要描述:* q+ ^! \1 @- G& h- u+ @ ~/ `; @
! u/ C: _# ]2 s9 X+ T& iSDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试
7 s6 ~ d* c8 T/ |7 `* P详细说明:
4 c ~- f% b+ ^' s; dIslogin //判断登录的方法. D" U9 C u5 r5 ]) {' J; q4 \
! K2 Z Z* V/ t7 X4 |2 B# j! Rsub islogin()" y& j( |' o% K: d3 @! M
6 b! e; f3 a' W8 ^) m/ E
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then , E) m4 M3 e# M: T* X9 t
9 o% D6 y/ g& M' b% ^& Z* H( S5 s5 C
dim t0,t1,t2 8 U+ O% w9 y" u6 O: ?% V& c' R1 ^
O" D* d9 Z( Y8 U b9 l
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie 6 X# o, s! h# r7 e: Y$ s! x4 t
2 g/ }2 y' N& E8 }t1=sdcms.loadcookie("islogin")( J5 L% H. y3 V8 }1 i
/ j8 w+ z/ P& qt2=sdcms.loadcookie("loginkey")
7 w5 I: b; t2 K* y/ ?4 X/ ]% q- u 8 Z+ [7 h" S) ?. L. n- M
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
7 R# N4 K9 H! n7 Z3 C
3 G4 m1 P5 X* `. Y% O4 f4 }//
. H- E7 E' Z+ f% S; n
+ O8 A/ a3 N9 Wsdcms.go "login.asp?act=out"+ j1 F' D9 j4 R( ~) Z' a1 i# r+ I
* a7 u! b9 H5 Rexit sub! P& E M2 D" N ]7 G" W- h
+ g" c1 ?2 e" I, F. nelse5 D% g, P. u7 r* M2 m& u. O
( A1 Y( ]* h; a/ |
dim data. g) N' O" M2 ~) S9 ]( M; w. P
4 _5 j. o$ \! f. N$ R3 Mdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控; b- J) y/ f" e7 `* \& Y
* k% ^ l) w* T$ [3 Z5 _9 h
if ubound(data)<0 then
$ E2 l* m& l% w) V
t0 K, N3 W& m8 F, ~ P$ Q: j3 `sdcms.go "login.asp?act=out"
9 J; u% s$ Q5 S. f) X+ z. k
" s9 M k% Z, H% ?exit sub& W1 B% B6 p% m7 e' G$ ^' p; }5 W
+ m: N. ^( { g- w) Gelse. X# P F( K) H2 u; T
8 S% ?: A5 S# g
if instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then
, ?, {" N& l) A) |/ \9 x 1 g/ ?# f* ?5 g0 U
sdcms.go "login.asp?act=out"
' W" W4 @2 m2 V5 i V
$ ^9 Q/ m4 }" a8 o4 x3 a [exit sub& R2 i8 u8 t i
$ s _# s; X- ~0 K. celse
+ {+ B/ J, X; `. q9 ?( }
0 @: `/ M+ f9 ?/ dadminid=data(0,0)# c0 v* T& |- b( R
; j2 `4 C- d+ madminname=data(1,0)2 u. k1 n0 l, s- I) R5 }
5 u8 O& i1 I' t1 g5 F, q$ N
admin_page_lever=data(5,0)
. z* Y, d! _5 P4 j% x1 E - A' q, a7 J) _( F0 r& B, r
admin_cate_array=data(6,0)9 Y5 u/ X5 t, }. d: Q
8 p8 |9 w; L, u# g; L: h; Z" ~+ Madmin_cate_lever=data(7,0). l/ J) u: I5 v8 f# c, O% R/ a
5 \, g, h/ p, g- A( Z
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0* S4 P' J! ?# ?6 f! n6 N
! z0 @% ~5 ^+ o4 I) N* ]) q
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0* W3 {: c! ^; f3 V
0 E* Y" J3 E6 k" t
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
1 \- p8 [: t0 F4 l& t0 v
4 ?6 R# U8 }$ f" l, L9 N, y# rif clng(admingroupid)<>0 then$ X2 s7 ~/ Z3 n: T; [
5 j1 S. a+ l1 v: b0 Gadmin_lever_where=" and menuid in("&admin_page_lever&")"
S0 B0 Q5 E( x
% G( Y( U& G8 F$ w1 xend if
( V8 |! N$ }* a/ p% [- m
: K' J- A9 W/ O8 J1 ?# \sdcms.setsession "adminid",adminid
0 B7 ^/ P" k* Y" y* F0 W' t4 P 3 D3 w' K( g' `3 a' P- R* Q
sdcms.setsession "adminname",adminname( V; D# D4 ~$ f* |% q- {
7 @7 l1 W4 `( l7 Bsdcms.setsession "admingroupid",data(4,0)
% m) T- u! ]! { - G4 v! f* V( D# M0 k& J- b
end if; t5 J& ^8 N# W6 q# P
7 u' m, A) u3 r1 F# f0 D% q) Uend if! b9 w5 Z5 p/ [1 ^- E# b
' U5 \& N: k" f- ^
end if, s1 Y9 }5 v, ?4 s+ Z, @
7 F; [. m& B: s! zelse
0 a. P6 L1 G D: F1 p - Y$ {$ i8 \6 s8 Q
data=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")
* k7 W7 x3 c' s! E6 V! I
d4 W: a* b4 Iif ubound(data)<0 then
& O- V+ M6 E5 J" d9 o! {
9 f% [7 o! E$ x' M# jsdcms.go "login.asp?act=out"
4 k/ g' i/ a4 ^; |* g1 \$ U6 ?
0 P$ w5 K" f; m }exit sub
* b* M! X9 m% \. N: x5 V
$ }1 v. S' v% P) i! zelse
" M0 m) b5 K3 U6 M; i 2 e/ T9 h& U+ ?) V; L2 b: N: r
admin_page_lever=data(0,0)
% Y9 K) y9 ^8 [: b& I , V; I: B" l4 D$ \' S- |
admin_cate_array=data(1,0)
0 t8 _. s$ Z! c1 k
& E& q9 | M+ O$ b3 Z" O. W. m( Madmin_cate_lever=data(2,0)7 o# D" M6 h- r* D) m/ |% X! ]7 f& ~" L
3 y5 S" T" V! p' n7 L
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
+ c6 N8 e5 J% ~. |
! n+ b, T' F- B- Y0 kif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
S8 }! G# R) F, \2 D* F! a : z; m7 ~$ Q+ @ C$ S
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
' B! P( \, p* J) Q# g" _9 x ( F& p4 d3 M7 W Y; [) n
if clng(admingroupid)<>0 then
& i1 y1 J- H2 O6 X1 Q / y; e: Q5 J$ J" F+ [
admin_lever_where=" and menuid in("&admin_page_lever&")"
! L/ X, @+ B( S2 Y; q 8 f4 i6 v. d4 w6 b8 k4 }" i6 s
end if. u- ^3 D8 u3 N5 M% V/ u
9 U. [$ F0 m4 W/ V6 T$ P! d( }- ^
end if
- ~* G6 t* e2 A% N 4 ?5 P2 o7 a+ ]+ j( R
end if
7 c7 P/ p) w4 p2 H* r " L0 a1 Y5 ~6 P5 r" _
end sub, ?- h+ o" N) R( f6 a6 Z
漏洞证明:
( o7 P& @# W2 C) u# J1 M: W看看操作COOKIE的函数( c+ K' b% r6 G; u
6 b% V1 t; h+ }! O' W8 F2 h
public function loadcookie(t0)
0 l: Y- p$ V) t0 a7 D/ z+ n 6 b6 E: J, ~$ P7 Q* `
loadcookie=request.cookies(prefix&t0)! D* Y0 H, z9 r+ i; V; |& H
" [) I s+ V$ P! k' w# { r* Send function
8 e$ w& N3 S. n- P! l1 ?8 }
; u3 y# J9 b8 C) qpublic sub setcookie(byval t0,byval t1)
6 D# d, l) G& Q! V" E, f- h : L' k/ J9 z) C
response.cookies(prefix&t0)=t1( l" Q! g/ J- ?& ?; z. W4 }
( P2 Z5 J& Z2 ~end sub' A. u* e$ @' l3 N& y T
+ L. i/ T! A$ G6 ^1 o
prefix
& L7 ]% c% {- O. Q! F) ]
' u( e6 u' b4 @4 U* }0 O'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值4 E6 h+ ?7 a" e9 _
9 J1 t+ X3 \8 i" p' @/ e* J
dim prefix& B7 w, r; I( o* o. H
" _- `* e, @! [. I
prefix="1Jb8Ob"3 n4 o g; s: {4 _& n5 p
( k/ C ]% t- t, l2 n'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里
8 F8 l, a! w0 \) C& n: V
# F, D5 z$ K% m% ]sub out
' A- n( e- c0 p+ q7 m* S( z4 A, f+ u5 K
7 `- l, ^6 c( f* \) `' Q$ Ysdcms.setsession "adminid",""
) p+ i5 X) s7 h% _
( `6 Q }/ e1 d& ?' P) y' C% Z9 esdcms.setsession "adminname",""
: M6 W$ w) E4 o1 ^ 6 Z1 N& Q$ g4 F
sdcms.setsession "admingroupid",""
' L/ l! _ R0 E8 |3 B6 x
3 K, x' f$ H2 Zsdcms.setcookie "adminid",""
: ^( q" f9 N0 @6 J0 w
1 U5 f* o( |( h4 n1 E$ l6 I, vsdcms.setcookie "loginkey",""* ^' J$ ~, `' Y+ |3 j/ W% T g
8 Y1 t" L& M+ Q, i
sdcms.setcookie "islogin",""
8 }5 a# y6 c; R/ F! f 5 o" P5 c& s9 H+ I
sdcms.go "login.asp"
% @3 i( E( E( K' Z; r( s' C
$ Y V3 _4 v h% \+ I3 g% tend sub: c+ K0 k5 g( O& |- U' G. a
! d7 y! V% X( N- ?* C# X ' `; G1 }" c5 Q0 t0 @& K0 w
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!5 z* }/ U7 d' X9 T9 Z& {
修复方案:- n7 \! D+ G T6 {6 w6 D4 i
修改函数!4 R5 a x: [% t# M1 H; R
|
发表于 2013-7-26 12:42:43
收藏
支持
反对