要描述:
) r @+ c9 l( T( t- L% O; H# g7 [
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
6 ^' }) {' D6 _1 o& c详细说明:# Y* `2 w: H6 S8 o
Islogin //判断登录的方法
a! t: i! d) V ' [ B9 L# c/ S3 s8 p4 B6 S9 D: U
sub islogin()6 g0 \) w0 ?8 d
& t0 V* u5 s6 U1 K0 [if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 6 Y- _2 Z- }) O: ~ j
; |) F+ o- O' L3 }. p1 adim t0,t1,t2 , J; z0 r: q. I6 d4 v
9 X1 L8 E3 a) y/ _" ^9 nt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie : ]( t: U2 W6 y+ ^$ F4 o2 c
$ C$ u- d' N) W& }: J. a% P
t1=sdcms.loadcookie("islogin")7 \: Z* V" l0 K( f7 I4 i) h
4 u3 @3 K/ U. ?" t5 n2 f
t2=sdcms.loadcookie("loginkey")% J* t/ n2 x8 @. S1 a/ \, s" l
6 V! p/ ?% H+ z5 K
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行7 n& ^1 d0 w( p* {
; z2 v5 e# e% C W//+ {4 V- e- T8 C1 ?+ [! x( z) ?5 |$ w
1 Z- _1 W3 f8 H1 a z1 `sdcms.go "login.asp?act=out"
0 a L3 N! `! c- g8 h 8 ]" B$ g. E. d
exit sub5 ^+ Z0 \- F9 Q( B! ?2 Q5 j
, E* s: s# S' w5 }; f& W% l( ?
else
( j+ k+ A9 ^9 _# m" Z' x3 H @; d 9 |: ^9 D3 F# |0 W4 x+ ]
dim data. i7 q ?* b2 n% h
4 H* k# z# B9 w$ h7 n8 S$ t
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
! Z4 }8 G# Y" Y& z$ n
& w2 Q; D' f2 |( Kif ubound(data)<0 then6 l/ u9 B8 i P, T
7 b5 o, f4 C$ s( ^4 U/ B, gsdcms.go "login.asp?act=out"4 U; G% Z8 h4 Q2 r/ L7 T& C
8 S0 A! c% _, m
exit sub9 m+ ~4 K9 i5 ^8 N. ]; ~, f! y
- U8 d" {7 M$ U7 h" S' oelse
: [6 @5 @# @% z* y
9 ~( O# B2 ^/ Kif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
. |2 S5 r+ Q. H* U & G3 Z& X0 X3 O: M
sdcms.go "login.asp?act=out"% F3 k+ t4 c% Q
' x& g0 W9 r5 e- C6 h( zexit sub
' V9 a7 a! g o) H8 |" D6 E: g # Y( \ f+ e! @$ X
else
9 X2 N! V F$ t: m0 z 3 L# M. W7 G2 i7 V- ^+ l, J5 h
adminid=data(0,0)6 t3 L; f0 [( }% k
3 W, f$ `! J& a/ J9 radminname=data(1,0)0 b! L; Q$ K) a
B' _' w" @& j7 Z
admin_page_lever=data(5,0)
# s" g6 k* }) O: r5 @. G 7 E5 M* _+ ^ }
admin_cate_array=data(6,0)
+ f9 d( h9 b7 I3 i " K+ }' N, e8 M3 f! ~# c
admin_cate_lever=data(7,0)) Y; C% v9 X0 F$ E4 Z# j8 q: Y
$ w, J5 ~0 X/ {9 M& K2 cif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ ?' f8 B: `8 Z& d* ]; N1 q
3 C! @; u8 e7 e. B6 N* W$ q, _9 dif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0: R; Q/ l: E( z# s" P7 B4 i/ B
! x1 ]* g" N0 D8 {1 v9 V2 M c. xif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
* X4 c' h8 U% ~8 T / x: V0 O0 M/ k( V
if clng(admingroupid)<>0 then9 x0 `7 R. d* l$ B/ h1 C3 ^
4 [; f( [1 e+ Q* Gadmin_lever_where=" and menuid in("&admin_page_lever&")"
3 R, m) j- {3 D d0 S 5 i4 L6 c+ ?% V# s, y/ T
end if9 R( `5 E" s" n& h( N
5 ?2 B& V- V& {/ H8 hsdcms.setsession "adminid",adminid ]/ Q8 k& J4 r) C2 E
9 E+ B5 m' S5 \& j& Gsdcms.setsession "adminname",adminname
' p7 Q# r. g- {1 K8 l6 o
3 }+ Y; z4 D4 i) b ~) G' ^8 psdcms.setsession "admingroupid",data(4,0)6 U h& l0 a K. V# l
% i( E D5 f5 m. {) L6 f- aend if& `! q" Y6 a, ?+ ~8 _
h+ X5 v. q9 i0 {, }
end if: |4 T; p' S# a7 I) A1 W* [! O- E9 S
T! A0 E+ \ _) [* Send if
. L2 n9 @% ]' t7 Y4 ~: E : D: d9 A" a. [; y3 H' `
else5 B6 u: F( W: x; a8 \
0 C" Z; X+ e7 ]! |data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")" K% c1 ^8 V M8 N
4 o/ ?$ H L/ ]7 Kif ubound(data)<0 then" X0 ^% V, c" b' l& w% t
$ H0 e4 `- Q+ ?% q: `/ }
sdcms.go "login.asp?act=out"
3 D- C% O. F/ ^ e- m/ G' ~6 i6 L4 [9 s5 k) k
exit sub
M8 ^& [7 Z% L4 |4 |. }' ^+ i1 F
( \+ U `, B" M" F2 C0 v) a9 Eelse0 A+ f- k" u. X7 K k* u
" ?9 j/ H) ^% y: s0 R- d% O* C4 W
admin_page_lever=data(0,0)5 F& A8 u" [, Z9 p
1 R2 q, @/ v9 U# t6 O: u3 a# ^admin_cate_array=data(1,0)0 Z: D$ h& l; g6 y9 X8 C/ q1 L
5 p E% N: ?8 \! d
admin_cate_lever=data(2,0): A" s$ G8 |8 z3 a% N
0 M$ Y* [; [6 A# ?4 ?0 |9 qif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ C* y$ N% z. _. @
# T9 {( c# m4 n! {$ ~' zif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=05 O3 B0 x( b5 Y% t
* t4 F, O9 O6 h+ W, t/ M" R7 M3 pif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
: u3 Q5 @: k. v5 z0 ^& C4 s 2 r5 S% m) n/ m2 Y3 M
if clng(admingroupid)<>0 then# Z8 i+ e8 K9 J$ p
* X8 h w; H, g# k3 R& W8 V7 @admin_lever_where=" and menuid in("&admin_page_lever&")"3 G: t% d$ u7 q
4 K4 O, W( O; G0 b) q$ O5 O
end if* v; K' T+ N8 {: G( [! {. A( r# {) A/ L
1 X# s2 s/ b% x+ X4 F( e+ |
end if
" Z1 z( S8 A3 I9 Z- u2 W9 a3 z* i 0 b; j. ~4 m5 q* c* D; Q8 U! Z. y$ v
end if
6 o# S; X9 n& c% F! E0 o ; T9 x$ ~, \$ |$ s3 s
end sub7 k) `, |3 |: ~# f6 t& e, H
漏洞证明:# _6 l+ g, U4 d9 z' U% e
看看操作COOKIE的函数
) X% ~# e7 e. }! }8 D8 U( ~1 ` 2 f5 `& S. R& b/ _: N @2 c& s( k
public function loadcookie(t0), o* l# V1 V1 H7 t" O: @
! H; k2 a E0 q# _loadcookie=request.cookies(prefix&t0)& B* k$ ^& {, y( J1 v# g q4 w" A$ ^
( T6 u& c# U5 I+ u
end function8 j3 ^1 O. Z% H; t- U& C: A
" \1 P, Q$ j* s" y# Npublic sub setcookie(byval t0,byval t1)
! S8 F: D7 L. h. Z3 q: z8 W* ]; F 4 \ C1 _: x5 H1 `' d: _
response.cookies(prefix&t0)=t1
# ]+ N/ f: d N7 b& Y) }# u 8 ]& v3 X7 [- `7 G
end sub0 X& x! d5 T" A( T* Q
& L9 ^. o v: P+ A' {1 w [0 [9 @1 @7 pprefix
2 U* w8 }9 r- i Y' ` $ d1 [; n' x. w: P, q
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
( {! Y( L- H7 ~/ r% i
3 P6 E. K3 P6 h4 A2 {6 [4 O! `dim prefix" m( m* n7 F: k$ z5 H5 W
& _* F$ I& f, D+ ]
prefix="1Jb8Ob"
$ n4 C. `! o0 G4 b% x7 R I+ W
( O. q; h& s$ V4 c'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 - C) }: e" i, [) O
- e: _# @2 u/ Y4 W9 g2 R/ qsub out' m, K1 t5 t8 h! Z
% g5 G& Z& F" v! F7 \6 u
sdcms.setsession "adminid",""
6 [5 B' f! H2 @$ ]
% J1 R$ b% ^+ k3 [2 s7 lsdcms.setsession "adminname",""/ ~' |4 l* p- A$ ^( \5 E) y) {$ s
6 _2 c) I) ?0 g6 q8 M4 M" r
sdcms.setsession "admingroupid",""7 W: }* ? W; b7 I6 N3 L
- e3 @" l- n% i# {# gsdcms.setcookie "adminid",""
% F: |1 O2 }0 F, g
# ?, b5 @4 x/ o5 xsdcms.setcookie "loginkey",""/ Y6 v; o0 W2 g1 J& i
7 i3 ?8 S" ~5 @
sdcms.setcookie "islogin",""$ q: X* F; {2 A- S3 r
3 `5 B9 x; w- S4 _4 xsdcms.go "login.asp"
0 Y) z: B( X, A5 k' c: G6 r' Q
7 L! b2 g0 k! y5 e6 V2 Y0 C# Fend sub2 ]9 G" p3 t; ~) o# a
, ~! @ c0 ?) y! m1 q E * l2 k+ O+ z" F& v4 ?
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!, U+ T! H9 A: A0 R
修复方案:. d+ h, Q7 z) h! W. w
修改函数!
5 Q* y( r2 e% ?$ b6 z7 N9 M; p! z |
发表于 2013-7-26 12:42:43
收藏
支持
反对