要描述:' ]- ]" O- `; g0 H
$ x6 }: H& y. S, l/ dSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试+ ?5 x; S( X( j- E) ~
详细说明:
* x' V. Z9 g& C6 k1 J$ F& q5 l6 w& RIslogin //判断登录的方法 T, Y! u1 X) J- j
* R3 c) r/ o. D) h( }4 ?' u1 A
sub islogin()8 x2 C+ U6 X$ j1 k s
9 x7 z% i% L" ~
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
' L4 u: y% t3 L5 G* v# N9 ^
0 U; l. ^. l1 @8 h" J& U0 c) ?dim t0,t1,t2 % g; U& H$ s: b* M: {) d) p
7 k, d7 s/ J( b! O/ E+ O
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
. T7 ?3 K5 G y7 N' R7 J
+ t0 `/ D! j7 i! Xt1=sdcms.loadcookie("islogin")! M e, ]& [+ [9 I: J" t6 X
- |: v& b; e, X$ p- x
t2=sdcms.loadcookie("loginkey")9 R7 k. U: L9 r8 ^. v; O# M
7 ^' y) p8 h- T( x5 _if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
- E; H# \( h: ^( S, D8 ` 1 _1 C7 s! q* G
//; s2 B# N; K+ p X
1 w7 z1 K. O: D( o5 }( @# Q) h- t
sdcms.go "login.asp?act=out"+ D& w9 _% ?4 x
: D& C9 I% @! ~: Y4 X7 A( K6 E, S. Z
exit sub; x5 Q( W0 r* s" ^
6 R; j5 U& y' V! b! ~3 Z) I( a$ zelse
" P1 W [+ P4 a, f0 |6 y U/ i 5 m8 V" a/ A% d% t S
dim data
9 \. F2 d( u# T; n x1 B - D2 Q/ Y2 P. \4 e& p* |0 }
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
6 {$ h/ p0 s: e ?- Q W # d7 k5 Q' L7 f1 l$ m7 e: ?
if ubound(data)<0 then3 V% i- w" k8 ~) F0 [
' ^6 {+ L6 [6 q: ?% z. h! L
sdcms.go "login.asp?act=out"
0 ^; ^' j) x: x* \! O5 `, _" P9 \ 6 D# M2 G3 y6 H
exit sub
, r; b4 c% X6 S( y$ m# S
3 a/ n3 P2 w* Oelse
6 S! M; K1 ~; n9 o# W4 F- I$ \ : ^3 w; I7 F$ n: h/ q- Y T" B
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then; E8 k7 T2 {% g
$ X& i9 h( {" ^9 t& P) Xsdcms.go "login.asp?act=out"* p, j+ V: ~. w
5 d5 e/ y# z# r, `exit sub# B2 i% x w8 ]' S, G, M4 i4 ]+ z: X3 X
+ g/ n$ b3 j1 P8 Q! felse
/ @/ [. H- `; |( u$ M3 i , j1 W0 A- K9 z2 O: ^
adminid=data(0,0)" l- `( q2 I- |& r! M
8 g2 J5 J; r4 r' X+ v
adminname=data(1,0)
4 ~% o5 B+ x5 A) O8 v - k4 Y8 l" [* d+ j. F% J
admin_page_lever=data(5,0)
- Z2 e( O! s( ] 5 e4 l! o: b8 ^ I6 s8 _
admin_cate_array=data(6,0)
2 ^/ k+ m7 X3 t) I; x+ s # K3 w9 e0 E; N0 E
admin_cate_lever=data(7,0)3 ?+ G# I4 _* c8 E, _. z
. N( R9 _/ N) {" X$ mif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0 S4 n+ C+ q' I2 d- L
3 [1 V+ P0 T3 Y$ ~" Y4 Qif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
- g1 H% T6 a7 g" Q/ `3 L1 Q
7 d; l4 v$ W9 C5 d6 V( uif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
7 Y- F. e N8 F$ b3 w 5 C8 F' n: ~5 S( w+ m& s
if clng(admingroupid)<>0 then, \! \+ p4 {: i, ?; l9 ]
# q0 H8 N8 j! H0 a/ o* R9 l7 uadmin_lever_where=" and menuid in("&admin_page_lever&")"
5 u; p. D* Z/ D* p ( W' S- a u' d5 ^7 |3 G. A. t# F" J; _
end if
* _7 `2 g0 d# p! q1 K8 t
$ q; s3 k& h' Z y' ^2 {sdcms.setsession "adminid",adminid
0 A a- @% L+ ^9 h% G9 k : O: e" D2 [. @$ h7 [
sdcms.setsession "adminname",adminname% l" X" H. y# c
4 s. Q" `5 C ]0 `
sdcms.setsession "admingroupid",data(4,0)* n8 \% p1 k, _2 w: |
2 W- y7 K9 y9 k8 {% f1 p" vend if$ Q9 t. n1 V v" b6 E1 `
7 M0 x4 E* [8 |end if* W0 _3 N% r! Y$ U" E8 v$ J, h
! m- ^7 ]. F/ ]
end if4 L/ V- _& ~2 p2 H5 `' S
: _$ X$ { W( O& L( Jelse5 N z& J4 c/ [4 A: Z. }0 Z% g
! X+ g% |# d$ ~' g
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
# q/ L% }, F/ K9 H l 0 r1 Q7 M: V% e
if ubound(data)<0 then) l r2 y" B. W9 X# z( M# s
( ~; s( u8 E5 M3 L; k' v6 M. S
sdcms.go "login.asp?act=out"
: p7 Z5 }! ~1 U6 C2 Y9 [0 w2 z
6 t: k% B4 W+ Q F/ Q0 {! nexit sub, } B7 n: s2 M- C: \/ U* V
M3 t5 Z. N7 o4 ?* h
else
5 p% s8 n$ O( V6 f" `4 f7 l
( L P$ G' f6 h% C# ?7 L! T7 Nadmin_page_lever=data(0,0)
- T/ _: u0 n9 {
: }2 a8 u; m& T2 _: v1 V& p1 e, V5 yadmin_cate_array=data(1,0)
% M! a; L, U- b: F1 L : U1 Y% V& r v7 y' \2 h0 n L
admin_cate_lever=data(2,0)
6 n# I; c4 a) p, c O$ L6 P2 [, c' N
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=07 t, y7 f7 s1 k. _; c0 {) \8 n% U
/ Y6 i7 U0 D6 C6 `( H6 b) Dif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0$ J. q: _/ ?0 V# {- S) ?2 V+ b
4 Y6 R5 L& W C# q8 ~if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
; G. I) Z0 i# G% |! I, M
& F) X x1 J9 x4 V$ Fif clng(admingroupid)<>0 then
+ Y7 C+ p3 u8 A5 I0 f3 s 9 s1 l `% W' Q6 C2 t% M
admin_lever_where=" and menuid in("&admin_page_lever&")"
+ n2 L; m7 l' B% K. o* H5 ` 4 O6 M& C! C/ g, T# [
end if8 B5 t: S' ` M4 ~
( I# s/ Z) c3 S6 iend if
. `( i8 o' P, u/ L ) o- D1 ^; D3 L2 I; A
end if
( Y; G0 ]3 D1 ^: ^
' _5 c" i/ j6 O1 {. Rend sub
* X) D1 w+ D* b# L4 S! O漏洞证明:
0 k& u1 ], @3 X- c3 o e2 S0 N& y看看操作COOKIE的函数
( e% S, `! d) O; b: @
9 S' z* J; o" r3 h- d4 xpublic function loadcookie(t0); ^+ O( P/ q$ _! @5 \: T2 }# q
# [6 p; O# [9 w) G5 K% i0 ?
loadcookie=request.cookies(prefix&t0)0 x" N% Y6 ?4 ]1 J5 s8 O1 A1 v
: x% M% m" F! @/ J
end function' a& A% ~/ \6 ~- \& a- z, C; Q
+ Z* j+ n3 K+ f7 opublic sub setcookie(byval t0,byval t1)) l0 Z h+ e! P0 O' P
+ p7 ^8 K0 [4 B" kresponse.cookies(prefix&t0)=t1
/ P" B k/ a5 ^$ } , {4 K5 Q6 M- e# c( m# g
end sub& |1 F/ y2 ?! d3 Z+ S5 a
6 _# v6 u- j! g2 ~
prefix
4 H" x5 x* ] j
e9 s( N" H4 n1 y1 e- {5 P'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
2 ~2 [/ c0 X" l4 w; P0 @7 K* |
! n9 Q! w4 s: E6 I# q) hdim prefix
( s2 f# u7 I& A% F; e8 ?7 I
$ B) @1 ^/ w, m7 U/ T, Nprefix="1Jb8Ob"+ Z2 A0 d" V! @
! A1 G: H, p* n+ V/ K. p; }! x1 K
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
8 Q0 L/ P4 D- v$ f' k2 A$ |/ v* r ; } o& @ n7 v4 I+ ^
sub out
3 ]( y. t; _7 S
8 p1 [' E$ R3 Z3 usdcms.setsession "adminid",""5 F" t% D: H, N7 j7 A0 l
+ w) a1 P+ u* B( ?
sdcms.setsession "adminname",""+ m M6 ?8 V: {9 t: ~, \
# i) p% I C* ]9 C* F& w* {
sdcms.setsession "admingroupid",""
7 d; I# a7 `; y3 a& ~ " y5 P* i, e# h2 ^2 b. v+ x8 A* k
sdcms.setcookie "adminid",""
1 s- e" T( p- W- j% E 6 J% ?3 V( ?2 y6 _$ G
sdcms.setcookie "loginkey",""
" p" M! U4 y1 g+ v
" ~& J1 _3 L* Q( o$ R5 R3 Nsdcms.setcookie "islogin",""/ { ]' Z2 u1 E( ^% n& M
- q' B. Y& J7 s1 n% R
sdcms.go "login.asp"
8 i, o7 J7 `; Z ], b/ F0 J0 _& {7 v
end sub, E$ c) Y: `' k( ?; ~; R
" p' A$ B4 h$ ?! o6 H- n# q8 o5 Q $ R3 z8 I. x' `9 d/ M! F6 k
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
" r: ^+ ?5 L% N修复方案:
" X, H3 S8 T h0 M+ `5 c修改函数!
" [: j' v! a7 e: { |
发表于 2013-7-26 12:42:43
收藏
支持
反对