要描述:
" i9 O* D, b+ i2 W9 a( X
% h1 n& a" Y1 I0 K1 K) e5 U; KSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
' A) k2 ?# |1 `' R6 s/ |详细说明:, L- x, q) E( E9 T/ u
Islogin //判断登录的方法 o, J2 s7 J& }1 D9 H; ^
: S7 }- R0 P" S( [
sub islogin()& M# I! ~) v7 r2 E4 M6 Q$ p: S
; f% q- t& K3 l$ }% P* r
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
# f% r! ]$ V/ Y
; b7 O+ |1 v8 ~2 \! q' |dim t0,t1,t2
6 g( [' M4 E: e
% ~: s& `) H* l: B3 g( ut0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
% E7 p% |% I" A
3 [+ H! n' A1 X+ \3 D* ]t1=sdcms.loadcookie("islogin")/ F5 F( r+ U9 f4 d4 U0 h* ]: b
8 U2 @" U6 z$ Dt2=sdcms.loadcookie("loginkey")
7 z4 i& k. X( r9 @ 2 |0 F4 g1 O' D. U- |0 @# K
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
/ y! Y1 T. J5 v . {6 r; b: w- T! ]( ]# n3 _
//
! w3 |! I0 f) k. c 2 P8 {" Z3 Y. O7 g" n7 F( h
sdcms.go "login.asp?act=out"
0 y" ]) j) ?2 t6 q& y4 K
& ^. t% Z5 v6 ]$ J; Iexit sub
$ t& K9 f; b b1 E 1 Q5 L; }. t0 |% j0 s
else
( h! R% l, U( |5 R7 u B3 c$ C 5 s' }4 b$ Z/ j/ f$ c3 z- v5 t& y
dim data
+ O; C& j# {. r* @8 Z 3 y% I4 p) A6 l: X4 u" n" U
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控
; I5 ^8 Z% F7 y! l( F( a' p
$ v. H8 d( \) H1 M$ Wif ubound(data)<0 then
8 [$ X: C2 r3 G' \7 _( p
) y% p4 o2 \: U# `7 L: G: E& ?sdcms.go "login.asp?act=out"
% E7 P( L% _ @ `! N6 O8 s
% K+ x2 R$ w1 w; o9 w. f( Aexit sub
8 a% P4 U! m. ?9 R
5 R+ J) Q. J) S; z, F+ l) Celse
# F8 N$ p! B, m+ } 1 ]- g2 v" z. @# ~
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then2 x9 Z- n2 P* N2 A3 k
# o$ |1 M: W& `7 M# wsdcms.go "login.asp?act=out"3 ?, `% r( t* B( i) N) c0 W8 w
, T/ P c: |0 l( Y0 F2 G% a' h; }
exit sub
2 _, ?, o8 }: @ 2 Y( j2 ~0 I( w8 X
else9 m; Z% Z: o9 k7 p/ A# F" ~
+ }. `9 g. V1 U/ H+ k. K6 [adminid=data(0,0)8 C! e1 p- `: Y+ Z# z6 D4 _
2 G) f6 a1 K8 U+ x; C; l
adminname=data(1,0). `1 T+ } O# g
A: K6 [1 B2 D
admin_page_lever=data(5,0)3 r. y8 C0 v, f* K3 x
: X9 X/ T( O% F0 w# Xadmin_cate_array=data(6,0). q1 L. A& a: I/ {& @; X) k
' Y3 n4 `- c; J) r6 T- B
admin_cate_lever=data(7,0)
- ?7 R& O7 J" l. a
6 y1 n+ }9 G, c- ^$ A8 }8 gif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0/ l4 u1 J7 P% K/ Q9 B
Z( {- a8 K9 K0 |* V9 ]
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
/ v# C; P9 |' |4 K) A! t N
1 p2 r$ l3 F% `) y5 e/ q7 y' eif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
, ~$ u4 ~* P# l0 C5 S+ h
/ s" r! f. }+ @0 N# nif clng(admingroupid)<>0 then
K/ U+ K, Q. Q3 m0 q) p: ?
% c! Y# j1 d* b4 f# Z0 `- B! wadmin_lever_where=" and menuid in("&admin_page_lever&")"
9 c! @+ H1 R; t% V# d) J: Z
( H# L+ a; ?8 ]; vend if
) p0 ^# w2 h* l' i* [3 k7 R * Y* Q5 ?* s2 |) G$ ]- M1 j( e
sdcms.setsession "adminid",adminid: i. w. v+ f$ P& }
6 x$ n& {8 Q. j
sdcms.setsession "adminname",adminname
/ m8 @$ P ^6 F" d! c( `
" @0 g1 ]+ y' h0 g/ f/ ?$ Ksdcms.setsession "admingroupid",data(4,0)
) d1 u8 `5 ~4 \2 g! N ) f3 q2 k$ O% p6 V( n. ^) v
end if. A9 h# _' V7 L- \- S0 w. i- x
' x# d1 _ M! ^3 w% m
end if
5 n, g y% \6 [4 C6 H9 _
, A3 \0 |) c) X6 x; }# `end if: }& \8 v4 v8 T+ ^- D- T0 D' i+ f4 f- v
7 x# ]* M9 J- w0 o* V3 f* zelse2 s# f! |( m3 M q5 Y4 ~) `9 ]! c
% C; k; A, G g; ^$ w3 Wdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
9 Z0 a+ f2 [3 q% {( R1 U ^
2 O& ~% Q4 F: x1 s4 ~% j8 K* C1 dif ubound(data)<0 then; u9 B( y. X' w7 [
) A R, F! v! k: n( |! }) u3 lsdcms.go "login.asp?act=out"; Q" Y$ E- Q& U9 N& O, B+ r' y; ~
& C3 }& y! _5 S' X8 N4 x2 w/ uexit sub8 Q3 B: f& x \9 h
1 m) [+ |; y0 ^' oelse
9 m; Z+ ~2 S6 P" \4 e' B* Y
6 A' I, O6 q( Y; M" y& W3 ^3 |admin_page_lever=data(0,0)
% O( E6 P+ L7 ?! {1 s 8 K3 ?2 Z5 I& g! j
admin_cate_array=data(1,0)
3 S M% P7 v( [2 T* M
( {( Y! b7 D9 g4 l3 ?admin_cate_lever=data(2,0)) e, r9 V0 [. t1 |
* Q, [% ]$ a" z7 \# o
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
+ f# x9 Q2 C G2 y" ?0 [7 f
0 [" K1 t3 P9 E6 G' Xif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=07 I6 h" _2 g! ]
: j$ ^* J+ l+ Z7 t6 T. i( g9 Kif sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0* n1 u) U% X1 l" h7 R! P
& e% \5 x& G6 i- {% c& Nif clng(admingroupid)<>0 then' |. z* n9 }5 q, s% a; @$ ~- Z
1 V; k0 S$ T- |! B( I
admin_lever_where=" and menuid in("&admin_page_lever&")"$ o1 _0 [( M6 r: q& Q" y. a4 `1 z
2 \5 D" ?& b0 q( x7 kend if3 U$ f A: @& U( |$ j" Q; G
% w- N. I& N, T7 @( t7 K6 X; Aend if
5 k, i4 ~; D/ E! j* b+ W $ c. G a- ^& j" j6 T- d1 _
end if7 X! o2 n7 w. s ]& n
7 h8 J9 H' H C) {& B
end sub
# M; p8 H. n3 ?% t2 ]" O漏洞证明:7 z; j7 k! V" t2 m2 o$ S/ [
看看操作COOKIE的函数: t/ S; P9 l/ k' g! B- M( r7 D2 c
! M4 Z1 C4 I( j! B- Z. C- X
public function loadcookie(t0). H7 v: s- e! G
4 B4 ~3 q+ F1 x/ o. y# z
loadcookie=request.cookies(prefix&t0)
7 }5 Z8 Y1 n! C: |) R1 H i & e. l* X5 Q; @" X* A
end function4 A. M9 g4 G0 R$ {! S
; P9 Y) O; @8 \1 m/ j7 e
public sub setcookie(byval t0,byval t1)6 e+ V9 x# d6 X
" u# D" ^, L6 V1 a: Sresponse.cookies(prefix&t0)=t1! Z3 C( v) ]% K: I8 w S1 R: s w9 c
7 y! }. n8 N5 O6 d& c! y) f
end sub+ |4 ~0 ~- h. k
* I7 p; n) N3 w( w1 c* b6 W
prefix
! R# O U( R8 c7 f, S" L: d + J; I f# k* j7 {, A6 v, y, I
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
* e, f9 i: G" |. |
2 e X5 \) l; @- x& o9 Odim prefix
( K P4 X' R( u
% O* X* R" ~9 Yprefix="1Jb8Ob"
5 m: j8 t8 m8 S9 U- Z ~5 I/ j
. K: Y! ^$ f: {) l+ ~" e3 U! L'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
\, h4 V/ _: G9 d, I& F/ u, p
, e4 o" {- `" d, B* t! L/ isub out
0 b% K) ^% N8 L9 A# q" y
0 e: Z- p3 |( J* ~6 u* m; y4 fsdcms.setsession "adminid",""- f' L' @8 C5 f6 G5 r" L
8 G) a: `8 F2 k R. j/ Q. H, ysdcms.setsession "adminname",""7 [7 G$ U3 o* |& ^
. M! c- S0 l- _4 o( I% m9 }5 d
sdcms.setsession "admingroupid",""
9 t1 ~! s& W: E- M( {
2 O, r6 E7 B, C) osdcms.setcookie "adminid","" b. k4 ~9 j( H9 ]- Y1 Q
! D" ^3 F" j" Q. `5 R, a# d* X* asdcms.setcookie "loginkey",""- J# f" F1 e2 C. l1 w" _- Z! l
3 @/ F9 ^ A% W! d" vsdcms.setcookie "islogin",""1 E, ] @. }3 V0 N; T, P5 F
7 c) P; o& Z9 Y% `- O2 B
sdcms.go "login.asp"
6 _9 x' V% F& ^ U+ f" e $ v6 W4 ~/ X6 f+ V( g
end sub8 e/ N8 k5 t* i/ v: @
2 \7 V J0 ?+ y/ q8 C; O( n8 [% u
4 z3 S) f9 ~+ Q+ }5 g6 K0 y4 g3 z
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
9 P! |# c. E3 _! Y) x+ p! r修复方案:+ s1 j: R' ~; n" v
修改函数!
4 S' M! ^- W- r2 q$ S- a1 A |
发表于 2013-7-26 12:42:43
收藏
支持
反对