要描述:7 S- a) Y* n( O! k& m0 B- D
@2 H: E1 ?8 o4 d) E S4 |. G& jSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试3 f C6 O- p: |) g' H7 _7 q
详细说明:
6 H4 w2 H, \( IIslogin //判断登录的方法
) ~/ E* q3 ]* q2 U : J2 u7 M, K3 d+ F$ Y: M2 E/ [2 ~
sub islogin()
9 W, l9 }9 j1 j ! R9 L, v8 ?# [$ K
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
4 U" F; l0 b4 S' j6 x+ b . W( C o+ ~+ b2 I
dim t0,t1,t2
5 u3 ?! U" R8 A- m4 J( Q3 Y7 x
5 l/ _$ z T2 Vt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
. Z$ j. F) ?6 [1 N3 L& h d1 ~. F m2 w) w: D* `4 U
t1=sdcms.loadcookie("islogin")
, M, T. ?3 ^! u+ j
; m7 f3 A1 q+ b9 Et2=sdcms.loadcookie("loginkey")
, p6 X. ^( R$ v! T 5 f+ A1 x3 l( ]: f" ^
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行( }$ F( g, ]; B5 q: n& U4 r
8 G1 |. n0 z$ n5 c
//1 F* P* O0 O2 F! f# T. p& b
0 I/ g0 m3 I7 Z6 V9 w8 {
sdcms.go "login.asp?act=out"
4 ~, w: z' F* F# B _4 S1 y2 M' |5 c
* X: y2 f" S& u! }8 B- k. ~exit sub
( }8 i* Y2 v8 K) U. x7 g: n
- H0 ^; f a7 q% F$ Yelse
v/ F4 w' R! K; F, u6 l( D; d
* N: l5 A1 i1 R6 S/ ?8 Gdim data5 {' Y# @2 ~ R- j/ w; E; b
* Y7 p; `' z0 |4 W
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
; y, _6 S4 W7 n : M+ ?1 n \9 L
if ubound(data)<0 then
/ X1 n5 e K& I9 O2 n7 r6 Z # j. ~) d5 o3 k
sdcms.go "login.asp?act=out"$ ^( K1 b, P: D) D8 f( D
' e9 F: G1 A9 Q! [) f/ t, aexit sub
, |' l5 Z8 J# _% M' s; d 5 j' f0 `% }. k5 e
else, Z. _3 w" r0 _5 h; Z
0 M0 `$ A [# P' x* A; h$ f$ z
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then3 y/ c- Q/ t/ Y8 s+ Q
& p( v2 U- m! G* g) I: } t
sdcms.go "login.asp?act=out"' \- v6 b% L$ X7 e) d8 I+ U
1 J1 L( j$ S! v1 f3 \exit sub
+ G* M3 `" z# ~ 0 ~3 @. y6 E' C3 @1 E& X
else
5 x% }2 T. x! {0 z' M
( | w' {* g2 m* j6 l$ F9 z. Xadminid=data(0,0)
# Z7 X, Y7 e7 l) ^- }+ m+ q/ o/ v& I
/ {: L! k) a8 K/ v) Iadminname=data(1,0)& ?2 E6 B0 M9 p2 n
; z9 w& ~" d, S! u* k% a
admin_page_lever=data(5,0)
' H% s9 m5 y. O% ?' J * n4 O) h7 A: e
admin_cate_array=data(6,0)8 z# x8 _& C- x, ?, W! B! Y, D
% ?) x" b- [5 p- Aadmin_cate_lever=data(7,0)3 d! V, a, P1 L2 a$ i$ y
: \0 g& z6 S! R0 R; y! qif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=09 E- e7 f0 N {5 }1 O
: C/ i3 a: M' j8 V, n7 V! J
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0: B/ K. \& r: b Q
: y: |* ?4 b+ T0 ]2 O- zif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
$ U3 W( V* t) T0 J) `) k : [. y3 I2 ~) b0 p7 L4 K7 P9 w
if clng(admingroupid)<>0 then8 r% b+ P* ~! ?
D- @8 j2 F" m- wadmin_lever_where=" and menuid in("&admin_page_lever&")"
4 D" F1 u4 a h6 {3 ^2 L e @
) H0 u. l/ n+ Qend if
9 k0 c# }9 y1 ?# M% r g
- e# v0 `3 r! p' J/ M4 ]sdcms.setsession "adminid",adminid6 g! T$ x+ {5 n+ S
; t& j8 N& y' e7 ^) e9 a! l% x2 i. E
sdcms.setsession "adminname",adminname
! r& `. c A, k I; d- { / F9 N+ `& Q# Z) g4 s7 Z% N
sdcms.setsession "admingroupid",data(4,0)- B& w/ G5 z- }
2 a% D( x3 _! E$ f
end if1 J, Y; \0 _, W, v1 ], Z1 e
J9 a7 o1 \! X2 b
end if* [- T! x) g8 `4 n, K0 ^8 d
y' G, p) D+ E0 |' t+ [end if
$ y& a z5 x3 P' m$ Q 4 V3 j/ y. R2 Y" b5 L
else
. g) m! m" p1 h% t( ?) Z. ` 3 b5 _+ n8 H, U) a+ {/ C
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
) _; } J. f2 _% E/ w+ U: m ' q: [' p1 s4 Z/ r; H* {2 ~
if ubound(data)<0 then5 a* U) v1 e/ }6 B% c
. V4 Y6 S0 ?! O& X: z z
sdcms.go "login.asp?act=out"! I" E& M; e6 p, k! H3 q3 n
2 U/ M' t1 s5 S7 }1 eexit sub
0 a/ z. f. F1 s' {( [
7 G/ o9 U( }5 d/ Pelse
! h4 ]7 w* S$ V- y4 l6 N
# ]+ i$ R( i' H* g1 iadmin_page_lever=data(0,0)
- I2 e( D- ]0 @5 T
! r5 ]6 p9 }4 D, nadmin_cate_array=data(1,0)3 w- O# V0 }1 _! b+ S8 P) _
* s8 q y8 s' ?% E9 m# n/ X3 g) Fadmin_cate_lever=data(2,0), J8 [# Y) a, v4 O
3 u9 n% H4 v; [. z' \6 e5 K
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
+ n6 {; V5 I# Y! B( g
0 R' x! t5 M1 c: y' v9 Cif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
8 l! Z% v8 ?' ^+ J" e : _- ]4 O; m: M' e; i* x
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0$ f3 L* n+ T8 `9 Q
. ?* I- I( z+ s; T0 P- d
if clng(admingroupid)<>0 then1 _ A. U2 q- Y! _: b
2 c5 o- ]5 u9 S& s, l# radmin_lever_where=" and menuid in("&admin_page_lever&")"
8 @# W/ M% m: a7 Z * @9 _7 l- Q! _0 j
end if. {3 d A# ^4 z& t, c
5 \3 a. C4 `7 Q9 Wend if
* r0 T! F( \# V3 I% m 3 m l0 `- s. J! g! ^' h, u
end if
6 \* F/ G6 d1 E0 [9 j2 _- D) V! S
- x1 X. D$ r, A, U( r% Rend sub: j; o! x$ w* r1 F0 {
漏洞证明:
. O! z+ }4 d4 I" V) j& }* q1 O5 g: p看看操作COOKIE的函数
6 S- J. j3 B0 ~" ^$ D! j1 O | / S1 t! C' M8 W/ e
public function loadcookie(t0)
9 p2 t% @- t1 R# n$ I; g
+ n2 R' j2 f# I# aloadcookie=request.cookies(prefix&t0)
2 P. ]4 f7 D3 S# h; @. b) @ 1 d7 H' a5 \5 P' P7 X, L ]. B) n
end function& m) U5 `6 {" L( P* o4 }5 f! Q5 i
! G3 t5 _2 V+ K( {/ \$ Ypublic sub setcookie(byval t0,byval t1)! c6 ~1 w/ R. V9 T ^) d' x2 {) Z
$ W' s# Q" b$ \1 U, }
response.cookies(prefix&t0)=t1
$ e" z( `# y* d2 @7 m
( X- V# q+ W0 ], L1 \$ q+ {% lend sub
! y) B2 Z; G2 R/ F3 j & b q6 c) \. q5 H2 [0 k
prefix3 u( w6 n# e: y S/ N3 ^1 F
B! |+ e, {+ p2 N, ~
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值3 W# t5 |# v$ M, d, k' l
4 ^, C# k) N, t3 Hdim prefix$ g: `' z6 _" W; @2 x$ I% {9 y4 B
6 K) c9 l( {' C6 `2 @prefix="1Jb8Ob"% w4 U/ |: C! d9 s" I o+ x
* M; T' A. W0 n" z$ x' T+ ^: u
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
- @- b2 f6 k6 b, Y9 o* o
* V- r$ Y4 `* C' {' q/ G( Vsub out
+ R* `3 Y1 }' _2 T/ M6 s4 }
- f V/ N' L' _8 Isdcms.setsession "adminid",""
3 @3 A8 Y& S( j
/ R" b" B t4 K( z- ssdcms.setsession "adminname",""0 i) ?+ j8 }% d# v
( C; ^6 v8 n* ^2 r( y; Q4 ]3 _sdcms.setsession "admingroupid",""
; P) h! X0 ^/ @8 T8 s
8 ~' E; K. |! Dsdcms.setcookie "adminid",""
3 }2 k' w+ D4 B$ V* ~4 Q % ~- \1 y1 }- v. h
sdcms.setcookie "loginkey","": Y0 D3 R2 x; j, }6 r4 Q+ e2 G. F
P0 ~& h3 a: ?+ ?sdcms.setcookie "islogin",""
" @5 `& O& i$ q; ?) N' X8 P! h* K % s$ Y2 _3 @% ?8 L
sdcms.go "login.asp"
, n( ~% m9 r+ @6 u+ v 6 A& p( G( F" o9 H* z
end sub3 d( r% E7 ?) Q# W+ O; X; n* w$ k
/ T4 Y0 q0 O' d: O7 e' g" M7 s7 ^
2 t" M& L- }) K/ C6 D! a$ K3 S8 F利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!( v' R \- Y$ \! @
修复方案:
$ U @2 g! E% h修改函数!
5 F% r5 @. _% l6 N+ L/ y3 E |
发表于 2013-7-26 12:42:43
收藏
支持
反对