要描述:
& z4 t' G) {* \3 f" S, H# _
: Z( }8 N7 S7 V" _/ PSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试6 m1 X3 v0 I5 G3 M l
详细说明:0 U0 s" t3 M. h) P2 u
Islogin //判断登录的方法
! u7 o' e4 D1 i B+ G( q: o- [ 0 _. z* x6 o4 o* w
sub islogin()
4 e4 N3 D+ E: ^- @" Y
# X' O4 w, x. pif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then / j1 k3 ~/ M: n E M
& h L6 r) a N+ p7 F
dim t0,t1,t2 6 [# N! C1 h. Q+ I
, ]+ N( d$ l0 D5 Dt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
; @9 d8 [& h5 g" F/ W , C3 R% l' c! m$ j' j
t1=sdcms.loadcookie("islogin")" ]: {6 E' K( a- ^& c$ f
& `5 e1 ~; W8 d4 [+ A+ St2=sdcms.loadcookie("loginkey")% `) B! B) g C$ G6 u1 ^4 }
( ^: N) _) J B$ Yif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
7 P }* `. s+ m8 N1 \ P2 \
0 j. h) |/ |5 L7 \5 ]1 z8 P//
% g$ ` D$ p, T! E8 T& \ 4 r# y7 g; N3 s6 a
sdcms.go "login.asp?act=out"
, w* _+ |% |; q2 M9 M0 @ 0 z% d7 U8 i* G6 D" ]% t9 K
exit sub
- G7 o& f+ \! C7 [5 k7 a1 X" ]
5 U* p6 a& o8 `; J$ a2 welse7 V; l$ o: t" t; b4 d
( Q2 O0 o k& n7 f" ], xdim data
% p; J: y% e% ]% ~% X 2 p J( f% Z: \$ Y& U
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
+ h6 \; T" }, ? ( D* }! e* f+ a+ [4 M. d! D
if ubound(data)<0 then( V) \6 X$ _' F: M
9 A# q4 E9 w' z9 d. `3 e9 k
sdcms.go "login.asp?act=out"
* g- @( G7 o! A+ Q' l- w2 q- k# C
/ E! [$ V+ G1 F8 {exit sub
% I% k# G; x6 T ' t* b4 B2 n% [8 ~1 _; R8 I
else
/ A, {' \" E9 W# ^$ v
: j& r- @$ p& T3 d$ Wif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then( b7 X: ? Z+ `
% \6 [6 ^; E8 n2 K
sdcms.go "login.asp?act=out"
; d1 e: B, ?6 t, k4 D! L4 Y" \
% J) ]: M6 p1 h2 g7 j6 i7 {+ Kexit sub5 r5 f, `2 H# [* K# \% G$ x) [0 t
) b6 O; a5 A9 a4 m& p+ p
else+ W9 F; d$ [3 n
; [1 e: J9 S# Y+ {( Gadminid=data(0,0)7 F' L" Y, X0 K o( ? Y/ v
" D z* s7 d% S
adminname=data(1,0)8 Z. H; g% }/ H1 Z& w1 U
- P1 q% B6 R% C$ eadmin_page_lever=data(5,0)* v7 J0 d( O# T- m
! m' J( A6 T3 }; m3 [# fadmin_cate_array=data(6,0): P# i' F" v, D3 ^$ ]$ L4 C
5 _. w& g, E3 t- A( Q- Cadmin_cate_lever=data(7,0)
2 _% f. _5 _: g) V $ r$ A b* v' v
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
4 n1 ^# n( {* l% U
/ V6 q9 U. ^# K) b. q/ A# Q0 u, Fif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
/ x, `) S5 l9 J) X/ G ]! L8 P # e0 c1 t* a/ \/ m" s
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
' \) u# y' T }* Z7 E6 c
' b4 H4 a, ]* D# \. @1 aif clng(admingroupid)<>0 then
5 y; ^0 |2 Z& S. ~* w% I- v: Q
% f- E. ?; e$ t zadmin_lever_where=" and menuid in("&admin_page_lever&")"
1 B! N+ |( R5 `' U1 E* p2 i, } ; C0 ^) _, a: `% V. S( s% u( T% M
end if+ I" Z/ @0 G" W% k% ~: ?' c1 [
* @- e6 i A' ^4 `, Hsdcms.setsession "adminid",adminid
! Q! z% J; D# i7 i) _3 ]6 Y& P! ] / p9 `+ \, w% h# \! c
sdcms.setsession "adminname",adminname
" K( n' W* D% i* H % e' P3 \. K$ U, e8 o
sdcms.setsession "admingroupid",data(4,0)- w, ~" {/ i. ]# {
. }. \& y9 G: W% `2 E, ^' |
end if
* x) U) i2 m* V2 [8 `7 D1 S2 q 8 d& I) A7 S/ r# h' g
end if
3 S" c7 \' |/ {# b, ~" D! R. Q2 [0 h * c# I8 \ ^: z( G: D5 ^
end if5 _3 h4 ?; ?; T" U3 l7 w" a d/ G: l
0 g0 i8 G2 D( j) r n2 g
else
' W0 W. H4 q% X9 O1 V% E. }: h l6 J* \& E( M! P/ a
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
q3 |, e2 }8 U; e. i
9 C& i( p% f" f' \! M0 F( Aif ubound(data)<0 then: E8 |( M8 P& A. s0 _
+ }8 n0 P5 `8 c* s: o2 s
sdcms.go "login.asp?act=out"
% c3 R- |0 R2 [7 q+ z, g' F/ {' r / t# z0 N7 |6 M7 A1 T
exit sub. P' R. A( |2 T
. T, t+ F5 A# felse( M" e( n, F+ `- u! `" z
' [$ F8 C) [3 J( d
admin_page_lever=data(0,0)/ k& W% N+ {# A6 r
, V5 g! A, m% `8 x! e# Eadmin_cate_array=data(1,0)
4 }8 M$ n( n7 a/ f3 @7 j
! k2 k- y5 v4 t2 ]( w0 x1 Gadmin_cate_lever=data(2,0)# P$ z* K0 `8 |& G
: h6 G v+ f8 V* L
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
. W3 \& p! {5 b$ I ( n& I. h/ y& g
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0- Q: @! `" U2 B, S2 {
* O+ R" }' U, [% @4 r/ [% c% Y
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0" _* D. q0 V5 W3 K. @2 t
, Y( }* o0 i. l2 w7 V6 Y. E/ w& B$ }
if clng(admingroupid)<>0 then
; s+ H- p* Y- b, \% i
) ~" _* o8 j" H6 q2 eadmin_lever_where=" and menuid in("&admin_page_lever&")"9 `( M/ d7 {! y, W0 Z
. B6 [# I* {. c, Eend if9 ^$ `. G! S/ d2 v
+ O C6 S0 Y+ d N
end if
) f6 D2 j4 `) M& O1 y$ P
, h6 O" @) ]) i+ }7 r6 F! Qend if6 F/ i/ y o8 _
1 T$ X) {7 U" ^$ V u( y* Zend sub
U5 m8 A6 A6 r! W2 E T漏洞证明:
! O) Q8 ?- Q+ s" P4 _看看操作COOKIE的函数
+ ?+ G( ^4 e& q( a' O
' U2 y) ^8 x n% V, b Wpublic function loadcookie(t0); ]% ]7 q1 P& P2 A( q
, [; ]$ `" V9 D1 t( I. u; ]" l6 H2 R4 Xloadcookie=request.cookies(prefix&t0)/ ^- y$ u" R9 z, e6 Z! h& G
0 x* \; y O& u, q% `( D/ ?end function0 F0 L* S P! d" b8 T9 ~" y8 s
0 e* Q, }4 w' d n& [4 vpublic sub setcookie(byval t0,byval t1)3 z S3 A8 j+ k) X- Q7 \/ C. G! @
( {4 A$ o/ d3 e i0 O! Q! eresponse.cookies(prefix&t0)=t1
: Q9 e/ v0 ~4 b# q6 {% U . f1 I E9 w% p/ b# ^( M* E
end sub6 V" ^7 C, w; y) S, r0 x1 f. d
# l$ v3 |: k0 e4 eprefix+ J; e8 \5 N! F7 b
" i5 @, [- ?- z
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
' P+ I, Z! ^: X4 e 5 b2 O2 C1 z" m
dim prefix, [8 Z- ~( N" f) x; n, I4 n! \, l: t3 M
. @4 O) F [, r4 T$ Z/ l7 q9 Z
prefix="1Jb8Ob"
% p2 D& `* G0 T+ V. |7 w - s' i: T( ~$ j. @% s
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 * Y. s* e6 k0 F# k# H; ^
( B9 \, W' @9 O8 z
sub out
3 z" B: ^) t: \4 D 2 Y( ^8 o, F" @! R
sdcms.setsession "adminid",""
8 g: c/ M9 z5 k+ g" p C; n% h: A
8 v3 K/ U Y2 E" S+ Rsdcms.setsession "adminname",""
! Q/ o6 ?5 v4 D " Z: Y9 y4 J& N |2 [# t# P. s
sdcms.setsession "admingroupid",""3 e, J7 o$ U7 ^! b% K
( ~2 {5 o* S4 r. L$ ]
sdcms.setcookie "adminid",""4 q- p' t1 G _, S9 g6 A
+ f3 ?; D' P# S6 A/ g; l2 ?
sdcms.setcookie "loginkey",""
" L: @! ]( V1 K, @. a
" A/ Q! A k" f- b( b7 ?) jsdcms.setcookie "islogin",""3 v1 d& u$ x$ m2 i" c9 P
; Q m+ q l. b* Bsdcms.go "login.asp", x" }/ j0 i" M# D: K: E0 V7 H
4 \9 q$ T0 B3 [) g, ]) W% B+ r
end sub7 X' J/ w) w+ P7 i x
7 t0 c( }- J( `9 F& Z( [+ z5 h8 t
8 H0 u3 `- Q' [" V% G3 P
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
" g, u5 @7 I8 Y( E0 \修复方案:/ h) H3 \5 ^, q
修改函数!
8 m* [$ Z( p" S' c3 Y |
发表于 2013-7-26 12:42:43
收藏
支持
反对