要描述:) F( o0 ?/ ?4 J( v
: m: x4 p& Y) Z! O7 K9 R
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试) V+ i0 M' m6 Z% C5 Q" j
详细说明:' k# A Q; Q0 @5 X6 S
Islogin //判断登录的方法 O6 O: H) T4 S" L7 |1 n+ F
3 g' N5 v* M7 o: `4 N+ q& {
sub islogin()
( R2 y3 _4 |, F9 W0 g6 [" f
3 I0 v+ m s) b0 Eif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then , d! {* V9 a: g
: q$ K/ n7 i- S' Z( A9 hdim t0,t1,t2 # e5 x3 R! d+ D* F- \1 s2 E, ~
- M; W0 b3 K5 z/ X( {
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
8 {% r% P0 |$ v1 Q 3 m" I, H ?7 D5 y* U
t1=sdcms.loadcookie("islogin")6 s8 C. e9 k1 ]+ t$ v+ _+ l* ]' V
* z* a7 ?9 ~& a* u/ M+ _/ Q% Jt2=sdcms.loadcookie("loginkey")
: a1 P F! }8 B0 \( u) X' d
1 E: G5 k1 a0 P1 J O; s3 K$ h$ [if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
6 Z7 A1 F C+ }7 k! Y
8 {0 u$ H* c; E: { K+ r' i// ^* `1 X5 d( V5 K
; j9 Q, z- u9 I- w
sdcms.go "login.asp?act=out"+ [3 x0 b( P p4 x5 x
& ?1 d3 F( a- {" A& f. lexit sub& ?5 o( {( X5 A) E9 O
8 r/ P& U9 L7 @/ P/ Delse
; S/ P* `0 }+ Q, T- ~- {4 f
- ]3 v9 \* m" T- d! k: q4 r9 idim data
2 l2 N& Y/ _8 X
0 F( \6 ^$ y9 {: t) L' mdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
9 C9 E3 q4 ?. @0 M. b6 Y4 k/ [6 D5 A
) W. R1 |+ g# Y/ F" z2 d7 Oif ubound(data)<0 then
' | `( B, I3 x6 _% o
$ z' h; D5 K- q$ s- l4 q% f, N4 q0 isdcms.go "login.asp?act=out"
% `# F% y) d5 q $ Z) b) \* A! ?( k% O" U3 T
exit sub) h+ x h+ X: K2 P8 [
N9 |( F* I, e x0 Xelse! m B$ Z5 m" |0 @. [7 y; O
% A7 Z, R$ g6 G% v- v6 C9 n0 M
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then: P* e/ y9 [4 e! q' O4 b; E( @5 e
: L4 r% z2 Z7 R8 S j( n# P5 u/ _
sdcms.go "login.asp?act=out"' `' }% A' L$ I- O$ J/ u, U- ^
9 J3 V! P1 b; D1 U
exit sub
* o. q3 Q `$ ]1 ^% ^ 5 Y9 ?% ]% b C" B( v5 i% K5 P
else
) O* r# U7 i$ `1 }/ F
; {2 }9 V! `) n& gadminid=data(0,0)
6 D8 `6 i+ Y2 _
9 G$ i0 w& M2 Y) V, C. p9 w; D4 C8 kadminname=data(1,0)
( U( D1 [; M" s9 T8 ^. O . b- W" {) N. G3 f' l Y* r! B: `
admin_page_lever=data(5,0)9 x) {! a3 F, p+ U: c* G* ` J" e4 |
5 k+ B g4 n) u) v
admin_cate_array=data(6,0)! G& y! @5 I* ~6 z9 N* c
- R( p0 r. {' i( e+ O# u
admin_cate_lever=data(7,0)
+ P" u$ ^2 I o9 v0 f' p
/ ]8 V& t; M% e. w0 n1 A$ Q0 Sif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=00 ]7 E' m( S) R, G" `' [% |" \
6 P" Q$ o( D$ h f3 ~8 h" Z/ u# F7 I; jif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 [# }; i1 P% [/ S6 @- j
/ Q# w! J6 O/ x2 Q( y# Z4 V0 W6 d
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* F* E3 J+ ]0 Q) J) m
: o* F5 h0 O/ P3 Y0 v& G8 V$ `7 {if clng(admingroupid)<>0 then
8 D7 e7 [5 B: k8 z6 @0 G, k z: q0 B" |6 r2 E8 U, D
admin_lever_where=" and menuid in("&admin_page_lever&")"
* o* ~2 N% x: G4 k+ [- [ 8 z1 [" A+ j0 F9 U1 C( w
end if
7 M" Z4 F+ {7 W
5 Y1 R& ]* C% k5 G6 w- Psdcms.setsession "adminid",adminid
* e# T; D, m a1 [
3 o/ H! O$ Q9 d+ m- x* A% s. d- R% D6 L& Lsdcms.setsession "adminname",adminname
: ?) x+ w9 Y1 b5 `
+ C7 ?5 Z! O* s. Hsdcms.setsession "admingroupid",data(4,0)9 i( P) m* b+ w3 k+ Q
) h0 k% ^- m# E9 K0 `1 oend if
" T# X- z1 i, |" L b0 k, D& }' | 0 s% M* L' \6 ] ?* b
end if: c, T7 K! j! ^6 N1 y# g% T. j
3 R. w2 P6 Y" a" Hend if
$ K5 j S( K! W* b3 S7 `6 h- |& ]
0 q! L4 g# Y* p8 Oelse
( o6 V" s9 {; N- T 8 n2 {; \* t$ G$ @; W9 q' E
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
7 D" W) _; E3 g) Q
% z: l7 q# i$ I; ?; O* {if ubound(data)<0 then: w1 X' \- N1 ^; M/ i# R2 y$ U( b) z
9 Y; c* K+ g o, b( rsdcms.go "login.asp?act=out"4 o" }8 O# s' m- T1 a
. p: x/ d# I) U' p: A, _# Y+ w" {) ?exit sub) L) D+ k7 R3 `3 @. y+ o% L% R% p! P
3 q9 ]( j. U) {else! {) d! @- P" W5 p
1 c5 Q& o1 z3 y, u% D- s% R) qadmin_page_lever=data(0,0)6 ^% _# Y: M2 p/ r+ ~ U. _
: H n' E% A2 @% t: W
admin_cate_array=data(1,0)
& E5 l% u9 P5 F9 G9 w0 i
, V% L; F) w; p# S8 D2 x Wadmin_cate_lever=data(2,0)
9 {1 w! E. j" {: P4 T" | 6 k( E6 @& i1 ?+ y9 {, h
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0" @$ N8 O3 ] O# h: ~% w5 ?4 _
. B* q, a2 B' t# cif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0- ]9 i# _0 ?$ ] f }& @, H
+ u2 ~' y( S' J! f9 r! y P
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0$ k4 z* b' c' Z' ^
' W8 ^4 n( P8 f. t! Q# v+ _2 Cif clng(admingroupid)<>0 then
: \) w" A V, ~) v) Z3 a( f / x- Q% U6 T" K
admin_lever_where=" and menuid in("&admin_page_lever&")"9 l u k4 k8 r0 c; a
- T" F0 h& ~# J6 Y+ J
end if
# R* ]8 V+ G: j3 j8 w
) O5 L' W5 W! V4 ?' @end if i& @( [ T; s" _4 y0 @
( ^4 ~" F: q$ m8 C4 r$ Q+ |end if2 Q5 H5 D7 s: L% }. _7 g' R0 b
3 ?. m ?" B6 Y! `: `end sub
) Q: s3 C8 _' d) K1 I漏洞证明:
" R1 Q' `. e( z6 F看看操作COOKIE的函数/ z! ]. b+ D9 q7 B. s) ~( W
4 {* O2 H/ }/ B
public function loadcookie(t0)
9 T/ G" q# ^( e % ]- h. _1 M3 D/ i
loadcookie=request.cookies(prefix&t0)0 ]6 z4 ]+ [5 x* l1 ]& e
+ u, x1 p) c* m; _2 U* Rend function
1 r3 S; Y! d/ v1 M0 b
# \3 B" F- r9 e9 A! |9 _- L8 fpublic sub setcookie(byval t0,byval t1)
& h; m. O6 ]1 T) L ! G4 g' e J6 [' i& i
response.cookies(prefix&t0)=t1
- D. u$ X* J7 j R# V; N; V% y
: K1 x% H4 t5 p2 r) U, D6 iend sub
/ f1 f6 K! Q) C2 [; L ! f2 v: o* M7 H3 v" o% \
prefix
; c2 r7 u6 o. {3 b0 W , m+ ?, i; h3 p) e0 k- L) J
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值9 p C5 @& p: P! `* z- p
3 P* E5 h5 N5 V3 Q
dim prefix) |% u- d+ D4 s5 g4 \3 B
x6 `$ g- C, W
prefix="1Jb8Ob"
) H# k: S4 v0 e0 `0 _" \% [ 7 g% |7 i: P. ^3 N" {- K
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 - y7 M8 d U: m' B- c
/ `; A% b9 B4 Hsub out
% s$ Y. G" m; w& Z$ |
7 _/ t) @+ x: r- y T" qsdcms.setsession "adminid",""' D: H$ Y. `% ~) _1 ], \
e. n: F \# I* p) y+ H
sdcms.setsession "adminname",""2 m D9 V1 f7 w0 {9 W
" e t0 L2 t. O: O4 G( ^* k, S$ `sdcms.setsession "admingroupid",""* n M' u+ C6 q
8 B# O$ {% I# S$ x+ ?sdcms.setcookie "adminid",""
* e l) A' u2 S) g+ s5 O% ?
8 A3 I; T" {. G+ w8 o; dsdcms.setcookie "loginkey",""
% O8 W8 y: s% [, l 8 j. V4 Q; g$ X
sdcms.setcookie "islogin","". F: n, ~5 ]* I5 N2 X+ S9 w# `) j
5 l: Z4 u& X/ Z. t+ M
sdcms.go "login.asp"& c3 Q: Q2 w3 c; \" Y$ Y
) I9 Z- ~+ D9 s/ i& {; K) ^" ?( G2 Vend sub0 _- ^; R7 J+ o
% f) G% O* n/ E' y ( J Y3 G* w8 `( U+ i% O3 @0 Y" j
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
0 ?% S1 s( n; r. S, Q修复方案: T3 ~' O( P. E1 }2 _/ _# w
修改函数!2 H7 }* N( m" L @& B: v. l
|
发表于 2013-7-26 12:42:43
收藏
支持
反对