要描述:
) i4 ]8 ]# p4 Z
" L$ t% z$ t" d- X: d% a( t! ^SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
. {4 y$ l1 w1 h: `! P详细说明:' A4 \7 T2 \# K! z: y6 ]- E" `# B' W
Islogin //判断登录的方法# b6 W* C3 G. Q% j+ x$ a
+ n% L6 f d. [" {+ z" g; D2 n- Bsub islogin()
" l$ Y4 j' e( b! U/ ] # w- t4 w4 w, F% P
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
2 J7 x2 p, [ A* b! y! [3 x8 ? # T. h3 K6 S' M
dim t0,t1,t2
8 h) m- ^+ s# M! X2 g
f; p7 Y% d) ^6 }1 c, wt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 6 L* \: l! g8 _6 h
* y# ~# j; s% Rt1=sdcms.loadcookie("islogin")5 X$ }3 U6 m b% @4 I/ T( R0 g: Z" P* t
# Z/ z# y4 A' d0 ?3 ]! t' _5 Ct2=sdcms.loadcookie("loginkey")
' c6 q0 {* C# N4 s! i$ r9 D& p 9 ?( A; }. ~ K3 Z9 B5 `3 c5 `
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行9 ^" j4 M4 T; m" o7 J' k
! p- K$ O) g! g6 o9 V# L) @# @$ Z
//
$ l" ?" H- {- R2 J# } 4 _& m! U. a3 h! {- g6 z: Q$ r
sdcms.go "login.asp?act=out"
: m. o7 O# {% O$ v. k1 T
; M4 w W. z' z( T6 G3 P3 Lexit sub5 ^( J- R6 {3 s
) V4 ?9 w% A3 Z. J! S) ielse8 F1 U0 _0 V) s8 u2 y
6 N$ B( z. v+ u. q* ~
dim data
9 p9 ]% j5 f+ W% w# V+ \" Y) V ( V& {% T. |; \4 u9 h. c" _
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控% k* ? p) p9 g6 H M) t* [6 C
" d# p+ f- B2 O7 `* Z
if ubound(data)<0 then; u6 G; I4 S2 J% f6 v. ~( h# _) P& o
4 g0 f3 e3 ~8 b0 P; Tsdcms.go "login.asp?act=out"
$ o1 X2 ?" I0 f4 l$ O 8 t, y& J8 K7 \
exit sub; E: b; s+ l% e; j* M
6 t' e' z" E! L( Pelse
; T' g; v1 ^) \! G! _ 8 w; A0 V4 ^) s3 y
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
& F! F k: k9 f1 R9 n. H0 g8 X 2 e! j$ K3 Z$ N% S
sdcms.go "login.asp?act=out" k- Z" s, I% z3 W: p* e
. B$ O1 A$ [; C1 aexit sub3 V; J+ Q! s; s; t7 {% i! z
6 q4 e6 p# _$ a3 \9 belse: X5 O' ?7 o) r! ?* Y3 `7 B+ G1 s! z
$ ?4 _. K% d5 |1 Y b1 M m3 s; h& gadminid=data(0,0)
1 n$ U1 W. K5 e/ u$ X, G# D ( M- e1 L3 c+ R+ }+ A2 ]
adminname=data(1,0)8 a7 ^6 y( p$ s2 ]8 ^* }
3 ]/ r6 v7 V4 o) l2 v: @
admin_page_lever=data(5,0)
3 n ^, {4 g* m) p6 t% k3 u% f: i 4 [: d- T0 q) s4 m/ y
admin_cate_array=data(6,0)9 v @1 F( _4 V {) e; h% m
0 P c( p0 I* ]+ f7 ]; d9 b% b8 madmin_cate_lever=data(7,0)
7 z8 U |2 w2 \ | 9 z3 |8 f8 M( ~% x
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
; \8 A: F4 z/ z* \+ j' p2 f H2 Y( Q& t1 [& _3 _5 A, B1 \& q8 E
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=03 C7 u, z9 M7 E) j4 t; z+ d
% x' A5 u7 D. P6 Y% T; u, Vif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0+ C# G) H$ [& `! o. h% A
4 f8 R3 e' O. u7 o
if clng(admingroupid)<>0 then
q+ \& M- j7 z7 b/ M+ a# |$ ` , r8 s, q# |" d( Q0 l5 {
admin_lever_where=" and menuid in("&admin_page_lever&")"
: u" M+ S8 v# o. r- N$ j6 D 2 c$ y) Y! x0 R8 K
end if
9 g6 U. v k, F4 ~: T: F. j
& `/ X, B) Z" ?sdcms.setsession "adminid",adminid
+ _* [* X% |/ K5 j5 \9 I! o
' c( G% \) B/ B. f6 f7 F8 M) z' ssdcms.setsession "adminname",adminname
* v$ w( m! N: l# x ) ^# \% a. U9 z; K0 Q3 |; [
sdcms.setsession "admingroupid",data(4,0)
6 x0 h5 \1 ?. B- ^5 L
3 Y( I6 O+ g2 Z+ h9 O- _6 s6 ?end if) K. J# ]6 d A) A5 g& i/ n
?* @* S! R0 e' P4 t1 p
end if4 q4 r, j7 N8 n
/ q" d: c9 a! b0 r9 [0 ~$ D# }9 b
end if
# v. G2 k+ A. P2 P( {5 ` # ~' x d9 @& C# ]5 N- {
else
) R: M, K% P1 t9 w% N6 c) { t7 J
/ C2 @! F4 g% f; d% R) ?$ l' ^ Jdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
8 X# ]: F* I+ G; H( } 0 ~/ w6 z- I8 H# x" d f
if ubound(data)<0 then
* W# I% ?3 _5 u3 K2 v0 d% U+ n 1 g9 F7 m- U" h
sdcms.go "login.asp?act=out"( Z- q1 }3 L& o8 O r
& [6 z+ X: R0 z3 D; _exit sub- I+ h4 F; H1 T2 L
5 l8 J7 r/ w" a' S( J7 Zelse
5 ^! ~) G4 O8 m- L1 S5 S
" ^, r _$ N! h( m+ Padmin_page_lever=data(0,0)* I! n P8 A1 f2 k- k% ^7 ]: N
/ T2 l% o/ p( L1 I; P+ M
admin_cate_array=data(1,0)! p/ I Z$ Q; Q
/ k- S3 n+ j. H& e$ hadmin_cate_lever=data(2,0)
) R. _ P& v9 \3 j ) }0 D9 x! F+ H9 h' u& l8 f
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0) ?, j+ h3 A* w6 v. m
. W, t" r+ ]; w; w& d# c; Q6 e. Y
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
* [/ }* Q4 S6 ?, k f
# h \9 z8 r& [8 K: K3 Bif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
2 O! O8 B9 u( ]7 ~
3 \- ?' i: e6 Z/ J$ vif clng(admingroupid)<>0 then
7 l% s3 U' S; c6 u- t ( w! r* y3 X' Z. Q9 e
admin_lever_where=" and menuid in("&admin_page_lever&")"2 d5 P7 [- x3 @- ?
. a3 F& {, F( F5 j0 zend if
9 T( d- n) G+ A; ^' D. i9 P
! t/ G+ p" x1 l t& X) |, a! F$ _4 uend if
! T2 Q+ P& c+ t8 l7 O" m a% r q) @0 ^5 B! G
end if
6 \) Q& [& F6 Q: ` 6 M5 Y2 l. s; S: F8 Y
end sub: B. u. N: d+ X, I
漏洞证明:
: E5 D# Q# v" p9 P! w- d: [看看操作COOKIE的函数. i, o" u/ M7 E$ F
& @5 i# Y, `8 D! Q+ Lpublic function loadcookie(t0)
" p% d' P: S: r D7 Q3 Q7 ]6 H1 W- v+ ^- @
loadcookie=request.cookies(prefix&t0)
3 W/ k2 O9 k$ x6 Z* r/ ]: X \ # \7 @9 _, e! |: w" d
end function% V9 x, C1 N' ?& B# A6 J* Q& ?) s
/ j" M1 z8 i `3 X$ Zpublic sub setcookie(byval t0,byval t1)( |6 H( t6 }& \8 l# t6 u
! [' F. Z. v: |; Z3 E9 R/ ^5 ]
response.cookies(prefix&t0)=t1) u9 J: d5 L* q2 N; @+ u
( |( D c& T7 v8 eend sub
) N7 t5 W' v9 I# N P- h
& ?, i4 A# x) E' ], S* kprefix
# [) y. W$ E6 r" N' B
/ V- N3 p% N$ L1 F'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
* Y' B4 t8 i* c1 Z+ j
8 T& r+ D J. U/ q6 ?dim prefix
$ V' b+ E" x- s0 P; h5 Z j+ \ $ ^ s+ R+ C2 |. g" l! L
prefix="1Jb8Ob"
4 e3 L7 A: w1 m5 M4 y3 ]) {+ X. b - E6 e) i) H+ R% |* a2 J0 N
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
9 p+ B3 a( F) r" N( u % U! c7 H) S2 D, A2 v7 o
sub out
( G v' h- }3 |3 R
% A+ J1 Q3 {1 j8 Ksdcms.setsession "adminid",""' `% L8 v% s2 d! z
5 b$ }- g( i1 l# l7 K+ ?
sdcms.setsession "adminname","" m! i6 W# }. D' }6 {0 P7 R T
0 e5 Y; C& ?+ v3 asdcms.setsession "admingroupid",""
- k) e+ J8 Y8 u3 y3 @- e, q
! n# z: w, ]$ {' }. B5 X+ `sdcms.setcookie "adminid",""9 @, G- M' z6 t6 K
6 @' j# X( l3 O- n
sdcms.setcookie "loginkey",""
8 j; L9 }5 B; N7 w+ M! p 3 O& Z: I# H8 v1 c7 H+ x! O0 Z. a
sdcms.setcookie "islogin",""
! f- I. Z X$ A# O) ^3 C
0 ]$ b. E8 k/ i( a3 ]( Lsdcms.go "login.asp"% W$ m C/ ?' W5 o
6 ~1 J8 h1 w* ~$ _end sub# E/ u5 ?( @# l& R; K3 z- z# K$ ?
T. y5 J: N2 j# w) B, X; G + H! U4 G3 ^2 F0 ^* Y" D
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
) k" r5 l2 P+ D9 H6 k- U: O) K修复方案:! I" p- w5 ?! y. ?9 e
修改函数!7 P* k* e6 ?8 |; Z
|
发表于 2013-7-26 12:42:43
收藏
支持
反对