要描述:' \' G- ]$ p; k
: v" V+ J9 I. D# U( ^8 u
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试2 |2 `4 R4 A0 [/ [; L% h& Q
详细说明:
: N" T# g6 }: d3 g" u3 d2 _* jIslogin //判断登录的方法
( Z, x. A) U0 _5 V
; K1 F: M' E3 m! i4 Jsub islogin()
7 j) t- J( f* k+ t( g" B) |
& i5 t# z5 m; d. k: C) N8 U3 mif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
* Z. L. H# ~" W ) v0 a3 u, m; v! B1 T9 S
dim t0,t1,t2
/ j; K/ w$ D' i+ ?5 o
% t4 m6 [4 W; T2 |, ?" ~( ot0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
; u q& h; s V. c3 A) x
" g0 W0 d5 ^; t6 Q) N$ X6 ^t1=sdcms.loadcookie("islogin")# e1 Y. K$ m* T
: h- a& b1 b- r3 r) o6 st2=sdcms.loadcookie("loginkey")% O6 I( z+ d" Y4 u9 g$ k
$ ]- ^* ~% A w: mif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行' W0 {( e5 E9 R2 N! q9 t7 v( M6 [
# Q+ D% k- }7 B5 j/ N$ E6 ?//
r/ v- ?; y% P. o3 g8 ^. g 6 v: S9 E: A2 a6 V+ L7 N3 V
sdcms.go "login.asp?act=out" [ K( p F/ v- Y8 O
6 r; V: ?$ ~6 ~7 `+ G7 r
exit sub
" p0 ~( K- q0 G- \" h! i 5 Y) G" P; V, u/ U+ ?9 g9 o# ~. G( {
else
* q4 |; a6 y* T. V( d
; w! _$ f! h! _9 r# tdim data
! q/ d% m+ T8 f: J F# j) x
" B5 b0 f0 ]# R2 F8 ^7 P2 ]% Ydata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
9 I/ E! w6 l( W7 [" L ?
t8 s, v! a6 z kif ubound(data)<0 then6 ?3 j9 o, G$ T6 N8 ]. R8 Z
7 y9 X3 W$ T) v; M/ z/ J, E+ @; _sdcms.go "login.asp?act=out"
. Z8 {/ V. k2 p2 {4 S9 @7 `& e ; Q! e4 w, t0 a, i, ?2 t% M
exit sub
& ^6 V9 [/ n/ f ( j, {- F! \8 o2 E" ]: C* [ D" K
else
, C0 ]5 e6 a: L. Y: o5 o! M$ H# V) _
! g, X$ L0 ~/ gif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then, I" z- m- b& L& y, a
4 a/ ^" S6 c8 H5 C! A( b
sdcms.go "login.asp?act=out"+ b, c b, h, B# V$ `8 K" o, V3 R0 X
- a/ E8 ]' z' L" L
exit sub( I: W3 n E) q/ c& _, ]. R, v
( W/ F2 a0 C( f3 Eelse
' ]3 U1 ~3 [- e/ m 0 d) y) m. e: x; U
adminid=data(0,0)
% [% {* L7 P% q2 z) z3 y' D7 M0 T 5 L3 Z- `% o/ c/ l. \
adminname=data(1,0)
- I1 h5 a* H) f5 V- g
% Q+ r9 ?: R* {8 f; Wadmin_page_lever=data(5,0)
- T |8 ~) O$ h: R0 Z# r
4 B! v) q, H0 n/ s# J* l$ tadmin_cate_array=data(6,0)6 M" T) A( A4 V# Z
' q) `, k/ P' Q* iadmin_cate_lever=data(7,0)- T/ g7 B5 M c0 r5 q v
l6 f, i5 l7 ^# {3 q3 Q& N, i
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0+ z5 H& a% z& i0 z l' a R* Q4 [
3 R" U8 g* T9 K% A2 o+ m
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
% B% I$ R8 h3 e8 @+ a; z( |( Z 1 }% m+ {! C; G8 L
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
, u, G9 x% L# b, m 1 I8 q7 F) J7 k/ W0 g0 v1 W
if clng(admingroupid)<>0 then
! O( v c4 n0 d' I/ b/ `" Y 7 s7 \9 g `! `. m& K& m
admin_lever_where=" and menuid in("&admin_page_lever&")"1 }2 a$ B S! |7 ]! k. g! N3 ~
, e7 R/ M0 _& X3 {
end if; _: O S( Z4 v1 E4 V
% O, d7 h2 a- ?! Jsdcms.setsession "adminid",adminid
) [' X; N5 d+ b5 U0 s 2 y4 E: J' o/ H6 G' V1 J
sdcms.setsession "adminname",adminname
- U6 T3 W% p& q; ^/ o4 C
0 e1 D$ a! `: k4 ^7 v. Vsdcms.setsession "admingroupid",data(4,0)& r/ V3 e9 x6 C" |, q+ L& t
/ p. W w; N; ]2 o1 z5 c# S# f5 tend if
4 e: K) k* z( T1 t/ K4 l! L4 @* h V6 e
+ C' l* v1 V4 Yend if
$ B7 ? N& X" |2 {# f. M
$ }4 T9 j* Q6 u% y4 yend if
% z% s. d* r7 k# ~# ~ 5 h! ~% E) g4 n+ A: q! Z F4 f
else
: J( U S& S8 c; v+ D
- o% ~' _! a/ O8 S' edata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
+ m6 U! v. I" _ S6 b % O3 n" n0 L x, B; p4 C9 P
if ubound(data)<0 then; C, B3 q* E J2 C3 ]5 z
. R, P5 V1 Z3 d8 h8 f: r9 isdcms.go "login.asp?act=out"* f1 V! N' M' h/ d& b9 r
. }0 p- D2 c1 M8 ] {- e1 \exit sub
: H3 g" {! u0 z! X4 c ; E4 B# X9 |# j* F+ Y4 B) X
else
2 w# }1 z- b+ r' g 4 a& i. z d1 p/ X
admin_page_lever=data(0,0)
. r. b7 o) v& F6 W
+ ]* n- E; K( i/ k% iadmin_cate_array=data(1,0)
: F1 u9 r# }% s: l* i5 i ' f6 ^7 w; P. n! X4 y/ h+ G
admin_cate_lever=data(2,0)8 Q0 `4 A8 I2 G& i2 {
) V; ]3 ]4 I# |4 {& x0 v9 F% ^if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
$ l" A2 u' y" Y B5 S# _
! `1 N8 U: x! W0 rif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 [' S( P4 x& z3 m$ u" D
, O g S8 T9 u1 N4 l* r
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
! ?& Q$ b; S! }* v2 n) X4 [/ n/ @
2 v0 G2 t0 m4 c/ A( Fif clng(admingroupid)<>0 then
: X X1 t; U! u* q & \& g+ h e4 q- e, V
admin_lever_where=" and menuid in("&admin_page_lever&")"
' e" \5 j4 Z+ }5 G
! M; I/ T5 S* ^/ Q" \end if
+ Z3 K7 C' W' S6 L1 Q9 j8 K2 P L % v& P# }/ M. A& v( w" ]
end if
% n& \* l! V1 S& D6 H7 a
% B6 x$ I& Y# b2 G* kend if
! t( T- ^ B- s) x! e
, u8 r' \! X, R7 E. kend sub
# i: K9 P. ` _9 }" p, U+ ^+ i6 J漏洞证明:
' h/ ?) B" W9 @, K看看操作COOKIE的函数% W% p) v0 j: m
: u+ n* p- z8 i9 l) }$ o
public function loadcookie(t0)/ f8 @# N5 _ [ h' H
" p4 i$ M7 S% D$ u9 i5 h3 uloadcookie=request.cookies(prefix&t0); K, V: @- Y6 |: h( p8 m+ j) n
& W! k3 [+ ~% i6 d5 t4 Lend function
$ q( z* d6 S9 W9 D8 [1 O 9 S% k5 u* g9 o6 g! S; {
public sub setcookie(byval t0,byval t1)# N/ a( C( b2 Z4 I% L6 i, o
% O/ ?5 D6 p" i. R* t5 o
response.cookies(prefix&t0)=t1
% u1 ?0 {, ?: n/ C# j* z R0 { + R) W( }7 k- I* r9 a8 B
end sub6 E5 X% U- F- I6 [3 J
( B8 N- D. p5 d2 ~prefix
b* @& J* J8 k; Q+ Y7 b ! [8 l5 v) |1 q& j! d+ c+ d
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
0 I7 w- u2 Z8 o: Y0 k, C
6 ^) A! _$ U3 \4 C8 J, ndim prefix/ Z) G g) C! p$ Z/ a
! O5 t P2 m6 F0 `& i4 L
prefix="1Jb8Ob"2 v7 }+ M4 f; S1 T; Y
& o }, u b& W4 D6 C& f+ @* \
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 0 P" M2 c( y7 `2 W' {
6 V& E* S% ~' w4 |7 }% V5 Qsub out
* j; d5 h* {' o3 R5 X& A3 ]) R ( T. ~* V4 x w; j! Y9 z' L& ]
sdcms.setsession "adminid",""
, m- f0 ]- Q- y 0 o7 B7 ?; P" j5 d) i
sdcms.setsession "adminname",""6 M: D q4 a. z
: ]4 r( L7 t/ S& m9 psdcms.setsession "admingroupid",""
6 _8 k6 w( ?1 `* g6 G# ]/ }
# x8 _1 G, Q5 ^ O; d. \2 Esdcms.setcookie "adminid",""% J8 V% }9 ]8 i1 O! @
! Z& ~, w2 C5 q' ^3 o
sdcms.setcookie "loginkey","". w" j: x p) h x( x; c) J% U. u
+ z. b4 U- z- L8 ~( E( Qsdcms.setcookie "islogin",""3 p- l* | F, l+ @
; Q- ]' w4 c& j* D7 S2 Q$ Dsdcms.go "login.asp"
+ F2 n9 d/ R) z) {. E: `3 y
7 b! }. ]6 }/ z6 k$ q3 z9 E! \- _" Hend sub! T% s3 t* p/ G8 u7 O( h4 c) m
& `5 S4 H% U# @) d) c3 o
/ f, C, V* p! H7 J* }利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!3 B$ s4 p! q, |6 S) ?& s, L
修复方案:
, t0 n6 Z8 a8 O4 [; X# j* A5 Q修改函数!# P. W; N6 @4 s0 w0 U
|
发表于 2013-7-26 12:42:43
收藏
支持
反对