要描述:# \" I4 a: h3 z6 E+ N& l3 v: h" d
) C; d7 f7 l' T2 bSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试/ Q5 f: W4 C/ a4 S# e! W7 O
详细说明:! d+ [8 i0 B" r+ k
Islogin //判断登录的方法
4 t# C8 {7 L3 t3 _ # u: ]/ `* O: A
sub islogin()' G! g' E% d9 @4 }/ n. J: u6 p
( Y0 t% W3 z! Q N0 aif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
# g) [+ o3 y1 |4 b0 a1 d, T% m2 B! N % }" H5 _# i# N5 a) @
dim t0,t1,t2
$ S8 o e( J/ O1 v' J " \; \1 Y7 R# i3 h3 O
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
4 a0 O* ?3 Z3 s5 z
% j# ~+ S( c/ b7 G2 jt1=sdcms.loadcookie("islogin")6 j1 ^) W6 u: K7 \7 K) Z
$ _- i0 g" a" N! t0 _. ~t2=sdcms.loadcookie("loginkey")1 A& r1 a9 l* I9 n6 T
5 @; A: X8 v5 D# G* d& I# N
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
% E2 Z+ r6 |! f- ?6 N3 c
0 F+ b" j D6 h3 _: F) A; f# U//: E5 d6 L- U9 ?9 h
7 m+ d% V$ }/ B* z0 e3 L) l( J* x
sdcms.go "login.asp?act=out"4 n/ P. X$ d [& F
4 f7 Z d( a) {/ d4 _2 k8 S/ N
exit sub+ i6 C4 @4 u' ^0 S% V
9 `. X; z; V j6 K7 r# belse
' I' r; X0 X5 S 2 t+ w y# ^4 t6 U) B# Y, t5 s
dim data$ @+ W- V' W; W0 T: Z3 F7 C, h
7 |! H2 {# c! ddata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
* L# c* G- K6 Z* V 9 \& W" P! x* J* V
if ubound(data)<0 then
5 `. e) E; ^& G: }" L4 V$ u 7 A' L! {% |$ ]( L" g
sdcms.go "login.asp?act=out"( C, h8 \, W6 I" k/ C. L
0 _- U0 e3 \* g3 i2 E# R- Y9 Dexit sub
' F. A7 O9 U! X$ ]+ y9 Z
0 j/ p' S+ ^7 l) \else
5 y+ P6 o K: Q; u5 I; d! G+ p
# p0 [% [8 y s7 z1 tif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then/ r7 l7 \3 H3 P3 D4 O
; b; L+ D* j- l* Ssdcms.go "login.asp?act=out"3 m" i+ I6 e1 C4 v# B) M
; ?* f3 l1 \2 rexit sub+ G( L! M" W* D) [0 r0 k
5 ]! h9 p C+ \4 m/ l6 L
else0 ~* Q- t1 v! E
4 [/ N4 \: S2 M4 b' G+ | c& c
adminid=data(0,0)) c: T2 r7 e# P) N2 H
9 E" {+ q( v6 h" d% O# o. q
adminname=data(1,0)
: E& J3 {! |6 V; D' _# j& ^( i / N9 M& a8 @9 }
admin_page_lever=data(5,0)( `3 b/ M" ]: @$ T R8 b
7 N# i( Z1 x# k: {4 C
admin_cate_array=data(6,0)* \, J6 b9 M, z$ n) |; {: ~
5 k7 O" p: ^4 R$ |
admin_cate_lever=data(7,0)1 S( r$ ^' U3 O( |3 q5 Y7 |
; P7 U5 ?. w; J. x' mif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
& s8 u& T/ w" [$ E) K& m
- o. w' h! e" f6 L y) C9 i6 Xif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
! L7 R5 @% {( [4 o% H ! Y) N' x1 C" T* l6 f
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
- o9 _" Z* L+ z% m2 w
+ R7 v0 w9 z! R& D3 p5 x- Oif clng(admingroupid)<>0 then
' b, o% c' G4 U- L) W: U. A 6 [( x9 M- M) ~: r2 T; a b
admin_lever_where=" and menuid in("&admin_page_lever&")"
! u. j% m5 c3 U7 G P4 I( R: t 6 L# U0 K" d: L0 x& x" u" w
end if+ M& P$ S+ W" N6 N
0 D: }7 F5 Z# E: P2 ?8 e) s# O" q
sdcms.setsession "adminid",adminid8 X! Y# |: |2 \$ P. w& L& }* i
8 ]2 z2 t% ~5 r$ @3 T: y6 S- {& q
sdcms.setsession "adminname",adminname
. C+ X; H! Y$ d
3 G& d4 h9 z) [# T- m! I& f3 Asdcms.setsession "admingroupid",data(4,0)
3 B2 |# A9 g: q7 L4 j/ F* X6 L
; I3 U) |* _$ S% vend if
6 B! E( ]7 j$ c- D. r " D/ W4 k- v" K$ X1 S
end if% k: S2 |( U3 ^/ `* c6 M/ E
7 Q% ^* k: |( D4 u* {$ [0 |- Jend if
$ ~8 [ n( C! l+ U/ A
( ?1 w" z. A; ^9 O7 e- ^else- n a( @* B* y# T
: |! p( C6 [4 w% ]data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
4 x- S" |; r. D+ ]& O
: M3 V, d& }; v1 w, ^" Oif ubound(data)<0 then
* M9 }" A$ c+ n8 a
& E6 L$ ]* n, Q( ?7 D! H: Csdcms.go "login.asp?act=out"
* |, S9 }( _ {% W$ {5 X, ~/ y
8 x1 B! P+ F2 ~1 P6 dexit sub
- \: V) H; I6 L+ K. p, V; f& U% p & v+ c( _1 [2 T" E
else& N) w4 q4 \4 J+ i
J, t& O: f7 }4 s8 k% ~
admin_page_lever=data(0,0)) D$ g6 B" Z0 B+ ~* a4 m
$ B' ~* e# b p2 O4 h5 Kadmin_cate_array=data(1,0)
5 U2 i" ]; O& E- ?# E" E O
( m+ |) L3 c9 F+ Y! Zadmin_cate_lever=data(2,0)
! }& o% X9 @) [$ V8 O ! @& y$ A9 S) r
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0# i, n4 g* P1 d1 M3 v" Y. B2 b; T3 _
% w1 g& t, g9 j5 M' i, {$ e8 ?1 e
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=07 H7 |! {, q, u1 D1 d
$ b- X$ z# ~$ m) ?( e! u% o) gif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=09 b+ N9 j, M) ?2 z* v& U
" U: A" V. W. v. t2 N2 Lif clng(admingroupid)<>0 then! ^3 {) ?9 ~+ _' c1 ^, [
% g/ n: ^4 d! [0 P/ ~4 f1 w9 Z% S
admin_lever_where=" and menuid in("&admin_page_lever&")"9 v9 E0 X) _$ ^; ^2 M7 {3 X
' r% h% f. h: ?$ l) ]5 n W1 E0 B7 [
end if
' w* ]+ n/ J: x, c+ C$ m2 q# b
9 h. o* b. l& {; [. Aend if
5 w% Z6 _% Z4 E. h& W7 ] \8 v " p/ A+ }0 H& r! ]0 T
end if
$ a, ?$ F, }( q / `6 L, R2 P; W; r5 x% L1 K
end sub" Z6 K! A) W6 X4 {' s1 v7 }0 L
漏洞证明:
3 m( l( D: s! [看看操作COOKIE的函数
& ~+ ^9 M9 I/ `: J$ q: @5 c/ \0 q
2 K% ?) b- m) o6 @' Apublic function loadcookie(t0)
& Q; Q' P) y5 J$ o+ w
$ i S [7 Q% b5 B$ Qloadcookie=request.cookies(prefix&t0)
+ K: w: Z S C* n v* F& n$ e * E, N$ z/ t, d) b2 K5 c4 Z
end function0 N; x. h- \) U$ V
. ?! t& Y7 w( J. C) N' Xpublic sub setcookie(byval t0,byval t1)
( v: B( T6 g, g( q% H9 h% z
8 U' _" r! S- O3 T; S) N3 hresponse.cookies(prefix&t0)=t1. p P" ^4 V/ o
: L6 n# N" a2 C. Zend sub
+ I L7 M# i; j0 S
0 ^# A I9 q* ~6 @' ?7 ~. k4 E0 K7 b. Uprefix8 Y, F1 A" ?! f8 B& N0 N
3 m, s( Q: X k& n'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
* x h% N4 l. P0 H2 J) r ; h5 T" }$ A8 e+ H7 N0 s3 D
dim prefix
. s' t: Z6 e7 g, [! ~
3 @9 ]2 ^' Q. o+ `9 Dprefix="1Jb8Ob"8 b2 J4 @+ m# j' j0 E; {
- c9 v, v6 X$ e'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
( P4 G' p1 s: r8 a0 ]" ~
7 V b6 q- k4 m$ Wsub out4 K5 P2 X: T# N* L
- [9 \1 O# t4 P5 T: _( ^( B
sdcms.setsession "adminid",""2 {" Q9 a6 d# t1 p
* k* t |1 H0 c, S0 ~sdcms.setsession "adminname",""/ a( v( W6 G- T/ F& v) y
+ [0 \. U! O ~& p1 z6 t( @$ K
sdcms.setsession "admingroupid",""! `" S O! p" u! G; }
9 v! k% j1 f( K- c- Wsdcms.setcookie "adminid",""/ D+ [7 W7 ~! E& K" D- u9 \7 {& ~
. B5 r! L" l3 u8 v8 A! ~sdcms.setcookie "loginkey",""8 j: M, u" e6 N& w8 M
( s1 [; E4 e6 @: d0 y" V
sdcms.setcookie "islogin",""- }$ p# X+ [: z( k3 R+ ~
* p& p# W9 ^4 f+ a( O3 Y
sdcms.go "login.asp"
3 p/ a8 t* k) ~5 a; D- F8 L/ a ; H5 r! f v T
end sub: [0 l! V7 ~/ |' _: v) x
; |, ]/ S; D, N; r2 S |8 [! z+ f3 W) T * Z5 [( V7 i# d% F, ^
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
7 c3 T* v9 j5 h E5 p7 G' T& X修复方案:
5 O! V/ t8 j) T+ n: r修改函数!2 n6 ^( l# f4 ~9 r( G
|
发表于 2013-7-26 12:42:43
收藏
支持
反对