要描述:
; P. i5 k' Z6 b4 R) @& y! Q" T9 s8 _
( m, K# { W" d OSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试4 J' u" T, P. q. n* V
详细说明:
3 d' v) X( b' YIslogin //判断登录的方法# z, b& E& A* ?8 k$ x, c0 |
' b5 y& N8 X' q% F) B" _. k
sub islogin()
, I0 ?" x7 t+ a" D9 f4 B + `) Q, b% Y0 m) W
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
/ ?/ b1 \6 o/ ~' y
# P4 P3 ^6 ?; s" Y& \+ p" u. ^6 k' Udim t0,t1,t2
0 o% h5 u' W6 v0 E0 i$ [% m - n) }& t. T+ n5 R9 R! x
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
" {6 _5 B; @+ t% L& |; p 9 {/ |& u3 O: f2 s0 J% i( |
t1=sdcms.loadcookie("islogin")
, F Q5 |9 h. @
9 L0 I# q; P0 I' e7 i, L1 h; p! zt2=sdcms.loadcookie("loginkey")7 \2 K1 L- G% m0 f
! [" ]& g" g4 H% B0 sif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行+ H- R. j5 l1 U$ k" A! W
2 M( {2 w6 {' n. X//
5 Q6 i6 e) N! ^! ~3 D! H
: Y2 ]9 a# H: s+ Lsdcms.go "login.asp?act=out"
3 m9 Y1 D% l P) [6 v
4 Q) b2 R' N4 S- x6 ^) Bexit sub
2 |2 F) x, J3 U( O" p% S! Q
3 l& y+ X* R8 ?/ y7 u7 |. ielse) a" t/ w: n& A8 f2 @
$ W P" g1 p2 D% r
dim data6 L g4 K) [0 l v1 N3 N
3 Q, R; F2 w5 W" ^
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控, {7 ^1 M3 O8 b. @ [0 l0 J7 M' q
6 m9 V, J/ d4 p. Z
if ubound(data)<0 then
8 W) K8 l M/ v0 F8 C+ F
. u) |7 |7 p0 a. F2 @sdcms.go "login.asp?act=out" q. J/ h+ R+ w2 v. Q
! A% r' }. a/ }+ P E( g. c
exit sub `, d" C- w' f6 _; M8 Y- h: J
6 k M8 M) q+ H# d3 \
else. ?2 v, x. t8 R$ E
) ?- ?4 V: u* n! c, |/ n, j) Uif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then4 `& G) O' W0 V, [
' o- r- `! N* l( J1 Q7 }2 V; s
sdcms.go "login.asp?act=out"
. L5 l; q; R- J) K6 [/ ~# X
( L2 t2 M" B+ [/ c/ Q6 K3 Q$ Uexit sub0 B- n+ c9 x2 e# `" j4 U
/ E0 ~6 p2 t! m( o( Selse" ?$ _! V0 T/ d- X$ h. P
+ |& D2 I0 v( ]& o! C8 a3 J9 ladminid=data(0,0)
% E" ^; k; e1 q . r" C1 x6 J2 ^5 A+ p
adminname=data(1,0)& u3 ]5 _! z8 m, F7 q9 y2 ]
6 d0 n& Y* _) M) Hadmin_page_lever=data(5,0); I- K) h! V u, L$ K+ j+ W7 V
7 w; ^+ N+ e, [1 f! l- Nadmin_cate_array=data(6,0) }/ E9 _; P4 L3 a2 F: u. K; ~
0 t v: ^+ e( i& I5 {/ ?
admin_cate_lever=data(7,0)+ P! p4 I& n# f: Q
. e, `# _5 F K3 T: F1 Cif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
+ a" C6 M/ d' H' K \8 x
a4 I) m: W- L$ Y# t( Bif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0& Q F4 Z3 e* i8 r2 h
* X& n+ i% W" ^0 Xif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
: G2 _: Y/ \$ o5 O$ h2 q$ @
* v! Y V- V2 A: uif clng(admingroupid)<>0 then2 a5 v7 f' k2 T3 i% `9 ?
- ]3 R) @+ _5 m# X/ E. G
admin_lever_where=" and menuid in("&admin_page_lever&")"+ C, H! H! D4 E* Z" p+ P
' D, I4 @) {2 C% C7 E d& `1 E. J
end if
0 l, o( }. }2 L2 a2 K# @& F
$ o: L3 p, x0 Ysdcms.setsession "adminid",adminid
# D/ F: M* Z/ ~1 x7 O8 W1 B$ T
# y# T* o/ U; L3 C. B# ?sdcms.setsession "adminname",adminname
7 p o+ G9 k$ |9 I" M
0 m% D2 K6 N( d2 Y4 e, o Qsdcms.setsession "admingroupid",data(4,0)
$ D9 O2 L' x! ]6 M$ m
, D. o5 J, ^+ G/ Z& y8 rend if$ f9 Z6 J& G1 c$ W( x6 i
1 S! F6 x% {. ?6 p0 oend if
0 \6 ?8 s; S, h' O) B4 W
2 Z7 ~9 a# r- e6 hend if
' B! a# U: v. L: Y
. g- w; g+ {1 G& p" c aelse" a' V# v5 V: h( N3 Z* {
9 |5 g1 E" I1 I: V gdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
& [! K; S B( P" q4 O7 `3 H, ^
* q0 M" ~! F' t4 Cif ubound(data)<0 then
4 D ]( H& c7 E/ T* O4 v
7 W" V$ D8 P) E9 j5 j) E( Bsdcms.go "login.asp?act=out"
2 M* a( B- f7 [" K. L
- L+ T$ P" B. l+ s1 x0 |exit sub
$ n' f" O- X" u( e
* d- P( P. g% k% j' F: M9 q2 C$ Celse0 \* x; ~7 ]6 [ C+ ]& x) c! C' s
" h0 }: L6 A; Y0 q+ c6 r
admin_page_lever=data(0,0)$ C; n, i0 R0 Q% f5 e/ b$ h
' N3 V! h7 R% fadmin_cate_array=data(1,0)( L3 C! Y, @1 M& t" \
# v7 t0 O3 a3 Z6 |admin_cate_lever=data(2,0)7 i' F( m1 J! a( H& d" Q
9 D3 }+ b, |* J. z2 Q tif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0: Q% A+ A' u7 G6 @/ `
3 H. ^' g: n5 a9 g3 l, Y6 e0 dif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0( g+ v5 J/ s' |* |0 H& W# z. h
! v R; _6 J$ B, y$ Oif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
4 e( f9 g( z) N2 g# F6 }) H + J" w: ~' @7 N1 i
if clng(admingroupid)<>0 then
/ e4 i5 C7 K9 g5 I1 n 9 T7 u0 j' b5 h: w
admin_lever_where=" and menuid in("&admin_page_lever&")"
: i! w7 v7 D0 W! }+ y- K" {; J4 ]# L 1 X6 [' E9 v9 S J$ T8 x
end if
( y) q+ m; _0 n, n6 V& i) R6 |# W( g
0 M$ b$ u+ D% xend if2 @* e7 T# h# i
8 F- m! {7 e9 A+ |2 M0 [+ Q8 j
end if7 J/ d) c ~0 z _$ }+ I# a
+ ]( n5 R- S9 ?end sub" N% i H0 ~8 z" k S' ?
漏洞证明:% P: N! ~' K' f: F- ^; o# C
看看操作COOKIE的函数1 g3 K0 ^( i9 x/ V) V `) G4 r
" l% U) N3 H( ~5 l- Z
public function loadcookie(t0)
: u4 E6 `* K C
6 h. c. I$ B0 M, K8 ]7 gloadcookie=request.cookies(prefix&t0)
: f3 x3 D! D& v; Q5 n/ D8 x + ^8 X2 u6 n, T' y1 N' j, B
end function* x O$ g) u! D! f j) [+ _. A
) @$ c8 |0 m$ b% p5 P& [3 X
public sub setcookie(byval t0,byval t1); K. A4 A, |/ ]( s2 U
# p% X% I: h; @7 b& l% m0 G
response.cookies(prefix&t0)=t1
' D7 J( r' R: M# b& C% a+ B# l4 [& T 6 f$ m/ L3 Y! s/ \- `( I
end sub2 Y- X4 N& v2 q- y
! l/ Y; n! P0 [7 c8 N) T+ B
prefix
; M _9 B6 R" [# c
: b! \1 f0 P1 x'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值9 Z3 Z1 C ?* w0 q8 u" ~" z% G s: v
" |* X" j- t$ `9 h
dim prefix
3 i) V$ n/ R; \+ k
$ v! x: m' V" h! I7 u5 N/ w- [. k% Fprefix="1Jb8Ob", P' W# F; t% m. g# I, _
7 K! w. u" Q3 u'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
& C6 W3 J7 N0 G ; ?" S4 D+ f' b: G s0 s
sub out5 Q4 B7 W# v6 ]% g3 q
) h' x9 B1 n7 L' U4 ?' qsdcms.setsession "adminid",""
8 o6 J0 f% w; t( H( {; D
4 A* c. r( k$ a& R; Vsdcms.setsession "adminname",""7 V2 B0 m* p- i+ K( E1 |- f: Q
8 G# q/ g4 d) K9 O3 B8 ~+ ?9 F0 usdcms.setsession "admingroupid",""
" s2 b( `6 K" e% X x 2 w* Z( J. w, s* x
sdcms.setcookie "adminid",""$ B; ?8 C8 W; ^1 B
. |; w$ t$ n( v S; Usdcms.setcookie "loginkey",""
S* m% e4 |# e( u# J" I ' N2 h) N& x" `3 [
sdcms.setcookie "islogin",""
, ~4 x3 R) Q. V8 O
3 H1 W2 i" ?$ g9 q E* u" tsdcms.go "login.asp"$ u0 A" _, ~8 B, p; b% c' V+ b
; ]9 Y; K3 a W% `+ L4 s+ Lend sub' V8 X* H$ `) b. X( |) \
& t& \. S/ @: E- c& T K9 @/ R" i
9 U- w. i1 N6 P! h N* a- I# b利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了! b5 R' r1 s3 A7 m, n5 Q# o1 s
修复方案:
: G* S: H+ h2 z2 z" |修改函数!
! n/ [% {2 O+ |1 K+ q# J |
发表于 2013-7-26 12:42:43
收藏
支持
反对