要描述:) Z1 ]) K! {9 p4 g
2 U# M( |' H! n; G. ]$ VSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试& m6 ^* R0 }3 q' S2 d) z& O% B- c3 ?
详细说明:* e# z9 O6 g0 ]4 s2 I. [
Islogin //判断登录的方法/ a0 u) {. E3 H) N8 y; Q
" f- e$ f H9 R/ }3 X! nsub islogin()
! z# _ A5 @) O- q/ M3 J# Y8 C- t ; L$ l; Q* w t, n; D$ F
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then 4 X! L5 `7 \8 D: I; u* j; w) [
% e6 {# _& W; L: ~, hdim t0,t1,t2 " a* |) u) ]$ v: n
0 d' K2 `% Y# y: I6 S. f2 |
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
6 p1 L T2 J1 I: u9 b3 g
7 q8 ?* K& e2 ? y* v5 At1=sdcms.loadcookie("islogin")
/ R2 `9 K7 ]0 {( o u + U2 v% o4 y5 q$ I3 k
t2=sdcms.loadcookie("loginkey")
) w+ y6 X5 V- u; r/ y( T. M
, e7 H8 p Q1 M; Eif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
' _! g! x/ [% y3 m. ]' @
. H% N7 K+ S& K; K& r6 d$ B//" R5 y2 b8 K, l9 b
& p# ] d$ v8 u9 F$ \" R
sdcms.go "login.asp?act=out"4 R- z, p: Q; x O
1 {" ~0 s: \" d6 H
exit sub5 J. i; p3 L* h! o' O( i
' a$ r I4 ]8 }" Q/ L6 welse& s- Z; p# s( [) `& g: ~% |
+ G4 ?' u' l! u$ Y" S2 ]' Q! V2 P
dim data
4 e; g% P b" z0 s % P% T2 G/ h5 q# H' Y
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
' O. X k, j( `- U# u) N
+ n" e u3 z7 dif ubound(data)<0 then: W( F0 \7 D, a" F. I2 r6 D
- n2 J& l0 |$ v2 @$ F( k4 {sdcms.go "login.asp?act=out"- E/ O& Q; _9 [4 x
9 i8 c5 ?3 N" I+ i4 O! E' L5 l
exit sub
# s @4 H% z0 _: f$ |
% i3 q( N4 a5 Y% ~else
# l: A7 T9 l7 H* k" P 1 k0 ], N$ ]! E1 z: O: N
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then* K; \+ {% r- n
* s' P8 n) |' U5 [1 Q6 s% X4 H! psdcms.go "login.asp?act=out". T3 g$ |' a# b$ y/ @, Y+ v4 u
/ ^- f6 f; p- z1 V; u
exit sub% @; v' k3 H# X) g
8 q9 T) t1 e" A, v) w) ~
else: F0 C3 B# Y+ v: M+ M- n8 M. x
1 K5 u* h' I/ t5 y6 cadminid=data(0,0)1 ?) S9 V6 u H* _- h/ b
, Y4 q7 G8 c0 [' N8 H" Q
adminname=data(1,0)9 B' f$ b- l6 T) z
+ A' z+ L0 K/ nadmin_page_lever=data(5,0)
5 k+ y% f- S8 B& X% G
' j1 k' G' J0 ]0 [3 H, aadmin_cate_array=data(6,0)
' y4 Z, H7 u3 e5 M, E! b/ m4 q9 x
o! M# F% R& A# ~8 I0 \admin_cate_lever=data(7,0). B" C' X+ g' ?6 L A1 r
+ k9 E, B, S- j: Z/ oif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0* r" f: C6 b3 t' d/ Z, O
2 E5 Y1 B8 p( X# i1 N, L) jif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
* ]$ r2 a* l2 s' H4 i; t- A 8 |+ b7 u$ {* C( T9 T9 `( @
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- y' }6 J y/ ]' g2 s ' ^9 h; E' u* H6 c P
if clng(admingroupid)<>0 then
/ A& T% D/ ~- \& Q S4 G* W 5 _5 r1 ~5 h7 n/ e9 X
admin_lever_where=" and menuid in("&admin_page_lever&")"3 ^! B$ E3 }" r9 V+ s
8 i D, p7 D6 [end if
( t+ X' z$ t4 _8 W4 P9 [- D $ E" A j$ a b" L1 x% Z
sdcms.setsession "adminid",adminid& h6 R8 f# Z6 \$ [, _- t( u
; I% `6 X; Y3 I# `* h' C
sdcms.setsession "adminname",adminname1 l, Q" m* [; S& |
. O0 I' C5 `5 Y2 @- P, |
sdcms.setsession "admingroupid",data(4,0)
$ ^- T9 U4 `( p7 R; W! X
5 w2 H6 w7 H$ O& @% uend if1 r. v, d3 g; {% x/ R" u
) X/ ~1 ^ z/ g4 m
end if
% p+ ]0 Q/ a e7 U% ] {0 k. [ E' m3 Y' Y0 a
end if
8 H5 \! y) K- D; w7 ]% l 5 t7 s* K; Z1 M
else( ^# f! Z3 P- i; u* r! J
+ E" O6 r4 Y! c9 X& G1 j
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
" {' X) b N( k0 b
/ ~( q6 T8 R# C+ L$ o% I. xif ubound(data)<0 then; [9 r6 T1 _' B& `% k! ]1 {1 S# Y& V
t" q% m3 Z$ ^$ n
sdcms.go "login.asp?act=out"
' ?$ B) ^% t- X. U6 o
; |* [7 ^2 C2 {exit sub
0 Q* h3 h1 I4 a4 m4 I% t6 | & V1 v. P- x$ i x* u7 f3 `# h( S
else, k7 I" D. f, L4 B. H
9 s4 z( w5 v- b4 l* w, y5 d6 H
admin_page_lever=data(0,0): s8 D( J+ L+ W( Z! u; @) U
5 l: R! {, m, v9 V6 U# y/ }" v) z5 zadmin_cate_array=data(1,0)0 V8 m" w; x. E
j6 k' k7 f. T1 ^5 F! X0 J9 {
admin_cate_lever=data(2,0)
$ r2 a, x7 S9 E6 H; s( k2 i% w : g) K3 Q6 Y* @) }
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=09 I3 \! T. R' n
, b' t8 Y; [, Y$ C. A6 S* T4 L) Xif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=03 C2 K& v, A' C9 Y& M
# T2 y3 A) l$ h0 m& b5 }% O0 U" gif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=02 V+ R8 B- T9 I1 p$ B& O
' {& T. j8 [5 L: h* Wif clng(admingroupid)<>0 then3 c- C' e1 M) m4 r" }. @9 O3 i
6 n6 Y: j3 ~1 Z, T+ L8 ?5 fadmin_lever_where=" and menuid in("&admin_page_lever&")"
. [: Y5 r# X1 q$ p- ^ * g8 x( e: n a/ o+ f& G
end if% ` e1 G- h% i' d
' Q0 V. t( @+ L0 Eend if% I2 H# N7 K2 i3 T+ N
5 F' l, p. x h- `- t9 i. oend if
/ o2 Q, i6 l$ w# i) G ) |: Y2 v: ?/ o5 G% d9 y: D/ w
end sub4 `0 a; W+ I2 R; }9 T) Z
漏洞证明:
, x Q5 ^6 a2 d8 V) E看看操作COOKIE的函数
# n0 h/ b5 j; G" O5 X3 k! {# k3 I ( h" @3 @/ ^- N5 Q6 b
public function loadcookie(t0)5 _% H9 R; n, [1 M- }9 [+ i
9 ~! P t6 B- C$ u
loadcookie=request.cookies(prefix&t0)/ f" ?+ e w. }! v4 E( j( Q2 l" |0 b1 w
8 o5 ^) r9 |! `/ i6 _
end function& v/ u4 y9 t8 A! ]
: D' X; h4 ]+ v; `public sub setcookie(byval t0,byval t1)$ T7 W+ @7 ^( |7 @' l% K
8 l, v. l3 k6 l T/ W! Y. L5 `response.cookies(prefix&t0)=t1: M- v' b( e/ e2 x6 H' w
& {# m$ w8 \1 G' jend sub
8 A% g c- m3 K6 X 9 w, F9 \$ v: ]& m$ S
prefix
- M: I# u3 g( N- ~. u& `: V
! T' Q! O4 O3 C% F. ?4 [/ c'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
: A; F3 Z' f+ I6 V. Z! ?9 ?! O# ?
( J7 z' F+ ~$ F# B2 m; U4 sdim prefix% @9 M; l. v2 c$ z6 N) k3 }% G
! z7 A l$ p7 c3 C
prefix="1Jb8Ob"+ U" q3 S& @$ C1 C) m
/ r' k9 t t: l: D( C. j/ X( c
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
) \6 ]3 q3 }0 X2 \* y
4 u' w& y9 c9 x/ p* N. {0 ~sub out- m- X8 s8 B; i2 d/ s3 i3 q
0 e9 Q6 W: G- N C! r
sdcms.setsession "adminid","") ^+ o$ q! T* w
8 N1 Y& g6 p! G( ]
sdcms.setsession "adminname",""
$ Y" b1 j+ S7 u! ~6 v8 V
9 W- X7 B6 q* [( ?9 K# {sdcms.setsession "admingroupid","", o1 L1 p5 H3 y( [6 l( ]
8 z9 @" w5 C3 k; X( E5 E9 \. t1 g8 esdcms.setcookie "adminid",""$ H- @% v; C5 v! T8 a. {6 p
- g7 d7 m6 H! o( g+ n0 `" E
sdcms.setcookie "loginkey",""
! _+ g, E0 Y- {! ?
2 g3 }: Z1 s8 B# U6 Esdcms.setcookie "islogin",""0 z/ { _: F8 z& y) _
7 _$ ^0 K. C3 ]# ^6 X
sdcms.go "login.asp", \- A" s7 [( X
2 O2 x$ l7 R m! s1 U$ O+ q4 l
end sub
8 e4 F2 p* K* s4 Q; P & {0 c2 n* }# [5 N
9 G, t8 c. z" g: P
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!4 i4 |" N6 T, j! w; ~$ c
修复方案:% |9 V! H& N, H
修改函数!
u, I# a5 _& m6 `, ]% Q/ ] |
发表于 2013-7-26 12:42:43
收藏
支持
反对