever&")"& J5 t# C- K9 u" n) e2 C% b
& d' ~: R5 _( w* _1 Send if
0 w' w" X. B3 P0 I! F, @' V5 Z& k . |4 h% ~) G1 J( P1 r# R8 |5 D
sdcms.setsession "adminid",adminid9 m) _; k% a6 t# f& u
7 m' i& K. N" _6 ~( jsdcms.setsession "adminname",adminname: U" q4 |( b+ n# _2 T, k# w
8 I D9 K- T1 d$ }5 a7 k: usdcms.setsession "admingroupid",data(4,0)/ [, h7 \$ Z0 A, ]1 o
/ w3 n' p, F( g$ f6 T
end if8 ?0 A6 K# S4 C( J$ [0 I2 k0 ]
) @3 q0 O6 m( kend if
% C' d0 ?& h# b
$ e. v7 J% t8 ?( P. Wend if' }( c$ ?6 C z6 h3 |
+ s6 m# @1 w/ W% | _7 Jelse: n( {: g! G7 k. U
0 O2 T! F! U1 a& H0 a2 b+ O
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
/ l; Z/ h$ r0 t8 p9 K / d0 o: X; {9 E' k( Z: R6 q
if ubound(data)<0 then" [1 t1 o P# w( d1 {" w. U
' P0 y f; v2 R9 o8 ?7 e8 F- h3 r
sdcms.go "login.asp?act=out"6 ?! d& b! A0 F* w$ v
3 |# |7 \, J4 t; `8 E9 d& y
exit sub1 q! l8 P4 q, |# M; K* C
) t4 g( J, ]+ w& @& h# E) B/ Felse
& R/ L. n- }2 N% u$ Z$ ^
7 l a: k7 m2 I2 Y. L) z. J$ Cadmin_page_lever=data(0,0) t& @) ?; J6 _2 Y
: Z, b% V1 L& |4 i' z3 Iadmin_cate_array=data(1,0)( v' J! B3 ~- ^% M# U& l9 Q" `: N: H
4 R7 s( R# m) Q' d# [3 jadmin_cate_lever=data(2,0)
/ Y1 l2 y8 Q' t 0 Y6 C$ _: y/ k8 S" K/ T: c
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% C7 I1 U6 A4 N$ d) U# w
& m" m" E: [6 x2 m
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0; s0 V1 p/ K! Y
3 E% i9 l s; E
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0& p$ Q, B# o4 J- \" t
! L/ {* o. k" I1 sif clng(admingroupid)<>0 then- c0 @9 D9 Z# s+ i4 g P8 |
& ~" A7 B- N4 ], Dadmin_lever_where=" and menuid in("&admin_page_lever&")" R. `! h' w. _+ e" K, j
1 E) z3 N7 S J2 X5 q
end if# Z! O$ }! p+ H! j; N; ^
6 G5 _0 C* U, v& s9 C% Pend if& k: Q! I* }8 p$ _: P0 d
/ D0 |) k+ M( J! w3 H! Y( A; g: q9 oend if! y- k; \; m- j5 A- g8 X
# L3 T2 o* x% V$ J
end sub
1 ~0 L5 G6 A) [/ X8 n* W漏洞证明:: P% v3 P1 u5 _( j0 B1 h4 P8 p, U
看看操作COOKIE的函数2 f1 m6 ]( y- x! L/ v
; j3 j0 r7 O/ spublic function loadcookie(t0)
, |! @6 r. ^! K% z$ X2 | ) E1 X- I2 i' Z
loadcookie=request.cookies(prefix&t0)4 x; f/ o, E. r3 T/ h
+ e' U; n9 h4 r" A3 C4 T8 f% Hend function/ W7 c8 C k( Z8 R! k
: |1 ]' O9 _, G. x
public sub setcookie(byval t0,byval t1)( {7 A& j0 k# @- Y: P
" y3 T4 l' {6 n, |% j# N; Tresponse.cookies(prefix&t0)=t1 V3 ?% w+ ~$ O8 \
* `# q3 l$ d- H9 Pend sub) }. Z) ~ c, [5 h0 h" S4 v+ i
1 K- r- Q7 z/ S! m4 V) g7 }
prefix
' G+ x% M! P: k! Y0 H, A x , J; J- h9 e3 h M W
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
. [. ~/ z- L/ L$ l$ D/ ` ) `4 I& W8 y' q' U) u
dim prefix
* _3 v- T1 ~1 B & o, R6 l0 S1 x" X
prefix="1Jb8Ob"
0 v1 N7 @: D% i# W
( j7 i g: T) u5 C'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
4 O) r, _) m+ \, R& K$ g 5 S: A e- J8 ^; M! F5 f/ ]9 `
sub out* e1 V) t! ?" ~1 ~$ h; G& e
1 s& U! m3 T5 s+ Isdcms.setsession "adminid",""' i o4 p' {2 P* j% {( I
& J$ x7 P6 a- `/ \sdcms.setsession "adminname","": I6 M7 z* J# i/ F/ K! e* y5 x
/ @% S8 C0 Z3 N! l ~" Y
sdcms.setsession "admingroupid",""
# \ I3 Z) C* |4 p 3 ~/ w; w" K1 g0 n) _/ c1 p
sdcms.setcookie "adminid",""
( m' O' m6 s5 }# ?, g. w " g5 R; S* h% z
sdcms.setcookie "loginkey",""
* Q' z7 Q8 t$ f; X( t4 ^# H " z; W6 K1 {" [' M9 t9 m- y
sdcms.setcookie "islogin",""
& X- I" g' l, O4 C! ~9 |" o & d. R* o) F( L. `* i
sdcms.go "login.asp"
5 `3 Q) H0 p) O! e, Z' s0 [2 V# p
) j7 {7 K8 i E; t2 xend sub" `' X3 e# T) }, _# A
$ H* S U' ?$ V1 u2 e: m4 Q3 q & J2 c3 G* l& q2 u2 D4 ]
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
+ e4 I2 ^* t: n" ^$ G9 d修复方案:
) F U/ O; L' u# b6 X修改函数!# Q3 f8 i' [& \
|
发表于 2013-7-26 12:42:43
收藏
支持
反对