Brief description:
SDCMS backend bypass, straight into the admin area: tested on version 2.0 beta2; other versions untested.
Detailed description:
Islogin ' the method that decides whether the visitor is logged in

sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)   ' loadcookie: see below
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' this check is awful: sdcms.strlen(t2)<>50 puts no requirement on loginkey at all,
        ' any 50 characters are enough to continue past it
        if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            dim data
            ' query by admin ID; the ID comes from the cookie and is attacker-controlled
            data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
            if ubound(data)<0 then
                sdcms.go "login.asp?act=out"
                exit sub
            else
                ' note: VBScript InStr returns 0 when the needle is not found, never a negative
                ' value, so the "<0" test below can never be true
                if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
                    sdcms.go "login.asp?act=out"
                    exit sub
                else
                    adminid=data(0,0)
                    adminname=data(1,0)
                    admin_page_lever=data(5,0)
                    admin_cate_array=data(6,0)
                    admin_cate_lever=data(7,0)
                    if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
                    if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
                    if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
                    if clng(admingroupid)<>0 then
                        admin_lever_where=" and menuid in("&admin_page_lever&")"
                    end if
                    sdcms.setsession "adminid",adminid
                    sdcms.setsession "adminname",adminname
                    sdcms.setsession "admingroupid",data(4,0)
                end if
            end if
        end if
    else
        data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        else
            admin_page_lever=data(0,0)
            admin_cate_array=data(1,0)
            admin_cate_lever=data(2,0)
            if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
            if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
            if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
            if clng(admingroupid)<>0 then
                admin_lever_where=" and menuid in("&admin_page_lever&")"
            end if
        end if
    end if
end sub
Proof of vulnerability:
Look at the functions that handle the COOKIE:
public function loadcookie(t0)
    loadcookie=request.cookies(prefix&t0)
end function

public sub setcookie(byval t0,byval t1)
    response.cookies(prefix&t0)=t1
end sub
prefix

' variable prefix: if this program is deployed more than once under the same hosting space, configure a different value for each copy
dim prefix
prefix="1Jb8Ob"

' this value can be obtained by visiting admin/login.asp?act=out; it shows up in the COOKIE
sub out
    sdcms.setsession "adminid",""
    sdcms.setsession "adminname",""
    sdcms.setsession "admingroupid",""
    sdcms.setcookie "adminid",""
    sdcms.setcookie "loginkey",""
    sdcms.setcookie "islogin",""
    sdcms.go "login.asp"
end sub
Exploitation method: set the cookie prefix+loginkey to 50 characters, prefix+islogin to anything, and iterate prefix+adminid (default 1); then visit the backend and you are in!
Fix:
Modify the function!
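A hardened cookie branch of islogin, added here as an example of what "modify the function" could look like; it is not SDCMS code or the vendor's patch. It assumes the login routine stores encrypt(adminname & adminpass, loginkey) in the islogin cookie, so the decrypted value must equal that concatenation exactly, and it reads the group id from the freshly loaded row rather than the not-yet-set session value; the session-authenticated branch is unchanged and omitted.

```vbscript
' Hardened cookie branch of islogin (added example, not SDCMS code).
' Assumption: login stores encrypt(adminname & adminpass, loginkey) in the
' islogin cookie, so decrypt(islogin, loginkey) must equal that value exactly.
sub islogin()
    if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
        dim t0,t1,t2,data,token
        t0=sdcms.getint(sdcms.loadcookie("adminid"),0)
        t1=sdcms.loadcookie("islogin")
        t2=sdcms.loadcookie("loginkey")
        ' Require all three cookies to be present. The length of loginkey
        ' proves nothing, so strlen(t2)<>50 is no longer used as the gate.
        if t0<=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)=0 then
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","")
        if ubound(data)<0 then
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        ' The original test was instr(...)<0, which is never true because InStr
        ' returns 0 when the needle is absent. Compare the whole token exactly
        ' and case-sensitively instead of running a substring search.
        token=sdcms.decrypt(t1,t2)
        if sdcms.strlen(token)=0 or StrComp(token,data(1,0)&data(2,0),vbBinaryCompare)<>0 or data(3,0)=0 then
            sdcms.go "login.asp?act=out"
            exit sub
        end if
        adminid=data(0,0)
        adminname=data(1,0)
        admin_page_lever=data(5,0)
        admin_cate_array=data(6,0)
        admin_cate_lever=data(7,0)
        if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
        if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
        if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
        sdcms.setsession "adminid",adminid
        sdcms.setsession "adminname",adminname
        sdcms.setsession "admingroupid",data(4,0)
        ' Use the group id from the row just loaded, not the session value,
        ' which is only populated on the lines above.
        if clng(data(4,0))<>0 then
            admin_lever_where=" and menuid in("&admin_page_lever&")"
        end if
    else
        ' Session-authenticated branch: unchanged from the original, omitted here.
    end if
end sub
```

The adminid cookie is still trusted only as a lookup key; every other claim must now come from a token that decrypts to exactly the stored credentials, so a 50-character junk loginkey no longer passes.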