要描述:
# C" p9 P! d, e2 g+ [6 D; R/ \# h0 o
SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
8 C: a' {& D' O. w# ?详细说明:
) L9 d# r1 T3 ~8 iIslogin //判断登录的方法: h" B5 ]* y; M$ p* q" V5 F. J
) Q5 ?9 H, ?# x6 `5 h. z- ^! esub islogin()2 O3 {: @6 r2 i h4 j! j9 y& _" j
) w' s: W2 }0 \
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
0 K3 s; i0 B1 o, \5 c6 @: I : e4 @- I7 E) q* a; M5 \( x7 a
dim t0,t1,t2
h- ?3 c0 M! J6 v) m5 D$ Y
Q0 v+ L0 {2 e/ @% E- Jt0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie , @4 k% V1 F) t2 F4 n V( t
7 J( x/ r' a ?- U* g1 q) `3 `" Q2 [t1=sdcms.loadcookie("islogin")
6 @$ L3 K7 r2 K. E6 M # w, M o* x7 _" k3 c
t2=sdcms.loadcookie("loginkey")" l( x" I7 y( e' {1 T
; C: c4 v: l* a. |+ Z: Qif sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
& D7 c e4 Q$ `( Z2 j* Q, @
- M) H v7 ?2 N1 N, V& f/ E//
9 T9 V2 l/ c4 M: t
6 D5 y" h9 c! P ^# s. qsdcms.go "login.asp?act=out"
% d. S* j2 a5 p8 n/ L0 w1 {
G5 a. {# v+ C; w3 i* A( m/ sexit sub
Z' j8 L/ D0 ?8 j 0 E7 ^8 }9 j E5 \ ^* p' u
else
, E4 j( g' h% d- q ! ]- T- U }+ o9 ~: t, s9 g: ~$ y
dim data- V" m8 ~3 c O
. V% E% Y: c* N6 f; H
data=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控1 R) n0 b( [+ B4 V
5 z5 y9 w7 i3 J! a) x4 C
if ubound(data)<0 then" L- G0 J- z& c$ r+ s
# f5 a* q1 Q J! @$ @9 r$ \sdcms.go "login.asp?act=out"
* v: ?- _" p4 a. ~6 c, p1 v {% G
5 }8 u Y, ~) v" a2 M, jexit sub ^( u! N5 Q% _0 H
8 \6 } }% G) E+ f$ |else/ I i" m9 T4 J" V7 }# Q% s
, _* j4 s, s% _. H' F2 E0 s- eif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
4 k6 M0 ^$ a& l1 o1 W: f
: y4 u* c% `. P) w& l) \sdcms.go "login.asp?act=out"
6 {8 z E5 P& E! w, d9 L ' A( }- @, j2 b$ A- C
exit sub% n! k4 d) w! e$ o/ b1 y" N$ x6 z
! D) ]( E- o3 y [" e6 n6 Q2 \
else
# m( z. o9 M7 B" U% |/ `& C0 j
6 x& f, y2 u( B J1 H/ S- padminid=data(0,0)
6 x1 Q" U" d% c$ q3 `
( q* s% K- f9 {6 \% j2 dadminname=data(1,0)
/ c4 w+ O: a1 y0 Y. c
' p" I, b/ f$ radmin_page_lever=data(5,0)
( d9 T2 k: x' ~4 f6 b8 B4 G
. H2 g, Y, }% i' O9 P m8 {3 Fadmin_cate_array=data(6,0)
9 W+ L0 \) v- b$ J5 f w& [
- G3 l2 t5 ~ k6 q, r( t0 @' uadmin_cate_lever=data(7,0)6 b+ C! @' U K( b4 F6 K
1 V3 J& `. M5 ~8 ^/ S4 X' ~if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
# ]' z$ E$ T& |5 {; u 4 _: l) M5 O) U: x$ Y7 `
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
4 G/ m! M! A) V! ~- e3 P# ? 6 L( |9 b, e4 z& [- m& _, [
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
) e4 p8 i$ g% @5 r
/ V* G$ J4 S2 B! u. `9 O2 t6 k; ~if clng(admingroupid)<>0 then
6 k' r" ^% [, {
* |) A5 [( d8 |" G( ladmin_lever_where=" and menuid in("&admin_page_lever&")") [4 ]( H$ w* V# V' r- I1 l
7 b; Z" h$ C4 c% H; U1 G3 Wend if' E- \: {" {) h! r
% U: o1 o% b/ K- N4 F) I5 S, ^- Jsdcms.setsession "adminid",adminid
/ R# s, G5 m9 ^4 L5 x J 7 O9 g; W2 W+ A; e& g
sdcms.setsession "adminname",adminname
1 R8 Z- a/ B' m q7 ? * L, T c/ z# D. [. `
sdcms.setsession "admingroupid",data(4,0)3 o5 G4 Z: F% N
# w8 d, s9 Q, s) E1 M$ Xend if
% Z" u, j& G1 q' R) v& {0 \! T
' ~) m0 w' m8 `2 G' V' iend if
7 ]7 c& Z2 V2 D* |- m, `; {4 W
8 A0 z( M$ f( s7 d' j: [2 ]end if- {' F% D0 ~9 L
2 Q& H: y1 |$ O- K+ m" C! {
else0 d4 U5 i8 D# W. ?! _( r
* q- `7 b* N) P5 q) l5 Odata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")0 P' E& n- [9 P. g; {% C! K( W
3 G2 V6 h9 n. I& D, D% ]- q$ [if ubound(data)<0 then2 v3 M7 h' y$ f" ]7 ^4 z. q. L2 n
6 S! s6 @/ u! c' j, Z! c" m Qsdcms.go "login.asp?act=out"
6 B1 o( o8 X0 T 5 d' U3 a% ^2 n+ t/ ^
exit sub p' N. O1 x5 e& K2 t1 \- b
1 p+ I* Y- \6 [5 y8 B8 G
else
: E3 Y* N! T. p ! a- m" W( R- |# j9 P1 A
admin_page_lever=data(0,0)
- Y0 G$ I7 ?* c( ~! K9 w8 t
" ^' U& o3 O; o' ?/ Zadmin_cate_array=data(1,0)( H* y4 O3 u1 C: s! P) o
2 J: d/ P5 y4 b) Y; H" sadmin_cate_lever=data(2,0)
0 }( {& i5 q. ^4 X
8 Y' W' H- a0 } c& I2 \* V. Y: fif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
! B2 I8 _! d5 L; E0 x. S z& Q8 v ' m# N3 o7 h& B: {9 ~8 c
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0" x" O& a9 L$ Y: N
- y+ b$ _( |) t% [ [2 o$ d5 z
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
8 J9 b& j7 I! O0 c n1 l) F! h$ b% l & u6 t$ D4 O6 o+ U/ I+ o* ?9 B/ Z
if clng(admingroupid)<>0 then; o; C6 Z! s/ ?' L4 F6 |
: ^( u. |# H% J- ]admin_lever_where=" and menuid in("&admin_page_lever&")"
5 y3 @& F; i' |" Y2 o. V' _
; F' u5 r+ F# U% ]; s; _/ Z8 uend if$ ~5 s1 d$ f; t9 E" G- J6 d2 A8 u
# l$ k) t" d3 [$ G7 W- C: tend if
% l8 Z, [6 T8 y3 n, p. ^" P0 x7 t+ R ' ~$ ]. ?2 T+ I2 y; y
end if3 R# B$ ^% g5 m5 S
9 l: u7 h7 @4 Y1 f7 a# xend sub
+ `! @8 Q; g- ^, S4 @0 B8 n漏洞证明:/ `6 w$ G% }' \4 P+ A
看看操作COOKIE的函数
% [5 s+ Y5 {( b& F* a1 [9 z
) e- J* a7 c" S& n7 ]* h1 X3 Xpublic function loadcookie(t0)/ V8 ]( \& P' J' V& c
( X& X( I5 q% Y& D5 Sloadcookie=request.cookies(prefix&t0) I' F- Y5 n! w
8 P7 I0 N( P9 Y$ V0 nend function
% e. p+ ?- `5 q+ ~. U
* U5 u- M2 P' f4 X7 h2 @- H2 mpublic sub setcookie(byval t0,byval t1)" s( M3 a7 S. ~" S+ b# w' w; P
% L: r- i6 m$ E& [response.cookies(prefix&t0)=t12 Z* u! h% `' M/ M. }: ^
! s' B& V% F1 z. m/ E6 `end sub `8 G5 A4 @& u0 w7 u
# U. A9 Y) u1 k$ `
prefix
4 g5 ~, h. F3 w! @8 U 3 g t. W8 n$ `
'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值
% M8 e+ z/ u+ V4 R" {1 i9 s% T2 p " y' e3 y- c9 Q# I* N
dim prefix. q1 P' q, y* y4 r7 W: M
# |. N$ Q$ X# p% Y3 dprefix="1Jb8Ob"
( t5 K. j- j1 L
9 F. `0 E; J! I2 d1 I$ R'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
) h( {3 J. L/ W# i( ? 5 x0 u* Q! ?/ ^9 O) N* Z
sub out: G: l8 O' P4 _0 N/ @) F
$ Z9 q- k8 B3 U" I- V9 Vsdcms.setsession "adminid",""4 q" ?7 R. _2 a% ^0 ]0 d* z
7 i* P h2 q, I# Jsdcms.setsession "adminname",""; S, {$ H0 F y7 \1 f
8 W* E8 T" L% h P- Psdcms.setsession "admingroupid",""
: r: \1 ]# |; B4 A1 M! b: i
% g2 l" f! r! jsdcms.setcookie "adminid",""
, C! t2 M i; ^- r 1 ~# m" G7 D" \5 b% O
sdcms.setcookie "loginkey","": M& X6 h5 S( k! q) e8 A
, U, @- R; c ?. Y/ o- H) s
sdcms.setcookie "islogin",""
. R' x4 S& V. C6 @) V 5 H4 B) a" {3 [. M
sdcms.go "login.asp"
6 r7 K. O8 s5 J5 M) X6 h/ Q . ~" ^( @$ V1 k1 |3 i3 E
end sub
/ y5 N2 H4 f- m4 y% \3 Z2 h 9 u9 D2 p$ {9 D; V
0 j4 t" i3 G& r; x利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
$ d ]3 G: X6 n# x修复方案:
$ N) f3 l$ ]/ k2 y6 \" C4 ^; Y修改函数!" X$ r& z T# j4 k4 ?' U0 ?
|