简要描述:
8 B5 j b+ F# y p/ s$ u. L* j) z4 M5 M' [6 h& v
SDCMS 后台登录校验绕过，无需口令即可直接进入后台。测试版本：2.0 beta2，其他版本未测试。
详细说明:
islogin() —— 后台判断用户是否已登录的方法，代码如下：
6 P5 V, i9 V: q' j ~7 A" J. ]
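' Checks that the current back-end request belongs to a logged-in admin.
' Two paths:
'   * session already holds adminid/adminname -> only reload the group
'     permission columns for that adminid;
'   * session empty -> rebuild it from the client cookies adminid, islogin
'     (ciphertext) and loginkey (key used to decrypt it), validate against
'     sd_admin, and store adminid/adminname/admingroupid in the session.
' Any failed check redirects to login.asp?act=out and leaves the sub.
' Globals written: adminid, adminname, admin_page_lever, admin_cate_array,
' admin_cate_lever, admin_lever_where.
sub islogin()
    dim t0, t1, t2, data
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        ' --- cookie path: every value read below is client controlled ---
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' coerced to an integer, so the where clause below is not injectable
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' NOTE(review): loginkey is only checked for length (50). Because the
        ' client supplies both the ciphertext (t1) and the key (t2), the
        ' decrypt step below proves nothing about who issued the cookie; the
        ' proper fix is to keep the key server side and compare against it.
        ' Not changed here because the login page that issues these cookies
        ' is not in view.
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
        if ubound(data)<0 then
            ' no admin row with that id
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        ' FIX: InStr returns 0 (never a negative number) when the needle is not
        ' found, so the original "<0" comparison could never be true and this
        ' branch never rejected anybody -- any 50-char loginkey plus any islogin
        ' value logged the caller in as adminid t0. "=0" is the intended test.
        ' data(3,0)=0 is presumably the islock column flagging a disabled
        ' account (column semantics not shown here).
        if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))=0 or data(3,0)=0 then
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        adminid=data(0,0)
        adminname=data(1,0)
        admin_page_lever=data(5,0)
        admin_cate_array=data(6,0)
        admin_cate_lever=data(7,0)
        if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
        if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
        if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
        ' admingroupid is a file-level variable this sub never assigns (only
        ' its session copy is written further down); presumably it is loaded
        ' from the session before islogin runs -- confirm, since clng("") errors.
        if clng(admingroupid)<>0 then
            admin_lever_where=" and menuid in("&admin_page_lever&")"
        end if
        sdcms.setsession "adminid",adminid
        sdcms.setsession "adminname",adminname
        sdcms.setsession "admingroupid",data(4,0)
    else
        ' --- session path: adminid is already populated (going by the
        ' setsession call on the other path, from the session, not a cookie) ---
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        admin_page_lever=data(0,0)
        admin_cate_array=data(1,0)
        admin_cate_lever=data(2,0)
        if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
        if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
        if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
        if clng(admingroupid)<>0 then
            admin_lever_where=" and menuid in("&admin_page_lever&")"
        end if
    end if
end sub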
漏洞证明:
先看操作 Cookie 的两个函数（loadcookie / setcookie）以及 Cookie 名前缀 prefix：
' Returns the value of the request cookie named prefix & t0.
' prefix is the file-level cookie-name prefix, so every cookie this
' application reads or writes goes through the same namespacing.
public function loadcookie(t0)
    dim cookiename
    cookiename = prefix & t0
    loadcookie = request.cookies(cookiename)
end function
0 K- T$ R! r( D# r% c 0 ]* ^& e6 l/ j; r. o8 f5 w9 ?
' Writes the response cookie named prefix & t0 with value t1.
' NOTE(review): no Expires / Path / HttpOnly attributes are set here, so the
' auth cookies that pass through this sub (adminid / islogin / loginkey) are
' plain session cookies readable by page script -- worth tightening.
public sub setcookie(byval t0, byval t1)
    dim cookiename
    cookiename = prefix & t0
    response.cookies(cookiename) = t1
end sub
+ V% Q @# n/ n1 a7 P
prefix（Cookie 名前缀）：
6 y: h0 b5 E( U9 S: ]; ^
' Cookie/session name prefix (see loadcookie / setcookie). If this program is
' deployed more than once under the same host, give each deployment a
' different value. It is not a secret: it is part of every cookie name the
' site sets.
Dim prefix: prefix = "1Jb8Ob"
( v% y3 Y# c% e1 h
'（报告者注）这个前缀值无需猜测：访问一次 admin/login.asp?act=out，浏览器收到的 Cookie 名称中即带有该前缀。
7 {3 q G* k- j; a) d; s
' Logs the current admin out: blanks the three session keys and the three
' auth cookies, then redirects to login.asp. Presumably reached through
' login.asp?act=out, which is where islogin() sends failed checks.
' Blanking a cookie still emits it (with the prefix in its name), which is
' how the report above recovers the prefix value.
sub out
    dim k
    for each k in array("adminid", "adminname", "admingroupid")
        sdcms.setsession k, ""
    next
    for each k in array("adminid", "loginkey", "islogin")
        sdcms.setcookie k, ""
    next
    sdcms.go "login.asp"
end sub
3 z8 ^. ~1 I) [6 k6 w1 m: a
利用方法：设置三个 Cookie —— `<prefix>loginkey` 为任意 50 个字符，`<prefix>islogin` 为任意值，`<prefix>adminid` 为管理员 ID（默认管理员为 1，也可依次枚举）—— 然后直接访问后台页面即可通过 islogin() 的校验。
修复方案:
修改 islogin() 的校验逻辑：VBScript 中 instr() 未找到子串时返回 0 而不是负数，因此 `instr(...)<0` 永远不成立，应改为 `=0`；此外 loginkey 只校验了长度（50 位）且完全由客户端提供，解密密钥应保存在服务端（session 或数据库）而不是从 Cookie 中读取。
|