要描述:& Y/ J% W D% E h) Y7 i
9 `" J% n1 u- O7 eSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试+ Q1 V/ ?9 d X
详细说明:8 c K+ E, X% c. g
Islogin //判断登录的方法
3 S1 V: h1 \1 O, J$ P5 O1 n" A. u , w0 K- W2 b/ h/ Q2 F0 L- s" [
sub islogin()0 R) a( r( {6 |# X$ W1 T$ n6 R
2 @, I( c: c3 C8 J2 n% G: aif sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
; E! a1 t0 z9 b# K6 ?5 f " \( Y0 o* u! ?- O0 E) v
dim t0,t1,t2 7 ^# T ~- H8 P& G
, h8 K# ^5 _" g$ A' H, a
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 2 f3 w9 K( ?# m
; \& l' R5 @. ], H' v
t1=sdcms.loadcookie("islogin")7 u# E& {- G8 ^' Y; E
/ N" w$ \+ M4 \! i0 ]
t2=sdcms.loadcookie("loginkey")/ C8 ^. B. b3 o3 l0 M( ~
$ Q2 F$ k( m/ z B( eif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行* L* M# ?7 D& Y; g w
( q% j/ ~7 h2 ^4 l2 Z//
1 b5 _+ L4 W5 K' v
" m6 s4 Q$ B# V8 g& v+ msdcms.go "login.asp?act=out"
6 V- N$ V0 u. ~9 U; G
; m' l! P" B- f \: t/ @6 ^4 e. qexit sub; W2 q7 X3 h: y- M( _$ J+ t% `4 m
4 n, o! b5 Y7 ~" v/ W- @; ?else% k+ t, w! l7 H. Z
) l! |1 Z! C$ i* u; t3 n* T6 zdim data, d4 J/ P3 X' Y. k- {8 q
/ V- ~5 E1 G, A# n, ~data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控( m! o; c- w z9 ?6 x- L J
5 A! k } [4 A+ t. Lif ubound(data)<0 then2 l3 \+ V! e1 q. h% B
7 [/ g* U4 `; x' X5 b
sdcms.go "login.asp?act=out"
0 t( `( c7 j' c6 S) V9 z 2 i" f: A9 T s( R
exit sub5 }. P J1 }1 s2 u8 B* `1 _$ _
) C/ t* P2 t& c
else
2 d+ f; K7 y1 x4 w4 _4 N& [: J( u
# k: U. I. A7 g4 P8 f5 g. u8 Wif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then' v/ I- i9 q. F' t3 N( @2 ~
$ c& U/ R/ |2 V9 U6 Ysdcms.go "login.asp?act=out"/ I: h3 q2 l; ^' Q. s
$ S: K" z, R) k3 j+ z% W4 g4 X
exit sub
6 B1 M) G2 Q- K' N* L
+ i8 v3 y [* F0 X2 u: k( Selse9 e/ @. }' }4 X- z8 V
" j9 ~, K7 j, M5 i& z+ n
adminid=data(0,0)5 O2 \$ V- A9 y$ Z+ D6 x( D
8 @% ^; v) ]& Jadminname=data(1,0)2 n9 l' \1 ~! L4 o8 _* T
& x7 x! I' H% F1 i! ]9 S5 J. G' S
admin_page_lever=data(5,0)
6 w& Z6 D) n( c- y+ ^0 i- C) { . r& t. c! x- s! }- \9 R; i
admin_cate_array=data(6,0), b, {0 M, M) p! }5 R6 O# Y! X! o" r* \
9 N/ P1 e$ l3 p2 hadmin_cate_lever=data(7,0)2 ]& f2 B# v# i( A/ e2 l! q" y
0 F% q7 R7 ~% \( V2 I
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0, X2 F0 ~& r. M( e- ?! O B
. n9 z% K; n# l3 R4 r; g
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0: U2 d) w- S3 G' e; u
& {% ^( T6 @$ V a+ Fif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
" K- U' A7 H& s( Z . W/ Z A0 ~3 O! E) y0 D5 Q
if clng(admingroupid)<>0 then
5 N+ y4 D4 E% u" D" K( G; x 3 f1 b5 i3 K j5 u, H/ w7 r' ^4 R: @
admin_lever_where=" and menuid in("&admin_page_lever&")"# i' ]' H, q4 X* y6 U. b0 a
) `. y: x, v2 J2 t0 Bend if
2 F- \( n# c8 M8 `1 c! o1 x$ u Q$ x* G3 c; z/ }# W, I" [4 T
sdcms.setsession "adminid",adminid5 r7 f4 n. M: E! u
, S6 v: l4 P% j$ w# x
sdcms.setsession "adminname",adminname% X: J6 D. Y9 v5 e* c# N: ~
$ G8 l0 G" | N+ {$ s
sdcms.setsession "admingroupid",data(4,0)# f& J+ `! r+ e+ l% o% o* \
+ ^4 Z8 N a/ |1 wend if
8 l2 r) M/ `9 z, S1 _. n8 Y/ u; G 9 a9 J3 x a4 c4 B' a
end if. ^5 g+ f4 I, u# j0 Z( L
7 `: M9 Z6 a* x
end if
! U$ m( q1 ^+ k/ n" I
/ O" K- R% }% R, a3 o# aelse8 a+ _( i1 {6 l. h; d
+ H7 D1 R p* U3 u6 B Ndata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
# u1 m3 H1 c* a# h3 H; Y& O9 C6 N c
_: W2 f. g" T7 X5 y) Zif ubound(data)<0 then( G; S( u: S4 o. T' T
9 z' U' ]! { V9 H
sdcms.go "login.asp?act=out"% d0 Q- D* r7 S$ e6 k3 M
$ J: ~) C7 r- X$ Oexit sub
. U b: p" i' v- `, J; m! C. T
- z, i0 m7 m, i/ E3 d* Welse
: F) Y1 B3 F4 j, f
! g! n9 c# w# S5 C( Eadmin_page_lever=data(0,0)
1 b3 I. D' Q( Y# e7 v7 Z0 T 5 Q& @# u' ~! C
admin_cate_array=data(1,0)
; X, o; p( y$ b$ m- C1 e9 Q , N6 @0 o: y3 ~! f% `5 u
admin_cate_lever=data(2,0)( H/ M+ I- ]3 Y
1 L" ^# \9 t) t$ l \+ o8 K! q
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0- f! k9 ~" ^: u# n T' U
) g% y, Q5 _8 `if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
# C$ t7 t8 G! q- L5 f) ~) @
; Z7 D" c! c. v1 O' z: w9 Tif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
) P" W$ ^$ ]5 P5 ~0 P% n: J& ] 7 L+ l- _, p' _$ u+ E
if clng(admingroupid)<>0 then
, H1 L- q! f0 |: w4 {4 J2 q+ g 2 Z( K/ w$ I5 s) n* @
admin_lever_where=" and menuid in("&admin_page_lever&")". s. R0 r; ~ `
% K! c4 O+ T; N6 _end if9 ?$ U% i, _- U/ n. b
$ f+ p8 z$ N: X; Q1 }+ T5 c
end if, T1 o/ c) D& q
' T. o/ d/ l# qend if
# {' h) ?8 v G
+ D6 Q' A P& Y2 q% eend sub) `+ m+ M# n$ K4 z. b& R" P7 V
漏洞证明:
! r! ?% T4 z8 q$ J4 U) T看看操作COOKIE的函数9 z, y4 G7 B+ \: V
. b" t3 J T4 }# apublic function loadcookie(t0)9 @" {6 @0 G! X" p! S$ W2 W c# Z( }, L
0 m% z4 |6 b- j3 o% c
loadcookie=request.cookies(prefix&t0)$ f* k5 p" F$ e! c
* [% Q0 w# e1 d7 ]( J. O. _
end function
% D7 `& B7 `9 p( X0 E2 d. f9 ^
+ ^3 X. ]$ Y% w2 p: l. jpublic sub setcookie(byval t0,byval t1)4 Q1 Q( f+ s1 `( g/ i- V0 L& A
d H f8 K0 Q4 X
response.cookies(prefix&t0)=t1
/ h, P% u8 J( F ) v8 X' M4 e; H( j
end sub; C k5 J. W4 I5 m9 I- w
6 y* ~( D* Z$ W$ O- l
prefix
6 b: Z( g. l* s+ ]; ?! L% i% ~ ; R1 F3 D& ?# p9 D
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值- d. s" m0 {" D& L \; Z6 i5 G
% v! Q2 r& A5 n* O2 M; |dim prefix
* \/ `, F8 T6 [5 h
) I( ]: i* `6 eprefix="1Jb8Ob"
. T! W" ~+ p9 M; o$ U
& n, }1 E7 y+ p'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 : Y2 | ]0 ~% p6 {/ ^
4 W& u! d* D- z5 M* N8 S% ssub out) W* D5 o0 y3 y0 R
8 F9 i/ R; Y N$ I/ i
sdcms.setsession "adminid","". d; U& C- C# { K: ^& f
/ a5 {/ v" r p( z3 ]/ W
sdcms.setsession "adminname","", l! G3 j8 f- D, |- g. O1 S
5 c S6 M }, I$ T5 M3 t) _
sdcms.setsession "admingroupid",""- x" r' }! b# h. _0 s& ~
% u d1 [, Y, A' f' e( Y! |1 osdcms.setcookie "adminid",""# \# `' I1 A" M2 x! M
& [6 S9 T' G9 L0 J
sdcms.setcookie "loginkey",""
# O" X# C# J0 ]: P4 k " R6 d1 c! h; b& D9 g& V; N4 H
sdcms.setcookie "islogin",""
4 B6 w+ t* f: P 8 E( t$ G5 C5 ~& P
sdcms.go "login.asp"
7 D+ [4 s% Z: N! O. g& f! `$ S* J$ u 1 M' G2 [8 T6 Q6 A( R7 z
end sub
2 u9 \4 X4 u; p4 Y$ g1 M) A P- s2 N: v& B8 @2 d
% A2 l: o8 S4 A利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
+ Z! T$ z% u. e) N修复方案:
# v9 w' |. p0 m3 q! }$ U( ?修改函数! s/ w! v6 M* Q1 F
|
发表于 2013-7-26 12:42:43
收藏
支持
反对