要描述:
, ^- K* h7 j, v1 `3 K& _
) q" x0 v& p( b2 G( ~SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
~* B; d* u/ t, Y: |详细说明:0 j% `9 H4 G3 \2 t# `) {$ a
Islogin //判断登录的方法
6 t) n! x; g& p% |5 q' |! m# H 6 B1 r6 W) h2 F9 V2 q2 G! c
sub islogin()5 C4 u8 F9 W- c V9 ?% Y
3 b6 }) G" ?5 f1 x1 L) o6 uif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
3 v! V1 M3 R9 M - a+ w2 W; E- G2 e
dim t0,t1,t2
+ z5 v! ^/ r# X4 \ 1 S m# z5 K8 h7 P
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie % j, Z& Z- f- ] G
& C$ ^( X9 l2 Y, L( `( `t1=sdcms.loadcookie("islogin")1 Z" t( D7 n; |% B4 p/ [
. ~9 V- e" j0 R) jt2=sdcms.loadcookie("loginkey")( V# r8 }& \0 X9 a- p9 i, E
1 L: G+ y4 T* {5 t2 o/ ?8 {
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
1 x4 t( C; H0 ?% _1 U2 T
! |# L0 S/ v/ e( M9 _( j//- ?" \# b" t; a) S( O$ V) R
1 e& K3 Q' k1 ]5 ^' X
sdcms.go "login.asp?act=out"
+ ]. \9 Y- l4 i4 b' S6 l
2 `6 S/ V3 k% @$ B: e7 V( }6 sexit sub
4 @+ e$ S* E0 ]5 z6 t
6 A& v6 l5 b1 q3 Z3 Aelse
* n" L& w& E$ b5 d. p 1 Y9 p. F8 K! @% L8 R, h* U
dim data
1 y+ o7 Y0 h3 Y9 d; i6 a
! U5 O' C6 U2 e" P7 O# E9 sdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
' J, C4 B; P! @( W7 y : L0 B1 \5 U% N1 v/ [
if ubound(data)<0 then
0 y: u8 o9 V! }% u 7 a: P9 h9 S! m' s" o
sdcms.go "login.asp?act=out"& X3 ]$ a) l- ^2 ~; Y6 v# E( ^* o
0 n( G, c8 a# u$ _' t
exit sub# g. N% _% B& i1 t% I
" ?* I% o# X/ Q: S: B; B6 ?
else* T2 A( p0 I. o
6 Q3 k) K! U+ q% }3 ?) p. Y9 P$ G
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then( f' \+ }; |& l" f
/ E/ F) K. T, v2 A% W% N
sdcms.go "login.asp?act=out"
) }: z" o( h# J+ \% N & f$ |1 D7 n% R# K2 P7 h0 p
exit sub
% g( P' \, ]0 y" c2 P * S* a+ E( [8 o d2 n" J. K
else; z5 h+ j6 Z6 T+ y& k+ s
. u) `9 ^+ q9 M8 W" Qadminid=data(0,0)
+ x4 k6 c$ _; W7 C: a/ T' `9 v
% X4 ]9 @4 {, _6 v% {, u0 ?adminname=data(1,0) @- P! _6 a: E+ ~% S
* Z5 K' P% J7 t4 l S
admin_page_lever=data(5,0)
# T# ?- h. p& C- O$ _$ I" S
$ c8 f+ c1 U X, gadmin_cate_array=data(6,0)
8 N1 @1 e* r5 A . U4 {( W9 y2 S+ v# J" }
admin_cate_lever=data(7,0)
5 u3 n# |7 L( y+ X& p1 M6 b9 W 9 I! Y2 F6 u2 w8 M
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
& b6 P4 @5 y: X: W: A) ^
1 {) k7 V+ G4 q& Y7 k* ^ _if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0% n& J% P, a! E; v4 e3 j( T9 { h
$ B( l' Q) y F- b) ~4 S
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0/ X+ P" @7 w# b( R9 T8 [
\3 I6 s0 \8 y3 J' j
if clng(admingroupid)<>0 then b" c, V0 i9 l- K- v% R- [
" V4 M, p6 O- D/ xadmin_lever_where=" and menuid in("&admin_page_lever&")"
0 H$ J3 o1 C! j5 h( P4 [ $ [ l/ j* N% A8 E! v
end if: l* Q% O9 K! ~% k
2 p% n& E9 ?0 ]% n4 s+ H3 _
sdcms.setsession "adminid",adminid
% s5 k; W h7 i' B
& J& G3 r) V f, t( R- n0 Msdcms.setsession "adminname",adminname9 a% ~6 n3 E$ p+ E0 c
; O" u" X I. L3 ksdcms.setsession "admingroupid",data(4,0)4 J; |2 E9 j7 a7 L9 I
6 [ P# v3 |* s/ v- M1 o1 Mend if
9 d5 ~9 |, l$ I7 U6 Z) J) ^' A
* f5 E- n ~# z4 Z7 ?end if; `8 v! I1 W& q, V
5 n% B( B+ E7 ~* o1 d0 rend if
4 ^( p3 h9 w. B$ ?
, h. C8 W7 _7 d- Z) |: welse) ]) X' I. @& x- ~, M4 P4 E
3 Q- N9 x# F( T3 C+ B
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
( M8 Q2 J7 c" v 9 p( Z6 u9 m. r3 ^1 K; `1 g
if ubound(data)<0 then9 |) o( r$ o( D) Q; f
2 M; j6 f# y0 t2 m* z: J3 l$ g: fsdcms.go "login.asp?act=out"
1 E6 {3 C' j* x0 x- u 4 L+ q) ^8 J X5 g$ ~
exit sub
, q- @9 k7 b, s1 X# @& Y ( m2 P# x5 N! F6 m" V% I
else$ C8 _$ {+ h9 i6 h
0 U. s2 J" ?8 p
admin_page_lever=data(0,0)
: @! M! K- U! S! h
0 y, c# d6 F: o7 v! I9 z {3 }admin_cate_array=data(1,0)
' m" r" y6 X1 [& m! Y+ F
. z# @/ w7 K; ? t; `, f) Madmin_cate_lever=data(2,0)
, }* d. ?9 v( z& S# x S
% u! z2 {- i$ m8 P; Jif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
3 E% ~% [/ F/ i
* J# k' y8 {6 J! {! _if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 I% W6 a4 ~4 _6 X9 l
7 \* a! u$ _) _if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
: V* b- P- T% _& O/ \ ; O3 q, f/ Y1 ^0 u& L
if clng(admingroupid)<>0 then7 J6 P" T9 F9 H7 g
# X3 v9 f# u; G1 q7 l
admin_lever_where=" and menuid in("&admin_page_lever&")"4 i, Y4 ?$ Z9 x* \& L6 @
0 w5 c* K! Z9 H% o( |
end if
) X* Y( ^ j( ~! S9 A2 T5 v6 D
6 e1 B: u: `- V6 @ p6 T: Bend if7 ~" R a: L4 Z3 X
) D. W2 T) B5 F/ U7 Kend if
. I- ^, G% I2 f" o' c7 T $ |5 z4 o7 L$ D+ U- ] f
end sub
5 z6 R, E" N. ]$ r. {5 u+ J漏洞证明:
% z) Z( @+ n! {; R o# R看看操作COOKIE的函数
/ _2 S) Y6 y) V( {( I' I
2 L! ^7 C# R& R5 }3 m$ i" f# spublic function loadcookie(t0)
* |; @) A. Y9 H7 G+ g, b
6 c2 b0 }6 V+ ?( X" o' Oloadcookie=request.cookies(prefix&t0)
; E( N4 W: k/ a# K. ^
* b0 s/ j# S1 w O6 @5 Hend function' w/ ?, Q/ I$ a5 D$ d. u, u
. G* q; x2 k+ V( u
public sub setcookie(byval t0,byval t1)3 O7 H8 Y5 G1 N) W. }8 s3 t
7 f) h! r+ \0 [8 `3 ]response.cookies(prefix&t0)=t1! V v7 S. R. c# l& F* q
. j, w2 ]7 A4 _, N3 K9 p9 v8 w
end sub8 z+ o. v F" G
( P# z3 F4 g; q$ F) G0 D* O, rprefix
2 h( ]6 Z; @; Q2 u& z * ^; v3 t! q% A/ G& h
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
' K2 u P! q& V. K+ c& e$ `7 H ( u8 f6 r' J* R: [
dim prefix
" \# D Q2 Z& \/ H. |$ C1 | * T% j7 o# b9 u5 Y' ^# {8 [# r
prefix="1Jb8Ob"
2 r* {- D' r! R8 Z4 Q: E" Z
) M' C; |" J, ^/ M) M& p'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 / \6 Z X3 q- G! h! g
7 q0 `" i) O, I9 @( M$ I- Jsub out; O* l" C0 ^. ]& A
% S, R5 p, x% h9 f! C! wsdcms.setsession "adminid",""
+ I R6 g5 Z Y+ v6 x
. o0 `7 \- g* csdcms.setsession "adminname","" Z5 W9 O+ _7 }, n8 z. e+ {
8 L( z4 ?" K4 R, X2 i# K# Y& V
sdcms.setsession "admingroupid",""0 z1 P" e6 a! A4 ?1 D \) q
/ }! ~, D+ ]: ~& r" l' ]9 \
sdcms.setcookie "adminid",""
* m( m; y2 a) _! E! T( X
- R& b/ d2 x- ^8 `sdcms.setcookie "loginkey",""
. G! n" i! R9 V* J ) w7 m6 }) \7 k5 `
sdcms.setcookie "islogin",""- o' R6 o( \4 `4 E* s
0 \5 r# a) q5 B asdcms.go "login.asp"3 m! Q3 [6 t; I1 x. Y5 R @ [2 o
% j6 [% B* D$ `- Y3 G `2 I
end sub
~2 h4 n+ w0 ?0 R3 k9 L7 x
9 G. s4 J2 b! [$ U+ O$ b
' u2 ^- u' l4 o5 g利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!# d! K# U1 D: Y* q( }: |
修复方案:/ c# c2 c5 K* l4 l2 \
修改函数!- l3 Y8 L; y9 i, i5 {2 ~
|