要描述:& A8 |- c" b1 ?$ n# v4 ^# W
2 D5 x5 G7 a2 O8 u& NSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试) E3 z. s7 n _, ?2 b
详细说明:. o; P, u: c) N
Islogin //判断登录的方法+ t0 u7 N( ~1 {) ?2 @, N9 z J e
0 A- ?, g2 R+ u: }$ J# }' q# ]
sub islogin()
' |& ~5 N$ u5 X% R# s, F
/ h& a; r4 o$ Oif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
* `( c9 I2 G/ K- x. c5 c. w9 w Y
Q j! C1 l7 E2 bdim t0,t1,t2 8 {6 A) ? t I y: m
% u% O1 l+ ^9 ]+ E
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie - |" G9 d1 z7 a8 p, T* |$ w
# } u% V& y" l) p
t1=sdcms.loadcookie("islogin")/ ]& C$ {" l0 Y$ z+ h7 U! R9 I* j
: D7 a; W! h% W5 m
t2=sdcms.loadcookie("loginkey")) B5 Z) @5 P( g3 W
5 z1 n2 k0 r" ?, D! u
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行3 T+ z' q# X! b
( z. D$ \8 m4 ?) Y
//
, m, F: I6 c" R! h' | 6 X0 J* n5 T: a# p3 e: u: X" `( Z
sdcms.go "login.asp?act=out"& t* l1 |' t& M2 a3 D8 @9 S
! o8 } H/ O+ {; Z
exit sub, W' Q! u8 m( f3 C3 Z
S4 E) L) k, N4 K/ jelse
# m: u4 |: K' x' s9 z* N2 m 2 o& b0 I3 z: L- N; G* R
dim data
7 \# d7 U- W3 h) }0 I+ |
5 ^/ P2 ?+ c" Cdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
8 p/ W6 |# b5 c9 V* B5 S) k
. J) q! b8 u/ T9 Q6 ^if ubound(data)<0 then6 ^" M# U" ~1 Y m. c& h
/ i1 ]" |* Q& b9 csdcms.go "login.asp?act=out"
: m7 ?4 X% n1 U/ E / d& s" e& x# x
exit sub
`9 a r u: _6 \* a! J + e0 f, \; l' R V: e0 t: y7 d& U
else
! t' ?2 L! w! Y5 @6 a, Q
7 y' k% ~- F( P& ~if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
2 e9 W5 g0 M0 S6 o - G& e. ^/ N6 ^: k6 n
sdcms.go "login.asp?act=out"
9 E1 _# H; D# {" q4 y! I
, q0 e7 _) u4 z8 _! ~exit sub7 X+ q) l4 W+ S7 X
9 I, h+ U8 V$ b7 _) z7 N
else- v: Z& T$ `, E
4 X& \' P4 i# r: z! K/ Radminid=data(0,0)
' f1 u* G+ D; f6 a . o& j- `/ ~% F3 e8 c
adminname=data(1,0)2 _0 ^) t. d( Y9 Y0 F
" z, g5 O1 l- C. [7 C' m4 ]
admin_page_lever=data(5,0)
& [; J z( |$ X% x * f* G5 Q/ _# s6 q
admin_cate_array=data(6,0)
4 e6 F0 t9 f$ T8 U1 r
4 I/ o0 S" X; nadmin_cate_lever=data(7,0)1 v% H* \ h6 d
@5 o M. J# V4 e: S! ]' E" o7 |, r+ e% h
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0% E% ?4 g- p6 L# a: Y( Z# h
- C& r' G! W g: ?0 |, B" e$ ^if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
( m9 I( |/ C$ C6 ]8 a" F. `
/ Q2 s7 L( e( d6 k, k- Aif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
, O p, \- D M* K" ]( T4 p + ]& W! B8 D6 @6 l! @' }
if clng(admingroupid)<>0 then9 \' \( z, d/ @& y' o0 i
; h/ g1 F6 t z2 madmin_lever_where=" and menuid in("&admin_page_lever&")"3 C& Q( {5 \% U. a7 E5 H+ D
+ j. R$ t1 u \' Oend if' I2 \: l5 _% \: i+ c* w
% m D- L b6 M- s5 l" }sdcms.setsession "adminid",adminid
4 L0 m+ b" F1 k" S, Z l+ e( X/ ]' C9 z% h8 i& G
sdcms.setsession "adminname",adminname1 Z0 X/ ~. K9 N- l0 k$ o- b
% N6 A7 j* s( v3 H& n& ~( q$ ?
sdcms.setsession "admingroupid",data(4,0), g3 t: H8 Z! \3 V, s
+ M! [% v2 u: Y, {3 W ^
end if
5 A4 v8 K' @0 b" C; b; ~1 O
9 U. w6 P+ c6 Hend if
5 J: K+ O* p( w4 N' P2 g * @) w1 p1 m" ~0 L) j
end if
' t+ i( g' M: ~' [+ r @/ F1 z " ]& K3 h% O' a- Y: p
else+ W) k$ E4 i/ v/ `% W- R
" h, {; u4 X' q* T8 \) Cdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")1 d$ q8 y. C+ R% R2 J) ^
# P3 d. Z3 r' D9 v$ ]: U
if ubound(data)<0 then
3 |5 l! i" ^- r3 g4 ^5 o 4 p& G2 n6 w; l2 y5 b
sdcms.go "login.asp?act=out"8 ^& _/ |- v9 [7 u
9 c/ E$ [+ R1 }3 b5 L! mexit sub! u( R) j* g6 Z. @( G9 v/ I
* J' z% W3 U0 A1 V& j/ K: g2 R$ L
else
2 r9 X- ~( T5 S4 X. N
: b( {6 M, |- |( ~0 R1 ?admin_page_lever=data(0,0)
( W" ?$ ]; L. @# c( p. g/ o ! T5 _ E# S6 F, |- @
admin_cate_array=data(1,0)8 A) Z3 q! Y- F& I
5 {( ^5 B/ e2 z" |& X Fadmin_cate_lever=data(2,0)
: m) P0 E% D1 Z3 o
# Q& ?" j. u) B# Wif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
9 |9 a4 ]! f# D7 L
! g7 n" t B$ m9 gif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0" M( Z4 [# U" F
2 L/ S/ Y% h: d1 ^if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0( O2 b, r! P9 v; v; ~% ?( U' }
0 N$ o W5 q, L6 M
if clng(admingroupid)<>0 then- Y- A/ h! S# y9 w( c
" y8 l' E% D8 }/ l2 Radmin_lever_where=" and menuid in("&admin_page_lever&")"+ } a% ~; r. q" b
; P9 f# @3 [* ?# d+ @; J9 h! [& |7 O
end if
3 N1 _! ], J7 E7 N1 i0 c8 ]1 a
( G' p- N' e9 v2 T7 t( Rend if' ]0 V2 y) a. j; a- d% k9 u
, P7 p# }- a B, D3 U, L' m, n
end if" B3 `8 g, k6 w& M9 s/ N: l
6 z5 E: v3 V5 Y) k$ L+ L
end sub6 _0 D: N) {2 }5 q& w0 n& {
漏洞证明:- h. w3 J N, [& j: @- C4 C
看看操作COOKIE的函数' x1 Z, x7 c0 R2 b+ q. D: v
: ^, j4 q) l' Wpublic function loadcookie(t0)
* M* u- t" e6 t2 |4 X' ^* x" Y1 n5 ^ 0 [9 p- z" ^( v0 Z; P
loadcookie=request.cookies(prefix&t0)
' v M, t) V# t % Z" B' b- P# y4 I
end function6 D) a. r4 W4 w
1 q0 `" Q, }& e; Y. n$ y6 Dpublic sub setcookie(byval t0,byval t1)
3 L8 w, r: Q' `7 g7 j: ^- g
4 Q" R/ a+ ^' i' c& k, a: q4 o# Uresponse.cookies(prefix&t0)=t1
5 O. d- T( V/ `( q! A' k$ L$ d
) |6 o! j' ~7 D' o5 k; @* ^end sub0 r5 T0 ~% Z! W* S4 I7 }( p+ m0 Q
* f7 y U5 {' F; R/ l- K
prefix" A1 C4 n$ [4 @' A
) D g4 p$ ^1 u2 \5 M'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值5 ]% p/ i' n. P
' E* l" V* E1 o9 @# Pdim prefix% V& E# D0 \; V G6 l1 K0 j' S
6 T6 v3 G, n A0 j4 v6 k
prefix="1Jb8Ob"
9 V0 U3 d! E8 T( V 3 `" k8 a4 D+ t* M
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 8 S9 r2 T3 \3 A6 t4 s# m: _. n: |" T
8 }- p, J {9 ~$ C: qsub out
7 h* E6 d n1 H) u+ y' M
1 g1 v$ w- V+ s& F4 k. W! B0 xsdcms.setsession "adminid",""/ z0 ^- R/ w& J& Q( `/ j! P
6 M e$ H6 ?5 u3 O: e3 o/ j- bsdcms.setsession "adminname",""
% Q6 Z0 v" ~; L4 I
& C! v! s; v2 Z5 D: wsdcms.setsession "admingroupid",""
^9 j0 T6 {: j: a6 V! }" I3 f / ~/ g3 U* a8 E; `2 W4 F
sdcms.setcookie "adminid",""
: O8 h( {9 N0 _' b
$ l3 Y8 q r/ N) o2 T3 R) b( Wsdcms.setcookie "loginkey","") V; m8 K5 Y8 d5 H, ]% \/ m8 }" G
( a, R, j" y- q: ], v! a. q& Wsdcms.setcookie "islogin",""
1 _4 _: e* {! p. o: m+ ~: u ; M- w2 v# Y R4 i8 q7 ?- p8 q
sdcms.go "login.asp"( B& v( Z; }% U" B9 A0 f; V
# d" b9 t- P# uend sub2 w/ |$ {2 G' A
+ T5 H3 L5 l$ F
% [- |- f8 n2 k* h9 v. E% x; U
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!+ x. O/ P/ B! X
修复方案:! O/ b, r- p" l
修改函数!, X: g/ X! f5 m: ?! t- Q
|
发表于 2013-7-26 12:42:43
收藏
支持
反对